Your Guide to Red Teaming Assessments

Overview

The purpose of this post is to provide a comprehensive guide specific to Red Team security assessments, describe their relation to traditional penetration testing, answer common questions that surround Red Team testing, and relay the unique security benefits Red Teaming can provide. The takeaway will be a solid understanding of the activities, methodologies, and benefits of the Packetlabs Red Team assessment service offering, what you should expect from a Red Team engagement, and other related information to increase your awareness about the Red Team assessment process.

Advanced persistent threats (APT) and nation-state threat actors are highly motivated. They employ covert tactics and techniques to infiltrate an organization and steal information or cause damage. In 2023, IBM research found the average cost of a data breach was $7.4 M CAD per incident, up from 2018 when the average was roughly $4M CAD. Also, for some organizations, the potential consequences of cyberattacks stretch far beyond financial losses. 

Cyberattacks can lead to operational downtime of critical infrastructure and data loss that can severely impact business continuity, human health, and national security. Red Teaming is the most extensive type of security assessment that seeks to address the risk embodied by organizations that are most likely to be the target of APT adversaries.

Who Will Benefit From This Guide?

This guide will benefit an organization’s leaders such as CEOs, CTOs, and CISOs, as well as other senior team leaders including security engineers, network engineers, and administrators. This guide can also help to inform other IT professionals such as MSPs, IaaS, PaaS, and SaaS providers.

• C-level executives that deal with IT security (CISOs/CSOs/VP of security)

• Other high-level management (CEO/Business Owner/ Business Executive)

• Managed Service Providers (MSP)

• Cybersecurity Architects, Network Architects, and Network Administrators

What Is Red Teaming?

The Red Teaming process involves extensive covert reconnaissance to build a highly tailored arsenal of attack techniques to identify even the most obscure security gaps in an organization's people, processes, technology, and physical security controls. Similar to all penetration testing methodologies, the ultimate goal of Red Team assessments is to gain unauthorized access to sensitive systems and data or otherwise gain an advantageous position to cause damage using a risk-controlled methodology.

By removing many of the limitations that typically govern a penetrating test engagement, Red Teaming provides more assurance that an organization's security controls can withstand highly targeted attacks associated with advanced persistent threat (APT) adversaries. As such, Red Teaming is the ultimate test of a company's ability to detect, respond, and maintain its resilience to the most sophisticated, persistent, and targeted offensive campaigns. Perhaps most importantly, it simulates attacks from positions inside an organization’s physical premises, targets personnel directly, and leverages advanced social engineering techniques developed from direct observation of an organization's internal operations. 

To maximize value, Red Team engagements may also define specific operational goals for Red Team ethical adversaries, such as gaining domain admin access, unauthorized payroll data access, compromising critical network components, deploying ransomware on test data, or accessing credit card or sensitive PHI information.

Typical goals of a Red Team assessment include:

• Helping an organization gain hands-on experience managing a cyber breach scenario by putting your defenders to the ultimate test

• Simulating the tactics, techniques, and procedures (TTP) of advanced persistent threats and organization insiders in a risk-controlled manner

• Evaluating the likelihood of a remote compromise via phishing or physical access breach

• Evaluating a Blue Team’s detection, alerting, and response capabilities during an active cyber-breach

• Testing the effectiveness of Incident Response Plans (IRP) and Disaster Recovery Plans (DRP) to quickly and completely recover from active cyber-breaches

• Finding hidden attack paths to the most critical assets

• Identifying internal staff that are vulnerable to persistent targeted social engineering attacks

• Testing the resiliency of an organization's defenders during an emergency response

• Evaluating the resilience of defense-in-depth layered security controls in the face of a cyber breach scenario

Additional Context To Red Teaming

Red Team exercises may also involve collaboration with the target organization’s own IT security team responsible for defending the organization's assets, also known as the "Blue Team".

This collaborative approach, known as a "Purple Team" exercise, fosters direct knowledge transfer from experienced attackers to defenders, resulting in a deeper understanding of how attackers assess the target’s IT environment, what elements are more attractive to attackers, and leading to a more effective and actionable defensive security posture.

Is Your Organization Ready For A Red Team Assessment?

Red Team assessments require careful planning, cooperation, and readiness on the part of the target to ensure they are prepared to manage any potentially negative impacts while maximizing the benefits and ensuring an actionable outcome.

While Red Team assessments are a highly effective way to assess an organization's true resilience to APT cyberattacks, the reality is that some organizations aren't prepared to fully benefit from the level of sophistication and intensity that a Red Team engagement entails. 

Many Organizations Aren't Ready

If an IT security team is not properly prepared to monitor, detect and defend against Red Teaming tactics, the real benefits of a Red Team assessment– to evaluate, practice, and enhance the skills of IT defenders– will not be realized by the target organization. While traditional penetration testing is coverage-based, meaning an engagement aims to cover the widest range of vulnerabilities across the target organization's infrastructure, Red Teaming takes a depth-based approach.

