The incident rate of data breaches continues to climb during this time of COVID-19. Organizations continue to discover that they have weaknesses, many at great expense. For mid to large enterprise organizations, a defense-in-depth strategy includes testing your defenses. The idea behind functional testing is to determine the weaknesses that can affect the organization, and determine the effectiveness of the defenses currently in place. Similar to these digital exercises, attacking and defending have long been used by the military to test readiness of their personnel.
It is advisable, and more affordable, to have a group of friendly professionals working with you to address your vulnerabilities than to discover these issues at the hands of criminal enterprises who seek to exploit your data and reputation for their own gain. In this article, our goal is to inform you about red team exercises, describe the objectives of a red team exercise, and explain how red team assessments differ from penetration tests, which remain very important in their own right.
What are red team exercises?
According to the Center for Internet Security, red team exercises take a comprehensive approach to the full spectrum of organizational policies, processes, and defenses in order to improve organizational readiness, improve training for defensive practitioners, and inspect current performance levels. Independent red teams can provide valuable and objective insights about the existence of vulnerabilities and the efficacy of defenses and mitigating controls already in place, and even of those planned for future implementation.
Red team assessments are similar to penetration tests, but take a “by any means necessary” approach to gaining access to an organization’s private networks or sensitive data. Red team exercises are done to simulate a realistic cyber attack by using the methods and techniques that have recently been used in real-world attacks against businesses. These attacks do not aim to take down the target systems, but to exploit the gaps between good design, intentions, implementation, and maintenance of the target systems in a manner that allows the attacker to circumvent security controls and achieve the malicious objective, leading to the compromise of the network and the theft of sensitive data. In a real-world incident, this would also mean business disruption and financial losses.
Why conduct red team exercises and what is the objective?
The objectives of a red team exercise are mainly defined by what the manufacturer or supply chain partner wants to learn from the exercise, and by what has been defined in the scope of the exercise to be tested. There are three common objectives that red team members accomplish during the exercise.
- The first objective of a red team exercise is to identify any physical, hardware, software, and human vulnerabilities that affect the security of your business. Compared to vulnerability assessments and penetration tests, where the goal is to identify vulnerabilities within a given environment, red team exercises are focused on identifying and exploiting multiple vulnerabilities across multiple environments, including trying to gain physical access to specific locations owned by the business.
- The second objective of a red team exercise is to obtain a realistic understanding of the risks that your business can face. As the scope of what can be tested is increased, more vulnerabilities and risks will be revealed. Red team exercises focus on multiple security aspects that can affect a business, including the procedures used for guiding visitors around a facility, the training used to prepare employees for cyber incidents, and the equipment used to physically secure a facility and how that equipment is set up.
- The final objective of a red team exercise is to help address and fix all identified security weaknesses. Once the risks that affect a manufacturer or business have been identified, a report is given from the red team that will include how the vulnerability was exploited and what changes should be made to prevent the vulnerability from being exploited again.
Depending on the capabilities of the business, red team exercises can also be used to test the capabilities of the blue team. As the purpose of the red team exercise is to simulate an external attack, it can also serve to assess how effective a business’s internal security team may be when dealing with an ongoing cyber attack. During the red team’s simulated attack against the target organization, the business’s dedicated security team, also known as the blue team, will begin detecting and blocking attempted attacks while mitigating and isolating compromised machines to prevent the red team from compromising additional machines connected to the network.
Afterward, both the red and blue teams will discuss which machines were compromised, how they were compromised, how certain attacks were detected, and what methods and techniques the blue team used to deal with compromised machines. These meetings help blue team members understand more about the attack methods currently in common use, while also learning how to detect and react to these types of attacks in the future. In some cases, a manufacturer may ask that the red team and blue team work together during an assessment in order to improve the effectiveness of the blue team. These types of exercises are known as purple team assessments.
What does “think like an attacker” mean?
It is common to hear red team members and penetration testers talk about “thinking like an attacker”, but what does it mean to think like an attacker? When conducting red team exercises, the members of the team have to think about how they can prolong their control over devices and systems across a business network without alerting the blue team to their presence. Often, red team members will spend weeks or even months scanning and testing the manufacturer’s resources for vulnerabilities, depending on the number of attack vectors to be assessed. During this time, the red team may also launch several phishing campaigns in an attempt to establish footholds on multiple devices. Doing this gives the attackers multiple opportunities and pathways to launch attacks, even if some methods are detected.
Thinking like an attacker can also apply to how a business remediates discovered risks and vulnerabilities. When remediating identified issues, manufacturers should devote their attention to vulnerabilities where the threats to the confidentiality, integrity, and availability of critical data and processes are frequent enough to cause substantial financial loss. Some attackers will focus their attention on vulnerabilities that are easily exploited and offer the most return for minimal effort. Some criminal enterprises will devote more resources to hacking manufacturers where they believe they can generate much greater returns. Then there is a subset of these criminals that take a more methodical approach: they study their targets, reviewing their social media profiles, reading their business news, and researching their customers and family members, looking for the weak links in the security chain. Thinking like an attacker can help manufacturers prioritize remediation efforts on the probable threats likely to cause loss, better utilizing resources and more effectively securing their environments.
How are the red team exercises different from penetration tests?
