Cybersecurity Red Team 101

“Red Team” is an expression coined in the 19th century, related to German military preparedness exercises conducted as realistic board games between two adversaries operating under time constraints and certain rules. In cybersecurity, Red Team exercises—also often called adversarial simulations—involve a simulated adversary attempting to gain access to sensitive and protected IT assets, data, networks, and other technology elements.

The National Institutes of Standards and Technology (NIST) defines a (Cyber) Red Team as “A group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. The Red Team’s objective is to improve enterprise cybersecurity by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment.”

Cyber Red Team exercises have long been a staple of organizational security practices, dating back to 1997 when they were first employed by the National Security Agency to test the federal response against cyber attacks on critical infrastructure networks. Some CISOs at larger organizations maintain standing Red Teams to constantly simulate attacks against their cyber defenses. Other CISOs contract with third-party Red Team experts for annual or semi-annual exercises. In this blog, we’ll explore some high-level topics around Red Teams, including what they do, what their goals are, what weaknesses exist in their methodology, and what a more modern approach may look like.

What do Red Teams do?

Red Teams may combine cyber attacks with social engineering and attempts to physically infiltrate organizations to access or steal devices, gather information, or place mechanisms to capture data. More specifically, Red Team exercises test:

• Technology defenses. Red Teams use common tools, such as network scanners and penetration testing programs, to probe networks, devices, IP addresses, and APIs for potential vulnerabilities. In addition to using commonly available tools, sophisticated Red Teams may also use custom tools to simulate an advanced attacker. They may target any publicly addressable system, including hardware, software (e.g., firewalls and API gateways), routers, switches, and smart peripherals connected to enterprise networks.
• Human defenses. Red Teams will direct attacks at humans, including phishing emails, browser-activated malware, SMS messages with links containing malware, and even phone calls or chat requests to reset passwords or supply sensitive information. Anyone within an organization may be tested, including staff, partners, and those with access to networks, software, hardware, cloud infrastructure, or APIs.
• Physical defenses. More recently, Red Teams also do tests of physical security measures and controls. This might include access controls for offices or data centers, requests for after-hours entry at key facilities, and even surveillance to look for weaknesses in security coverage at entrances, gates, and other access points.

The goal of red-team testing

Rather than merely testing one-off security controls like a firewall or an anti-virus system, red-team testing is more holistic in nature and designed to test the security posture of organizations and their employees. Beyond the posture, the exercise is designed to test responses and adaptations that illuminate how well people and systems adjust to hostile acts. This is a critical difference from simple penetration testing (although Red Teams usually incorporate some elements of penetration testing), which is an exercise to penetrate cybersecurity defenses that is generally focused on the technology and not on the people. This form of testing is more circumscribed and is not conducted in a war-game format.

In contrast, a red-team testing exercise not only identifies security flaws and seeks to penetrate defenses, but also tests how the organization reacts and how effectively it responds to any successful attack. The best Red Teams will figure out a way to exploit some flaw. According to Deloitte, 94% of organizations that run red-team testing face some level of successful penetration.

Often, Red Teams are pitted against Blue Teams—their defensive counterpart that is tasked with detecting, responding to, and blunting cyber attacks. More recently, we have seen the emergence of Purple Teams, where Red and Blue Teams are combined into a single unit that switches roles frequently to better learn from each other and to gain fresh perspectives.

Weaknesses of red-team methodology

A key weakness of red-team testing, however, is that it requires considerable expertise, financial resources, and coordinated planning. Organizations must synchronize multiple parties, create war-game environments and IT setups, develop or train on methods for preparation, and complete post-mortems. Equally as important, red-team exercises are rarely, if ever, comprehensive and are not continuous.

Red-team exercises are human-directed, which can lead to some creative and unanticipated attack patterns and vectors, but also mean they are limited to the cognitive abilities of human attackers. While they may include network scan results as a means of targeting, for example, they cannot exhaust all possible options because the exercises are time-bound.

Red-team exercises are also usually tightly structured and focused on specific goals or targets, often using tactics of a specific type of attacker. This means the exercise can test only a limited subset of the actual attack surface, as a live adversary faces no such limits or time restrictions.

For these reasons, red-team exercises can only provide snapshots of an organization’s security posture and may not be relevant or effective a few months or even weeks later. In modern software development processes, new code is added, and existing code is changed daily or weekly. This creates new attack vectors and accelerates security drift, rapidly dating red-team findings and efficacy. The natural evolution of IT and applications also increases the exposed attack surface quickly with the growth of the Internet of Things (IoT), cloud computing, cloud-native software architectures, and distributed applications. This broader attack surface means red-teaming can cover an ever-smaller portion of potential threats.

By combining red-team exercises with automated tools like breach and attack simulation (BAS), organizations can improve the efficacy of red-team exercises. BAS tools provide the ability to scale and test against multiple scenarios, threats, and attackers at the same time, allowing red-team experts to focus on specific, critical objectives or high-profile targets. By leveraging BAS tools simultaneously with a red-team attack, security teams can uncover various additional attack paths that may not be known if only red teaming was deployed. BAS tools can make it possible to run red-team exercises efficiently, at scale, and with fewer resources on a continuous basis.

Building a more modern red-team infrastructure

Red-teaming is a useful exercise that can help organizations test their security posture in a holistic way and understand how well people and systems react in case of a serious cyberattack. But traditional red-team approaches could be dramatically improved to better reflect the current reality of constant attacks and their growing sophistication. Red teams could benefit from tapping into newer technologies, like BAS tools, to expand their coverage of the evolving attack surface and more accurately simulate the modern cybersecurity challenges faced by enterprises in keeping their applications, infrastructure, and data assets safe.