The aim of depth-based security testing is to focus efforts on specific areas of an organization such as personnel, departments, physical premises, or processes that have direct access to sensitive data.

Special Considerations For Red Team Targets

Due to the intense nature of Red Team assessments, targets need to consider several important factors before the start of an engagement.

Some special considerations for Red Team targets include:

• Clear Objectives: Clearly define the objectives of the Red Team engagement. This includes selecting which assets, systems, or data the Red Team should focus on to ensure the assessment aligns with the target organization's specific security concerns.

• Engagement Scope: Determine the scope and duration of the Red Team assessment. Decide whether the Red Team should have access to the physical premises and direct access to personnel, and identify any areas that should be off-limits. 

• Provide Testers With Formal Authorization: Because Red Team assessments involve pentesters working covertly within the target organization's physical premises, they must be provided with documented evidence that their activities have been authorized. If a pentester is confronted by personnel, security guards, or law enforcement, the "get-out-of-jail-free" evidence can help de-escalate the situation.  

• Legal And Ethical Considerations: Address any legal and ethical considerations related to the Red Team assessment. Ensure that the engagement adheres to relevant regulations and does not cause harm to the organization, its personnel, stakeholders, or potentially harm bystanders.

• Post-Engagement Activities: Plan for post-engagement activities, including a debriefing session with the Red Team to discuss findings, recommendations, and lessons learned. Use the assessment results as a roadmap for enhancing the organization's security posture.

The Importance Of Red Teaming Assessments

In today's threat landscape, adversaries are becoming more sophisticated, making it essential for high-risk organizations to thoroughly assess their security posture from the perspective of an APT adversary. Cybersecurity researchers have uncovered daunting statistics that relay the true risk of being caught unprepared for a cyber attack:  

• Companies are experiencing 31% more cyberattacks, with that percentage growing by the year

• 70% of SMB owners report not feeling ready for a cyberattack if one hits

• Globally, 72% of both state and local governments attacked by ransomware had had their data encrypted

• 40% of polled CEOs reported that hybrid work IT infrastructures were the most difficult aspects of cybersecurity to implement

• 47% of healthcare breaches originate from third-party insiders and 43% of all security breaches are perpetrated by insider threats

Red Teaming is an advanced type of security assessment that is tailored to organizations that have already employed traditional Penetration Testing to specifically identify non-technical IT security vulnerabilities. As such, Red Team pentesting is an important component of a high-assurance cybersecurity strategy. It provides the most realistic evaluation of an organization's security readiness, empowering them to identify and mitigate risks before real attackers exploit them. Organizations that hold high-severity risk require the deepest insight into potential security gaps across their entire organization, including highly targeted social engineering attacks, attacks launched from insider positions, and attempts to breach physical security controls. 

Red Teaming also promises to provide target organizations with tangible experience detecting, and responding to cyberattacks in order to assess their true ability to quickly and completely recover and improve disaster recovery plans with actionable insights. Red Teaming offers an organization the opportunity to evaluate its defenses against a "no holds barred " offensive campaign that uses more "outside the box" techniques than a traditional pentest. 

The combination of this in-depth and targeted approach to security testing is important for organizations that are highly likely to experience attacks from nation-state threat actors or Advanced Persistent Threats (APT) who are willing to spend significant time and resources to covertly infiltrate an organization in order to steal data, reap financial gains, or cause irreparable damage. 

Benefits of a Red Team assessment include:

• Identifying the risk and susceptibility of attack against confidential information, denial of service (DOS) attacks, ransomware, attacks that seek to destroy data, and more

• Identifying security weaknesses in an organization's technology, processes, and people

• Assessing an organization’s ability to detect, respond, and prevent second-stage attacks that occur after an initial breach

• Identifying critical personnel or whole departments that are susceptible to targeted depth-based attack campaigns

• Developing first-hand experience to enhance the capabilities of defending against advanced adversarial attacks

How Is Red Teaming Different From Other Cybersecurity Assessments?

Red Teaming extends the testing scope to include a wider set of attack scenarios that more rigorously test an organization’s processes, people, and physical security to covertly gain unauthorized access. Traditional penetration testing focuses primarily on the technical aspects of cybersecurity vulnerabilities within an organization and typically follows a predefined methodology that can be conducted remotely. 

Although Red Teaming does test an organization’s technology such as public-facing IP addresses, the wider scope of Red Teaming attack techniques means that tactics and techniques specially designed for covert infiltration are used to test defenses. Overall, Red Teamingen encompasses a broader range of attacks, including social engineering, physical security breaches, and advanced persistent threat (APT) simulations, and involves testing activities that take place on an organization's premises.

