Preparation is a crucial component of any successful cybersecurity strategy. To effectively protect your organization against threats, you must create a proactive, security-first company culture that continuously challenges security controls to assess each risk and its impact on the business.
Red teaming is a type of proactive engagement that aggressively challenges a company’s physical and network security measures by performing real-world adversarial attacks, much like a criminal would. By performing a red team engagement, organizations can test the effectiveness of their technology, processes, and people; identify gaps; mitigate vulnerabilities; and gather insight to guide future security efforts.
Because red teaming tactics are inherently secretive, it is often unclear what goes on behind the scenes, which makes it hard to grasp the nature and significance of red teaming to an organization’s overall security posture. In this blog, we lift the veil and explain how red teaming engagements work to deliver results that penetration testing and written reports alone cannot.
I sat down with VerSprite’s Offensive Security Group team leader, Joaquin Paredes, for an inside view on how we approach red teaming.
1. What is red teaming and how do companies benefit from red teaming engagements?
A red team is a long-term, team-based, and goal-oriented adversarial attack simulation exercise of a target organization. It is common to confuse red teaming with penetration testing, and there’s a good reason for that – a red teaming exercise is built out of many types of penetration tests that could run simultaneously but towards a clear goal, which is defined before starting the actual testing. These goals vary from gaining access to certain databases holding customer data (PII) or health records (PHI), to stealing IP information of a product or source code for an application or service. They can either be defined by the organization or discovered during the initial threat modeling session.
A penetration test aims to find as many critical and high-risk vulnerabilities as possible within a defined scope, objectives, and time constraints. These are the three main things you agree upon with a customer before starting the engagement, and they will mainly define the type, the direction, and the time allowed for the penetration test to be performed (for instance, a Web Application Penetration Test or an External Network Penetration Test). It’s common to define and agree on a set of rules that will condition the exercise, such as whether domain user credentials will be provided to perform authenticated testing of an internal network or whether source code is to be provided to assist dynamic testing of a web application.
In contrast, the scope of a red team exercise is unlimited, allowing for all of the legal and ethical attack vectors you can imagine. They often involve more people, time, and resources as the team digs deep to fully understand the impact of the vulnerabilities found and uncover the true risk level they pose to an organization’s technology, employees, and physical assets.
I remember I once heard someone say that pentesters are like pirates, who will, in a reckless way, launch all their weapons against your boat trying to steal every single coin they can find, while red teamers, in this analogy, would be more like ninjas, who will carefully plan every attack and stealthily get inside the protected vault to carefully take only the most valuable crown jewel in the museum.
– Joaquin Paredes, Offensive Security Group Team Leader
Lines often get blurred between these two types of engagements. For example:
- A network penetration test can also include elements of a web application pentest to complement specific testing efforts and objectives.
- Social Engineering can also be performed on its own as a penetration test exercise where a list of targets is provided, but no particular objectives are defined other than looking for a successful compromise.
- A red team can have its scope limited to a certain degree, or restrictions placed upon specific tactics, such as stating that physical attacks are out of scope.
There is value in any assessment type. However, only red teams will simulate real-life attackers’ motivations and attack patterns to push the boundaries beyond what is thought to be possible. It is the closest you can get, within ethical and time boundaries, to truly knowing your organization’s security stance. So we argue in favor of red teams because their goal of assessing the true, relevant risks aligns with the business objectives of the company being targeted.
2. What qualifications and backgrounds do the VerSprite red team members have?
Two qualifications can summarize the answer to this question: considerable expertise combined with a criminal mindset. We have an elite division of our Offensive Security team with an average of over 12 years of work experience in penetration testing and red teaming for Fortune 500 companies worldwide. Among our elite team, we have an extensive background covering every single area that could comprise a real-life adversarial simulation, ranging from stealthy penetration testing of networks and creative phishing attacks to reverse engineering complex applications and writing our own exploits and payloads, to name a few.
And yes, our team members also hold OSCP, OSCE, CREST, CISSP, and other certifications that we don’t mention often.
Beyond pure technical knowledge, expertise, and certifications, our Offensive Security team can think like criminals. We are a team that’s passionate about cybersecurity, with unlimited imagination and unbiased group thinking, that will spend days and nights relentlessly working to capture that precious flag.
