Red Teaming - A Controlled Stress Test for Your Company

17. November 2022

During the Red Team Assesment, our security experts evaluate the resilience of your security organization against a cyber attack under real-life conditions. This way you receive a comprehensive overview of your real security level. 

Mark Zorko, Senior Consultantat usd HeroLab and responsible for our Red Team Assessments, explains in our interview what Red Teaming is all about, for whom it is relevant, what makes it different from penetration tests (pentests) and how we can help you achieve more security. 

How do we define Red Teaming?

During a Red Team Assessment, our analysts assume the role of a malicious attacker. Together with you, we define an individually elaborated threat scenario in advance. This includes clarifying the following questions: Which IT assets are particularly worth protecting for you? Should a special attack scenario be simulated during the Red Team Assessment? Which attacker perspective should the security analysts simulate during the assessment? That of an internal attacker (e.g., dissatisfied employee), an external attacker with no prior access to the organization, or the perspective of an attacker with physical access to the organization but without legitimate access to the IT infrastructure (e.g., service providers)? Our Red Team uses methods, techniques and approaches in the attack simulation that real attackers also use. In this way, we exploit vulnerabilities in technologies, processes and the human factor to achieve the previously jointly defined goals. This can be, for example, a ransomware attack, the exfiltration of important business secrets from internal databases or the (of course simulated) sabotage of production processes. This will tell you, among other things, how effective the defenses of your security organization or Blue Team* (hereafter "defenders") are. These are usually not informed about the Red Team Assessment in order to be able to realistically test the resilience during the scenario.  

As soon as all general conditions are clarified, we start with the simulated attack. In that process, we check, among other things: Was the Red Team cyber attack successful? Was it noticed by the defenders? If so, was it detected in time to prevent greater damage? Or were only parts of the attack detected while the main attack was allowed to continue in the background? Did the defenders manage to take effective action to stop the attack? The vulnerabilities identified during the attack simulation in technology as well as in processes and in the human factor will be made available to you afterwards, including recommended measures. If you wish, we can discuss the results with all participants in a joint debriefing. A Red Team Assessment thus provides you with valuable insights into your ability to defend against hacker attacks. In this way, you can strengthen your cyber protection in a targeted manner and significantly reduce your company ris

Who should conduct Red Team Assessments?

Basically, every company that deploys a dedicated team for defense against cyber attacks should conduct Red Team Assessments. After all, this is the only way to thoroughly test the effectiveness of the defense against cyber attacks and implement appropriate measures to improve your IT security. In addition, we also see the assessments as a challenge and learning opportunity for the defense team. It allows them to train their skills under real conditions so that they can act correctly in a real emergency. In addition, companies that are subject to the requirements of BaFin use Red Team Assessments according to TIBER-EU to fulfill the awareness measures in preparation for the BAIT audits. We understand Red Teaming Assessments as complementary to pentests, as the objective is different. 

What is the difference between pentests and red team assessments?

During In a pentest, the main focus is usually on uncovering as many technical vulnerabilities as possible in a specific test object. If these are then remedied afterwards, real attackers will find it more difficult to penetrate in the future. In pentests, the main focus is therefore on reducing attack surfaces in the technology.  

During a Red Team Assessment, on the other hand, the focus is on the overall state of your defense capabilities and the successful compromise of the pre-defined target, e.g. the database of your R&D department. Thus, the assessments can simulate realistic, highly professional attacks by attacker groups that attack your company in multiple stages. Like real attackers, the Red Team will proceed with extreme caution and refrain from doing anything that would risk detection by the defenders. Thus, unlike a pentester, a Red Team will not attack many vulnerabilities at all if they do not directly serve the mission objective. This is because it would lead to an unnecessary risk of detection.  

This example shows the very different goals and methods - and how pentests and red team assessments complement each other. 

What information does the Red Team have up front?  

How much information the Red Team has in advance depends on your desired approach or attacker perspective. In a so-called "full engagement" approach, the Red Team receives little or no information from you and must therefore first begin with the so-called reconnaissance phase. This includes, among other things, scouting out the defined target, gathering information about the technical infrastructure, evaluating employees' social media accounts, or enumerating employees' e-mail addresses. The information obtained in this way can then be used for targeted phishing attacks, for example, to gain control of a workstation belonging to one of your employees and thus access to your internal network. From this point, the actual attack on the internal network then begins. However, it can often be assumed that a targeted phishing attack by a persistent and professional attacker will succeed sooner or later.  

Therefore, it is alternatively possible, using the "Assumed Breach" approach, to start directly at this point. For example, by having an employee privy to the operation intentionally click on a manipulated email attachment. No company today should assume that it can absolutely prevent attacker intrusion. The real question is: Will such an intrusion be quickly and reliably detected and effectively stopped in its tracks? Many customers therefore opt for the "Assumed Breach" approach, which concentrates the Red Team's resources on precisely these questions. 

What else should companies know about red teaming?

Red Team Assessment projects are highly individual. The specific design of the Red Team Assessment depends largely on the type of simulated threat, the attacker model, and the goals set. Our Red Team Assessment always takes place within a controlled framework and with the involvement of your company's contact persons. You decide, for example, whether certain parts of the infrastructure should be excluded or whether certain tests should only be carried out at certain times. Learn more about our approach here. Do you need support? Please feel free to contact us! 

*Blue Team = The Blue Team are in-house IT security experts who defend the company against hacker attacks and Red Team offensives.

Also interesting:

Top 3 Vulnerabilities in Mobile App Pentests

Top 3 Vulnerabilities in Mobile App Pentests

During their penetration tests (pentests), our security analysts at usd HeroLab repeatedly uncover vulnerabilities that pose significant risks to corporate security. They increasingly encounter the same vulnerabilities. Our blog series "Top 3 Vulnerabilities" presents...