A Red Team security evaluation consists of carrying out cyberattacks against the organization being evaluated, mimicking what a real attacker (group of attackers, adversary organization, etc.) could do, using their very same methods and resources, with the goal of identifying and exploiting potential vulnerabilities in the prevention, detection and response countermeasures of the target organization.
Nevertheless, although the attacks are conceived and performed in the most realistic fashion possible, in order to obtain an accurate picture of the organization's level of protection against real attacks, Red Team exercises obviously differ from attacks by a real adversary in one fundamental respect: the attacks are carried out with the authorization of the target organization, and the Red Team commits to causing no real damage and to reporting to the target organization any and all vulnerabilities it identifies during the exercise.
Our Red Team service provides our clients with answers to important questions like:
Performing Red Team exercises in an iterative fashion allows the organization to notably and progressively improve its security posture, to a level that would not be reachable by using only vulnerability assessments or penetration tests (pentests).
In summary, it is all about staying a step ahead of the attackers, detecting vulnerabilities and preventing security breaches that could have an irreparable cost for the organization.
A vulnerability assessment consists of performing an analysis of the attack surface of an organization, searching for known vulnerabilities: comparing versions of installed software with those affected by known vulnerabilities, running automatic vulnerability detection tools, etc. This is a basic activity that needs to be done no matter what.
In a penetration test (pentest) a targeted attack is carried out against a delimited environment, usually limited in time, with a dedication that does not normally exceed three weeks, with the goal of identifying as many vulnerabilities as possible in the allotted time. The scope of the pentest needs to be very well defined and limited in order to make efficient use of the time assigned for the analysis. Performing pentests allows the organization to identify vulnerabilities in specific environments that would not be found by simple vulnerability assessments.
Finally, a Red Team evaluation provides the organization with a much more realistic view of its protection capabilities (prevention, detection and response) against real cyberattacks. An ultimate goal is established and the Red Team is free to explore alternative attack paths that might enable it to reach that goal. The Red Team will carry out reconnaissance activities, identify specific attack techniques and vectors to breach the target organization, develop any tools needed (including the design and deployment of APTs) and launch the attacks just as a real attacker would, always in close coordination with the contact person at the target organization, so that the attack is fully controlled and safe.
The duration and effort of each Red Team exercise are agreed beforehand, taking into account the scenario of adversarial resources and capabilities to be simulated, but they rarely fall below the three-month mark. The order of magnitude is therefore much bigger than that of the other two types of tests described earlier. This kind of evaluation does not attempt to be a comprehensive analysis of all vulnerabilities present in the systems. Instead, it focuses on finding the path of least resistance to achieve the specified goal, under the same conditions that a real attacker would have, thus providing a perspective that is different from and complementary to the other types of security evaluations.
At Layakk we are of the opinion that the following three factors are key for a Red Team exercise to be truly effective and efficient.
One factor to be considered is the technical and lateral-thinking capabilities of the Red Team, to devise and implement attacks as a real attacker would.
Another key factor is the ability of the Red Team to effectively communicate the results of its exercises. Keep in mind that the sole goal of the exercise is to improve the security of the target organization, and that can only be achieved through a thorough analysis by the organization of all the information about the vulnerabilities found by the Red Team during the attack, which, obviously, the Red Team needs to communicate to the organization at the end of each exercise.
Finally, a third factor that is also key, and probably the most important, is the reliability of the Red Team. The organization needs to trust the Red Team to scrupulously comply with the rules of engagement while pursuing the goals of the evaluation, to report all relevant information at the end of it, and to treat with maximum care all data to which it might gain access during the exercise. At Layakk we are fully aware of the responsibility that such trust entails, and we are proud to say that our clients usually end up becoming permanent partners with us in their continuous effort to improve their security.
The term “Red Team” comes from the execution of this kind of training exercise, traditionally in military environments, where one team plays the role of defender, arbitrarily named the “Blue Team”, and the other team plays the role of attacker, arbitrarily named the “Red Team”.
Confidentiality is an essential value in our relationship with our clients, and therefore we do not disclose with whom we work unless we have express authorization from the client, which we do not request from them for publicity purposes. The closest we have to a set of references are the public presentations we occasionally give about attack techniques that we have used in past Red Team exercises (always after anonymization and client approval), which are available on the Internet. In the Research section of our web page you can find links to some of them.