What is Red Teaming? 

Red teaming is a proactive, strategic evaluation of an organization’s cybersecurity defenses. By simulating realistic cyber threats, red teaming uncovers potential weaknesses that could be exploited by cybercriminals. The main goal of a red team is to provide an unbiased assessment of a company’s security posture, adopting the tactics and strategies of potential adversaries.

This approach helps organizations identify blind spots, reveal hidden risks, and test the effectiveness of their current security controls. 

Red teaming offers numerous advantages. It uncovers vulnerabilities that traditional security assessments may miss. Through simulated attacks, organizations can discover weak points within their infrastructure, applications, and processes, empowering them to proactively address these issues.

This process also enhances an organization’s incident response capabilities, allowing them to identify gaps in their incident response plans, thereby boosting their overall resilience. In the ever-evolving landscape of cybersecurity, red teaming serves as a proactive tool to stay one step ahead of potential threats

By performing a red team engagement, organizations can test the effectiveness of their technology, processes, and people to identify gaps, mitigate vulnerabilities, and gather insight to guide them for future security efforts. 

Red Teaming vs. Pentest

It is common to confuse red teaming with penetration testing, also known as a pentest, and there’s a good reason for that. A red team is a long-term, team-based, and goal-oriented adversarial attack simulation exercise of a target organization. A red teaming exercise is built out of many types of penetration tests that could run simultaneously but towards a clear goal, which is defined before starting the actual testing.

A penetration test aims to find as many critical and high-risk vulnerabilities as possible within a defined scope, objectives, and time constraints. These are the three main things you agree upon with a customer before starting the engagement and will define the type, the direction, and the time allowed for the penetration test to be performed, for instance, a Web Application Penetration Test or an External Network Penetration Test. It’s common to define and agree on a set of rules that will condition the exercise, such as whether domain user credentials will be provided to perform authenticated testing of an internal network or if source code is to be provided to assist dynamic web application testing. 

In contrast, the scope of a red team exercise is unlimited, allowing for all of the legal and ethical attack vectors you can imagine. They often involve more people, time, and resources as the team digs deep to fully understand the impact of vulnerabilities found to uncover their true risk level affecting an organization’s technology, employees, and physical assets. 

I sat down with VerSprite’s Offensive Security Group team leader, Joaquin Paredes, for an inside view on how we approach red teaming and administering a red teaming exercise. 

How Do Companies Benefit from a Red Teaming Exercise? 

Due to the inherent secrecy behind red teaming tactics, it is often unclear what goes on behind the scenes to grasp the nature and significance of red teaming to the overall security posture of an organization. We are lifting the veil of how red teaming engagements work to deliver results that penetration testing and written reports alone cannot.  

These goals vary from gaining access to certain databases holding customer data (PII) or health records (PHI), to stealing IP information of a product or source code for an application or service. They can either be defined by the organization or discovered during the initial threat modeling session. 

I remember I once heard someone say that pen testers are like pirates, who will, recklessly, launch all their weapons against your boat trying to steal every single coin they can find, while red teamers in this analogy, would be more like ninjas, who will carefully plan every attack and stealthily get inside the protected vault to carefully take only the most valuable crown jewel in the museum. 

– Joaquin Paredes, Offensive Security Group Team Leader 

Lines often get blurred among these two types of engagements. For Example:

• A network penetration test can also include elements of a web application pentest to complement specific testing efforts and objectives.
• Social Engineering can also be performed on its own as a penetration test exercise where a list of targets is provided, but no particular objectives are defined other than looking for a successful compromise.
• A red team can have the scope limited to a certain degree or restrictions placed upon specific tactics like stating that physical attacks are out of scope.

There is value in any assessment type. However, only red teams will simulate real-life attackers’ motivations and attack patterns to push the boundaries beyond what is thought to be possible. It is the closest you can get within ethical and time boundaries of truly knowing your organization’s security stance. We argue in favor of red teams because their goal is to assess the true, relevant risks that align with the business objectives of the company being targeted. 

What Qualifications and Backgrounds Do the VerSprite Red Team Members Have? 

Two qualifications can summarize the answer to this question: long and extensive expertise combined with a criminal mindset. We have an elite division of our Offensive Security team with an average of over 12 years of work experience in penetration testing and red teaming for Fortune 500 companies worldwide.

Among our elite team, we have an extensive background covering every single area that could comprise a real-life adversarial simulation, ranging from stealthily penetration testing networks and performing creative phishing attacks to reverse engineering complex applications and writing our exploits and payloads, to name a few. 

And yes, our team members also hold OSCP, OSCE, CREST, CISSP, and other certificates that we don’t mention often.

