What is red teaming and what are the benefits to my business? | BSI America

Given today’s cyberthreat landscape, it is imperative that organizations have the correct protocols, policies and procedures in place to keep their information safe, their data secure and their infrastructure robust, and ultimately to make them resilient. In 2017, the 2013 Yahoo breach was recalculated to have affected close to 3 billion user accounts, and the Equifax data breach, with 145.5 million customers affected, ranks among the largest publicly disclosed breaches ever reported. These breaches, along with the WannaCry and Petya attacks, are signals of what is to come in cyberspace. With this in mind, organizations need to identify their susceptibility to a successful attack by testing their systems and networks before an attacker does.


What is red teaming?

Red teaming is a step beyond traditional penetration (pen) testing: it simulates a real-world attack by replicating the Tactics, Techniques and Procedures (TTPs) of real adversaries, rather than enumerating vulnerabilities in a defined set of systems.

A red teaming engagement differs from traditional pen testing in that it is performed from as close to a zero-knowledge perspective as possible: the organization as a whole is not notified ahead of time, and the red team is not supplied with any prerequisite information up front. In practice only a small control group that authorizes and scopes the engagement knows it is taking place, so that the reaction of the rest of the organization is genuine.

The role of the red team (often independent of the organization, but it can also be an internal team) is to simulate an attack on the target organization, whereas the blue team (typically an internal security team, but it can be outsourced) must defend the organization against the simulated attack.

The objective of a red team test is to reflect a real-world attack scenario, revealing the threats to the organization’s critical data from across the wider business rather than being confined to a specific subset of assets. It is a deep dive into the risks and vulnerabilities of the business and is also designed to exercise internal teams and their procedures for such an event.


CREST Simulated Target Attack and Response (STAR) testing

CREST provides internationally recognized accreditation for organizations and individuals providing pen testing, cyber incident response and threat intelligence services.

Working alongside the Bank of England (BoE), government and industry, CREST developed a framework to deliver controlled, bespoke, intelligence-led cybersecurity tests. STAR incorporates pen testing and threat intelligence services to accurately replicate threats to critical assets.

Different levels of simulation

There are a number of levels of testing, representing the types and level of attack an organization may face. Typically the engagement starts with a threat intelligence phase that is used to inform the assessment: its output dictates the type of adversary and the skill level that will be imitated during the testing. The amount of attack “noise” generated during the test is varied to match the level of adversary being emulated, for example:

  • Low-level adversaries - noisy on the network, using off-the-shelf tools to exploit known vulnerabilities
  • Advanced adversaries - less noisy, using more sophisticated techniques such as spear phishing
  • Nation-state adversaries - covert and run over longer periods of time in order to avoid detection, for example using Remote Access Tools (RATs) that evade security products such as Intrusion Prevention Systems (IPS)
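The practical consequence of these noise levels is that a detection rule tuned for a noisy, low-level adversary can be completely blind to a patient one. The following is an added example (not code from BSI, CREST or the original page) that runs a simplified port-scan rule over constructed connection records: one source probes 200 ports in ten seconds, another probes the same 200 ports at one every ten minutes. The addresses, traffic and thresholds are hypothetical.

```python
from collections import Counter, defaultdict, deque


def make_scan(src, start, n_ports, spacing):
    """Constructed connection records (timestamp_s, src_ip, dst_port) for a
    scanner touching n_ports distinct ports, one every `spacing` seconds."""
    return [(start + i * spacing, src, 1000 + i) for i in range(n_ports)]


# Constructed sample traffic (not real captures); addresses are hypothetical.
NOISY_SCAN = make_scan("10.0.0.5", 0, 200, 0.05)   # 200 ports in 10 s
LOW_AND_SLOW = make_scan("10.0.0.9", 0, 200, 600)  # 200 ports, one every 10 min
BACKGROUND = [(t, "10.0.0.20", 443) for t in range(0, 120_000, 30)]  # benign HTTPS
ALL_RECORDS = NOISY_SCAN + LOW_AND_SLOW + BACKGROUND


def port_scan_alerts(records, window_seconds, max_distinct_ports):
    """Return the set of sources that contacted more than max_distinct_ports
    distinct destination ports within any sliding window of window_seconds.

    A simplified version of the scan rule a network IDS applies; the
    thresholds passed in are hypothetical."""
    window = defaultdict(deque)         # src -> (ts, port) events still in window
    port_counts = defaultdict(Counter)  # src -> port -> occurrences in window
    alerted = set()
    for ts, src, port in sorted(records):
        events, counts = window[src], port_counts[src]
        events.append((ts, port))
        counts[port] += 1
        # Expire events older than the window so the distinct-port count stays exact.
        while ts - events[0][0] > window_seconds:
            _, old_port = events.popleft()
            counts[old_port] -= 1
            if counts[old_port] == 0:
                del counts[old_port]
        if len(counts) > max_distinct_ports:
            alerted.add(src)
    return alerted


# Rule tuned for a noisy, low-level adversary: more than 50 ports inside one minute.
FAST_RULE = dict(window_seconds=60, max_distinct_ports=50)
# Rule tuned for a patient adversary: more than 100 ports inside a full day.
SLOW_RULE = dict(window_seconds=86_400, max_distinct_ports=100)


def compare_rules(records=ALL_RECORDS):
    """Run both rules over the same traffic and return which sources each flags."""
    return {
        "fast_rule": port_scan_alerts(records, **FAST_RULE),
        "slow_rule": port_scan_alerts(records, **SLOW_RULE),
    }


if __name__ == "__main__":
    for name, hits in compare_rules().items():
        print(f"{name}: {sorted(hits) or 'no alerts'}")
```

The one-minute rule flags only the noisy scanner; the low-and-slow source never has more than one port inside any sixty-second window and passes unnoticed. Only the day-long rule, which costs more state to keep per source, catches both. This is why the threat intelligence phase fixes the adversary level up front: it determines which tempo of activity the blue team must be able to see.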

Benefits of red teaming:

  • Identifies the risk and susceptibility of attack against key business information assets
  • Tactics, Techniques and Procedures (TTPs) of genuine threat actors are simulated in a risk-managed and controlled manner
  • Assesses the organization’s ability to prevent, detect and respond to sophisticated and targeted threats
  • Close engagement with internal incident response and blue teams provides meaningful mitigation and comprehensive post-assessment debrief workshops
  • The CREST STAR framework provides consistent, threat intelligence-led engagements

For a red team assessment to be successful, organizational buy-in from senior management is essential from the very start, across departments such as IT, HR and legal.

A red team assessment is not just about highlighting the company’s weaknesses; it is an attempt to think outside the box about the security of the business, and a clear effort by the organization to understand and continuously improve its security posture into the future.

> Read more about pen testing, objective-orientated pen testing and red teaming in our whitepaper