What is red teaming?

7 November 2024

5 min read

Authors

Evan Anderson

Chief Offensive Strategist, Randori, an IBM Company

Matthew Kosinski

Enterprise Technology Writer

Red teaming is a process for testing cybersecurity effectiveness where ethical hackers conduct a simulated and nondestructive cyberattack. The simulated attack helps an organization identify vulnerabilities in its system and make targeted improvements to security operations.

Today, cyberattacks move faster than ever. According to the IBM X-Force Threat Intelligence Index, the time it takes to execute ransomware attacks has dropped by 94% over the last few years, from 68 days in 2019 to less than four days in 2023.

Red team operations give organizations a way to proactively uncover, understand and fix security risks before threat actors can exploit them. Red teams adopt an adversarial lens, which can help them identify the security vulnerabilities that real attackers are most likely to exploit.

The proactive, adversarial approach of red teaming allows security teams to strengthen security systems and protect sensitive data even in the face of heightened cyberthreats.

How are red teaming tests conducted?

Red teaming work is a type of ethical hacking in which security experts emulate the tactics, techniques and procedures (TTPs) of real attackers.

Ethical hackers have the same skills and use the same tools as malicious hackers, but their goal is to improve network security. Red team members and other ethical hackers follow a strict code of conduct. They get permission from organizations before hacking them, and they don’t do any real harm to a network or its users.

Instead, red teams use attack simulations to understand how malicious hackers can cause real damage to a system. During a red teaming exercise, the red team members behave as if they are real-world adversaries. They leverage various hacking methodologies, threat emulation tools and other tactics to mimic sophisticated attackers and advanced persistent threats.

These simulated attacks help determine how well an organization’s risk management systems—people, processes and technologies—might resist and respond to different types of cyberattacks.

Red team exercises are usually time-bound. A test might last anywhere from a few weeks to a month or more. Each test typically begins with research of the target system, including public information, open-source intelligence and active reconnaissance.

Next, the red team launches simulated attacks against various points in the system’s attack surface, exploring different attack vectors. Common targets include:

During these simulated attacks, red teams often face off against blue teams, who act as the system’s defenders. The red teams try to get around the blue team’s defenses, noting how they do so. The red team also records any vulnerabilities that it finds and what it can do with them. 

Red teaming exercises end with a final readout, where the red team meets with the IT and security teams to share its findings and make recommendations on vulnerability remediation.

Tools and techniques in red teaming engagements

Red team activities employ the same tools and techniques used by real-world attackers to probe an organization’s security measures.

Some common red teaming tools and techniques include:

  • Social engineering: Uses tactics such as phishing, smishing, vishing, spear phishing and whale phishing to obtain sensitive information or gain access to corporate systems from unsuspecting employees.

  • Physical security testing: Tests of an organization’s physical security controls, including surveillance systems and alarms.

  • Application penetration testing: Tests web apps to find security issues that arise from coding errors, such as SQL injection vulnerabilities.

  • Network sniffing: Monitors network traffic for information about an IT system such as configuration details and user credentials.

  • Tainting shared content: Adds content onto a network drive or another shared storage location that contains malware or other dangerous code. When opened by an unsuspecting user, the malicious code runs, enabling the attacker to move laterally.

  • Brute forcing credentials: Systematically guesses passwords by trying credentials from previous breaches, testing lists of commonly used passwords or by using automated scripts.

Continuous automated red teaming (CART) 

Red teaming can help strengthen organizational security posture and promote resilience, but it can also pose serious challenges to security teams. Two of the biggest challenges are the cost and length of time that it takes to conduct a red team exercise.

At a typical organization, red team engagements tend to happen periodically at best, which only provides insight into an organization’s cybersecurity at one point in time. The problem is that the business’s security posture might be strong at the time of testing, but it might not remain that way.

Continuous automated red teaming (CART) solutions enable organizations to continuously assess security posture in real time. CART solutions use automation to discover assets, prioritize vulnerabilities and conduct attacks using tools and exploits developed and maintained by industry experts.

By automating much of the process, CART can make red teaming more accessible and free up security professionals to focus on interesting and novel testing.

Benefits of red teaming

Red teaming exercises help organizations get an attacker’s perspective on their systems. This perspective enables the organization to see how well its defenses would withstand a real-world cyberattack.

A simulated attack pits security controls, solutions and even personnel against a dedicated but nondestructive adversary to determine what is—or isn't—working. Red teaming can give security leaders a true-to-life assessment of how secure their organization is.

Red teaming can help an organization:

  • Identify and assess vulnerabilities in both the attack surface—points where a system might be penetrated—and attack paths—the steps that might be followed as an attack commences.

  • Evaluate how current security investments—including threat detection, prevention and response capabilities—perform against real-world threats.

  • Identify and prepare for previously unknown or unexpected security risks.

  • Prioritize improvements to security systems.

Red teams vs. blue teams vs. purple teams

Red teams, blue teams and purple teams work together to improve IT security. Red teams conduct mock attacks, blue teams take on a defensive role and purple teams facilitate collaboration between the two. 

Red teams

Red teams are made up of security professionals who test an organization’s security by mimicking the tools and techniques used by real-world attackers.

The red team attempts to bypass the blue team’s defenses while avoiding detection. The team’s goal is to understand how a data breach or other malicious action might succeed against a particular system.

Blue teams

Blue teams are the internal IT security teams that defend an organization’s system and sensitive data from attackers, including red teamers.

Blue teams are constantly working to improve their organization’s cybersecurity. Their everyday tasks include monitoring systems for signs of intrusion, investigating alerts and conducting incident response.

Purple teams

Purple teams are not separate teams, but rather a cooperative sharing process that exists between red teamers and blue teamers.

Both red team and blue team members work to improve the organization’s security. The role of the purple team is to encourage efficient communication and collaboration between the two teams and with stakeholders.

The purple team often proposes mitigation strategies and helps enable the continuous improvement of both teams and the organization’s cybersecurity.

Penetration testing vs. red teaming

Red teaming and penetration testing—also called "pen testing"—are distinct but overlapping methods of evaluating system security. 

Similar to red teaming, penetration tests use hacking techniques to identify exploitable vulnerabilities in a system. The key difference is that red-teaming is more scenario-based.

Red-team exercises often occur within a specific time frame, and they often pit an offensive red team against a defensive blue team. The goal is to emulate the behavior of a real-world adversary.

Pen tests are more akin to a traditional security assessment. Pen testers use different hacking techniques against a system or asset to see which ones work and which ones don’t.

Pen tests can help organizations identify potentially exploitable vulnerabilities in a system. Red teaming can help organizations understand how their systems—including defense measures and security controls—perform in the context of real-world cyberattacks.

It is worth noting that pen tests and red teaming are just two of the ways that ethical hackers can help improve organizational security posture. Ethical hackers might also conduct vulnerability assessments, malware analysis and other information security services.