The key differences between Red Team pentesting and traditional pentesting are:

• Depth-based Scope: Red Teaming makes a more intensive assessment of physical, and human security aspects, whereas traditional pentesting typically concentrates on technical vulnerabilities and applies a coverage-based scope.

• Approach: Red Teaming adopts a covert adversarial approach, mimicking the strategy of highly targeted APT attack campaigns, while traditional pentesting takes a more structured approach.

• Goals: Traditional pentesting focuses on identifying and fixing technical vulnerabilities, while Red Teaming aims to uncover systemic weaknesses in an organization's processes, people, and physical controls to assess the effectiveness of an organization's security.

• Engagement Duration: Red Team engagements are often longer and may be ongoing over an extended period. They typically involve multiple phases and iterations to ensure a deep evaluation of an organization's priority targets.

• Reporting: Red Team reports include a narrative of the overall attack path, including the tactics used, the potential impact, and recommendations for improving security posture against social engineering and physical security controls while traditional Pentesting reports focus on detailing technical vulnerabilities discovered, their severity, and recommendations for remediation.

• Resource And Skill Requirements: Red Team assessments typically require a higher level of skill and expertise in various domains, including social engineering, physical security, and advanced attack techniques. By contrast, traditional penetration testing primarily requires technical expertise in specific areas of cybersecurity, such as network or application security.

Red Team assessments include more targeted TTP to exploit a target organization and involve direct engagement with an organization’s physical premises and its members. Some Red Team tactics and techniques that are not typically employed during a traditional penetration test include:

• Lockpicking and other physical techniques

• Covert interaction with personnel at the target organization

• Dropping or installing physical devices on the target's premises to gain remote access

• Using targeted social engineering techniques as an entry point to gaining remote access to the target's networks

How Does Red Teaming Support Regulatory Compliance?

While Red Teaming's primary focus is on enhancing an IT security team's defensive capabilities, it can also play a significant role in supporting regulatory compliance efforts and demonstrates an organization's commitment to IT security and due diligence. Regulatory frameworks and compliance standards, such as the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and Payment Card Industry Data Security Standard (PCI DSS), require organizations to safeguard sensitive data against potential threats. 

Red Teaming assessments can identify vulnerabilities and weaknesses that could lead to non-compliance with these regulations and prepare organizations to respond to cyber incidents in a manner that aligns with compliance requirements actions by practicing their incident detection and response capabilities under realistic conditions. 

Which Cybersecurity Frameworks Are Used In Our Methodology?

Packetlabs' security testing methodology is based on industry standards and is primarily aligned with the MITRE ATT@CK for Enterprise framework to ensure our security assessments closely simulate the real-world TTP of known cyber adversaries including advanced persistent threats (APT). NIST Technical Guide to Information Security Testing and Assessment (SP 800-115) also factors into our testing methodology, providing guidance on planning, executing, and analyzing the results of penetration testing efforts.

What Is Included In An Assessment?

Our Red Teaming service offering encompasses two distinct approaches designed to comprehensively evaluate your organization's security posture. The first approach involves a timed endeavor - our expert team seeks to gain access to a predefined objective or goal from an external attack position. This approach simulates real-world cyber attack scenarios, and can identify vulnerabilities and potential entry points in perimeter defenses.

The second approach is a split strategy that provides a more comprehensive assessment by employing an assumed breach scenario that assumes a successful intrusion has occurred. This post-breach simulation follows a designated time frame, during which we analyze an organization's "Defense In Depth" capabilities by seeking unauthorized access, elevated privileges, and lateral movement from the initial entry points. 

By combining both timed and split approaches, our Red Team service not only identifies vulnerabilities but also provides insights into potential threat impact, enabling your organization to enhance its security measures and response protocols effectively.

The core activities of the Packetlabs Red Teaming methodology are:

1. Planning: Planning the engagement's timeline of activities, initializing required pentesting infrastructure, and performing initial reconnaissance to gather information

2. External Penetration: The goal of this phase is to breach the external attack surface to gain initial access to the target organization's network. This includes the use of social engineering tactics such as email phishing and vishing, physical device planting, physical access attacks, and attacking externally exposed services such as wireless networks and public IP addresses

3. Internal Reconnaissance: Gathering information about the internal network through discovery of host endpoints to identify IP addresses and services that can be attacked

4. Lateral Movement: Identifying misconfigurations and vulnerabilities within the target's internal network and exploiting privilege escalation vulnerabilities while attempting to successfully evade detection by network defenders

5. Action on Objectives: Attempting to gain access to agreed-upon objectives, evaluate the effectiveness of existing security controls such as backup solutions, firewalls, anti-malware and other endpoint security products, and intrusion detection and prevention systems.

