Bluedog Red Teaming
What is Red Teaming?
A determined threat actor will always gain access, it just depends how long they’re prepared to work at it, what their budget is and how strong your defences are, but sooner or later they’ll get in.
What you need to know is… how are they going to get in? Where are you vulnerable? Which staff and roles are vulnerable. How strong is your castle and how can you make it stronger?
Automated and Manual VAPT scanning is powerful and valuable in determining what your technical and software vulnerabilities are, but how can you test the vulnerabilities of your staff? Don’t forget that security is always about people! Unlike Vulnerability Assessments, Red Teaming concentrates a lot of effort on testing the human element of an organisation.
Red Teaming lets the client set specific goals that the Red Team (the attackers) have to try and achieve. For example, they could ask the Red Team to show the client a number of confidential records that they’ve obtained from the client’s network. Or could ask them to replace a particular page on their website with a pre-determined page or graphic to prove that the website is hackable.
When the attack is complete the bluedog Red Team produce a report to detail how they managed to attack the client and most importantly recommend how to strengthen the client’s defences. In effect it’s having a team of expert hackers on your side!
How does Red Teaming work?
Let’s look at the stages involved in Red Team exercise:
Of all the stages this is probably the most important. Red Teaming is goal driven. To be successful, a Red Team exercise must have clear and specific goals. A clearly defined goal could be for example; “Prove access to 100 Confidential Customer Records”.
Don’t worry if the client doesn’t really know what they need or want testing, we have the experience to suggest a list of useful goals.
Once the team and the client agree the goals, they will also agree the attack parameters; what the team are allowed to do and what they aren’t allowed to do, when they are allowed to do it, and the rules of “warfare”.
As with any attack in the real world or the world of cyber security, the first stage involves scoping out the landscape. Which in our case means listing all the assets within the attack area; web applications, servers, workstations, networks etc, and determine how they all interconnect.
A big difference between Red Teaming and Penetration Testing is the use of Social Engineering. Certain individuals or Roles can be specifically targeted to see if the attacks can exploit the person or role to obtain vital information… even if the person doesn’t know they are giving vital information away! This part of the attack may be carried out remotely or on-site depending upon the situation and the needs of the client.
Of course, in today’s world, many cyber-attacks start with a simple email. So, many (not all) Red Teaming exercises include Phishing attacks sometimes even highly targeted Spear Phishing where an individual or role is targeted. This allows the Red Team to accurately simulate a modern cyber-attack using real world scenarios.
All members of the bluedog Red Team are experts in both Automated and Manual Penetration Testing, which is an important part of the process to determine what the vulnerabilities of the network and assets are.
Once the Red Team have a list of vulnerabilities, they can get to work exploiting them in a safe manner. Rest assured that they won’t do anything that would cause network downtime or cause physical damage!
Unlike a standard Manual Penetration test, a Red Team attack may involve chaining vulnerabilities. This means what may be a relatively insignificant vulnerability in isolation, can be combined with other vulnerabilities to produce a much greater threat. Our Red Team are experts in this field, and these are the types of correlation that humans are really good at; asking the “what if” questions.
Using their years of experience, knowledge, skills, and maybe with the help of vulnerabilities our Red Team then attempt to gain access to the internal network. Now the real fun begins; How deep can we go? How wide can we go? Can we gain access to Administrative accounts?
Once the Red Team are inside the network or website infrastructure, they will utilise their skills and vulnerabilities to access admin accounts or escalate their privileges so they can take control of the asset or assets that are part of the goal. At no time will any of the Red Team cause damage to or jeopardize the safe running of the client network or websites. Any control gained is strictly managed.
The prizes for the Red Team are the goals which are agreed at the start of the exercise. This may be taking over a particular account or successfully obtaining sample confidential records. There’s an infinite number of scenarios that can be a goal.
The end of the exercise is the creation of a detailed report for both management and technical staff, the report will highlight the deficiencies found and recommendations to improve the security posture of the organisation based on the Red Teams findings. The report will concentrate on the risks to the organisation.
Furthermore, during the Remediation phase – which isn’t actually part of the Red Teams’ work – the Team leader will be available to give feedback and recommendations to the team performing the remediation and strengthening.