This blog post is part of the “All You Need to Know About Red Teaming” series by the IBM Security Randori team. The Randori platform combines attack surface management (ASM) and continuous automated red teaming (CART) to improve your security posture.
“No battle plan survives contact with the enemy,” wrote military theorist, Helmuth von Moltke, who believed in developing a series of options for battle instead of a single plan. Today, cybersecurity teams continue to learn this lesson the hard way. According to an IBM Security X-Force study, the time to execute ransomware attacks dropped by 94% over the last few years—with attackers moving faster. What previously took them months to achieve, now takes mere days.
To shut down vulnerabilities and improve resiliency, organizations need to test their security operations before threat actors do. Red team operations are arguably one of the best ways to do so.
What is red teaming?
Red teaming can be defined as the process of testing your cybersecurity effectiveness through the removal of defender bias by applying an adversarial lens to your organization.
Red teaming occurs when ethical hackers are authorized by your organization to emulate real attackers’ tactics, techniques and procedures (TTPs) against your own systems.
It is a security risk assessment service that your organization can use to proactively identify and remediate IT security gaps and weaknesses.
A red team leverages attack simulation methodology. They simulate the actions of sophisticated attackers (or advanced persistent threats) to determine how well your organization’s people, processes and technologies could resist an attack that aims to achieve a specific objective.
Vulnerability assessments and penetration testing are two other security testing services designed to look into all known vulnerabilities within your network and test for ways to exploit them. In short, vulnerability assessments and penetration tests are useful for identifying technical flaws, while red team exercises provide actionable insights into the state of your overall IT security posture.
The importance of red teaming
By conducting red-teaming exercises, your organization can see how well your defenses would withstand a real-world cyberattack.
As Eric McIntyre, VP of Product and Hacker Operations Center for IBM Security Randori, explains: “When you have a red team activity, you get to see the feedback loop of how far an attacker is going to get in your network before it starts triggering some of your defenses. Or where attackers find holes in your defenses and where you can improve the defenses that you have.”
Benefits of red teaming
An effective way to figure out what is and is not working when it comes to controls, solutions and even personnel is to pit them against a dedicated adversary.
Red teaming offers a powerful way to assess your organization’s overall cybersecurity performance. It gives you and other security leaders a true-to-life assessment of how secure your organization is. Red teaming can help your business do the following:
Identify and assess vulnerabilities
Evaluate security investments
Test threat detection and response capabilities
Encourage a culture of continuous improvement
Prepare for unknown security risks
Stay one step ahead of attackers
Penetration testing vs. red teaming
Red teaming and penetration testing (often called pen testing) are terms that are often used interchangeably but are completely different.
The main objective of penetration tests is to identify exploitable vulnerabilities and gain access to a system. On the other hand, in a red-team exercise, the goal is to access specific systems or data by emulating a real-world adversary and using tactics and techniques throughout the attack chain, including privilege escalation and exfiltration.
The following table marks other functional differences between pen testing and red teaming:
Identify exploitable vulnerabilities and gain access to a system.
Access specific systems or data by emulating a real-world adversary.
Short: One day to a few weeks.
Longer: Several weeks to more than a month.
Commercially available pen-testing tools.
Wide variety of tools, tactics and techniques, including custom tools and previously unknown exploits.
Defenders know a pen test is taking place.
Defenders are unaware a red team exercise is underway.
Known and unknown vulnerabilities.
Test targets are narrow and pre-defined, such as whether a firewall configuration is effective or not.
Test targets can cross multiple domains, such as exfiltrating sensitive data.
Security system is tested independently in a pen test.
Systems targeted simultaneously in a red team exercise.
Pen testers don’t engage in post-breach activity.
Red teamers engage in post-breach activity.
Compromise an organization’s environment.
Act like real attackers and exfiltrate data to launch further attacks.
Identify exploitable vulnerabilities and provide technical recommendations.
Evaluate overall cybersecurity posture and provide recommendations for improvement.
Scroll to view full table
Difference between red teams, blue teams and purple teams
Red teams are offensive security professionals that test an organization’s security by mimicking the tools and techniques used by real-world attackers. The red team attempts to bypass the blue team’s defenses while avoiding detection.
Blue teams are internal IT security teams that defend an organization from attackers, including red teamers, and are constantly working to improve their organization’s cybersecurity. Their everyday tasks include monitoring systems for signs of intrusion, investigating alerts and responding to incidents.
Purple teams are not actually teams at all, but rather a cooperative mindset that exists between red teamers and blue teamers. While both red team and blue team members work to improve their organization’s security, they don’t always share their insights with one another. The role of the purple team is to encourage efficient communication and collaboration between the two teams to allow for the continuous improvement of both teams and the organization’s cybersecurity.
Tools and techniques in red-teaming engagements
Red teams will try to use the same tools and techniques employed by real-world attackers. However, unlike cybercriminals, red teamers don’t cause actual damage. Instead, they expose cracks in an organization’s security measures.
Some common red-teaming tools and techniques include the following:
Social engineering: Uses tactics like phishing, smishing and vishing to obtain sensitive information or gain access to corporate systems from unsuspecting employees.
Physical security testing: Tests an organization’s physical security controls, including surveillance systems and alarms.
Application penetration testing: Tests web apps to find security issues arising from coding errors like SQL injection vulnerabilities.
Network sniffing: Monitors network traffic for information about an environment, like configuration details and user credentials.
Tainting shared content: Adds content to a network drive or another shared storage location that contains malware programs or exploits code. When opened by an unsuspecting user, the malicious part of the content executes, potentially allowing the attacker to move laterally.
Brute forcing credentials: Systematically guesses passwords, for example, by trying credentials from breach dumps or lists of commonly used passwords.
Continuous automated red teaming (CART) is a game changer
Red teaming is a core driver of resilience, but it can also pose serious challenges to security teams. Two of the biggest challenges are the cost and length of time it takes to conduct a red-team exercise. This means that, at a typical organization, red-team engagements tend to happen periodically at best, which only provides insight into your organization’s cybersecurity at one point in time. The problem is that your security posture might be strong at the time of testing, but it may not remain that way.
Conducting continuous, automated testing in real-time is the only way to truly understand your organization from an attacker’s perspective.
How IBM Security® Randori is making automated red teaming more accessible
IBM Security® Randori offers a CART solution called Randori Attack Targeted. With this software, organizations can continuously assess their security posture like an in-house red team would. This allows companies to test their defenses accurately, proactively and, most importantly, on an ongoing basis to build resiliency and see what’s working and what isn’t.
IBM Security® Randori Attack Targeted is designed to work with or without an existing in-house red team. Backed by some of the world’s leading offensive security experts, Randori Attack Targeted gives security leaders a way to gain visibility into how their defenses are performing, enabling even mid-sized organizations to secure enterprise-level security.