6. Reporting: Compiling all evidence and notes into a detailed report that outlines findings coupled with control recommendations

Who Conducts Packetlabs' Red Team Assessments?

Red Team Assessments are carried out by highly skilled and specialized professionals known as "Red Teamers." These individuals have extensive experience and expertise in ethical hacking, penetration testing, and simulating real-world cyber threats. Red Teamers possess a deep understanding of attacker TTPs, enabling them to replicate the strategies of actual adversaries during the engagement.

All Packetlabs Red Team members hold a minimum of Offensive Security Certified Professional (OSCP) certifications that demonstrate their proficiency in offensive security and ethical hacking. Other commonly-held certifications for Packetlabs' Red Teamers include:

• Offensive Security Certified Professional (OSCP): A rigorous certification that demonstrates practical hands-on penetration testing skills, including exploit development and network penetration testing.

• CREST Registered Tester (CRT): A certification widely recognized in the UK and internationally, emphasizing penetration testing skills.

• Certified Red Team Operator (CRTO): A relatively new certification focusing specifically on red teaming skills and techniques such as adversary simulation, command & control, engagement planning and reporting

• OffSec Exploit Developer (OSED): A certification that verify the expertise necessary to write offensive shellcode and develop custom exploits from scratch

• OffSec Experienced Pentester (OSEP): This certification verifies the skills required for attacking security hardened IT systems

• OffSec Web Expert (OSWE): An advanced web application security certification that teaches the skills needed to conduct white box penetration tests against all forms of web apps

• OffSec Wireless Professional (OSWP): Is a foundational certification for auditing wireless in 802.11 devices and networks to identify vulnerabilities and execute organized attacks devices

Why Choose Packetlabs For Your Next Red Team Assessment? 

Whether you are looking to complete a Red Teaming assessment to manage risk, protect your data, comply with regulatory compliance standards, or as a requirement for cyber insurance, selecting the right company is crucial. When choosing a partner security consultant many things should be considered such as reputation, trust, size of the entity, their degree of experience and professionalism (including certification requirements and statuses), and specialized skills that apply specifically to the target organization's environment.

Packetlabs is a SOC II Type 2 accredited organization meaning that the sensitive information provided by our clients and collected from our pentesting campaigns is secured with the highest cybersecurity standards. Packetlabs' advanced capabilities go far beyond industry standards: conduct 100% of our testing activities in-house and do not outsource to external third parties, alongside having been rated an average 9.5/10 NPS score by our customers upon project completion. We’re committed to the highest standards for communication– and that includes a strict dedication to your right to security and privacy. 

All Packetlabs testers are certified with a minimum Offensive Security Certified Professional (OSCP) certification and many of our testers hold several additional highly regarded Red Teaming specific and other IT security industry certifications. Our exceptionally trained team and a robust testing methodology, go beyond checkboxes to really understand your unique penetration testing needs. With our consultative approach, we ensure that our clients understand our reports and assessments and go the extra mile to provide support when helping our clients plan the next steps in their journey toward a stronger security posture and a bulletproof cybersecurity strategy. 

What Is Included In A Report?

Similar to other forms of penetration testing and security assessment, Red Teaming engagements include a full report of all vulnerabilities identified during an engagement, categorized according to their severity. Reports include a full executive summary of the engagement's objectives and key findings as well as a timeline of activities conducted by the Packetlabs and technical findings including any collected evidence and explanations about how each vulnerability was uncovered. 

Finally, each report also includes recommendations and mitigation advisory to support a continuous improvement of the target organization's cybersecurity operations. Packetlabs engagements also include optional access to our Penetration Testing as a Service cloud platform for convenient project management, reporting, and communication.

Packetlabs Portal

The Packetlabs Portal is a cloud-based reporting and workflow management platform that provides real-time insights into a Red Team Security Assessment. 

Our solution provides real-time vulnerability information, supports a Purple Team approach to engagement, and improves collaboration between the target’s IT security teams, managers, and other stakeholders. The Portal allows managers and stakeholders to directly monitor the progress of a Red Team assessment, quickly view findings, organize and prioritize remediation efforts, and communicate with Packetlabs directly to request retests after an engagement is complete.

The Packetlabs Portal features include:

• Secure access to current ongoing and past reports

• Real-time insights and assessment progress monitoring

• Direct and instant communication capabilities including requesting retests

• Increased collaboration between testing teams

• Convenient accessibility for all stakeholders

• Integration with JIRA and ServiceNow project management platforms

Next Steps

Are you ready to unlock the benefits of Red Teaming assessments?

Our team is always just one call or email away: our specialized experts can answer any further questions you may have, and can start the process of kickstarting the most proactive security assessment of your organization’s most mission-critical people, processes, premises, and technology.