Red Team: Not all superheroes wear capes
18 April 2019
Hugo van den Toorn, Manager Offensive Security at Outpost24, explains what Red Teaming assessments involve and how the benefits of realistic attack scenarios produce detailed insights on the strengths and weaknesses across the organisation’s environments
A hacker’s modus operandi is relatively simple: to bring destruction, chaos and suffering to anyone caught within their scope – just like Marvel supervillain Thanos. With damages caused by cybercrime estimated to equate to $6 trillion by 2021, the level of hostility displayed by hackers looks set to only increase. They are unpredictable; they never bring a knife to a gunfight and their victims are often weak, defenceless and unprepared.
Because there is no silver bullet to cyber security, can a solution be found? Yes, by working collectively together, enterprises can begin to identify weak points in their defense, eliminate threats and eventually lessen the strain placed on security teams. So, where can one find the cyber security equivalent to The Avengers? Enter Red Teaming.
The power of a holistic view
Conducting security assessments should never be seen as a waste of resources, as they offer enormous benefits when done right. The various methods currently available each have a different expected outcome, and each provides valid reasons for conducting the test.
Firstly, there is the vulnerability assessment, which is commonly used to identify as many flaws as possible across a broad spectrum.
Then you have penetration testing, which consists of manual testing with analysis of the vulnerabilities discovered within a system, including exploiting these in a limited capacity.
Lastly, we have Red Team Assessments (RTAs). These involve a group of highly skilled ethical hackers testing the enterprise’s detection and response capabilities by simulating a threat actor relevant to the targeted organisation. In doing so, the Red Team is not limited by a pre-defined scope, but rather focuses on targeting the most critical assets by any means necessary.
With the need for information protection arguably at its highest, modern red teaming is growing in popularity as organisations recognise the weaknesses of more traditional defence methods. Using their extensive skills and knowledge, the red team operatives will try to obtain the pre-defined crown jewels through the use of various adversarial tools, tactics and procedures (TTPs).
Attack is the best form of defence
A critical component of RTAs is the set of realistic attack drills that are formulated and executed by the operatives. The scenarios are tailored to the customer’s environment and allow for closely simulated adversarial attacks, as well as giving detailed insight into what is happening within the environment during the assessment.
The test gives the red team free rein to trigger detective and responsive controls during the exercise, so that the organisation’s Blue Team can afterwards evaluate how effectively those controls performed.
A report is then compiled, giving the Blue Team and the security team the chance to analyse the outcome of the simulated attack and the response effort of the security measures currently in place. Because actual attack scenarios were executed, the end results give a realistic and complete overview of the weaknesses specific to the customer’s environment.
The traditional outlook on testing is evolving, and this is having an effect on the way we look at current defence capabilities. RTAs focus on challenging three key elements within an organisation: the human side of cybersecurity, the potential physical entry points and the overall network.
The human element in information security is often considered the weak link in an organisation’s defence. Many of today’s cyberattacks can be attributed to this very issue, as a result of a lack of security awareness within the workforce.
Adversaries are well aware of this, which is why phishing attacks continue to be the most prominent tool used by hackers and an often leveraged way to get a foothold into an organisation.
Next, the RTA examines any areas of concern relating to physical entry to a site or system and the potential scope of damage that could be done. The third element involves close scrutiny of the critical assets that require protection across the networks and various applications.
Whether only one or all three of these elements are examined, the objective of the RTA is to provide the security team with actionable output to help address any red flags it highlights.
It is an aid, not a replacement
While the positives of conducting RTAs have been mentioned, enterprises would be greatly mistaken to think that once an assessment has been conducted, the need to invest in other security solutions becomes unnecessary.
RTAs should be used by security teams as an opportunity to increase awareness of, and visibility into, the effectiveness of their security measures, either within a specific area of the system or for the overall system defence.
Additionally, if the CISO or security team believes there is a lack of protection and wants this highlighted, the realistic attack scenarios of an RTA can help them understand and confirm the need for change. Ultimately, it allows security teams to build stronger defensive capabilities, reduce response time during a genuine attack and give the customer knowledge of the different attack vectors, while allowing mitigations to be made swiftly and with greater confidence.