The rate of data breaches continues to climb during the COVID-19 period, and organizations keep discovering weaknesses in their defenses, often at great expense. For mid-sized to large enterprises, a defense-in-depth strategy includes testing those defenses. The idea behind this kind of functional testing is to find the weaknesses that can affect the organization and to measure how effective the existing defenses are. The military has long used attack-and-defend exercises to test the readiness of its personnel; red team exercises are the digital equivalent.
It is advisable, and far more affordable, to have a group of friendly professionals find and help you address your vulnerabilities than to discover them at the hands of criminal enterprises who exploit your data and reputation for their own gain. In this article, our goal is to explain what red team exercises are, describe the objectives of a red team exercise, and explain how red team assessments differ from conventional penetration tests.
What are red team exercises?
According to the Center for Internet Security, Red Team exercises take a comprehensive approach to the full spectrum of organization policies, processes, and defenses to improve organizational readiness, improve training for defensive practitioners, and inspect current performance levels. Independent Red Teams can provide valuable and objective insights about vulnerabilities and the efficacy of defenses and mitigating controls already in place and even those planned for future implementation.
Red team assessments are similar to penetration tests but take a “by any means necessary” approach to reaching an organization’s private networks or sensitive data. A red team exercise simulates a realistic cyber attack using the methods and techniques recently observed in real-world attacks against businesses.
These attacks do not aim to take down the target systems. Instead, they exploit the gaps between design intent, implementation, and day-to-day maintenance of those systems in a way that lets the attacker circumvent security controls and reach the objective: compromise of the network and theft of sensitive data. In a real-world incident, the same path would also bring business disruption and financial losses.
Why conduct red team exercises, and what is the objective?
The objectives of a red team exercise are defined by the concerns of the manufacturer or supply chain partner, and the exercise is limited to the agreed scope. There are three common objectives that red team members pursue during an exercise.
- The first objective of a red team exercise is to identify the physical, hardware, software, and human vulnerabilities that affect the security of your business. Vulnerability assessments and penetration tests aim to identify vulnerabilities within a given environment; red team exercises focus on identifying and chaining multiple vulnerabilities across multiple domains, including gaining physical access to specific locations owned by the business.
- The second objective of a red team exercise is to obtain a realistic understanding of your business’s risks. As the scope of testing increases, findings will reveal more vulnerabilities. Red team exercises focus on multiple security aspects that can affect a business, including procedures for guiding visitors around a facility, training used to prepare employees for cyber incidents, and the equipment and their setup used for physically securing a facility.
- The final objective of a red team exercise is to help address and fix the identified security weaknesses. Once the exposures are identified, the red team report describes how each vulnerability was exploited and what changes should be made to prevent it from being used again.
Depending on the business’s capabilities, you can also use a red team exercise to test the capabilities of the blue team. Because the exercise simulates an external attack, it can also measure how effectively the business’s internal security team responds to an ongoing attack.
During the red team’s simulated attack, the business’s dedicated security team, also known as the blue team, is expected to detect and block the attempted attacks. They should also isolate and remediate compromised machines to prevent the red team from compromising additional network-connected devices.
Afterward, the red and blue teams meet to discuss which machines were compromised, how they were compromised, how the blue team detected the attacks, and the methods and techniques the blue team used to deal with the compromised devices.
These meetings help blue team members understand more about the common attack methods currently used while also learning how to detect and react to these types of attacks in the future. In some cases, a manufacturer may ask that a red team and blue team work together during an assessment to help improve the effectiveness of the blue team. These types of exercises are known as purple team assessments.
What does “think like an attacker” mean?
It is common to hear red team members and penetration testers talk about “thinking like an attacker,” but what does that mean in practice? During a red team exercise, the team members have to think about how to gain and then maintain control over devices and systems across a business network without alerting the blue team to their presence.
Red team members often spend weeks or even months scanning and testing the manufacturer’s resources for vulnerabilities, depending on the number of attack vectors to be assessed. During this time, the red team may also launch several phishing campaigns to establish footholds on multiple devices. This approach gives the attackers numerous opportunities and pathways to continue the attack even if some methods are detected.
Thinking like an attacker can also shape how businesses remediate discovered risks and vulnerabilities. When remediating identified issues, manufacturers tend to focus on the vulnerabilities whose exploitation would most affect the confidentiality, integrity, and availability of critical data and processes and therefore cause the largest financial loss. Attackers, by contrast, often focus on the vulnerabilities that are easiest to exploit and offer the most return for the least effort.
Some criminal enterprises will devote more resources to hacking manufacturers to generate greater returns. Then, a subset of these criminals takes a more systematic approach. They study their targets, review their social media profiles, read their business news, research their customers and family members, looking for the weak links in the security chain. Thinking like an attacker can help manufacturers prioritize remediation efforts on probable threats likely to cause loss, better-utilizing resources, and more effectively secure their environments.
How are the red team exercises different from penetration tests?
While the outcomes of red team exercises and penetration tests are similar, the methodologies and focus of the two assessments are very different.
The first difference between red team exercises and penetration tests is the scopes of the assessments.
- Penetration tests are typically scoped to specific systems or web applications and run within a fixed window agreed with the manufacturer’s team.
- Red team exercises will exploit multiple systems and applications during the cybersecurity engagement.
- Social engineering and physical security are commonly within the scope of testing during these exercises.
The second difference between red team exercises and penetration tests is the level of adversary emulation used.
- Penetration testers often use common, publicly available tools and techniques to achieve their assigned goals.
- Red team exercises will use custom tools and attack techniques based on cybercriminals’ attack methods against manufacturers and supply chain partners.
What is the red team assessment methodology?
Like penetration testers, red team members follow a process during their engagements. Depending on the business’s security needs, the exercise may cover the entire IT and network infrastructure or only specific applications. Before the engagement starts, the red team organization and the business’s leadership team agree on the exercise’s scope.
They define the objectives and goals and the “rules of engagement,” which clarify the attacks that are allowed and any specific attacks that are not permitted. A timeline and budget are confirmed. A letter of authorization is issued that grants explicit permission to conduct the attacks; during physical security assessments, the letter also lets the red team resolve matters quickly if local law enforcement becomes involved.
The next phase of the red team methodology is reconnaissance and intelligence gathering. During this phase, the red team gathers information about the target business and its staff. Discovery can include enumerating domains owned by the company and scanning its externally reachable address ranges to collect information about exposed devices; scanning of internal network ranges follows once a foothold has been established.
Some may perform electronic “dumpster diving” to identify documents that could contain usernames, passwords, or specifications of how to access the business’s internal network and personal data of employees within the organization. Red team members may also perform reconnaissance of any of the allowed sites to understand how employees enter and exit the building.
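As an added example (not from the original article and not Certitude Security’s own tooling), the script below shows the kind of triage a red team performs on documents recovered during reconnaissance: it scans each file for credentials, internal hostnames, e-mail addresses, and public hostnames, then turns the public names into a seed list for domain enumeration and flags the documents that leak credentials. The documents, hostnames, and credentials are constructed for the example and refer to no real organization; the suffix lists in the patterns are assumptions a real engagement would tune.

```python
"""Triage recovered documents for credentials, internal hostnames and
contact details, as a red team would during reconnaissance (added example)."""
import re
from typing import Dict, List, Set

# Constructed sample documents standing in for files recovered during
# reconnaissance (a leaked runbook and a contact export). The hosts, names
# and credentials are invented and do not refer to any real organization.
SAMPLE_DOCUMENTS: Dict[str, str] = {
    "plant2-runbook.txt": (
        "Line 2 HMI access\n"
        "Connect to vpn.example-mfg.com, then RDP to hmi-02.plant2.example-mfg.local\n"
        "username: svc_hmi\n"
        "password: Summer2020!\n"
        "Escalate to j.doe@example-mfg.com if the PLC is unreachable.\n"
    ),
    "vendor-contacts.csv": (
        "name,email,phone\n"
        "Jane Doe,j.doe@example-mfg.com,555-0100\n"
        "Vendor Support,support@vendor.example.net,555-0199\n"
    ),
}

# Indicator patterns. The suffix lists are deliberately short (an assumption);
# a real engagement extends them with the client's own naming conventions.
PATTERNS: Dict[str, re.Pattern] = {
    "credential": re.compile(
        r"^\s*(user(?:name)?|pass(?:word)?|pwd)\s*[:=]\s*(\S+)", re.I | re.M
    ),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "internal_host": re.compile(
        r"\b[\w-]+(?:\.[\w-]+)*\.(?:local|internal|corp|lan)\b", re.I
    ),
    "public_host": re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:com|net|org)\b", re.I),
}


def scan_document(text: str) -> Dict[str, List[str]]:
    """Return the distinct indicators found in one document, keyed by category."""
    found: Dict[str, List[str]] = {}
    for category, pattern in PATTERNS.items():
        hits: List[str] = []
        for m in pattern.finditer(text):
            # Credentials are recorded as key=value; everything else as the raw match.
            if category == "credential":
                value = f"{m.group(1).lower()}={m.group(2)}"
            else:
                value = m.group(0)
            if value not in hits:
                hits.append(value)
        if hits:
            found[category] = hits
    return found


def scan_corpus(docs: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Scan every document and drop the ones that contain nothing of interest."""
    results = {name: scan_document(text) for name, text in docs.items()}
    return {name: hits for name, hits in results.items() if hits}


def domains_to_enumerate(results: Dict[str, Dict[str, List[str]]]) -> Set[str]:
    """Collect candidate registrable domains from e-mail addresses and public
    hostnames to seed domain enumeration. Naive on purpose: it keeps the last
    two labels, so multi-part suffixes such as co.uk are mishandled."""
    domains: Set[str] = set()
    for hits in results.values():
        for email in hits.get("email", []):
            domains.add(".".join(email.split("@", 1)[1].lower().split(".")[-2:]))
        for host in hits.get("public_host", []):
            domains.add(".".join(host.lower().split(".")[-2:]))
    return domains


def documents_with_credentials(results: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Documents that leak credentials are the ones to act on first."""
    return sorted(name for name, hits in results.items() if "credential" in hits)


if __name__ == "__main__":
    found = scan_corpus(SAMPLE_DOCUMENTS)
    for name, hits in found.items():
        print(name)
        for category, values in hits.items():
            print(f"  {category}: {', '.join(values)}")
    print("domains to enumerate:", sorted(domains_to_enumerate(found)))
    print("credential leaks in:", documents_with_credentials(found))
```

Run against the two constructed files, the runbook yields a username/password pair, an internal host under the `.local` suffix and the VPN endpoint, while the contact export contributes only e-mail addresses and a second public domain; the seed list for enumeration reduces to example-mfg.com and example.net, and the runbook is the document to escalate first.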
The next phase of the red team’s methodology is the mapping phase. During mapping, the red team reviews its findings, discusses the known misconfigurations, weaknesses, and vulnerabilities, and plans how the attacks will be launched. This phase can also include creating forged ID badges and phone scripts for social engineering attacks.
The fourth phase of the red team methodology is the attack phase. During this assessment phase, red team members will launch their attacks at all of the vulnerable resources previously discovered during the mapping phase. These attacks can include attacking web applications, taking over internal network resources, and accessing sensitive information stored locally on the network. During this assessment phase, the red team mustn’t cause permanent damage to the manufacturers’ business.
The final phase of the red team methodology is the documentation and findings phase. The red team documents its work, including the vulnerabilities and misconfigurations discovered, how they were used, the post-exploitation actions that were permitted, and the goals achieved. In many cases, these reports also give the leadership team guidance on resolving the security issues to prevent future attacks, business disruption, and financial losses.
You mentioned physical assessments and social engineering. What are they?
During a red team exercise, the testers often incorporate physical security assessments and social engineering to find lesser-known vulnerabilities to exploit. Physical security assessments test the physical security of approved locations, such as factories, headquarters offices, and isolated sites owned by the business. A physical security assessment aims to identify issues with doors, locking mechanisms, and security procedures that could allow unauthorized access to sensitive areas within a facility.
Social engineering uses psychological manipulation to obtain information or access, or to set up a later attack. These attacks can be carried out in person or electronically, in many forms. Combined with a physical security assessment, social engineering can get a red team member into a building that normally requires special access or a key card. Social engineering can also gather information about key employees so that the team can better identify critical targets during the exercise.
We are not a large manufacturer. Should we perform a red team exercise?
This question is an excellent one, as it touches another significant difference between penetration testing and red team exercises. Red team exercises target complex security issues through more elaborate methods that more closely resemble an attack that could be launched against the organization. Manufacturers and producers with multiple business units and multiple locations naturally have more potential holes in their security.
Small manufacturers may have multiple locations, but the number of on-premises and cloud-based systems is manageable, and with fewer employees the number of people with access to critical data is small. We also rarely see small manufacturers developing their own applications or hosting their own business platforms.
In contrast, mid-sized manufacturers can have numerous Internet-facing (external) systems that offer attackers more vectors to target and potentially exploit. Commissioning a red team exercise is a proactive signal from the leadership team that cyber risk is taken seriously. Allocating resources to identify weaknesses and cooperatively fix them reduces future financial losses. It is important to remember that this initiative is not about assigning blame or punishing IT leadership. The red team exercise should increase shared knowledge, and it will likely include surprises. It is far less expensive to identify security gaps with your security partner than to endure the consequences of a breach by a criminal enterprise.
We do not mean to say that small manufacturers should never conduct a red team exercise. Rather, the exercise belongs after penetration testing has concluded and the internal team has completed remediation. Unlike a penetration test performed for compliance, a red team exercise does not stop at the compliance checklist; it tests whether the controls those requirements call for actually hold up against an attacker.
As a proud supporter of American manufacturing, Certitude Security® is working diligently to inform leaders and facilitate essential asset protection priorities for supply chain businesses throughout the United States. When you are interested in learning about the empowering services that Certitude Security® can offer, visit our website or coordinate a time to speak to a team member today.