Due to the rise in both frequency and complexity of cyberattacks, many businesses are investing in security operations centers (SOCs) to enhance the protection of their assets and data. A SOC is the central hub for detecting, investigating and responding to security incidents. It manages a company’s security monitoring, incident response and threat intelligence.
What Is Red Teaming?
Red teaming uses simulated attacks to gauge the efficiency of a security operations center by measuring metrics such as incident response time, accuracy in identifying the source of alerts and the SOC’s thoroughness in investigating attacks.
Red teaming projects show business owners how attackers can combine various cyberattack techniques and strategies to achieve their goals in a real-life scenario. Red teaming allows businesses to engage a group of experts who can demonstrate an organization’s actual state of information security.
Red teaming does more than simply conduct security audits. Its objective is to assess the efficiency of a SOC by measuring its performance through various metrics such as incident response time, accuracy in identifying the source of alerts, thoroughness in investigating attacks, etc. This evaluation is based not on theoretical benchmarks but on actual simulated attacks that resemble those carried out by hackers but pose no threat to a company’s operations.
Red teaming provides a way for businesses to build layered (echeloned) protection and improve the work of the information security (IS) and IT departments. Security researchers highlight the various techniques attackers used during the simulated assault. With this knowledge, the customer can train their personnel, refine their procedures and implement advanced technologies to achieve a higher level of security.
Red Teaming vs. Penetration Tests
Typically, a penetration test is designed to discover as many security flaws in a system as possible. Red teaming has different objectives. It helps to evaluate the operation procedures of the SOC and the IS department and determine the actual damage that malicious actors can cause.
In this context, it is not so much the number of security flaws that matters but rather how well the various protection measures actually work. For example, does the SOC detect phishing attempts, and does it promptly recognize a breach of the network perimeter or the presence of a malicious device in the workplace? How quickly does the security team react? What information and systems do the attackers manage to gain access to? How do they bypass security tools?
During penetration tests, an assessment of the security monitoring system’s performance may not be highly effective because the attacking team does not conceal its actions and the defending team is aware of what is taking place and does not interfere.
For example, a SIEM rule or policy may fire correctly, yet nobody responds to the alert because everyone knows it is just a test and not an actual incident. If it had not been a penetration test, how could one tell whether the SOC would have promptly investigated the security incident and neutralized the attackers in a real situation?
Alternatively, the SOC may have performed well due to the knowledge of an upcoming penetration test. In this case, they carefully looked at all the activated protection tools to avoid any mistakes. However, because they know the IP addresses and accounts used by the pentesters, they may have focused their efforts in that direction.
To evaluate the actual security and cyber resilience, it is crucial to simulate scenarios that are not artificial. This is where red teaming comes in handy, as it helps to simulate incidents more akin to actual attacks.
Preparing for a Red Teaming Evaluation
Preparation for a red teaming evaluation is much like preparing for any penetration testing exercise. It involves scrutinizing a company’s assets and resources. However, it goes beyond the typical penetration testing by encompassing a more comprehensive examination of the company’s physical assets, a thorough analysis of the employees (gathering their roles and contact information) and, most significantly, examining the security tools that are in place.
When there is a lack of initial data about the organization, and the information security department uses serious protection measures, the red teaming provider may need more time to plan and run their tests. They have to operate covertly, which slows down their progress.
Every pentest and red teaming evaluation has its stages and each stage has its own goals. Sometimes it is quite possible to conduct pentests and red teaming exercises consecutively on a permanent basis, setting new goals for the next sprint. Red teaming takes anywhere from three to eight months; however, there may be exceptions. The shortest evaluation in the red teaming format may last for two weeks.
Red Team Attack Vectors and Tools
Red team members can use many tools and techniques to identify vulnerabilities and simulate attacks. This may include port scanners, vulnerability scanners, traffic analysis tools, etc. For example, during the reconnaissance phase, analysts may use email search tools to gather information about the target.
Red teaming vendors should ask customers which vectors are most interesting for them. For example, customers may be uninterested in physical attack vectors.
Also, the customer’s white team (those who know about the testing and interact with the attackers) can provide the red team with some insider information. They could tell them, for example, by what means workstations or email services are protected. This helps estimate whether additional time must be invested in preparing attack tools that will not be detected.
Evaluating the Effectiveness of Red Teaming
Various metrics can be used to assess the effectiveness of red teaming. These include the scope of tactics and techniques used by the attacking party, such as:
- Web application pentesting
- Password cracking
- Malware delivery
- Physical infiltration
- Wi-Fi interception
One of the metrics is the extent to which business risks and unacceptable events were realized, specifically which goals the red team achieved.
Additionally, the effectiveness of the SOC’s protection mechanisms can be measured, including the specific stage of the attack that was detected and how quickly it was detected.
An overall assessment of protection can be obtained by assessing the value of assets, damage, complexity and duration of attacks, as well as the speed of the SOC’s reaction to each unacceptable event.
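The metrics above (which attack stage was detected, how quickly it was detected, how fast the SOC reacted, and which unacceptable events the red team reached) can be computed by lining up the red team's action timeline against the SOC's alert and containment timeline. The following is an added example, not code from the original article or from any particular red teaming vendor; the stage names, timestamps and detection records are constructed for illustration.

```python
"""Scoring a red team exercise against the SOC's response (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RedTeamAction:
    stage: str          # attack stage as logged by the red team
    started: datetime   # when the red team executed the stage
    goal_reached: bool  # True when this stage realized an "unacceptable event"


@dataclass(frozen=True)
class SocDetection:
    stage: str                     # red team stage the SOC alert corresponded to
    detected: datetime             # when the SOC raised and triaged the alert
    responded: Optional[datetime]  # when containment happened; None if never


# Constructed exercise timeline: the red team's own log of what it did and when.
T0 = datetime(2024, 1, 8, 9, 0)
H, D = timedelta(hours=1), timedelta(days=1)

ACTIONS: List[RedTeamAction] = [
    RedTeamAction("reconnaissance", T0, False),
    RedTeamAction("phishing", T0 + 2 * D, False),
    RedTeamAction("initial_access", T0 + 2 * D + 3 * H, False),
    RedTeamAction("privilege_escalation", T0 + 4 * D, False),
    RedTeamAction("lateral_movement", T0 + 5 * D, False),
    RedTeamAction("data_access", T0 + 6 * D, True),  # the agreed unacceptable event
]

# Constructed SOC timeline, reconciled with the red team log after the exercise.
DETECTIONS: List[SocDetection] = [
    SocDetection("phishing", T0 + 2 * D + 0.5 * H, T0 + 2 * D + 4 * H),
    SocDetection("lateral_movement", T0 + 5 * D + 6 * H, None),  # alert never acted on
    SocDetection("data_access", T0 + 7 * D, T0 + 7 * D + 2 * H),
]


def hours(delta: timedelta) -> float:
    """Express a timedelta in hours, rounded for reporting."""
    return round(delta.total_seconds() / 3600, 2)


def stage_report(actions: List[RedTeamAction],
                 detections: List[SocDetection]) -> Dict[str, dict]:
    """Per-stage view: was it detected, how long until detection and containment."""
    by_stage = {d.stage: d for d in detections}
    report: Dict[str, dict] = {}
    for a in actions:
        d = by_stage.get(a.stage)
        row = {"goal_reached": a.goal_reached, "detected": d is not None,
               "time_to_detect_h": None, "time_to_respond_h": None}
        if d is not None:
            row["time_to_detect_h"] = hours(d.detected - a.started)
            if d.responded is not None:
                row["time_to_respond_h"] = hours(d.responded - d.detected)
        report[a.stage] = row
    return report


def summarize(actions: List[RedTeamAction],
              detections: List[SocDetection]) -> dict:
    """Exercise-level metrics of the kind the article lists."""
    report = stage_report(actions, detections)
    detected = [s for s, r in report.items() if r["detected"]]
    ttd = [report[s]["time_to_detect_h"] for s in detected]
    ordered = sorted(actions, key=lambda a: a.started)
    return {
        "detection_rate": round(len(detected) / len(actions), 2),
        # earliest stage in the attack chain at which the SOC noticed anything
        "first_detected_stage": next(
            (a.stage for a in ordered if report[a.stage]["detected"]), None),
        "mean_time_to_detect_h": round(mean(ttd), 2) if ttd else None,
        # alerts that fired but were never acted on: the situation the article warns about
        "detected_but_not_contained": [
            s for s in detected if report[s]["time_to_respond_h"] is None],
        "unacceptable_events_reached": [
            s for s, r in report.items() if r["goal_reached"]],
    }


if __name__ == "__main__":
    for stage, row in stage_report(ACTIONS, DETECTIONS).items():
        print(f"{stage:22s} {row}")
    print(summarize(ACTIONS, DETECTIONS))
```

The per-stage table is the useful debrief artefact: a stage that was detected but never contained (here, lateral movement) points at a process gap rather than a tooling gap, while a stage that was never detected at all points at missing telemetry or rules. The exercise-level summary gives the single numbers (detection rate, mean time to detect, which unacceptable events were reached) that can be compared across successive red teaming sprints.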
Legal Risks of Red Teaming
While describing the goals and limitations of the project, it is necessary to understand that a broad interpretation of the testing areas may lead to situations when third-party organizations or individuals who did not give consent to testing may be affected. Therefore, it is essential to draw a distinct line that cannot be crossed.
Let’s say a company rents an office space in a business center. In that case, breaking into the building’s security system is illegal because the security system belongs to the owner of the building, not the tenant.
All sensitive operations, such as social engineering, must be covered by a contract and an authorization letter, which can be submitted in case of claims by uninformed parties, for instance police or IT security personnel. The authorization letter must contain the contact details of several people who can confirm the identity of the contractor’s employees and the legality of their actions.
Red Teaming and Data Leaks
Some customers fear that red teaming can cause a data leak. This fear is largely unfounded: if the researchers managed to find something during the controlled test, real attackers could have found it too. Security experts work officially, do not hide their identity and have no incentive to allow any leaks. It is in their interest to prevent any data leak so that suspicion does not fall on them.
In addition, red teaming vendors minimize possible risks by regulating their internal operations. For example, no customer data may be copied to their devices without an urgent need (such as downloading a document for further analysis). All necessary measures are applied to protect this data, and everything is destroyed after the work is completed.
Future of Red Teaming
Due to Covid-19 restrictions, increased cyberattacks and other factors, companies are focusing on building a layered (echeloned) defense. As they raise the degree of protection, business leaders feel the need to conduct red teaming projects to verify that the new solutions work as intended.
In the future, more complex red teaming scenarios are expected. The maturity of services will increase. They will involve SOCs, contractors, IS services and insiders. More organizations will try this method of security evaluation. Even today, red teaming projects are becoming more understandable in terms of goals and assessment.
This sector is expected to experience active growth. However, this will require serious investments and willingness from companies to increase the maturity of their security services.