Beyond pure technical knowledge, expertise, and certifications, our Offensive Security team can think like criminals. We are a team that’s passionate about cybersecurity with unlimited imagination and unbiased group thinking that will spend days and nights relentlessly working to capture that precious flag. 

What Tools Does VerSprite’s Red Team Use During Engagements? 

The tools we use were developed over the years after completing many red teaming exercises from OSINT tools, our threat intel platform that helps us with the initial stages of information gathering and reconnaissance, and custom stagers, which we use to download our C2 (Command and Control) custom payloads to test the effectiveness of IDS/IPS/EPP/EDR solutions to novel attacks and 0-day exploits. 

VerSprite has also put a lot of work into social engineering campaign innovation. We have done extensive research and development and created our proxy tool for MiTM attacks on different websites, allowing us to work on scenarios where 2FA authentication has been enabled for the users we are targeting. 

We have also created our device for when we do on-site testing during physical intrusion attempts. We called it the “NinjaPi,” which is a rogue device we plant into a company’s network after breaking into their office that can bypass NAC restrictions and has LTE capabilities so we can remotely connect. 

What is the Craziest Red Teaming Exercise Your Team Has Performed? 

We have done it all; calling users over the phone to impersonate someone from the IT department asking for passwords to bribing a janitor to let us into the office after-hours using a backdoor to using online content such as promotional videos to obtain sensitive data that no one thought could be used to build a convincing SE ploy. Anything is possible in terms of attack vectors. 

I specifically remember one social engineering ploy because of the precision we took in the execution. It was performed on-site, simultaneously in two locations: the client’s headquarters in San Francisco and a technical office in Bucharest, Romania.

The ploy consisted of a flyer with an NFC tag promoting an HR campaign to win a free, all-inclusive trip to visit the other office for one week; you would tap the flyer with your phone and log in with your SSO credentials to the intranet to submit your vote. The intranet was a cloned site hosted in one of our attack servers that you would access via a typo domain we bought specifically for the engagement. Long story short, we even had the CEO participating in this contest. 

For another gig, we were even thinking of parachuting and landing over the rooftop of the target’s building as the security at the floor level proved to be really tight in the previous years. Unfortunately, we did not get the insurance company to approve this time for the testing. I guess here you could say that the sky is the limit, right? 

However, other times are not that fun, especially during physical intrusion attempts, as there’s always the risk of getting caught. In the best-case scenario, you will have to deal with the security guards of the building. But as we all learned from the Coalfire Cause célèbre, this can also happen to be the police, and if things are not planned accordingly, you’ll end up in jail. 

So proper planning and coordination with the customer should be done from the very beginning of the engagement. The client should provide a GOJF card with details on the scope, all expected activities, dates, names of consultants, and points of contact, and should be signed by all parties involved; If a shared building is in scope, then you should even include the building owner and ideally law enforcement. 

How has the Remote Workforce Changed Red Teaming Exercises and Objectives? 

Not so long ago, I’m talking almost pre-COVID-19, most network security was focused on edge protection using firewalls, WAFs, UTM, etc. Not only that, but many people still think that once inside the network, things are much safer. 

Things are becoming more complicated than that, starting with the BYOD [Bring Your Own Device] trend, the rush movement to the Cloud, and now COVID-19 forcing millions of workers to work remotely, network boundaries are quite blurred. The “perimeter” is dead, and the discussion of a trusted vs. untrusted network became almost nonsense. The whole internet is your network now, and organizations are going to have to figure out how to operate without trusting the network at all. 

As a result, there has never been a better time for threat actors to target human assets as a way into an organization, as people have always been the weakest link to exploit in the information security chain. We have great stories of successful compromises during red team exercises by tailgating into customers’ offices and getting access to their data centers. But now that people are staying at home and servers and applications have been moved to the cloud, I would strongly recommend budgeting for a red teaming and letting the Cloud Penetration Testing and Social Engineering phases be the star of this “Mission Impossible” show. 

Why Should You Choose VerSprite for a Red Teaming Exercise? 

When considering a red teaming exercise, it’s important to know that the service provider has the necessary experience to perform a controlled attack that provides actionable feedback to your organization. With our team’s unique and creative tactics, criminal mindset, in-house developed tools, expertise, and certifications, VerSprite’s red team professionals can challenge organizations to provide mitigation solutions that will ultimately strengthen your overall security posture. Red teaming closes the gaps in your security posture.

organizations to provide mitigation solutions that will ultimately strengthen your overall security posture. Red teaming closes the gaps in your security posture.

When used in this fashion, red teaming becomes a vital tool to secure the cyber, physical, and employee attack vectors that criminals rely on to breach organizations.

Schedule a call with our professionals for more information on how VerSprite can administer a red teaming exercise and other services to help you.

Contact VerSprite → now.