So You Want a Red Team: The Primer
In my former life, I was a member of an institutional Red Team at a Fortune 500 organization with several colleagues and friends who are/were members of Red Teams at other Fortune 500s. While White Oak Security provides some pretty incredible services, Red Teaming being one of them, we wanted to shed some light on a common thread among our shared experiences – that most organizations struggle to understand how to apply Red Teaming against their own business and frequently misunderstand the intent of a Red Team.
This blog post intends to help disambiguate the most common offensive security roles that we observe at large organizations and provide talking points for members and leaders of Red Teams when explaining how their role differs from the rest.
Threat Actor Definition
In Cyber Intel circles, they refer to the “bad guys” as an Adversary or Threat Actors, which are malicious individuals or groups who intend to commit harm against organizations and/or people. Depending on the motivations and sophistication of Threat Actor groups, they may have a specific industry sector that they target or they may attack multiple industries more broadly. Although we may all be familiar with the “bad guys”, we don’t necessarily know if they can breach our organizations.
Consider the following threat model (below) that most corporations face:
For those of us who aren’t indoctrinated, these categories of cyber security Threat Actors are grouped according to sophistication and prevalence. As they increase in sophistication, they’re less noisy and less likely to be caught by your detection capabilities. Although they generally have different motivations from each other, there can be some bleed-over between the groups in terms of individual actors.
Cyber Security Threat Actors:
- Nation States / Intelligence Services – Usually part of a country’s military or a civilian service, executing attacks at the request of the nation. Motivations are usually to steal state or military secrets and to disrupt the populace. They take advantage of zero-day vulnerabilities and utilize tooling that costs in the millions of dollars to develop. It’s unlikely you’ll catch these actors.
- Organized Crime – Highly capable criminals, executing attacks against organizations. They are usually motivated by financial gain. These actors employ the full technical capability needed to achieve their goals, similar to the above Nation States, however, lack the resources to implement tooling quite as sophisticated. These threat actors are likely to breach your organization to commit corporate espionage.
- Motivated Individual – Highly capable individual, executing attacks against organizations and individuals. These threat actors’ motivations vary the most, and may include financial, personal, or political reasons for their actions. Since they usually operate alone their capabilities generally don’t rival that of Organized Crime. They may take advantage of publicly known vulnerabilities, exploit development, and phishing attacks/scams, but at a much smaller scale than more sophisticated actors.
- Hacktivists – Less capable groups of threat actors, executing attacks against organizations or individuals. These actors are often motivated by political ideology. These actor groups usually don’t possess many highly sophisticated individuals and rely on publicly available exploit code, denial of service tools, credential breaches, and social media to execute attacks.
- Script Kiddies – Least capable threat actors. These actors generally rely on publicly available exploit code or scripts to execute attacks. They are generally motivated by notoriety to gain credibility amongst their peers. Many threat actors start as Script Kiddies before developing more sophisticated techniques.
What Is Red Teaming?
This is the operating space for a Red Team: The Adversary or Threat. Your neighborhood friendly adversary! You may see interchangeable terms like “Adversary Simulation” or “Threat Emulation” as explanations for the function of a Red Team, and that Red Teams utilize “Adversarial Tactics” or “Attack Simulations”. These are all correct: the purpose of your Red Team is to simulate threats against your organization, and as a result Red Teams can be said to be Threat Focused, not Risk Focused.
Red Team Assessment
Red Teams perform assessments that are generally referred to as operations, Red Team Operations, or RTOs. These operations are well-defined scenarios that utilize adversarial tactics against the organization to achieve a goal or set of goals. The result of a Red Team Operation (RTO) feeds into defense (Blue Team) improvements, organizational awareness, and strategic decision making.
There are generally two types of operations that internal Red Teams perform, Continuous and Strategic.
Continuous operations generally run at a weekly, biweekly, or monthly cadence. Common examples of continuous operations include Cyber Kill Chain (CKC) and Account Takeover (ATO) attacks. These operations generate metrics that a business can use to track Blue Team (Detection and Response) improvements over time.
Strategic operations are much more open-ended, longer-running, and objective oriented. These operations can cover other areas of the business that are generally not considered during initial foothold simulations of the CKC.
Red Team Scenarios
A couple of Red Team example scenarios I’ve seen played out at other organizations are:
- Vishing scenarios to call centers
- Generic Phishing campaigns
- Physical/Social onsite attacks at branches/stores/facilities
- Internet perimeter breach scenarios
- Assumed breach lateral movement exercises
Most of the organizations I’ve interacted with focus more on the Strategic and less on the Continuous RTOs. Both can add significant value, but depending on the maturity of the business’s Blue Team function, it may make more sense for Red Teams to focus on Strategic RTOs before justifying the additional time and resource investment that Continuous RTOs require.
Cyber Security Kill Chain
If you’re unfamiliar with the Cyber Kill Chain, I highly recommend reading up on it, as it’s an important primer for understanding the function of a Red Team; you can read that CKC info here. Overall, the Cyber Kill Chain is a cyberattack framework developed by Lockheed Martin, designed in part from US military attack models. It captures the essential stages used by Threat Actors to breach organizations. If you need a model to operate your Red Team, this is where you start.
Many others have written about the CKC, and I won’t do it much justice by giving my own spin in this blog. But for those who prefer the short synopsis, these are the basic stages of the CKC.
Cyber Kill Chain Steps:
- Reconnaissance – Information gathering on the target
- Weaponization – Preparation of an initial payload stage
- Delivery – Delivering the payload stage to a victim
- Exploitation – Detonation or execution of the payload stage (initial foothold)
- Installation – Installing additional payloads upon initial detonation
- Command & Control – Attacker communicates with compromised system
- Actions on Objective – Additional actions upon compromise (move laterally?)
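As an added illustration (not code from the original post), the following Python sketch models how the Continuous operations described earlier generate metrics a business can trend: each operation is scored by the furthest kill chain stage reached and by where, if anywhere, the Blue Team detected it. The stage names come from the list above; the class, metric names and sample data are constructed here.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional

# The Cyber Kill Chain stages listed above, in order.
CKC_STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command & Control", "Actions on Objective"]


@dataclass
class Operation:
    """One run of a continuous RTO (e.g. one month of a CKC scenario)."""
    name: str
    furthest_stage: str                      # last CKC stage the operators reached
    detected_at: Optional[str] = None        # stage at which the Blue Team caught it
    hours_to_detect: Optional[float] = None  # Delivery to detection, if detected

    def depth(self) -> int:
        """1-based index of the furthest stage reached (7 = objective achieved)."""
        return CKC_STAGES.index(self.furthest_stage) + 1


def summarize(ops: List[Operation]) -> Dict[str, object]:
    """Roll one period's operations up into metrics a business can trend."""
    detected = [op for op in ops if op.detected_at is not None]
    by_stage = {stage: 0 for stage in CKC_STAGES}
    for op in detected:
        by_stage[op.detected_at] += 1
    return {
        "operations": len(ops),
        "detection_rate": len(detected) / len(ops) if ops else 0.0,
        "mean_hours_to_detect": mean(op.hours_to_detect for op in detected) if detected else None,
        "mean_depth": mean(op.depth() for op in ops) if ops else 0.0,
        "objective_reached_undetected": sum(
            1 for op in ops if op.detected_at is None and op.depth() == len(CKC_STAGES)),
        "detections_by_stage": by_stage,
    }


def detection_rate_delta(before: List[Operation], after: List[Operation]) -> float:
    """Positive means the Blue Team caught a larger share of operations this period."""
    return summarize(after)["detection_rate"] - summarize(before)["detection_rate"]


# Constructed sample data (not real results): two quarters of monthly CKC operations.
Q1 = [Operation("jan", "Actions on Objective"),
      Operation("feb", "Command & Control", "Command & Control", 72.0),
      Operation("mar", "Actions on Objective")]
Q2 = [Operation("apr", "Installation", "Installation", 20.0),
      Operation("may", "Exploitation", "Exploitation", 4.0),
      Operation("jun", "Command & Control", "Command & Control", 30.0)]
```

Trending `summarize(Q1)` against `summarize(Q2)` shows the kind of improvement a Continuous RTO program is meant to surface: fewer operations reaching Actions on Objective, and detections moving earlier in the chain.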
Red Team Jobs
Most large organizations have two primary offensive security roles. Sometimes we see them as a combined function, but more often we see the functions divided up much more granularly. The following are common clusterings of the roles we see at organizations:
Vulnerability Management Jobs
- Manage automated, enterprise-wide security scanning
- Identify vulnerabilities by signature using vulnerability scanner tools/appliances
- Prioritize remediation based on risk and severity
- Coordination of remediation with affected teams
- Seen divided into Enterprise and Online teams
Penetration Testing Jobs
- Manage penetration testing of applications, servers and network segments
- Usually “stop” at the point of exploiting a vulnerability
- Apply a risk-based approach to vulnerability identification
- Closer involvement with dev teams’ SDL
- Seen divided into AppSec, Network Security, and Continuous App Scanning teams
As mentioned previously, depending on the size and scope of an organization we may see the above teams more granularly divided. In a former life I’ve seen Vulnerability Management divided into two teams: Enterprise and Online. Similarly, I’ve seen Penetration Testing teams divided into AppSec, Network Security and Continuous Application Scanning teams. At one colleague’s institution, their VM and Pentest teams are actually a combined function, where team members wear several hats. Your mileage may vary (and this is by no means a recommendation for how to structure your security org; we have other blogs on that).
Risk Oriented, Threat Focused
But the key take-away from these teams’ function is that they are very risk-oriented, because risk is the language the business speaks. Taking a risk-based approach to information security is critical for organizations for two main reasons: prioritizing remediation and resolving compliance obligations.
The results of Red Teaming activities can inform companies of the risks, but are not risk-based by nature. Remember: Red Teams are Threat Focused, not Risk Focused. And simulating threats is the most effective method to defend against threats.
There’s a lot to say about how to build a Red Team, however there’s no one best-fit way to do so. In the next entry in this series, we’ll dig into the Continuous and Strategic operating models, discuss the skills and roles necessary to deliver important outcomes, and end on how to make the Red Team an effective member of your Cyber Security Organization.