Red Teaming Explained: Simulating Real-World Threats for Stronger Cyber Security
Red teaming exercises are full-scope, objective-oriented cyber security exercises that aim to simulate a real-world threat against an organisation’s cyber security without forewarning. The assessment is conducted by a ‘red team’ of qualified and authorised ethical hackers who use a wide set of tools, tactics and procedures that could be used in a real physical or digital attack, with their approach typically adapted to the specific environment they are attempting to breach.
The objective of a red team test is to test the cyber security posture of an organisation, testing their ability to identify, protect, detect, respond and recover from cyber-attacks and advanced persistent threats (APTs). Following the conclusion of the test, the red team will provide the organisation with insights on potential vulnerabilities and weaknesses as well as support on how to address them. These exercises are often engaged through a provider of red team services.
How is Red Teaming Conducted?
There are a number of different components to a red team exercise, designed with the intent of both providing a realistic simulation of a cyber-attack and ensuring that there are valuable insights gained through the test.
Real-world exercise: Specific attention is taken to ensure red team tests look and feel like a genuine cyber-attack. To this extent, details of when and where the attack will commence, as well as the offensive tactics the red team will use, are not revealed to the business being assessed. This emulates as closely as possible the occurrence of a real attack. The actions of the red team are countered by the internal security of the business, labelled within the exercise as the ‘blue team’.
Full-scope tactics: The red team is not limited in the tools, tactics, or scope of the attack, and will usually be given preparation time in which they can research and probe the defences of the organisation to discover potential vulnerabilities and avenues of attack. With no limitation to scope or methodology, the exercise can reveal as many potential weaknesses in the organisation’s cyber security posture as possible – from blind spots in detection to slow response times. Although this full set of tools is used, it is used by trained and authorised security experts who operate ethically.
No time limits: As with scope, there is no set time limitation on the exercise. This gives both red and blue teams the opportunity to attack and defend as if it were a real, ongoing attack. However, the exercise is often moderated by a neutral party.
Focus on insights: Once the exercise has concluded, a joint meeting between the red and blue teams, as well as security leaders from the business, is held to discuss the exercise and the vulnerabilities and weaknesses that were discovered, allowing for the business’ cyber security posture to be improved.
What are the Different Phases of a Red Team Test?
Red team tests take place in set phases, with certain activities taking place within each phase. Due to the nature of the test, these stages are not announced or shared between the red and blue teams but instead mark an evolution of the exercise from beginning to end.
Reconnaissance and Information Gathering
This first phase of the exercise is conducted solely by the red team, who carry out extensive research into the target organisation. Initial probing and information gathering is performed, primarily through open-source information sources such as public records, the company website, technical scans, and even the social media of the business or key employees.
The aim of this phase is to identify potential vulnerabilities and security gaps that could be used as entry points. This phase typically takes 1-4 weeks, although it can take longer if the organisation is of significant size. Activities conducted here usually have a very low chance of detection.
Vulnerability Testing and Leveraging
Next, the red team begins to identify and test the potential vulnerabilities found during the reconnaissance stage, with the aim of finding a vulnerability they can viably exploit – vulnerabilities with greater potential for exploitation and impact are prioritised. Tests such as network scans, misconfiguration testing, and social engineering feasibility assessments are conducted. This phase is usually shorter in duration, taking 1-3 weeks, but can take longer if a viable vulnerability is not found. Once again, the chance of detection by the blue team remains low.
Exploitation
With concrete vulnerabilities identified, the red team then attempts to exploit them to gain unauthorised access to the organisation’s systems, physical premises, or sensitive information that can be further exploited. Exploitation could involve technical exploits, social engineering, or actual physical security breaches. This phase lasts 1-2 weeks and is often more intense than the previous stages as the red team seeks viable paths to exploit. Due to the nature of these activities, the chance of detection is higher. The phase concludes once access has been achieved – if it is not, the red team returns to the previous stage.
Access and Escalation
With a confirmed route of access gained through exploitation, the red team now begins accessing the network or physical components of the business. The red team’s focus is to gain and establish persistent, long-term access that they could feasibly use to escalate privileges more broadly within the organisation. The ultimate goal is to gain as comprehensive access as possible without detection – this typically takes 1-4 weeks, with the duration shortened if the red team is detected by the blue team.
Exercise Completion and Review
After the exercise concludes, either through complete access being gained or by detection and prevention by the blue team, all actors then conduct a review of the exercise. The red team presents their findings including the vulnerabilities and weaknesses they exploited within the test. Collaborative sessions are then held to discuss the results and determine actionable recommendations to improve the business’ cyber security posture.
What Tools, Tactics and Procedures are Used by Red Teams?
