Philosophy of Red Teaming:
- Attack is the secret of defence; defence is the planning of an attack - The Art of War, Sun Tzu
- To defend better, you need to know how to attack and how to stop that attack!
Answers to important questions about Red Team security:
- Red Teaming is a form of penetration testing whose main aim is to avoid detection by the Blue Team and to persist in the target environment for as long as possible. It is part of offensive security testing, with a particular focus on post-compromise attacks.
- Red Teaming is like administering a vaccine: it prepares the host (here, the organization) to learn how to fight back when an actual foreign body (black hat adversaries, rogue nation-state actors, advanced persistent threats (APTs), etc.) has entered the system (network).
- Blue Teams are also called defenders. They mostly consist of the SOC team, IT infrastructure teams such as the Server Team and Network Team, the Incident Response Team, etc. The SOC team monitors events and threats and, based on its intel, the infra teams further secure the infrastructure; i.e. Blue Teams are reactive in nature, meaning they wait for things to happen.
- Red Teams constantly simulate attacks on the IT infrastructure. They are proactive in nature: they simulate real attackers when penetrating defences and try to get inside and remain inside the network undetected. Their role is to expose lapses in defences so that the overall security posture can be improved.
- Red Teams can act as a catalyst for Blue Teams to tune the configuration of their security tools to the Red Team's attack vectors and post-compromise behaviour.
- Where penetration testing checks the defences, Red Teaming checks the defenders: it measures the overall capability of the Blue Team to see how quickly it can detect and respond to an actual anomaly.
- The objectives of a Red Team exercise are:
- To check an organization's preparedness for detecting attacks and responding to them.
- To learn how fast the organization detects a breach and determines the presence of unwanted foreign personnel on its network.
- To test the effectiveness of the Incident Response Team.
- To determine how well the cyber-security maturity model adopted by the organization is actually applied.
- To understand the immediate steps an organization would take after an attack.
- An organization with a robust IT infrastructure and a dedicated Blue Team equipped with SIEM/SOAR (Security Information and Event Management / Security Orchestration, Automation and Response), EDR (Endpoint Detection and Response), AV (Antivirus), FIM (File Integrity Monitoring) and PAM (Privileged Access Management), which wishes to measure how well tuned that infrastructure actually is to detect, stop and mitigate an actual attack, should go for a Red Team exercise.
- There are different approaches to red teaming. Before looking at them, let's decode the meanings of simulate and emulate. As per the Cambridge dictionary, emulate means to copy something achieved by someone else and try to do it as well as they have, and simulate means to do or make something that looks real but is not real.
- Now, let's look at the types of approaches:
- Adversary Simulation: here, red teamers use different TTPs (Tactics, Techniques and Procedures) to simulate attacks. The MITRE ATT&CK framework can act as a reference guide for this.
- Adversary Emulation: here, red teamers try to mimic the behaviour of a real-life criminal hacking organization, group or institution. All TTPs used emulate how a particular APT group would operate if and when it breached the network. The result of such a security assessment shows how ready the organization is to face that particular adversary. This is focused on simulating particular bad actors rather than following a generalized approach.
- Purple Teaming: here, the Red Team and Blue Team, instead of working individually according to their own calendars, work together under the common leadership umbrella of Purple Teaming. The Red Team's work complements the Blue Team's, i.e. the pre-planning information needed to achieve both security and detection for an attack scenario is decided up front, and both teams work in close coordination toward the common goal of securing the organization against that particular attack scenario before moving
- The report here is like a penetration testing report but also contains a dedicated detection section for Blue Teamers to refer to, so that they can configure all IT security products to detect the attack at the earliest opportunity.