In our two-day workshop with CISO Platform on “Shifting from Pentest to Red Teaming”, our speakers Jitendra Chauhan, Head of Research, FireCompass, and Apoorv Saxena, Red Team Researcher, FireCompass, covered in detail how pen testing and red teaming differ from each other and how you as an organization can implement red teaming as a practice.
The session shed light on how Red Teaming became what it is today. Red Teaming as a category is treated as a technique, but in reality it is a mindset.
A Red Teamer needs a broader mindset and broader knowledge of tools and techniques than other defenders, e.g. a pentester.
If I had to put this in perspective, red teaming is “the emulation of adversarial tactics, techniques, and procedures (TTPs) to test plans and systems in the way they may actually be defeated by aggressors, to challenge plans and improve the decision-making process.”
And a red team mindset involves:
1. Not Taking Anything For Granted
An organization can have best-in-class security mechanisms in place, but that does not mean it is safe. Adversaries today are constantly trying to attack you, and they only need to get lucky once. A red teamer will never take anything for granted and will test everything, every day.
2. Challenging Everything
Much like the first rule, the second rule is the next step. A red teamer will always challenge the security mechanisms that have been built.
3. Thinking The Unthinkable
Red teamers will always think more like an attacker than a defender. One of the main things there is finding out how I can break into this system, rather than figuring out how safe the system is.
All of this goes with the understanding that there is no perfect security. Attackers get smarter and change their methods all the time.
A red teamer will always view a problem from the attacker’s point of view; sometimes all it takes is a low-tech solution to approach a high-tech problem. Thinking alone does not do the trick: one needs linear thinking combined with lateral and ridiculous thinking.
Reactive security is no security at all. Red teamers will always be proactive and think three steps ahead of the attacker, placing detection and deception measures to make a future attack hard.
One of the major things about a red team mindset is not getting burdened by the past and looking to the future.
Goals for Red Teaming in Cyber Security
Red teaming is a goal-based exercise, and red teaming goals are mostly broad; the goal is never just to find vulnerabilities and report them. Red teaming is done to change practices. Some of the goals for red teaming are below:
- Continuously find and exploit vulnerabilities – The nature of attacks and threats keeps changing. Conducting vulnerability discovery and safely exploiting the vulnerabilities found provides valuable feedback to the defensive teams to patch and fix vulnerabilities on a continuous basis.
- Emulate Adversarial Behaviour – Emulating the TTPs of the latest ransomware, nation-state and other threat actors tests the resilience of defensive controls and blue team effectiveness on a continuous basis.
- Measure, communicate, and improve the security posture of the organization
- Improve the security IQ of the organization
- Break the norm and challenge the effectiveness of the organization
- Drive Culture Change
The Cyber Security Kill Chain
A red team will always follow an attacker’s path to achieve these goals. Let’s see what a cybersecurity kill chain involves; the anatomy of an attack is formed by the following stages.
- Reconnaissance – Doing proper recon can stop an attack even before it happens
- Weaponize – Coupling a remote access trojan with an exploit into a deliverable payload; the result can be called a cyber weapon
- Delivery – Transmitting the weapon to the target
- Exploitation – Triggering the attacker’s payload on the target system
- Installation – Installing a backdoor and maintaining persistence
- Command and control – Outside internet controllers used to communicate with the compromised host
- Act on the objective – Data exfiltration, system disruption, etc.
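To show what a blue team can do with the kill chain model, here is an added example that is not from the workshop or from the FireCompass platform: it tags alerts with the kill chain phase they evidence, works out how far an intrusion got on each host, and reports the earlier phases that raised no alert at all. Those silent phases are the points where the attack could have been stopped sooner, which is exactly the feedback a red team exercise should hand back to defenders. The log format, host names and signature names are constructed for this example.

```python
"""Kill chain progression tracker.

Added example (not from the workshop or the FireCompass platform): it tags
alerts with the phase of the cyber kill chain they evidence, reconstructs how
far an intrusion got on each host, and reports the earlier phases that raised
no alert. The alert log format and the signature names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# The seven phases, in the order the post lists them.
KILL_CHAIN = (
    "reconnaissance",
    "weaponization",
    "delivery",
    "exploitation",
    "installation",
    "command_and_control",
    "actions_on_objectives",
)

# Weaponization happens on the attacker's own infrastructure, so a defender
# normally has no telemetry for it; it is excluded from gap reporting.
DEFENDER_VISIBLE = tuple(p for p in KILL_CHAIN if p != "weaponization")

# Constructed mapping from detection signature names to kill chain phases.
# A real deployment would maintain this mapping per detection rule.
SIGNATURE_PHASE = {
    "external_port_scan": "reconnaissance",
    "phishing_attachment_received": "delivery",
    "macro_spawned_shell": "exploitation",
    "new_autorun_persistence": "installation",
    "beacon_to_rare_domain": "command_and_control",
    "bulk_outbound_transfer": "actions_on_objectives",
}


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    signature: str


def parse_alert_line(line: str) -> Alert:
    """Parse one constructed log line: '<ISO timestamp> <host> <signature>'."""
    ts, host, signature = line.split()
    return Alert(datetime.fromisoformat(ts), host, signature)


def load_alerts(text: str) -> list[Alert]:
    """Parse a block of log lines, skipping blank lines and '#' comments."""
    return [parse_alert_line(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def phase_index(phase: str) -> int:
    return KILL_CHAIN.index(phase)


def progression(alerts: list[Alert]) -> dict[str, list[str]]:
    """Per host, the distinct phases observed, sorted in kill chain order.

    Alerts whose signature has no phase mapping are ignored rather than
    guessed, so the output never claims more than the detections support.
    """
    seen: dict[str, set[str]] = {}
    for alert in alerts:
        phase = SIGNATURE_PHASE.get(alert.signature)
        if phase is None:
            continue
        seen.setdefault(alert.host, set()).add(phase)
    return {host: sorted(phases, key=phase_index) for host, phases in seen.items()}


def deepest_phase(alerts: list[Alert], host: str) -> str | None:
    """How far along the chain the intrusion on `host` was observed to get."""
    phases = progression(alerts).get(host, [])
    return phases[-1] if phases else None


def detection_gaps(alerts: list[Alert], host: str) -> list[str]:
    """Defender-visible phases before the deepest observed one with no alert.

    Each gap is a point where the attack could have been caught earlier.
    """
    phases = progression(alerts).get(host, [])
    if not phases:
        return []
    deepest = phase_index(phases[-1])
    return [p for p in DEFENDER_VISIBLE
            if phase_index(p) < deepest and p not in phases]


# Constructed sample alerts: one workstation that was phished and reached data
# exfiltration without any persistence alert, and one perimeter device that
# only saw scanning. One line uses a signature with no phase mapping.
SAMPLE_LOG = """
# timestamp            host     signature
2024-03-04T09:12:00 ws-17    phishing_attachment_received
2024-03-04T09:14:30 ws-17    macro_spawned_shell
2024-03-04T09:20:05 ws-17    beacon_to_rare_domain
2024-03-04T11:47:52 ws-17    bulk_outbound_transfer
2024-03-04T11:48:00 ws-17    unmapped_heuristic_hit
2024-03-03T22:01:10 fw-edge  external_port_scan
"""

SAMPLE_ALERTS = load_alerts(SAMPLE_LOG)

if __name__ == "__main__":
    for host, phases in progression(SAMPLE_ALERTS).items():
        print(f"{host}: reached {phases[-1]}; "
              f"silent phases = {detection_gaps(SAMPLE_ALERTS, host)}")
```

Run as a script it prints, for the constructed workstation, that the intrusion reached actions on objectives while reconnaissance and installation produced no alert; the perimeter device shows only reconnaissance and no gaps. The mapping from signatures to phases is the part that needs care in practice, since an alert mapped to the wrong phase hides a real gap or invents a false one.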
A red teamer will perform all of this to test the security of the organization. Today, while intelligence-driven security is the new black, intelligence-driven attacks are the new white. Red teamers learn from the attacks that did not work; these attacks reveal patterns that link individuals to systems, to networks, and then to the target. Red teamers will create false trails and noisy attacks and let the target follow them, while a second, stealthy attack is ready.
Finally, one major thing about a red team mindset is to maintain pace and always have a plan – Primary, Alternate, Contingency, and Emergency.
In our recent workshop on “Shifting from Pentest to Red Teaming”, our experts shared a lot more about the process of red teaming.
You may watch the whole session that went on for two days below.
Red Team Workshop Part 1:
Red Team Workshop Part 2:
Continuous Automated Red Teaming
Continuous automated red teaming is an emerging technology designed to automate the manual red teaming process. While having the red team mindset is important to keep the organization safe from threat actors, a point-in-time red teaming exercise is a tedious, time-consuming manual process that is hard to scale.
FireCompass’s latest platform, Continuous Automated Red Teaming, is a new technology that combines Attack Surface Management (ASM), Shadow IT Discovery, and the simulation of various types of attack playbooks, including ransomware attacks, network and application attacks, social engineering, and more. The platform uses an outside-in approach, working with zero knowledge and without the need for any hardware or software, to find risks on the digital attack surface of an organization.