Red Teaming Is More Relevant Than Ever

Red Teaming, a form of proactive adversarial attack testing, has long been viewed as an extension of penetration testing, but that is something of a disservice. Unlike a penetration test, which tends to be limited in scope and overt, red teaming employs the tactics, techniques and procedures (TTPs) that a real attacker would use in a simulated attack, and it is carried out covertly.

It’s this ‘real world’ capability that sets it apart, with the red team seeking to exploit any chinks in the organisation’s defences and to continue to push forward and pivot the attack.

Conversely, the blue team is composed of defenders who will attempt to detect any offensive activity. Their job is to identify the point of ingress, remove access or mitigate lateral movement in a bid to thwart the ‘attack’. In this respect, a red teaming exercise can also be used to test the speed and agility of the blue team, often expressed as Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). Purple teaming sees the red and blue teams collaborate, sharing TTPs to identify vulnerabilities together, and can be useful for testing playbooks, for instance.
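As an added example (not part of the original article), the following script shows how the MTTD and MTTR figures mentioned above can be derived from a red team exercise timeline. The incident records are constructed for illustration; a detection is measured from the start of the red team action, a response from the detection, and actions the blue team never detected are reported separately rather than silently dropped, since they are the most important finding.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Optional


@dataclass
class RedTeamAction:
    """One red team action and the blue team's reaction to it (constructed records)."""
    name: str
    started: datetime                 # red team action begins
    detected: Optional[datetime]      # first blue team alert, None if never detected
    contained: Optional[datetime]     # access removed / movement blocked, None if not yet


def exercise_metrics(actions):
    """Return MTTD, MTTR and median dwell time in hours, plus the actions the blue team missed."""
    hours = lambda a, b: (b - a).total_seconds() / 3600
    detected = [a for a in actions if a.detected is not None]
    contained = [a for a in detected if a.contained is not None]
    detect_times = [hours(a.started, a.detected) for a in detected]
    respond_times = [hours(a.detected, a.contained) for a in contained]
    return {
        # MTTD: mean of (first alert - action start) over detected actions only
        "mttd_hours": mean(detect_times) if detect_times else None,
        # MTTR: mean of (containment - first alert) over actions that were contained
        "mttr_hours": mean(respond_times) if respond_times else None,
        # median is less skewed by a single very late detection than the mean
        "median_dwell_hours": median(detect_times) if detect_times else None,
        "undetected": [a.name for a in actions if a.detected is None],
        "detected_not_contained": [a.name for a in detected if a.contained is None],
    }


# Constructed exercise timeline (hypothetical dates and action names).
SAMPLE_ACTIONS = [
    RedTeamAction("initial access via phishing", datetime(2024, 3, 1, 9, 0),
                  datetime(2024, 3, 1, 9, 30), datetime(2024, 3, 1, 11, 30)),
    RedTeamAction("credential dump on workstation", datetime(2024, 3, 1, 14, 0),
                  datetime(2024, 3, 2, 14, 0), datetime(2024, 3, 2, 20, 0)),
    RedTeamAction("lateral movement to file server", datetime(2024, 3, 2, 8, 0),
                  None, None),
    RedTeamAction("data staging for exfiltration", datetime(2024, 3, 3, 10, 0),
                  datetime(2024, 3, 3, 11, 0), None),
]

if __name__ == "__main__":
    for key, value in exercise_metrics(SAMPLE_ACTIONS).items():
        print(f"{key}: {value}")
```

The mean detection time here is dragged to 8.5 hours by one slow detection while the median is 1 hour, which is why both figures, and the list of undetected actions, belong in the report.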

As to when to conduct a red team test, the general consensus is that the organisation needs to have a mature cyber security posture with good security hygiene in place, by which we mean patching, monitoring and access control measures. There are numerous reasons why businesses embark on a red team test: significant changes within the business, such as a transformation programme or a merger or acquisition; risk assessing the infrastructure and its supply chain; meeting insurance or compliance demands; or, of course, after a security incident has already happened, to reduce the risk of future compromise. But what is becoming apparent is that the need for red teaming is increasing.

Chinks In The Armour

Scenario-based testing has never been more relevant, thanks to a number of developments. Firstly, the way in which we work has changed enormously, both in terms of the remote workforce and the move to distributed network architectures using the cloud. Securing both is far more challenging, requiring stringent endpoint monitoring and access control mechanisms based on the concept of Zero Trust.

As of today, very few organisations have been able to successfully implement Zero Trust wholesale, and Gartner predicts only 10% of large organisations will have mastered it by 2026. As a result, there are inevitably gaps in the infrastructure that an attacker can exploit. Application Programming Interfaces (APIs), which provide a fast and convenient way to spin up new services, and the Internet of Things (IoT), which again provides enhanced connectivity, have both been rapidly rolled out, for instance, and Gartner warns that it is network elements such as these that could act as points of compromise.

At the same time as technology has advanced, so too has the sophistication of attacks. We’ve seen the emergence of ransomware-as-a-service (RaaS), lowering the bar to entry, and organised assaults by nation state actors. There’s been a decrease in the time between when an attack commences and when it is detected, referred to as the dwell time, which went from a median of 10 days to 8 days for all attacks and from 9 days to 5 for ransomware attacks from 2022 to 2023, according to the Active Adversary Report for Tech Leaders 2023 from Sophos. This is most likely due both to improved detection capabilities and to the fact that attackers are moving through the attack stages faster. They’re getting in and getting out with what they came for more quickly, indicating they have refined their TTPs.

Future Threats

We are now on the brink of AI-driven attacks that will further up the ante. Generative AI is expected to reduce costs for cybercriminals by up to 96%, according to the New Scientist, by automating attacks. It will enable the reverse engineering of code, rapid malware development and the creation of backdoors, as well as the crafting of much more convincing phishing campaigns. The latter is particularly worrying when you consider that the largest share of cyber attacks today (41%) use phishing as the vector for infection, according to the IBM Threat Intelligence Index 2023.

To fight back against these escalating and emerging threats, the organisation must become more proactive in identifying possible attack vectors and prioritising defences. Nothing will illuminate those threats more accurately than a red team test, either conducted during a limited time period or run until the attack(s) are discovered by the blue team. Experienced providers will also often supplement their toolkits with open source and customised solutions to ensure maximum leverage, so it’s worth asking what’s in their arsenal.

The value red teaming confers lies in the reporting, which will unveil how far the red team were able to get and give a detailed breakdown of each phase of the attack, from reconnaissance through to the development of payloads, exploitation of vulnerabilities, escalation of privileges and potential exfiltration of data. By delving into these findings the security team can better understand the security posture, from identifying attack paths, to prioritising vulnerabilities and putting in place controls to mitigate issues. But the benefits can also extend further across the business, such as by informing end user education and training and helping to communicate risk to the board.

It's this ability to make security real and relevant to the business that makes red teaming so valuable. As the stakes increase, with business network architectures and workforces becoming more dispersed and attacks faster and more targeted, it’s this customised form of security testing that will help prioritise and target defence, helping to improve resilience.

Phil Robinson is Principal Consultant at Prism Infosec

Image: AndreyPopov
