In order to protect a business from increasingly numerous and more sophisticated targeted threats, it is necessary to change mindset and evolve towards a more offensive approach that brings greater benefits on a defensive level. Performing realistic intrusion simulations in which an external team, the Red Team, reproduces the tactics, techniques, and procedures (TTPs) that an attacker would use becomes indispensable to preserve the critical assets of the organization.
We all know that the evolution of technologies is constant and its growth unstoppable. We see it every day with smart devices, the Internet of Things, smart cities, and so on. What few people know are the real risks and the new methods or vectors of attack associated with this evolution, which make threats a reality for any organization, big or small.
One of the objectives of the audit department of a company is to verify that all risks are being mitigated correctly but… do organizations really know what their level of security is? Do they know their ability to identify the risks and threats they face? The real answer is no.
So far, organizations have increased their security through devices in their internal network or infrastructure, by deploying a SOC (security operations center), or by performing a multitude of audits and intrusion tests. These actions, although necessary, do not allow the organization to know its degree of protection against targeted threats, nor its ability to cope with these risks.
Every organization has more and more assets that are often not under control. This is the case with industrial systems, present in most organizations, such as cooling systems in data centers, lighting management systems, and so on.
It is therefore necessary to change mindset and evolve towards a more offensive approach that provides greater benefits at the defensive level. If, as an organization, we want to protect ourselves against targeted threats, it is necessary to perform realistic intrusion simulations in which an external team reproduces the TTPs that an attacker would use to reach the critical assets of the organization.
Red Team, the Enemy Mindset
The concept of the Red Team comes from the military field and is used in opposition to the Blue Team, both encompassed within the activities of war games or war simulations, where one team takes the role of attacker (Red) and the other of defender (Blue). This type of exercise has been carried out continuously for decades by the armies of a number of countries and is one of the most effective forms of training, because it reveals the state of security, the weak flanks, and the defensive capabilities and reaction to any intrusion.
In the aftermath of the 9/11 attacks in 2001, this military practice of attack and defense has spread to, and intensified within, the intelligence community (both civilian and military) and the private sector, particularly the security sector of large contractors of the US government.
The objective of the Red Team is to carry out an intrusion that allows it to take control of the main assets of the organization. This is done by building attack vectors that combine vulnerabilities across different scopes of action (digital, physical, and human), so that the mode of action resembles that of a real intrusion.
The result of the intrusion lets the target organization determine its level of security and protection against threats, since the exercise has verified not only the security systems, as audits and intrusion tests do, but also internal processes, policies, the level of employee awareness, and so on.
The main objective of the exercise is to equip the security team, or Blue Team, with the knowledge needed to deal with the identified threats, showing how to prevent and defend against the attack vectors identified during the exercise. The continuous execution of this type of exercise allows the organization to remain in a constant state of alert and, with it, to evolve continuously. Being under continuous attack means constant training in the prevention and detection of threats.
Advantages of Red Team
So far, the audit and intrusion test exercises performed in most organizations, although necessary, are not enough. They usually allow only isolated checks, and their objective is to know the level of security of those specific assets. In contrast, Red Team exercises seek to simulate a real intrusion that allows the organization to know its overall level of security.
Due to the specialized nature of the exercises, a Red Team must be formed by multidisciplinary professionals with extensive experience in carrying out intrusions, in whom lateral thinking, creativity, and high discipline stand out.
Another distinguishing aspect that gives the exercises greater realism is that the organization is almost entirely unaware of them. The simulations should be disclosed to as few people as possible, which allows the contracting department, usually the internal audit department, to learn the actual state of protection of the organization.
The use of these specialized intrusion exercises makes it possible to identify and execute alternative attack vectors that take advantage of any type of vulnerability or weakness to take control of the main assets of the organization. These vectors can exploit vulnerabilities in industrial systems, Wi-Fi networks, inefficient physical access control, and so on.