Background and Introduction
To clarify any misconceptions, let’s begin with some definitions. Penetration testing is a well-known concept among tech professionals. It aims to identify as many vulnerabilities as possible, assess their exploitability to demonstrate real-world impact, and report them for remediation. Red teaming, although it shares some similarities and overlap with penetration testing, has a distinct objective. Rather than uncovering all vulnerabilities, a red team engagement emulates a real-world attacker to evaluate the ability of the blue team (the defenders) to detect and respond to an attack. Although the two terms are often mistakenly used synonymously, they each serve unique purposes in offensive security testing. In essence, penetration testing focuses on assessing defenses, while red teaming evaluates the defenders. We can identify weaknesses through red teaming and better prepare our defenders to face real-world threats.
How It Works
So, how do we run a red team engagement? There are two primary approaches to consider. The first mimics a real hacker’s strategy, starting with reconnaissance, selecting a target, and attempting to gain initial access to the network. This access is often achieved through a simulated phishing exercise, where the red teamer deceives a user into downloading and executing malicious code, granting the attacker network access. However, this process can take weeks, as it relies on the phishing attempt’s success.
The alternative approach is the assumed breach methodology, which presumes that an attacker has already infiltrated the network or gained initial access. In this scenario, the tester begins with existing network access. A common way to bridge the gap between these approaches is to run a phishing campaign simultaneously with the assumed breach, allowing the assessment of initial access and social engineering aspects without waiting for the phishing attempt to succeed before proceeding with the test.
What does the engagement entail? Most red team engagements use MITRE’s ATT&CK (pronounced “attack”) framework to emulate the tactics, techniques, and procedures (TTPs) of an attacker. We can use ATT&CK and the ATT&CK Navigator to model the threats posed by specific hacker groups as well as industry-specific threats. Again, when red teaming, we try to emulate a real-world attacker as closely as possible, not enumerate all vulnerabilities. Since our goal is to test our defenses and our blue team, we heavily emphasize stealth and defense evasion. By doing so, we can identify gaps in our detection and response capabilities and better counteract those techniques in the future. Many TTPs can be automated using commercial tools such as Cobalt Strike or open-source tools such as MITRE Caldera. The red teamer will select a target within the organization and move through the TTPs to get there.
Blue teamers should practice what is known as defense in depth, meaning that if one defense fails, there should be another layer of security to prevent the full attack from succeeding. So we evaluate the detection and response capabilities throughout each engagement phase. If the red team can move through various TTPs undetected, or with no response from the blue team, the red and blue teams will work together to identify the gaps that allowed the activity to go undetected and then close them. If the defenders successfully detect and prevent an attack, the red team can go back and try another method to evade the blue team’s defenses. This cycle could repeat in an infinite game of cat and mouse. The result should be a comprehensive report of the strengths and weaknesses in the organization’s detection and response capabilities. Once the red teamers are satisfied that they have produced this, the engagement can conclude, and they select a new target and begin to plan another engagement.
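As an added illustration (not code from Ginkgo or from the original post), the per-phase evaluation described above can be recorded against ATT&CK technique IDs and turned into both a gap list and an ATT&CK Navigator layer. The exercise outcomes are constructed sample data, and the 0/1/2 scoring scheme, the function names, and the layer version string are assumptions.

```python
import json
from collections import defaultdict

# Constructed exercise log: (technique ID, ATT&CK tactic, detected, responded).
# The outcomes are sample data, not results from any real engagement.
RESULTS = [
    ("T1566", "initial-access", True, True),       # Phishing
    ("T1059", "execution", True, False),           # Command and Scripting Interpreter
    ("T1003", "credential-access", False, False),  # OS Credential Dumping
    ("T1021", "lateral-movement", False, False),   # Remote Services
    ("T1041", "exfiltration", True, True),         # Exfiltration Over C2 Channel
]

def score(detected, responded):
    """0 = missed, 1 = detected but no response, 2 = detected and responded."""
    return 2 if detected and responded else 1 if detected else 0

def gaps_by_tactic(results):
    """Group every technique that was not both detected and responded to."""
    gaps = defaultdict(list)
    for tid, tactic, detected, responded in results:
        if score(detected, responded) < 2:
            reason = "no detection" if not detected else "no response"
            gaps[tactic].append((tid, reason))
    return dict(gaps)

def navigator_layer(results, name="Purple team exercise (sample)"):
    """Build an ATT&CK Navigator layer dict; the version string is an assumption."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.5"},  # assumed; match your Navigator release
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"],
                     "minValue": 0, "maxValue": 2},
        "techniques": [
            {"techniqueID": tid, "tactic": tactic, "score": score(d, r),
             "comment": f"detected={d}, responded={r}"}
            for tid, tactic, d, r in results
        ],
    }

if __name__ == "__main__":
    for tactic, items in gaps_by_tactic(RESULTS).items():
        print(tactic, items)
    print(json.dumps(navigator_layer(RESULTS), indent=2))
```

Loading the printed JSON into the Navigator colors each exercised technique by outcome, so the tactics where defense in depth did not hold stand out for the joint red and blue review.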
How We Utilize Red Teaming at Ginkgo
At Ginkgo, our VAPT (Vulnerability Assessment and Penetration Testing) team adopts a comprehensive approach to vulnerability assessments that extends beyond traditional penetration testing. To maximize the effectiveness of our red team capabilities, we employ cyber-war games as a powerful tool. During these war games, we embrace a “purple team” approach, leveraging the strengths of both our red and blue teams. Through close collaboration, the red team strategically progresses while the blue team’s detection and response capabilities are continuously evaluated at each phase. These exercises serve as valuable learning experiences, enhancing the capabilities of our red and blue teams. This symbiotic relationship ensures that our offensive and defensive teams have a deep understanding of each other, fostering a strong and cohesive security infrastructure.
We can go beyond what a traditional penetration test includes through red teaming. While it is crucial to discover and patch vulnerabilities, it is often said that “prevention is ideal; detection is a must.” In the event that things slip through our systems, we must equip our blue team for early detection and response. While performing adversary emulation, we “battle harden” our blue team defenders. While blue teamers are guaranteed to see many threat attempts in their careers, they will never experience them all, especially in the wild. By mimicking the TTPs of our industry and organization’s most likely attack scenarios, we help prepare our defenders to detect and respond to real-world scenarios.