RED TEAM DOCUMENTATION
In a football match, there’s always offensive, defensive and center player roles in every team. Offensive players are the ones trying to break the defensive perimeter of the opponent and strike a goal, the defensive players are the ones trying to prevent the opponent from breaking their guard while the center player does enhancing both these for their team.
The same ones do exist in information security sector. The roles and responsibilities are the same as that of football but the terms used to define them vary. Here, the center team is the Purple team, the defensive team is the Blue team while the offensive team is none other than the Red team. This document will elucidate the deeds of Red team swiftly.
WHAT IS RED TEAM?
Red teams emulate real world attacking scenarios by getting into the shoes of a malicious hacker and launching attacks on a target’s security environment to exploit the systems/networks as much as possible. This is done by using various tools (both paid and commercial), techniques (based on OWASP, NIST, PTES and others) and through malicious coding practices.
It is an effective way to show the prevalent loopholes persisting in an organization’s security landscape, the potential ways they could be exploited and the attacks that could be driven from then and destroying the feel of ‘Zen’ for an organization. It further provides a pre-glimpse on how miserable things would look if security posture gets compromised.
Of-course, this is a Himalayan feat but the well-planned strategies deployed and executed make this look simple for hackers. Even the most sophisticated firewall and antivirus in the world means trivial against a well-planned deceiving strategy for hackers, which makes red team presence inevitable for an organization to foresee and prevent such occurrences.
What are some common Red Team tactics?
Many may wonder why Red teamers are more paid and dangerous than traditional pentesters?
Traditional testers only test the target using antiquated and routine techniques and their testing is confined within the given scope. This isn’t the case for Red teamers. They aren’t the old school testing guys whom practice monotonous techniques during testing. They are just given a task “Break this organization’s security defenses and gain internal access.” That’s it…. Since then, they use various tools (even indigenous), strategies, focus on various verticals (even through hardware compromises), updated hacking principles and execute all their wide range of prowess with one sole determination, “Break it!” Here are some of the most common ways that red team assessors do:
- Think outside the box: One sure quality for a skilled red teamer is to think outside the box and using or developing new tools and strategies to exploit the data and help blue team enrich their defense activity for helping company security. However, these wouldn’t be liked by the organization nor the blue team to be pin-pointed with their flaws but they’ve got to accept it if betterment is wanted.
- Dense Knowledge of systems: Having deep knowledge of computer systems, protocols and libraries and known methodologies will give you a clearer road to success. It’s crucial for a red team to possess an understanding of all systems and follow trends in technology. Having knowledge of servers and databases will allow you more options in finding ways to discover their vulnerabilities.
- Email and phone-based social engineering: With dedicated reconnaissance on individuals and organizations, phishing emails become undistinguishable from the legitimate ones and many fall into the bait of traps. This is the best weapon in red team’s arsenal as human insanity is ever an ongoing issue. Also, this is the most effective method to reach their goal i.e., do compromises.
- Network service exploitation: Exploiting unpatched or misconfigured network services can provide an attacker with access to previously inaccessible networks or to sensitive information. Often times, an attacker will leave a persistent back door in case they need access in the future. Red teamers waste no time in trying exploiting this.
- Physical facility exploitation: Gaining access to a secure facility is often as easy as following someone through a door. Red teamers sometimes try to impersonate as someone authentic or cover up as a doppelganger of another in order to gain physical access of the target, legitimately with the noble intention of indicating the physical security holes in an organization and ways to improve it.
- Application layer exploitation: Web applications are often the first thing an attacker sees when looking at an organization’s network perimeter. In order to give a chance for hackers, red teamers get into the shoes of a hacker and try to exploiting all the web application vulnerabilities (e.g., cross-site scripting, SQL injection, cross-site request forgery, etc) to fix the defects that detractors can use.
- Incessant R&D on it: A vulnerability that arose today becomes obsolete tomorrow as thousands of new ones pop-up every day. Hence, it’s mandatory for red team to know what are the latest vulnerabilities that are found and the ways they could be possibly exploited in order to check if organization security can be scoffed if a 3rd party manages to get it done. Thus, continous R&D is the key.
- Constantly updating the blue team: As much of the flaws red teamers find and exploit, they must also know to inform them to the blue team who’s responsible for the other side of the line, defense-in-depth. Constant discussions on the ways available for attacking, the ways for thwarting them, the ways to bypass those defenses, the ways to block them with better defensive techniques and this back-and-forth conversations must be ongoing by the red and blue team to best protect the organizations from any potential cyber threats.
- Discussions with the management team: If any requirements is lagging for red team, it should be brought to management notice rather waiting for them to ask and know about it. A weekly review of what are the deficit findings found, the insights given to blue team to numb these attacks by deploying better defenses, the progress in various researches and other such should be discussed during that time in order to make the management feel confident in their investments for the security team and happy to do more.