Modern organisations are primarily focused on managing complexity introduced by digital transformation as well as data privacy and compliance requirements. Along with an expanding digital attack surface and the rise in a work-from-anywhere labour force, it’s clear that there’s been a crisis of perception amongst security teams. One factor has become overlooked: the growing sophistication of threat actors and how to stay one step ahead.
What is red teaming?
A red or purple team engagement simulates a cyberattack against a business’ security controls, wherein the red team uses the front-line intelligence from Incident Response engagements, thus creating relevant and realistic threat actor scenarios.
This carefully planned, expertly executed, and tightly controlled simulation of a real-world cyberattack on an organisation’s environment is designed to identify weaknesses in a business’ cybersecurity posture. The intelligence obtained from this exercise has proven to be exceptionally valuable in improving security teams’ cyber defences, thereby making it difficult for real-life threat actors to break through defences and cause harm. Furthermore, IBM’s Cost of a Data Breach Report 2022 found that red team testing reduced the average total cost by USD $204,375.
Stages of red teaming
Executing a red team attack starts with threat intelligence. This includes identifying the “crown jewels”, which MITRE defined as “those cyber assets that are most critical to the accomplishment of an organisation’s mission.” In addition, the points of interest in an organisation’s environment need to be identified, as well as the actions, objectives, and scope of the engagement. This makes the planning phase of a red teaming engagement crucial for its success.
Using the most relevant parts of the European TIBER framework, we have come up with the following three stages of red teaming:
1) Preparation
This includes defining the learning goals and flags and creating relevant threat actor scenarios for the red team. Also part of the preparation phase is the creation and signing of the legal framework, including the rules of engagement, detailing what can and cannot be done during the simulated attack.
2) Red teaming (testing)
Throughout this phase, the red team executes the scenarios defined in the previous stage. In this stage the goal is to reach the crown jewels and stay undetected. They can also identify additional vulnerabilities to target during this phase.
3) Closure
After the completion of the attack, the red team reports on their modus operandi and provides recommendations the organisation can act on to improve its security posture. A meeting will be held to go over the results and discuss the findings.
Red team threat landscape report
Creating a threat landscape report has been described as an essential portion of the red teaming exercise, as it demonstrates why threat intelligence plays such an important role in what makes this engagement a success.
Every organisation has a unique set of critical functions. They place their focus on different markets, they have different objectives, and most importantly, they attract different cybercriminal groups. This makes it futile to just employ a copy-and-paste red-teaming factory line.
The threat landscape report consists of multiple chapters, including a business overview, a digital footprint, threat intelligence, threat modelling, and tactics, techniques, and procedures (TTPs). A holistic view of these chapters leads to proposed scenarios used within the red teaming exercise.
Business overview
This step begins with defining the critical functions of the organisation, analysing the business’ processes and systems. For example, the critical functions of a financial institution will most likely be transaction processing, customer data, and e-commerce. This will give insight into the cyber assets most critical to this organisation.
Digital footprint
Through incident response we have noticed that exposed services are, next to phishing, a major entry vector, which is why reporting on the digital footprint of the organisation is an important part of the threat landscape report. Odds are that during this phase we can find forgotten but exposed services that we can exploit.
Threat intelligence
Utilising knowledge and prior threat research, it is possible to map out the type of cyber threats related to this organisation.
Threat modelling
Based on threat intelligence, this modelling identifies the most common threat actor groups to decipher how relevant they are to the organisation. Groups are scored based on motivation, sophistication capability, and intent.
TTPs
Based on the relevance of the digital footprint, threat intelligence, and threat modelling, the red team can form TTPs. For example, a financial organisation can be at high risk of being targeted by the Lazarus Group. This is based on Lazarus’ high level of capability, intent, and motivation when it comes to this industry. Therefore, it would make the most sense to create a red team scenario based on a simulated Lazarus attack.
The “preparation” stage gives red teams a shared consensus of the learning goals, opening the door for the “red teaming” and “closure” phases to be executed and enabling organisations to better understand, assess, and mitigate cyber risk across their environment.
Next steps
Identifying your digital attack surface is only the first step toward cyber resilience. However, limited visibility due to disparate point products can lead to security gaps. To break down siloes and enable the red team, consider a unified cybersecurity platform with broad third-party integrations.
With comprehensive visibility, a cybersecurity platform discovers the ever-changing attack surface, enabling security teams to understand and prioritise vulnerabilities, detect and rapidly respond to threats, and apply the right security at the right time to mitigate risk. Look for a vendor supported by unparalleled threat and vulnerability insights from a global threat intelligence team to ensure security evolves with the changing threat landscape.