Red team assessments have recently become the fashionable way to describe offensive measures that test an organization's security maturity. Due to this recent shift toward red teaming, the industry needs to understand what it actually is and how it differs from a penetration test.
This article describes what a red team is, who would benefit from these assessments, what the deliverables from such an assessment are and how they are designed to help organizations improve their post-assessment posture.
First things first: Penetration tests are not red team assessments. While there is definitely an overlap between the two, a penetration test is an assessment designed to discover technical risks within an organization through the use of vulnerability scans, tools and intel.
The scope of a penetration test is normally broader than that of a red team assessment, as a pen test's objective is to highlight exploitable risks across an enterprise, and pen tests often have a much shorter timeframe. The objective of a pen test is to understand technical risks by casting a wide net to find and exploit vulnerabilities within the environment.
On the other hand, red teaming allows the testers to act like an adversary using a scenario-based approach, while also moving toward objectives and goals that are established at the start of the engagement. A red team approach is more focused than a pen test and aims to answer a different question.
Red team assessments enable a more mission-oriented focus that offers the business a better understanding of how adversaries gain access to both the environment and to sensitive data using intelligence gathering, heavy reconnaissance, and a combination of social engineering and physical and cyberattacks.
While a red team assessment can take months to a year to complete, it isn't bound to the timeframes of many pen tests, because attackers have time on their hands and will persist when looking to compromise systems. They're not just looking to poke holes in your network to determine if vulnerabilities can be exploited.
When undergoing a red team assessment, an organization must determine specific goals based on what it deems critical. The red team uses a combination of methods -- physical, social and cyber -- to reach the agreed end goals. This might include creating custom attacks and code, gaining physical access to a location to install hardware, befriending people in the organization to gain access, or reusing open source and social attacks that have already occurred in the organization's specific industry against it. In short, red team assessments are laser-focused engagements with particular objectives, longer timeframes and no limitations of scope.
Not everyone is ready for a red team assessment, as one is normally only considered after an organization has developed a solid understanding of its risks, has implemented a functional vulnerability management program and has completed past pen tests and actively remediated the results. These organizations should also have security policies and procedures in place and a security team that is continuously monitoring their environment -- both will be reviewed after the assessment.
While everyone can benefit from a red team assessment, the organizations that will benefit the most are those that have already raised their maturity by performing these assessments previously, as well as those that already have a blue team or security culture in place to detect and deter threats.
The benefits of a red team include being directly targeted by a team of individuals who are looking to compromise a particular area of your environment. This can include team members who have an advanced skill set and the objective of breaching a particular target. There is automation involved, but not as much as with a pen test, as the goal of a red team is to be extremely discreet and to work as a team.
Red team assessments normally deliver more data and metrics to the client after achieving the objectives, including business process improvements and intelligence. The deliverables include results from testing the people, processes and technologies of an organization and how they defend sensitive data. These metrics also cover the organization's capability to detect an attack, how it responds and whether the response helped deter the engagement. The deliverables also show how chained threats worked together from the physical, social and cyber angles, creating a real-world example of how advanced persistent attackers operate today to achieve their missions and gain access to sensitive data.
Red team engagements are an advanced method of working with a team of individuals who share a common, hyper-focused goal of completing a particular objective. Red teams must use a no-holds-barred approach to validate the posture and security of your organization and the assets that are important to your business.
Likewise, it is a realistic approach, mimicking how attackers act today and what they can do with a coordinated approach, plenty of time and highly capable teams working together toward a single objective.