3. What kind of tools does VerSprite’s Red Team use during engagements?
The tools we use were developed over the years, after completing many red teaming exercises. They range from OSINT tools and our own threat intel platform, which helps us with the initial stages of information gathering and reconnaissance, to custom stagers that we use to download our own custom C2 (Command and Control) payloads to test the effectiveness of IDS/IPS/EPP/EDR solutions against novel attacks and 0-day exploits.
VerSprite has also put a lot of work into social engineering campaign innovation. We have done extensive research and development and created our own proxy tool for MitM attacks against different websites, allowing us to work on scenarios where 2FA has been enabled for the users we are targeting.
We have also created our own device for when we do on-site testing during physical intrusion attempts. We call it the “NinjaPi”: a rogue device that we plant in a company’s network after breaking into their office, which can bypass NAC restrictions and has LTE capabilities so we can connect to it remotely.
4. What is the craziest red teaming exercise your team has performed?
We have done it all. We’ve called users over the phone to impersonate someone from the IT department asking for passwords. We’ve bribed a janitor into letting us into the office after-hours using a backdoor. We’ve used online content, such as promotional videos, to obtain sensitive data that no one thought could be used to build a convincing Social Engineering (SE) ploy. Anything is possible in terms of attack vectors.
I specifically remember one Social Engineering ploy because of the precision we took in the execution. It was performed on-site, simultaneously in two locations: the client’s headquarters in San Francisco and a technical office in Bucharest, Romania. The ploy consisted of a flyer with an NFC tag promoting an HR campaign to win a free, all-inclusive one-week trip to visit the other office. Supposedly, you would tap the flyer with your phone and log in with your SSO credentials to the intranet to submit your vote. The intranet was actually a cloned site hosted on one of our attack servers, which you would access via a typo domain we bought specifically for the engagement. Long story short, we even had the CEO participating in this contest.
For another gig, we were even thinking of parachuting and landing on the rooftop of the target’s building, as the security at the floor level had proved to be really tight in previous years. Unfortunately, we did not get the insurance company to approve this in time for the testing. I guess here you could literally say that the sky is the limit, right?
However, other times are not that fun, especially during physical intrusion attempts, as there’s always the risk of getting caught. In the best-case scenario, you will have to deal with the security guards of the building. But as we all learned from the Coalfire cause célèbre, this can also happen to be the police, and if things are not planned accordingly, you’ll end up in jail.
So proper planning and coordination with the customer should be done from the very beginning of the engagement. The client should provide a GOJF card with details on the scope, all expected activities, dates, names of consultants, and points of contact, and it should be signed by all parties involved. If a shared building is in scope, then you should even include the building owner and, ideally, law enforcement.
5. How has the remote workforce changed red teaming objectives?
Not so long ago, I’m talking almost pre-COVID-19, most network security was focused on edge protection using firewalls, WAFs, UTM, etc. Not only that, but many people still think that once inside the network, things are much safer.
Things are becoming more complicated than that: starting with the BYOD [Bring Your Own Device] trend, then the rush to the Cloud, and now COVID-19 forcing millions of workers to work remotely, network boundaries are quite blurred. The “perimeter” is dead, and the discussion of a trusted vs. untrusted network has become almost nonsense. The whole internet is your network now, and organizations are going to have to figure out how to operate without trusting the network at all.
As a result, there has never been a better time for threat actors to target the human assets as a way into an organization, as people have always been the weakest link to exploit in the information security chain. We have great stories of successful compromises during red team exercises by tailgating into customers’ offices and getting access to their data centers. But now that people are staying at home and servers and applications have been moved to the cloud, I would strongly recommend budgeting for a red teaming exercise and letting the Cloud Penetration Testing and Social Engineering phases be the stars of this “Mission Impossible” show.
Why Should You Choose VerSprite for a Red Team Engagement?
When considering a red team engagement, it’s important to know that the service provider has the necessary experience to perform a controlled attack that provides actionable feedback to your organization. With our team’s unique and creative tactics, criminal mindset, in-house developed tools, expertise, and certifications, VerSprite’s red team professionals can challenge organizations and provide mitigation solutions that will ultimately strengthen your overall security posture.
When used in this fashion, red teaming becomes a vital tool to secure the cyber, physical, and employee attack vectors that criminals rely on to breach organizations. Schedule a call with our professionals for more information on how VerSprite’s Red Teaming services can help you.