TECH Talk Q&A: Red Team Testing

Stroz Friedberg is a specialized risk management firm built to help clients solve the complex challenges prevalent in today’s digital, connected, and regulated business world.

We have collected and summarized some of the top questions we received from our webinar, “Seeing Red: Tales from the Red Team”.

For more information on this topic watch the full webinar here.

1) What is the difference between traditional Penetration Testing and Red Teaming?

On the face of it, Red Teaming and ‘traditional’ penetration testing might look alike in some aspects, but they have many fundamental differences.

  • Red Teaming is ‘depth’ driven – how far into an organization can you infiltrate? It will commonly exploit some vulnerabilities to achieve the objective, but this will be done mainly through a single attack path. Red Teaming is not attempting to use all possible attack vectors to achieve the objective. Penetration testing is often regarded as a ‘coverage first’ exercise, in that as many vulnerabilities as possible are identified but not necessarily exploited.
  • Because of the goal, the Red Team needs a broad scope. There shouldn’t be limitations on what can be attacked; otherwise some attack paths may not be possible, potentially giving a false sense of security. A regular penetration test will be limited in scope: only specific URLs or servers can be targeted.
  • The Red Team is often going in ‘blind’, having to perform some initial reconnaissance. Penetration testing can be black-box, but most of the time there will be at least some information about the technology in use, and potentially documentation as well.
  • Red Teaming uses a “low and slow” approach, trying to remain as stealthy as possible. We do not usually perform port scanning or other noisy attacks, which are typically used in a penetration test.
  • During Red Teaming you might end up using a wide variety of techniques and attacks, such as social engineering or network poisoning, which may not be an option during a normal penetration test.
  • Finally, there is also a fundamental difference in the fact that the Red Team is procured at the C-suite level or by legal counsel, whereas penetration tests are usually requested by project teams.

2) What are the benefits of Purple Teaming and how does it compare to Red Teaming?

Most of the time, Red Teaming can be quite adversarial, as it is opposed in all aspects to the blue team. Experience has shown us that collaboration between the two methods gives outstanding results. This approach, recently coined ‘Purple Teaming’, attempts to make those two teams work together for increased efficiency. Purple Teaming is executed as a continuous effort from both red teamers and blue teamers to refine the effectiveness of the attack strategies and of the defences against them.

In a Red Teaming engagement, we include recommendations at the end of the assessment. In a Purple Teaming engagement, however, we provide recommendations in each phase of the assessment and replicate the same attacks and/or bypasses of those recommendations, in order to lock down each issue as efficiently and as fully as possible.

3) How is Red Teaming better than a cyber-table top exercise with executives?

The primary goal of a Red Team engagement is to train the blue team (i.e. individuals, technologies, and processes). A table top exercise is usually used to rehearse against defined scenarios.

In both cases, the intention is to test how an organization will respond; however, a Red Team engagement can potentially test this to a far deeper level and test other items, such as the organization’s ability to detect a breach in the first place, as well as uncovering weaknesses in the organization’s security posture that were previously unknown.

The Red Team serves that purpose, in that it shows the real impact of a compromise with an attack on live systems, in real-life conditions.

4) How does a Red Teamer keep up with the latest attack techniques?

It requires regular research in the area, in order to constantly improve existing methods or weaponize newly discovered techniques. It is a significant time investment on top of normal delivery time, compared to more traditional penetration testing. We share updates across our global Red Team to discuss the latest techniques and tools; this way the whole team can benefit from new findings, and it ensures consistency. We review the latest publications from the community on a daily basis (Twitter, private channels, blogs, etc.). It is a rapidly changing landscape, so we are constantly investing our time to stay ahead.

5) How can I build my own Red Team?

There are a few differences between building an internal Red Team and hiring an external independent firm, which we covered in the webinar. In terms of building a corporate Red Team, here is some suggested reading material.
