Red teaming is a special form of penetration testing that simulates an advanced persistent threat (APT). A team of qualified security experts takes on the role of the attacker and carries out a cyber attack on your company under realistic conditions. As in a real attack, they try to obtain sensitive data or even compromise entire IT systems and networks as well as connected applications.
The approaches and attack techniques used by malicious actors are summarized under the technical term "Tactics, Techniques and Procedures" (TTPs for short). Each malicious actor or group has its own repertoire of procedures, which the Red Team emulates in order to achieve the most accurate simulation possible.
This is contrasted with the so-called "Blue Team": the people in your company who are responsible for IT security and whose task is to detect cyber attacks at an early stage and, ideally, to defend against them.
A Red Teaming campaign always aims to execute an attack according to a pre-defined threat profile and thus to evaluate, against that profile, the effectiveness of existing defenses, security measures and management processes, and to uncover potential vulnerabilities.
Examples of such a threat profile can be findings from previous cyber attacks on your company or potential
At the beginning, the threat profile to be simulated during the attack is developed in close consultation with you. It is also determined which data or systems the Red Team is to hack or compromise. For this purpose, dummy data or mock-up systems can be used, for example, which are subject to the same security precautions as the production systems but do not contain any actual data. However, it should be ensured that the people responsible for IT security in your company are not aware of the planned measures; only in this way can a realistic scenario be achieved.
The Red Team then begins to simulate the attack, usually from an external perspective, applying attack techniques and procedures appropriate to the threat profile. In doing so, the Red Team tries to remain undetected and to bypass detection and defense mechanisms. Since this can be a time-consuming process, such a campaign usually extends over three to four weeks, and in some cases longer.
At the end of the test period, or once the previously defined goal has been met, a final report is prepared listing all activities and successful attacks, each with a time stamp. It also shows the vulnerabilities exploited in systems, policies or even management processes and, where appropriate, proposes courses of action. The results are then discussed with you and further options for action are developed in dialog. If desired, technical findings can also be discussed directly with the responsible contacts on your side and a joint refinement of detection and defense rules can be carried out.
A Red Team is usually commissioned by companies to put their own IT security to the test under realistic conditions and to review the existing defense mechanisms of their own IT department. In this way, existing vulnerabilities can be uncovered and subsequently remedied, and the risk of a successful real cyber attack reduced considerably. Red Teaming therefore presupposes that appropriate security systems are already in place at your company and that you have an internal IT department. However, Red Teaming may also cover your external service providers (e.g., third-party software and/or hardware in use).
Furthermore, Red Teaming does not check individual systems for vulnerabilities but your entire IT landscape, including related systems and applications. Nor does the Red Team limit itself to your IT: it may also pose as an employee of your company and attempt to physically infiltrate your premises.
A Red Team usually consists of various IT security experts who use their specific expertise to attack quite different areas of your IT. No real damage is caused in the process, as the Red Team does not introduce any malware or ransomware into your systems. In addition to qualified IT security experts, a Red Team also includes, for example, programmers, system administrators or network specialists. Red Teams can also include former hackers (ethical hackers) who use their experience to outsmart security mechanisms. The closer the attack is to reality, the better your IT security can be tested.
Red Teaming differs from penetration testing first of all in how it is carried out. In a penetration test, the testers are usually granted access to the systems under test, and the aim is to reveal technical deficits in as many systems as possible by means of vulnerability scanners and manual testing. A red team campaign, on the other hand, pursues the approach of compromising the previously defined target systems or their data without being detected, and also uncovers and exploits non-technical vulnerabilities by means of social engineering attacks.
A pentest also differs from a red teaming campaign in the duration of the test period. The active test period of an average penetration test usually extends over one to a maximum of two weeks, depending on the scope of the test. In a red teaming campaign, on the other hand, the active test period can extend over a month or more.
The Blue Team consists of the IT experts or responsible persons of your company. In order to conduct a realistic cyber attack on your company, the Blue Team should not be informed of the Red Team's assignment. Ideally, as few employees as possible will be involved, as your employees' behavior and the physical security of your sites may also be put to the test.
The goal of Red Teaming is clearly defined: a team of IT experts attempts to hack your IT systems in order to determine how well your company is protected against cyber attacks and which vulnerabilities exist. Various IT security topics are examined in the process: network security, the security of the end devices used, server security, firewalls, but also the behavior of your employees (social engineering), the physical security of your sites and organizational security measures. Typical questions asked during Red Teaming include:
- Are there vulnerabilities in IT security?
- Is the attack detected early by the Blue Team, and how does the Blue Team respond to the cyber attack?
- How effective are your IT department's measures?
- Do visitors have to identify themselves and is it noticeable when someone unauthorized enters the building?
- How do employees handle phishing emails?
- Are security policies and protocols being followed?
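The questions above about early detection and the Blue Team's response, like the time-stamped list of activities in the final report described earlier, come down to one measurement: for each action the Red Team carried out, did an alert follow, and how long did it take? The following Python script is an added example and not part of the original article or of any provider's tooling. It correlates a constructed Red Team activity log with a constructed list of Blue Team alerts and reports, per TTP, how many actions were detected within a window and the mean time to detect, plus the actions that produced no alert at all, which are the candidates for the joint refinement of detection rules. The MITRE ATT&CK technique IDs used as TTP labels, the host names, the time stamps and the 24-hour window are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# All sample data below is constructed for illustration; it is not from a real engagement.
# TTP labels use MITRE ATT&CK technique IDs purely as an assumed labelling convention.


@dataclass(frozen=True)
class RedTeamAction:
    ttp: str        # technique label from the agreed threat profile
    host: str       # system the action was carried out on
    time: datetime  # time stamp recorded by the Red Team
    note: str       # free-text description for the final report


@dataclass(frozen=True)
class BlueTeamAlert:
    ttp: str        # technique the alert is mapped to
    host: str
    time: datetime


def time_to_detect(action: RedTeamAction, alerts: List[BlueTeamAlert],
                   window: timedelta = timedelta(hours=24)) -> Optional[timedelta]:
    """Delay until the earliest alert on the same host and TTP that fired at or
    after the action and within `window`; None if the Blue Team never raised one."""
    candidates = [a.time - action.time for a in alerts
                  if a.host == action.host and a.ttp == action.ttp
                  and action.time <= a.time <= action.time + window]
    return min(candidates) if candidates else None


def detection_summary(actions: List[RedTeamAction], alerts: List[BlueTeamAlert],
                      window: timedelta = timedelta(hours=24)) -> Dict[str, dict]:
    """Per TTP: number of actions carried out, number detected within the window,
    and the mean time to detect in minutes over the detected ones (None if none)."""
    summary: Dict[str, dict] = {}
    for action in actions:
        entry = summary.setdefault(action.ttp, {"actions": 0, "detected": 0, "delays_min": []})
        entry["actions"] += 1
        delay = time_to_detect(action, alerts, window)
        if delay is not None:
            entry["detected"] += 1
            entry["delays_min"].append(delay.total_seconds() / 60)
    for entry in summary.values():
        delays = entry.pop("delays_min")
        entry["mean_delay_min"] = sum(delays) / len(delays) if delays else None
    return summary


def undetected(actions: List[RedTeamAction], alerts: List[BlueTeamAlert],
               window: timedelta = timedelta(hours=24)) -> List[RedTeamAction]:
    """Actions with no matching alert: the gaps to discuss in the joint debrief."""
    return [a for a in actions if time_to_detect(a, alerts, window) is None]


# Constructed Red Team log (the time-stamped activity list of the final report).
ACTIONS = [
    RedTeamAction("T1566", "ws01", datetime(2024, 3, 4, 9, 0), "phishing mail opened, payload executed"),
    RedTeamAction("T1003", "ws01", datetime(2024, 3, 4, 10, 30), "credential dump from LSASS memory"),
    RedTeamAction("T1021", "srv01", datetime(2024, 3, 4, 12, 0), "lateral movement via remote service"),
    RedTeamAction("T1021", "srv02", datetime(2024, 3, 5, 8, 15), "lateral movement via remote service"),
]

# Constructed Blue Team alert list, as exported from a SIEM after the campaign.
ALERTS = [
    BlueTeamAlert("T1003", "ws01", datetime(2024, 3, 4, 10, 42)),   # 12 min after the dump
    BlueTeamAlert("T1021", "srv01", datetime(2024, 3, 4, 15, 0)),   # 3 h after the move
    BlueTeamAlert("T1021", "srv02", datetime(2024, 3, 5, 8, 0)),    # fired before the action: unrelated
    BlueTeamAlert("T1566", "ws07", datetime(2024, 3, 4, 9, 5)),     # different host: unrelated
]

if __name__ == "__main__":
    for ttp, entry in detection_summary(ACTIONS, ALERTS).items():
        print(ttp, entry)
    for a in undetected(ACTIONS, ALERTS):
        print("no detection:", a.ttp, a.host, a.time, a.note)
```

Matching on host and TTP label is the simplest possible correlation. In practice the Blue Team's alerts first have to be mapped to the same labels the Red Team used in its log, and that mapping exercise is itself part of the joint discussion of the results.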
Red Teaming uses a variety of approaches, tools and tactics. After all, it's about putting your IT through its paces. For example, attacks are made on networks, but your employees are also put under the microscope. Below is a list of common tactics and methods used in Red Teaming:
- Penetration Testing: In Red Teaming, penetration testing is usually always performed as well. For example, applications, networks or physical security controls can be looked at and put to the test. In our article "What type of pentest do I need?" you will find more information on the different types of pentest.
- Social engineering: Social engineering is an attempt to manipulate your employees into revealing sensitive data. Social engineering can take place via telephone or e-mail (e.g. phishing attacks), but also by a so-called "social engineer" attempting to gain access to a restricted area or to enter office premises unobserved.