The incident rate of data breaches continues to climb during this time of COVID-19. Organizations continue to discover that they have weaknesses, many at great expense. For mid to large enterprise organizations, a defense-in-depth strategy includes testing your defenses. The idea behind functional testing is to determine the weaknesses that can affect the organization and measure the effectiveness of the defenses currently in place. Attack-and-defend exercises of this kind have long been used by the military to test their personnel's readiness.
It is advisable, and more affordable, to have a group of friendly professionals working with you to address your vulnerabilities than to discover these issues at the hands of criminal enterprises who seek to exploit your data and reputation for their gain. In this article, our goal is to inform you about red team exercises, describe the objectives of a red team exercise, and explain how red team assessments differ from penetration tests.
What are red team exercises?
According to the Center for Internet Security, Red Team exercises take a comprehensive approach at the full spectrum of organization policies, processes, and defenses to improve organizational readiness, improve training for defensive practitioners, and inspect current performance levels. Independent Red Teams can provide valuable and objective insights about vulnerabilities and the efficacy of defenses and mitigating controls already in place and even of those planned for future implementation.
Red team assessments are similar to penetration tests but take a "by any means necessary" approach to gaining access to an organization's private networks or sensitive data. Red team exercises simulate a realistic cyber attack by using the methods and techniques recently used in real-world attacks against businesses. These attacks do not aim to take down the target systems; they aim to exploit the gaps between good design, intentions, implementation, and maintenance of the target systems in a way that lets the attacker circumvent security protocols and achieve the malicious objective, leading to compromise of the network and theft of sensitive data. In a real-world incident, this would include business disruption and financial losses.
Why conduct red team exercises, and what is the objective?
The objectives of a red team exercise are mainly defined by what the manufacturer or supply chain partner wants to learn from the exercise and by what the scope of the exercise defines as in bounds for testing. There are three common objectives that red team members accomplish during the exercise.
- The first objective of a red team exercise is to identify any physical, hardware, software, and human vulnerabilities that affect the security of your business. Compared to vulnerability assessments and penetration tests, where the goal is to identify vulnerabilities within a given environment, red team exercises are focused on identifying and exploiting multiple vulnerabilities across multiple environments, including trying to gain physical access to specific locations owned by the business.
- The second objective of a red team exercise is to obtain a realistic understanding of the risks that your business can face. As the scope of what can be tested is increased, more vulnerabilities and risks will be revealed. Red team exercises focus on multiple security aspects that can affect a business, including procedures for guiding visitors around a facility, training used to prepare employees for cyber incidents, and the equipment and their setup used for physically securing a facility.
- The final objective of a red team exercise is to help address and fix all identified security weaknesses. Once the risks that affect a manufacturer or business have been identified, a report from the red team will include how the vulnerability was exploited and what changes should be made to prevent the vulnerability from being exploited again.
Depending on the business's capabilities, you can also use red team exercises to test the capabilities of the blue team. Because the purpose of the red team exercise is to simulate an external attack, it can also assess how effectively a business's internal security team responds to an ongoing cybersecurity attack. During the red team's simulated attack against the target organization, the business's dedicated security team, also known as the blue team, will begin detecting and blocking attempted attacks while mitigating and isolating compromised machines to prevent the red team from compromising additional machines connected to the network.
Afterward, both the red and blue teams will discuss which machines were compromised, how they were compromised, how attacks were detected, and what methods and techniques the blue team used to deal with compromised machines. These meetings help blue team members understand the attack methods currently in common use while also learning how to detect and react to these types of attacks in the future. In some cases, a manufacturer may ask that the red team and blue team work together during an assessment to help improve the effectiveness of the blue team. These types of exercises are known as purple team assessments.
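The blue team's job during the exercise, as described above, is to detect the red team's footholds and isolate compromised machines before more of the network is reached. The following added example (written for this article; it is not code from the original page or from Certitude Security) shows one such detection run over a handful of constructed authentication log lines: it flags a source host that fans out to many distinct destinations in a short window, a pattern consistent with an attacker spreading from an established foothold, and produces the list of hosts containment should isolate. The log format, thresholds, hostnames and user names are all assumptions constructed for the example.

```python
"""Toy blue-team triage over constructed authentication logs.

Added example for illustration only: it is not code from the article or
from Certitude Security. The log format, hostnames, users and thresholds
below are constructed assumptions, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, one authentication event per line:
#   "<ISO time> <src_host> -> <dst_host> user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2021-03-04T09:00:05 ws-12 -> fileserver-01 user=jdoe result=ok
2021-03-04T09:00:09 ws-12 -> mail-01 user=jdoe result=ok
2021-03-04T09:15:00 ws-07 -> fileserver-01 user=asmith result=ok
2021-03-04T09:41:10 ws-07 -> ws-08 user=asmith result=ok
2021-03-04T09:41:12 ws-07 -> ws-09 user=asmith result=ok
2021-03-04T09:41:13 ws-07 -> ws-10 user=asmith result=fail
2021-03-04T09:41:14 ws-07 -> ws-11 user=asmith result=ok
2021-03-04T09:41:15 ws-07 -> dc-01 user=asmith result=ok
2021-03-04T13:30:00 ws-12 -> dc-01 user=jdoe result=ok
"""

FANOUT_THRESHOLD = 5            # distinct destinations from one source ...
WINDOW = timedelta(minutes=5)   # ... within this window raises an alert


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, src, _, dst, user, result = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "dst": dst,
        "user": user.split("=", 1)[1],
        "ok": result.split("=", 1)[1] == "ok",
    }


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def detect_fanout(events, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: set_of_dsts} for every source host that reaches at least
    `threshold` distinct destinations inside some sliding window of `window`.
    Failed attempts count too: an attacker probing hosts still leaves a trail."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            dsts = {e["dst"] for e in evs[start:end + 1]}
            if len(dsts) >= threshold:
                alerts[src] = alerts.get(src, set()) | dsts
    return alerts


def isolation_plan(alerts, events):
    """Hosts to isolate: each alerting source plus every destination it
    authenticated to successfully (a foothold may already exist there).
    Destinations where the attempt failed are left alone."""
    isolate = set()
    for src, dsts in alerts.items():
        isolate.add(src)
        for e in events:
            if e["src"] == src and e["dst"] in dsts and e["ok"]:
                isolate.add(e["dst"])
    return sorted(isolate)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect_fanout(evs)
    for src, dsts in found.items():
        print(f"ALERT {src} reached {len(dsts)} hosts in {WINDOW}: {sorted(dsts)}")
    print("isolate:", isolation_plan(found, evs))
```

On the constructed sample, ws-12's three logins are hours apart and stay quiet, while ws-07 touches five hosts in six seconds and is flagged; the isolation list contains ws-07 and the four hosts it reached successfully, but not ws-10, where the attempt failed. In a real environment the threshold and window would be tuned against the organization's normal administrative traffic so that backup servers and management jump hosts do not trigger the rule every night.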
What does “think like an attacker” mean?
It is common to hear red team members and penetration testers talk about “think like an attacker,” but what does it mean to think like an attacker? When conducting red team exercises, the team members have to think about how they can prolong their control over devices and systems across a business network without alerting the blue team of their presence. Often, red team members will spend weeks or even months scanning and testing the manufacturers’ resources for vulnerabilities, depending upon the number of attack vectors to be assessed. During this time, the red team may also launch several phishing campaigns to establish footholds within multiple devices. Doing this allows attackers multiple opportunities and pathways to launch attacks, even if some methods are detected.
Thinking like an attacker can also apply to how a business remediates discovered risks and vulnerabilities. When remediating identified issues, manufacturers will devote their attention to vulnerabilities where the frequency of threats to the confidentiality, integrity, and availability of critical data and processes within the business is sufficient to cause substantial financial loss. Some attackers focus their attention on vulnerabilities that are easily exploited and offer the most return for minimal effort. Some criminal enterprises devote more resources to hacking manufacturers to generate much greater returns. Then there is a subset of these criminals that takes a more methodical approach: they study their targets, reviewing their social media profiles, reading their business news, and researching their customers and family members, looking for the weak links in the security chain. Thinking like an attacker can help manufacturers prioritize remediation efforts on the probable threats likely to cause loss, making better use of resources and securing their environments more effectively.
How are the red team exercises different from penetration tests?
While the outcome of both red team exercises and penetration tests is similar, the methodologies and focus of the two assessments are vastly different. The first difference is the scope of the assessment. Penetration tests are typically defined to focus on specific systems or web applications, tested in sequence on a timeline shared with the manufacturing team members. Red team exercises will attempt to exploit multiple systems and applications during the engagement, and social engineering and physical security are commonly within the scope of testing. The second difference is the level of adversary emulation used. For pen testing, testers will often use common tools and techniques during their engagements to achieve their assigned goals. Red team exercises use custom tools and attack techniques modeled on the attack methods that cybercriminals use against manufacturers and supply chain partners.
What is the red team assessment methodology?
Similar to the methodology that penetration testers use during their engagements, red team members also follow a process during their engagement. Based on the security needs of the business, the entire IT and network infrastructure might be evaluated, or just certain applications. Before the engagement starts, the exercise's scope is discussed between the red team organization and the leadership team of the business. They define the objectives and goals to be met and the "rules of engagement" that clarify which cyber attacks are allowed and which specific attacks are not permitted. A timeline and budget are agreed upon. A letter of authorization is issued, which grants explicit permission to conduct the cyber attacks and helps the red team resolve any issues that arise during physical security assessments if local law enforcement becomes involved.
The next phase of the red team methodology is reconnaissance and intelligence gathering. During this phase, the red team begins gathering information about the target business and its staff. This can include enumerating the domains owned by the business, scanning internal network ranges to gather information about the devices connected to the network, and performing electronic "dumpster diving" to identify documents that could contain usernames, passwords, or specifications of how to access the business's internal network, as well as personal data of employees within the organization. Red team members may also perform reconnaissance of any of the allowed sites to understand how employees enter and exit the building.
The next phase of the red team's methodology is the mapping phase. During the mapping phase of the engagement, the red team reviews its findings and discusses any known misconfigurations, weaknesses, and vulnerabilities, and how the attacks will be launched. This phase can also include creating forged ID badges and writing phone scripts for social engineering attacks.
The fourth phase of the red team methodology is the attack phase. During this phase of the assessment, red team members launch their attacks against all of the vulnerable resources previously discovered during the mapping phase. These attacks can range from attacking web applications, to taking over internal network resources, to accessing sensitive information stored locally on the network. Throughout this phase of the assessment, the red team must not cause permanent damage to the manufacturer's business.
The final phase of the red team methodology is the documentation and findings phase. The red team will document all of their efforts, including how the vulnerabilities and misconfigurations were discovered, how vulnerabilities and misconfigurations were exploited, what actions were allowed post-exploitation, and the goals achieved. In many cases, these reports will also provide insight into how the leadership team can resolve security issues to prevent future attacks, business disruption, and financial losses.
You mentioned physical assessments and social engineering. What are they?
During a red team exercise, the testers will often incorporate physical security assessments and social engineering to identify lesser-known vulnerabilities to exploit. Physical security assessments focus on testing the physical security of approved locations, such as factories, headquarters offices, and isolated sites owned by the business. A physical security assessment aims to identify issues with doors, locking mechanisms, and security procedures that could allow an unauthorized person access to sensitive locations within a facility.
Social engineering uses social manipulation to gain or leverage information or access for future attacks. These attacks can be performed both in person and electronically, and in a variety of ways. Alongside physical security assessments, social engineering can help a red team member gain access to a building that would normally require special access or a key card to enter. Additionally, social engineering can gather information about key employees to better identify key targets during the exercise.
We are not a large manufacturer. Should we perform a red team exercise?
This is a good question to ask, as this is another major difference between penetration testing and red team exercises. Red team exercises target complex security issues through more elaborate methods, which more closely resemble an attack that could be launched against an organization. Certainly, manufacturers and producers with multiple business units and multiple locations have more potential holes in their security.
Small manufacturers may have multiple locations, but the number of on-premise and cloud-based systems is manageable. The number of people with access to critical data is also minimized by the smaller number of employees. Also, we typically do not see small manufacturers developing their own applications and hosting their own business platforms.
In contrast, mid-sized manufacturers can have numerous Internet-facing (external) systems that offer attackers more vectors to target and potentially exploit. Red team exercises are a proactive indication by the leadership team that cyber risk is important. Allocating resources to identify weaknesses and cooperatively fix them reduces future financial losses. It is important to remember that this initiative is not about assigning blame or punishing IT leadership. The red team exercise should increase shared knowledge, which will likely include surprises. It is far less expensive to identify security gaps with your security partner than to endure the consequences of a cyber breach by a criminal enterprise.
This is not to say small manufacturers should not conduct a red team exercise. The exercise would take place after penetration testing has concluded and the internal team has performed the remediation. Unlike penetration testing for compliance, a red team exercise would shift the assessment's focus to testing against the rules governed by the compliance requirements.
Certitude Security® is an Ohio-based cybersecurity services company that protects manufacturers throughout the United States from injustice. If you are interested in learning more about our assessment services, or in talking about how your leadership team can better understand cyber risk, please visit our website to speak to one of our representatives.