The red team can use a full complement of TTPs (tools, tactics and procedures) to best emulate a real-world cyber-attack. These span both digital and physical infiltration techniques, including:
- Social Engineering Attacks – Attempts to manipulate or deceive individuals into granting access or revealing sensitive information. Examples include phishing and impersonation.
- Custom Hardware – Specially designed hardware that can help attackers gain access to systems or premises, including network implant devices, RF and wireless attack tools, or items that allow physical access bypass.
- Physical Facility Exploitation – Physical infiltration of the premises of the business, specifically restricted areas that may allow access to hardware, systems or information.
- Web Application Exploitation – Exploiting vulnerabilities within web-based applications to gain access or compromise systems. Examples include SQL injection.
- Custom Malware – Custom-designed malware can be used for a multitude of purposes throughout the testing stage, from helping to provide systems access to privilege escalation or exfiltration.
- Wireless Network Exploitation – Gaining access to devices, networks or data through attacks on a wireless network.
- Infrastructure Exploitation – Gaining access to an organisation’s cloud infrastructure to compromise cloud-stored assets or systems.
Why and When Should Organisations Use Red Team Exercises?
Organisations should carry out red team exercises if they need a comprehensive testing solution to not only test their security systems but assess their cyber security posture as a whole.
As an emulation of a real-world attack, a red team exercise tests and assesses an organisation’s entire cyber security function, including its foundations and resilience, from initial defences to response time. It provides the most complete test of their cyber security possible. These exercises should therefore only be undertaken when the organisation possesses a mature and complete cyber security function with complete red team readiness. If initial testing is required, this is better conducted through vulnerability scans or penetration tests. Red team exercises can also be used as a means to gain specific cyber security certifications.
The Benefits of Red Teaming
There are a number of specific benefits to conducting red teaming exercises for the organisation and its cyber security posture:
- The internal security team gains a comprehensive awareness of any potential vulnerabilities and weaknesses across their entire attack surface, both digitally and physically, as well as how exploitable these vulnerabilities are. This can be used to implement fixes and improvements or conduct training.
- Business stakeholders learn which elements of their cyber security posture can or need to be improved on. Whether it is threat identification, system protection, attack detection, or how the internal team responds and recovers from attacks, they can assign appropriate resources to improve the relevant facet of their posture.
- When used to gain cyber security accreditations, red team exercises can also have the added benefit of improving business reputation and trust from their customers.
Red, Blue and Purple Teams
While the exercise is known as ‘red teaming’, there are usually at least two active teams working within the test.
What are Blue Teams?
The ‘blue team’ is the internal security team defending the organisation. They are tasked with detecting and responding to the attack as they would with a regular cyber-attack and often, for the purposes of testing their capability, they will not be fully aware or informed that the attack is an emulated one.
What are Purple Teams?
Some tests involve a ‘purple team’ whose objective is to form a connective bridge between the red and blue teams for a more collaborative exercise that focuses on mutual improvement. The purple team acts as part-adjudicator, part-collaborator, communicating with both teams to share applicable insights and accelerate learning while the exercise is still taking place.
The Difference Between Red Teaming and Penetration Testing
The difference between red teaming and penetration testing is, primarily, the objective of each exercise. While red teaming aims to provide a complete assessment of a cyber security posture, penetration testing aims to rigorously test a specific facet of that posture. Penetration testing has a smaller scope, and the focus lies more on rigorous, repeated testing than on emulating an attack.
How Does Red Teaming Help Create a Comprehensive Cyber Security Posture?
Red team exercises are an essential tool for testing and validating the cyber security posture of an organisation. As a simulation of a real attack, the exercise not only tests the resilience elements of a posture – namely their ability to detect, respond and recover from an attack – but also their security foundations. As a means to assess the entirety of their cyber security function, red team tests are essential for determining how effective their posture is and where improvements are needed.
How Can Six Degrees’ Red Teaming Help Improve Your Cyber Security Posture?
Our red teaming services are an effective way to validate that your security posture is strong and that there are no exploitable vulnerabilities or weaknesses in your attack surface.
However, it is best used as part of our complete cyber security posture process to improve your security infrastructure and capabilities as a whole.
Process
Depending on their existing infrastructure and teams, different organisations will have different needs when it comes to their cyber security. At Six Degrees we have a broad range of cyber security services that enable you to assess your security posture and then provide the help you need to secure your organisation from cyber threats and attacks.
Credentials and Partnerships
At Six Degrees we are proud of our red teaming credentials, including our offensive test-based CREST credential and CHECK Assured Service Provider credential from the National Cyber Security Centre. We also hold Specialist Security Threat Protection credentials from Microsoft and are an official sponsor of the Cyber Scheme. We believe we’re one of the most highly accredited providers in the UK. Learn more about our accreditations or about our partnerships.