How to use red teaming to find real-world vulnerabilities

Red teaming simulates a cyber criminal attack under controlled conditions to identify risks and the impact on the business

A red team exercise involves completely re-imagining the traditional penetration test and vulnerability analysis. Rather than examining individual components of the security model in isolation, red teaming simulates a criminal attack under controlled conditions. 

These tests mimic the real-world targeted attacks that businesses face on a daily basis, using a goal-based engagement that demonstrates the true business impact of a breach rather than a list of individual findings.

A red team exercise starts with a threat and risk analysis, personalised to the business, to identify real-world attackers, their motivation, skills and likely avenues of attack. Once the most likely and damaging threats have been identified, scenarios are created that the target organisation would recognise as real and pertinent to their company.

Each scenario begins with an information gathering and reconnaissance phase to identify weaknesses in physical premises, staff members and internet-facing technology. Premises are located and reviewed online to produce a shortlist for further examination. On-site reconnaissance of selected buildings will be used to plan a more detailed, multi-staged operation.

Spear phishing campaign

The organisation's registered domains, address ranges and internet hosts are examined, exposing the software in use and finding public-facing systems such as Outlook Web Access. Internet searches harvest email addresses and associated employee information from sites such as LinkedIn. Innocuous emails are sent to elicit replies, which reveal the company's official email style and layout for later imitation.
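The harvesting step above yields a few real addresses plus a longer list of names from sites such as LinkedIn; the red team's next move is to infer the organisation's address convention and extend it to those names. The following is an added example illustrating that inference, not code from the article or from First Base Technologies; the names, the addresses and the domain example-corp.com are constructed placeholders.

```python
"""Infer an organisation's e-mail address convention from a few harvested
addresses and generate candidate addresses for staff found elsewhere
(e.g. on LinkedIn). Added example; all sample data is constructed."""
import re
from collections import Counter

# Constructed sample: (full name, address) pairs as harvested from a website
# contact page or a mailing-list archive. example-corp.com is a placeholder.
KNOWN = [
    ("Alice Smith", "alice.smith@example-corp.com"),
    ("Bob Jones", "bob.jones@example-corp.com"),
    ("Carol White", "cwhite@example-corp.com"),   # an exception to the house rule
]

# Candidate conventions; each maps (first, last) to the local part.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first":      lambda f, l: f,
}


def split_name(full_name):
    """Lower-case ASCII (first, last) from a display name; middle names dropped."""
    parts = re.sub(r"[^a-z ]", "", full_name.lower()).split()
    if len(parts) < 2:
        raise ValueError(f"need at least first and last name: {full_name!r}")
    return parts[0], parts[-1]


def infer_format(known):
    """Return (pattern_name, domain, votes): the convention that explains the
    most harvested addresses, and the most common domain among them."""
    votes, domains = Counter(), Counter()
    for name, email in known:
        local, _, domain = email.lower().partition("@")
        domains[domain] += 1
        first, last = split_name(name)
        for pname, fn in PATTERNS.items():
            if fn(first, last) == local:
                votes[pname] += 1
    if not votes:
        raise ValueError("no candidate pattern matches any harvested address")
    pname, count = votes.most_common(1)[0]
    return pname, domains.most_common(1)[0][0], count


def generate_candidates(names, known):
    """Apply the inferred convention to names harvested from other sources."""
    pname, domain, _ = infer_format(known)
    fn = PATTERNS[pname]
    return [f"{fn(*split_name(n))}@{domain}" for n in names]


if __name__ == "__main__":
    print(infer_format(KNOWN))
    print(generate_candidates(["Dave Brown", "Eve Adams-Green"], KNOWN))
```

The vote count matters more than the winning pattern: with only three addresses and one exception, two votes out of three is weak evidence, so a real engagement verifies candidates (for example via bounce behaviour or directory lookups) before building a campaign on them.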

A spear phishing campaign is mounted, using email addresses discovered in the information-gathering phase, with fake domain names and cloned sites facilitating password theft.
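The fake domain names mentioned above are normally look-alikes of the target's real domain, chosen so the cloned site and the sender address survive a casual glance. The block below is an added example, not the article's or First Base Technologies' code: it generates the kind of look-alike registrations a red team considers, and gives the matching check a mail gateway or analyst can apply to an inbound sender domain. The domain example-corp.com is a constructed placeholder.

```python
"""Look-alike domains: the kind a red team registers to host a cloned login
page, and a check that flags sender domains resembling the real one.
Added example; example-corp.com is a placeholder organisation."""

# Visually confusable substitutions commonly used in typosquatting.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4",
              "s": "5", "m": "rn", "w": "vv"}


def lookalikes(domain, alt_tlds=("net", "co", "org")):
    """Candidate look-alike registrations for a two-label domain."""
    label, _, tld = domain.lower().partition(".")
    labels = set()
    for i in range(len(label)):                       # single-character omission
        labels.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                   # adjacent transposition
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i, ch in enumerate(label):                    # one homoglyph swap
        if ch in HOMOGLYPHS:
            labels.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    labels.update({label + "-login", "secure-" + label})   # plausible affixes
    cands = {f"{l}.{tld}" for l in labels if l and l != label}
    cands.update(f"{label}.{t}" for t in alt_tlds if t != tld)   # TLD swap
    return cands


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(sender_domain, legit_domain, max_distance=2):
    """Flag a sender whose registrable domain resembles, but is not, ours."""
    s = sender_domain.lower().rstrip(".")
    legit = legit_domain.lower()
    if s == legit or s.endswith("." + legit):
        return False                                  # our domain or a real subdomain
    # Assumes a two-label registrable domain (label.tld); adjust for co.uk etc.
    reg_label = ".".join(s.split(".")[-2:]).split(".")[0]
    legit_label = legit.split(".")[0]
    if legit_label in reg_label:
        return True                                   # example-corp-login.com, example-corp.net
    return levenshtein(reg_label, legit_label) <= max_distance


if __name__ == "__main__":
    for cand in sorted(lookalikes("example-corp.com")):
        print(cand, is_lookalike(cand, "example-corp.com"))
```

The substring test and the edit-distance threshold are tuned for a distinctive label; a short company name (two or three letters) will produce false positives and needs a whitelist of known partners in front of this check.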

Stolen credentials can be deployed in an on-premises attack or remotely. Physical access to premises is facilitated through a combination of impersonation and telephone pretexting. Subsequent network access using the phished passwords permits theft of information from a variety of servers and also demonstrates persistent remote access through technical exploits.

On-premises attacks

More sophisticated on-premises attacks are designed to test visitor controls and desktop security. Scenarios are developed with team members having fully developed "legends" – back stories – for each engagement. Stories might entail impersonating a prospective customer requiring a tour of a facility, or masquerading as a member of the press researching the charitable activities of the business. Once inside, a team member can keep staff occupied while another excuses themselves for a "comfort break" and takes the opportunity to look for unprotected computers or to plant a remote control device on the network.
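A remote control device planted on the network still has to obtain an address, so DHCP lease records are one cheap place for the defending side to look for it. The block below is an added example of that check, not code from the article or from First Base Technologies; the dnsmasq-style lease lines and the asset inventory are constructed, and the locally-administered-MAC test relies only on the U/L bit (0x02 in the first octet) defined for Ethernet addresses.

```python
"""Flag devices holding DHCP leases that are absent from the asset inventory.
Added example; lease lines and inventory are constructed test data."""
from dataclasses import dataclass

# Constructed, dnsmasq-style lease lines: expiry-epoch MAC IP hostname client-id
LEASES = """\
1700000000 3c:97:0e:00:11:22 10.0.1.20 alice-laptop 01:3c:97:0e:00:11:22
1700000100 3c:97:0e:00:11:23 10.0.1.21 printer-3f *
1700000200 b8:27:eb:12:34:56 10.0.1.77 raspberrypi *
1700000300 02:00:5e:ab:cd:ef 10.0.1.78 * *
"""

# Constructed asset inventory: MAC -> owner / description
INVENTORY = {
    "3c:97:0e:00:11:22": "Alice Smith, corporate laptop",
    "3c:97:0e:00:11:23": "3rd floor printer",
}


@dataclass
class Finding:
    mac: str
    ip: str
    hostname: str
    reasons: list


def locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set: a randomised or
    manually assigned MAC rather than a vendor burned-in one."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def parse_leases(text):
    """Parse 'expiry mac ip hostname client-id' lines; hostname '*' means none."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                                  # skip blank or malformed lines
        rows.append({"expiry": int(parts[0]), "mac": parts[1].lower(),
                     "ip": parts[2], "hostname": parts[3]})
    return rows


def find_rogue_devices(lease_text, inventory):
    """Return a Finding for every lease that warrants a look."""
    findings = []
    for r in parse_leases(lease_text):
        reasons = []
        if r["mac"] not in inventory:
            reasons.append("not in asset inventory")
        if locally_administered(r["mac"]):
            reasons.append("locally administered MAC")
        if r["hostname"] == "*":
            reasons.append("no hostname offered")
        if reasons:
            findings.append(Finding(r["mac"], r["ip"], r["hostname"], reasons))
    return findings


if __name__ == "__main__":
    for f in find_rogue_devices(LEASES, INVENTORY):
        print(f"{f.ip:<12} {f.mac}  {f.hostname:<14} {', '.join(f.reasons)}")
```

This only catches devices that ask for a lease; an implant with a static address, or one bridging transparently between a desktop and its wall port, needs switch-port (802.1X or MAC-table) monitoring instead.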

This threat-based approach highlights vulnerabilities that may otherwise be missed, or are not even considered, during a typical due diligence exercise. It often delivers critical results for a modest outlay of time and money. Red teaming is not an alternative to traditional testing, but provides a valuable additional activity.

The results of red teaming can be used for security awareness training. Presentations based on this type of simulated criminal attack can engage people in a fashion completely unlike traditional training. Because the audience is following a story, and because that story is genuinely relevant to their organisation, it is possible to raise the bar on that most difficult of security controls - the human firewall. 

Security awareness at all levels can be increased significantly and staff members become security evangelists in their own right. Further red team exercises can build on this exciting precedent and provide more engaging stories to continue the education of everyone in the organisation.

Peter Wood is CEO of First Base Technologies LLP