
Security Think Tank: Time to look at red teaming?

How can organisations use red teaming to identify security gaps?

Penetration testing and red teaming are designed to identify vulnerabilities in your IT systems, but the methodologies are very different. Red teaming is simply a no-holds-barred use of realistic attacker tactics, from spear-phishing and deployment of bespoke Trojans to the testing of defences to gain physical entry to a building.

While a penetration test usually relies upon the company providing relevant information such as the IP addresses to scan or the necessary credentials to access an application, a red team starts from the same position as a real attacker – from inside or outside the organisation. Red team exercises also take place without the knowledge of most personnel at the target organisation.

Traditional penetration testing does not provide that same in-depth view of border protection, employee awareness and how well processes and procedures cope when faced with a real-life attack scenario.

Red team exercises will generally start with passive reconnaissance or open source intelligence gathering, using publicly available data such as social media postings and online searches to identify individuals to target within the organisation.

Effective planning and reconnaissance will provide a good base of information on the systems, people and locations to attack, and will also identify a starting point from which to uncover potential vulnerabilities.

The information gathered is used to plan and deliver a multi-staged attack. The first stage is attack delivery and exploitation, which often involves the creation of custom exploits – known as implants – to target employees and gain access to the internal network.

A typical implant will act in a very similar way to a Trojan, with the difference being that its actions are under the full control of the red team attackers. By customising the implant for each engagement, the red team can optimise the chances of evading detection. Common delivery methods include email attachments that exploit known current vulnerabilities and fake websites.


Red teaming is not an instant gratification exercise, and the whole testing window usually lasts between four and six weeks. This includes the internal system attack, which probes the network and identifies assets of interest such as key systems and critical data, which will often have been specified by the client as targets.

A successful breach can also be measured in terms of the footprint left behind. Exfiltration is an important stage of the exercise, where the client's systems are cleaned to remove any evidence, including, for example, uninstalling the implanted Trojan from any infected laptops.

This leaves the reporting phase, which is where the real business benefit of red teaming can be found. The report needs to be both comprehensive and high-level, and must provide mitigation advice where vulnerabilities have been identified.

Legal implications of a red team

The legal implications of a red team are much the same as for a penetration test. This means the attack team could potentially be in contravention of the Computer Misuse Act, and the Data Protection Act (DPA) could come into play where access to data is concerned.

Provision of the relevant authorisation avoids the former, and if the security company conforms to standards such as ISO27001 and ISO9001, DPA issues can be avoided.

However, a company using an implant needs to ensure it is a trusted application and that any data being sent from the company network is transmitted securely. Red teams will usually oversee the development of these implants so that they retain control over the functionality the implants possess, rather than risk malicious activity from an unknown Trojan.

What’s the business benefit?

A properly conducted red team exercise extends much further than simply identifying gaps in security practices and controls. It determines how well an organisation is equipped to deal with real-world attacks and puts its security posture to the test like nothing else.

Nobody wants to find out how well equipped they are to detect and repel threats, or how effective their incident monitoring and response processes are, while under the pressure of a malicious criminal attack. The results can be used to engage the board of directors and, for example, to secure further investment in security defences and staff security awareness training. The real business benefit is delivered by being able to put the lessons learned into place before a real attack occurs.
