So You Want a Red Team: The Primer

So You Want a Red Team: The Primer

In a former life I was a member of an institutional Red Team at a Fortune 500 organization.  Colleagues and friends are members of institutional Red Teams at other Fortune 500s, and White Oak Security provides Red Teaming as a service. The common thread among our shared experiences is that most institutions struggle to understand how to apply Red Teaming against their own business, and frequently misunderstand the intent of a Red Team. This blog post intends to help disambiguate the most common offensive security roles that we observe at large organizations and provide talking points for members and leaders of Red Teams when explaining to the business how their role differs from the rest.

 

It’s All About The Threat

In Cyber Intel circles they refer to the “bad guys” as an Adversary or Threat Actor, which are malicious individuals or groups who intend to commit harm against organizations and/or people. Depending on the motivations and sophistication of Threat Actor groups they may have a specific industry sector that they target, or they may attack multiple industries more broadly. Although we may all be familiar with the “bad guys”, we don’t necessarily know if they can breach our organizations.

Consider the following threat model that most corporations face:

threat triangle.png

For those of us who aren’t indoctrinated, these categories of Threat Actors are grouped according to sophistication and prevalence. As they increase in sophistication they’re less noisy and less likely to be caught by your detection capabilities. Although they generally have different motivations from each other, there can be some bleed-over between the groups in terms of individual actors.

·       Nation States / Intelligence Services – Usually part of a country’s military or a civilian service, executing attacks at the request of the nation. Motivations are usually to steal state or military secrets, and to disrupt the populace. They take advantage of zero-day vulnerabilities and utilize tooling that costs in the millions of dollars to develop. It’s unlikely you’ll catch these actors.

·       Organized Crime – Highly capable criminals, executing attacks against organizations. They are usually motivated by financial gain. These actors employ the full technical capability needed to achieve their goals, similar to Nation States, however, lack the resources to implement tooling quite as sophisticated. These threat actors are likely to breach your organization, to commit corporate espionage.

·       Motivated Individual – Highly capable individual, executing attacks against organizations and individuals. These threat actors’ motivations vary the most, and may include financial, personal or political reasons for their actions. Since they usually operate alone their capabilities generally don’t rival that of Organized Crime. They may take advantage of publicly known vulnerabilities, exploit development, and phishing attacks/scams, but at a much smaller scale than more sophisticated actors.

·       Hacktivists – Less capable groups of threat actors, executing attacks against organizations or individuals. These actors are often motivated by political ideology. These actor groups usually don’t possess many highly sophisticated individuals, and rely on publicly available exploit code, denial of service tools, credential breaches and social media to execute attacks.

·       Script Kiddies - Least capable threat actors. These actors generally rely on publicly available exploit code, or scripts to execute attacks. They are generally motivated by notoriety to gain credibility amongst their peer. Many threat actors start as Script Kiddies before developing more sophisticated techniques.

 

Your Friendly Neighborhood Adversary:

This is the operating space for a Red Team: The Adversary or Threat. You may see interchangeable terms like “Adversary Simulation” or “Threat Emulation” as explanations for the function of a Red Team, and that Red Teams utilize “Adversarial Tactics” or “Attack Simulations”. These are all correct: the purpose of your Red Team is to simulate Threats against your organization, and as a result Red Teams can be said to be Threat Focused, not Risk Focused.

Red Teams perform assessments that are generally referred to as an operation. These operations are well-defined scenarios that utilize adversarial tactics against their organization to achieve a goal or set of goals. The result of a Red Team Operation feeds into defense (Blue Team) improvements, organizational awareness, and strategic decision making.

There are generally two types of operations that internal Red Teams perform: Continuous and Strategic.

Continuous operations generally run at a at a weekly, biweekly or monthly cadence. Common examples of continuous operations include Cyber Kill Chain (CKC) and Account Takeover (ATO) attacks. These operations generate metrics that a business can use to track Blue Team (Detection and Response) improvements over time.

Strategic operations are much more open-ended, longer-running and objective oriented. These operations can cover other areas of the business that are generally not considered during initial foothold simulations of the CKC. A couple example scenarios I’ve seen played out at other organizations are:

  • Vishing scenarios to call centers

  • Generic Phishing campaigns

  • Physical/Social onsite attacks at branches/stores/facilities

  • Internet perimeter breach scenarios

  • Assumed breach lateral movement exercises

Most of the organizations I’ve interacted with focus more on the Strategic and less on the Continuous RTOs. Both can add significant value but depending on the maturity of the business’s Blue Team function it may make more sense for Red Teams to focus on Strategic RTOs before justifying the additional time and resource investment that Continuous RTOs require.

If you’re unfamiliar with the Cyber Kill Chain, I highly recommend reading up on it as it’s an important primer to understand the function of a Red Team:

https://www.sans.org/security-awareness-training/blog/applying-security-awareness-cyber-kill-chain

Essentially the Cyber Kill Chain is a cyberattack framework developed by Lockheed Martin designed in part from US military attack models. It captures the essential stages used by Threat Actors to breach organizations. If you need a model to operate your Red Team, this is where you start.

Many others have written about the CKC, and I won’t do it much justice by giving my own spin in this blog. But for those who prefer the short synopsis, these are the basic stages of the CKC:

  1. Reconnaissance – Information gathering on the target

  2. Weaponization – Preparation of an initial payload stage

  3. Delivery – Delivering the payload stage to a victim

  4. Exploitation – Detonation or execution of the payload stage (initial foothold)

  5. Installation – Installing additional payloads upon initial detonation

  6. Command & Control – Attacker communicates with compromised system

  7. Actions on Objective – Additional actions upon compromise (move laterally?)

 

What About Pentesting and Vulnerability Management?

Most large organizations have two primary offensive security roles. Sometimes we see them as a combined function, but more often we see the functions divided up much more granularly. The following are common clustering of the roles we see at organizations:

Vulnerability Management:

  • Manage automated, enterprise-wide security scanning

  • Identify vulnerabilities by signature using vulnerability scanner tools/appliances

  • Prioritize remediation based on risk and severity

  • Coordination of remediation with affected teams

Penetration Testing:

  • Manage penetration testing of applications, servers and network segments

  • Usually “stop” at the point of exploiting a vulnerability

  • Apply a risk-based approach to vulnerability identification

  • Closer involvement with dev teams’ SDL

As mentioned previously, depending on the size and scope of an organization we may see the above teams more granularly divided. In a former life I’ve seen Vulnerability Management divided into two teams: Enterprise and Online. Similarly, I’ve seen Penetration Testing teams divided into AppSec, Network Security and Continuous Application Scanning teams. At one colleague’s institution their VM and Pentest teams are actually a combined function, where team members wear several hats. Your mileage may vary, and this is by no means a recommendation for how to structure your security org.

But key take-away from these teams’ function is they are very risk-oriented, because risk is the language the business speaks. Taking a risk-based approach to information security is critical for organizations for 2 reasons: prioritizing remediation and resolving compliance obligations.

The results of Red Teaming activities can inform risk but are not risk-based by nature. Remember: Red Teams are Threat Focused, not Risk Focused. And simulating threats is the most effective method to defend against threats.

 

What’s Next?

There’s a lot to say about how to build a Red Team, however there’s no one best-fit way to do so. In the next entry in this series we’ll dig into the Continuous and Strategic operating models, discuss the skills and roles necessary to deliver important outcomes, and end on how to make the Red Team an effective member of your Cyber Security Organization.