While the outcomes of red team exercises and penetration tests are similar, the methodologies and focus of these two assessments are vastly different. The first difference between red team exercises and penetration tests is the scope of the assessment. Penetration tests are typically defined to focus on specific systems or web applications, in a sequence and on a timeline that is shared with the manufacturer’s team members. Red team exercises will attempt to exploit multiple systems and applications during the engagement, and social engineering and physical security are commonly within the scope of testing. The second difference is the level of adversary emulation that is used. In penetration testing, testers will often use common tools and techniques to achieve their assigned goals. Red team exercises will use custom tools and attack techniques based on the attack methods that cybercriminals use against manufacturers and supply chain partners.
What is the red team assessment methodology?
Similar to the methodology that penetration testers use during their engagements, red team members also follow a process during their engagement. Based on the security needs of the business, the entire IT and network infrastructure might be evaluated, or just certain applications. Prior to starting the engagement, the scope of the exercise is discussed between the red team organization and the leadership team of the business. They define the objectives and goals to be met as well as the “rules of engagement”, which clarify the cyber attacks that are allowed and any specific attacks that are not permitted. A timeline and budget are agreed upon, and a letter of authorization is issued. This letter grants explicit permission to conduct the cyber attacks, and it also helps resolve the challenges the red team may encounter during physical security assessments should local law enforcement become involved.
The next phase of the red team methodology is reconnaissance and intelligence gathering. During this phase, the red team begins gathering information about the target business and its staff. This can include enumerating domains owned by the business, scanning internal network ranges to gather information about the devices connected to the network, and performing electronic “dumpster diving” to identify documents that could contain usernames, passwords, or details of how to access the business’s internal network, as well as personal data of employees within the organization. Red team members may also perform reconnaissance of any of the allowed sites to build an understanding of how employees enter and exit the building.
The next phase of the red team’s methodology is the mapping phase. During the mapping phase of the engagement, the red team will begin reviewing their findings and discuss any known misconfigurations, weaknesses, and vulnerabilities, and how the attacks will be launched. This phase can also include creating forged ID badges and creating phone scripts for social engineering attacks.
The fourth phase of the red team methodology is the attack phase. During this phase of the assessment, red team members begin launching their attacks against all of the vulnerable resources that were discovered during the mapping phase. These attacks can range from attacking web applications to taking over internal network resources and accessing sensitive information stored locally on the network. During this phase of the assessment, it is imperative that the red team does not cause permanent damage to the manufacturer’s business.
The final phase of the red team methodology is the documentation and findings phase. The red team documents all of its efforts, including how the vulnerabilities and misconfigurations were discovered, how they were exploited, what actions were possible post-exploitation, and which goals were achieved. In many cases, these reports also provide insight into how the leadership team can resolve security issues to prevent future attacks, business disruption, and financial losses.
You mentioned physical assessments and social engineering, what are they?
During a red team exercise, the testers will often incorporate physical security assessments and social engineering to identify lesser-known vulnerabilities that could be exploited. Physical security assessments are focused on testing the physical security of approved locations, such as factories, headquarters offices, and isolated sites that are owned by the business. The goal of a physical security assessment is to identify issues with doors, locking mechanisms, and security procedures that could allow an unauthorized person access to sensitive locations within a facility.
Social engineering is the use of social manipulation to gain or leverage information or access that can be used in future attacks. These attacks can be performed both in person and electronically, and be performed in various ways. Alongside physical security assessments, social engineering can be used to help a red team member gain access to a building that would normally require special access or a key card to enter. Additionally, social engineering can be used to gather information about key employees to better identify key targets during the exercise.
We are not a large manufacturer, should we perform a red team exercise?
This is a good question to ask, as this is also another major difference between penetration testing and red team exercises. Red team exercises are targeted to identify complex security issues through more elaborate methods, which more closely resemble an attack that would be launched against an organization. Certainly, manufacturers and producers that have multiple business units and multiple locations have more potential holes in their security.
Small manufacturers may have multiple locations, but the number of on-premises and cloud-based systems is manageable. The number of people with access to critical data is also smaller, given the smaller number of employees. Also, we typically do not see small manufacturers developing their own applications and hosting their own business platforms.
In contrast, mid-sized manufacturers can have numerous Internet-facing (external) systems that offer attackers more vectors to target and potentially exploit. Red team exercises are a proactive indication by the leadership team that cyber risk is important. Allocating resources to identify weaknesses and fix them in a cooperative manner reduces future financial losses. It is important to remember that this initiative is not about assigning blame or punishing IT leadership. The red team exercise should increase shared knowledge, which will likely include surprises. It is far less expensive to identify gaps in security with your security partner than to endure the consequences of a breach by a criminal enterprise.
This is not to say that small manufacturers should not conduct a red team exercise, but it would be coordinated after penetration testing has concluded and the associated remediation has been performed. Unlike penetration testing for compliance, a red team exercise would adjust the focus of the assessment to test against the rules governed by the compliance requirements.
Certitude Security™ is an Ohio-based cybersecurity services company that protects manufacturers throughout the United States from injustice. If you are interested in learning more about our assessment services, or in talking about how your leadership team would like assistance to better understand cyber risk, please visit our website to speak to one of our representatives.