Cyber Security

Luke Hally

Red teaming

September 19, 2022
An overview of Red Teaming and the role it plays in cybersecurity. Who should use it, how does it differ from penetration testing and is it better than Purple Teaming?

Red teaming, also known as a Cyber Red Team exercise, is recognised as one of the best ways to assess the robustness and resilience of your cybersecurity and how well your defences stand up to a cyber-attack. It is a simulated attack performed against targeted areas of a business, which could include vectors such as: ICT – networks, applications, routers, appliances; People – staff, contractors, business partners; Physical – offices, substations, data centres, other buildings.

By simulating a real, determined attack, a Red Team helps to improve security by demonstrating the impacts of successful attacks and also by highlighting which controls worked for the defenders (i.e., the Blue Team) in an operational environment. Although Red Team exercises are multi-layered to help bypass defence in depth, they do have a scope, and some aspects are usually out of scope, such as attacking personal relationships and supply chains – even a simulation against these could cause real-world damage.

Red teaming and penetration testing are both ways of assessing an organisation’s security. Penetration testing aims to reveal all the technical vulnerabilities and assess their risk within the scope of the test, usually within the six buckets of:

  1. External Network Penetration Testing
  2. Internal Network Penetration Testing
  3. Social Engineering Testing
  4. Physical Penetration Testing
  5. Wireless Penetration Testing
  6. Application Penetration Testing. 

Red teaming, by contrast, is a simulated attack with the goal of exploiting a vulnerability, then progressing through the attack lifecycle and getting hold of the most valuable asset possible. From an organisation's perspective, this gives a more in-depth view of how its defences stand up to a committed attack. It will give insights into which defences worked and which didn't, as well as the performance of intrusion detection and how the Blue Team's incident response ran.

In short, we could say that a penetration test provides a to-do list to improve security, whereas Red Teaming is an interactive learning and coaching activity, where not only the list of failures is taken away but the actual experience and knowledge gained during the event is beneficial to the organisation.

One of the best ways to gauge how your defences perform during a cyber-attack is to experience an attack, and this is where Red Teaming is useful. It isn't just about identifying holes in your defence, as you would with penetration testing. It is about testing your defences in a multi-layered way to find a path through them. We could think of it as a way of testing our defence in depth measures. Penetration testing will tell us where we have vulnerabilities, whereas Red Teaming tells us how well our controls for those vulnerabilities have performed.

Red teaming can benefit an organisation of any size, but to really extract value from it, you need to be ready. An organisation should have a reasonably mature security posture, having undertaken at least three different penetration tests and having set up controls and monitoring as a result. Once this is done, a Red Team exercise can add value by validating the security controls the organisation has in place.

This applies regardless of size: if an organisation has valuable assets, then criminals will try to compromise them. Business Email Compromise is an example of criminals targeting small and medium businesses.

A simple example of a Purple Team is a Red Team member embedded in a Blue Team. The advantage is that the Blue Team now has someone with an attacker mindset in the team, sharing their knowledge and identifying indicators of attack. Whether one is better or worse than the other depends on the context and purpose of the exercise. An organisation that has just reached a level of maturity where it has implemented the findings of a penetration test, set up monitoring and is now ready to test its security could benefit from the coaching aspect of Purple Teaming to accelerate the learning process. Whereas an organisation which has been through multiple Red Team exercises and has a battle-hardened Blue Team may be looking to push its defenders, so Purple Teaming may be not only an additional expense but detrimental to the desired outcome.
