What is Red Teaming


Red Team emulates Tactics, Techniques, and Procedures (TTPs) of real adversaries to improve the people, processes, and technology in the target environment. The goal is to make the Blue Team better by training them and testing the detections, response policies, procedures, and technologies in place.

Red Teaming vs Penetration Testing

Red teaming is sometimes mistaken for penetration testing, but the two are not the same.

A penetration test is scope-based. Its purpose is to cover the full attack surface of an application, network or process and find all the vulnerabilities in it. The goal is not to stay silent and avoid alerting the SOC, but to use every available means to carry out the security assessment.

A red team engagement, on the other hand, is objective-based and should cover non-technical controls as well as technical ones. Its purpose is to reach the objective without alerting the SOC or getting caught, so red teams put a heavy emphasis on stealth. Engagements are often built around social engineering of people and abuse of Active Directory.

Why Red Teaming?

Red Team Exercises and Adversary Emulations are used for a variety of reasons:

Obtain a comprehensive picture of the organization's data

Most offensive security evaluations are restricted in scope and focus on technology. “Only test this URL or these IP addresses.” While such vulnerability assessments and/or penetration tests are highly beneficial to a business, they do not give a comprehensive evaluation or perspective of the security posture of the whole firm.

End-to-end adversary simulation, also known as full Cyber Kill Chain emulation, will give a comprehensive perspective of the organization's defense in depth strategy and allow it to be tested.

Test people, process and technology

Testing something is the only way to determine whether it has improved. In a genuine attack or breach it is difficult to establish the exact timing of the attacker's activity and correlate it with the defenders' reaction. In a red team exercise the Red Team records the time of each activity, so the responsiveness of people, process and technology can be measured precisely: what was detected or prevented, and when?
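One way to turn the recorded timings into measurable answers, as an added Python example that is not part of the original article: it assumes constructed red-team and SOC logs that share ATT&CK-style technique labels (an assumption for correlation), and reports which actions were prevented, detected (with time-to-detect in minutes) or missed.

```python
from datetime import datetime
from statistics import median

# Constructed sample logs (not from the page). The red team timestamps each
# action with a technique label; the SOC records alerts and blocks with the
# same label so the two can be correlated after the exercise.
RED_LOG = [
    "2024-03-01T09:00:00 T1566.001 phishing email delivered to finance mailbox",
    "2024-03-01T09:35:00 T1059.001 encoded PowerShell stager run on WS-FIN-07",
    "2024-03-01T10:10:00 T1003.001 LSASS memory read attempted on WS-FIN-07",
    "2024-03-01T11:00:00 T1021.002 SMB admin-share access to FS-01",
]
BLUE_LOG = [
    "2024-03-01T09:41:00 ALERT T1059.001 suspicious encoded command line",
    "2024-03-01T10:10:05 BLOCK T1003.001 Credential Guard denied LSASS access",
    "2024-03-01T13:30:00 ALERT T1021.002 anomalous admin share access",
]

def score_exercise(red_log, blue_log):
    """Correlate red actions with blue alerts; return per-technique outcome
    plus summary metrics (coverage, prevention count, median time-to-detect)."""
    actions = {}
    for line in red_log:
        ts, tech, _desc = line.split(" ", 2)
        actions[tech] = {"executed": datetime.fromisoformat(ts),
                         "outcome": "missed", "ttd_min": None}
    for line in blue_log:
        ts, kind, tech, _desc = line.split(" ", 3)
        act = actions.get(tech)
        if act is None:
            continue  # alert not tied to an exercise action; ignored here
        delta = (datetime.fromisoformat(ts) - act["executed"]).total_seconds() / 60
        if kind == "BLOCK":
            act["outcome"] = "prevented"   # a block outranks a mere alert
        elif act["outcome"] == "missed":
            act["outcome"] = "detected"
        if act["ttd_min"] is None or delta < act["ttd_min"]:
            act["ttd_min"] = round(delta, 1)  # earliest blue reaction wins
    detected = [a["ttd_min"] for a in actions.values() if a["outcome"] == "detected"]
    prevented = sum(a["outcome"] == "prevented" for a in actions.values())
    summary = {
        "techniques": len(actions),
        "coverage": round((len(detected) + prevented) / len(actions), 2),
        "prevented": prevented,
        "median_ttd_min": median(detected) if detected else None,
        "missed": sorted(t for t, a in actions.items() if a["outcome"] == "missed"),
    }
    return actions, summary
```

The `missed` list is the most useful output for the Blue Team, since each entry is a technique that ran without any recorded reaction.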

Test Assumptions

Stakeholders in companies (especially senior management) frequently assume that something is operating in a certain way. The Red Team can test that assumption to see if it's true or not.

Train and Improve Blue Teams

One of the most important parts of Red Team Exercises and Adversary Emulations is training the Blue Team. The Blue Team might be made up of anyone in an organization (or defenders). From the Human Resources department assessing new hires before they start working for the company to the analyst who detects and reports phishing attempts, everyone is involved. Most references to the Blue Team mean the security analysts who spend their time monitoring and defending a network: the Security Operations Center (SOC). While they are the primary Blue Team, everyone in the organization should be considered a member of the Blue Team and an organization defender.

Red Team vs Threat Emulation

An Adversary Emulation is a type of Red Team Exercise in which the Red Team emulates how a specific adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective (similar to those of realistic threats or adversaries).

Red Team vs Purple Team

Purple Teaming is a function or process, not an individual team, where the Red and Blue Teams work together. While many Red Team Exercises and Adversary Emulations are performed “blind” from the Blue Team perspective, Purple Team engagements are fully known and performed together with the Blue Team. They often follow a scenario, in order to test the detection of new TTPs or tools.
