Strengthening Cybersecurity With Red Team Engagements

Author: Vimal Mani, CISA, CISM, Six Sigma Black Belt
Date Published: 13 January 2022

These days, cyberadversaries are coming up with different kinds of capabilities and objectives behind each of their new cyberattacks, which has forced organizations to do a deeper, more introspective evaluation of their existing cyberdefense mechanisms. The SolarWinds attack is an example of the kind of targeted attack that can affect hundreds of enterprises worldwide.1 Red, blue and purple teams are often used for strengthening the cyberdefense mechanisms of organizations against these advanced attacks.2 In particular, red team exercises are a useful method of gauging the effectiveness of a variety of cybersecurity controls.

What Are Red, Blue and Purple Teams?

Red teams consist of consultants and team members who wear the hats of adversaries and try to emulate real-life cyberattack scenarios on client organizations based on mutual agreements.

An organization’s in-house IT security and security operations center (SOC) team members who defend against cyberattacks are considered blue team members. Blue team members need to ensure that the organization’s critical information assets are secured against the various kinds of targeted attacks that may be launched by adversaries, and by the red team members who mimic those adversaries.

A purple team is a team of cybersecurity professionals playing the roles of both the red team and blue team in an ongoing and integrated manner to provide reliable cyberassurance to organizations that employ them. As a red team, they collect the intelligence on tactics, techniques and procedures (TTPs) used by adversaries. Then, as a blue team, they analyze the TTPs and configure, tune and improve the incident detection and response capability of the organizations who employ them.

Setting Up a Rainbow Team

Enterprises should consider setting up a cybersecurity team staffed by red, blue and purple team members who work together to improve the enterprise’s cyberresilience capabilities using their offensive, defensive and mixed cybersecurity skills. In addition to red, blue and purple teams, global enterprises have introduced the concept of yellow, orange, green, black and white teams, all of which work together using their respective skills and capabilities to strengthen the enterprise’s cyberresilience; these are called rainbow teams.3 Each team’s role is outlined here:

  • Red team—Members launch well-planned and well-designed cyberattacks against the organization; these attacks are monitored and managed by the blue team.
  • Blue team—Members monitor, detect and react to cyberthreats.
  • Purple team (red team and blue team)—Members have offensive testing capabilities and the ability to respond to various cyberthreats. They cooperate with the blue team to improve the enterprise’s cybersecurity posture.
  • Yellow team—Members work on designing, building and putting into production all security-tested systems. They fix the vulnerabilities unearthed by the red team.
  • Orange team (red team and yellow team)—Members train the yellow team on the TTPs used by hackers and help them design, build and put into production all security-tested systems.
  • Green team (blue team and yellow team)—Members integrate security principles early in the system development life cycle, facilitate the integration of new systems within the threat detection and prevention program, and advance the knowledge of the blue team.
  • Black team—Members provide updated cyberthreat intelligence collected from various sources to all the teams engaged in security testing and threat prevention activities.
  • White team—Members orchestrate the whole cybersecurity testing process, including establishing rules of engagement (ROE) and defining the security testing methodology to be used by all teams with a focus on achieving compliance. This team drives the strategy and governance related to the work of the other teams.

What Is a Red Team Exercise?

A red team exercise is a formally approved, planned, risk-managed and objective-driven cybersecurity assessment that simulates targeted attacks against an enterprise, with the goal of overpowering its existing cybersecurity controls and penetrating its IT network. Red team exercises use the same TTPs employed by real-life adversaries such as hackers. The outcome of these exercises can help an enterprise measure its cyberresilience and its ability to defend against a variety of cyberattacks. The objective of a red team exercise is not just to identify vulnerabilities that can be exploited, but to actually exploit those vulnerabilities and showcase the failure of the enterprise’s cybersecurity controls. Figure 1 depicts the desired layers of cybersecurity controls in an enterprise.

Penetration Testing vs. Red Teaming

In addition to red teaming, enterprises may conduct a variety of other security assessments, such as vulnerability analysis and penetration testing (pen testing). The objective of vulnerability analysis is to identify potential vulnerabilities in a targeted system. Automated tools are available for this type of analysis. The objective of pen testing is to find and exploit vulnerabilities in a targeted system. The objective of a red team assessment is to test the enterprise’s incident detection and response capabilities. Figure 2 depicts the major differences between red teaming and conventional pen testing.

Planning and Delivering a Red Team Exercise

Red team exercises can be planned and delivered based on the cyber kill chain.4 Figure 3 depicts an example of the various phases of a cyberattack on Society for Worldwide Interbank Financial Telecommunication (SWIFT) infrastructure driven by this cyber kill chain framework.

To plan and deliver red team engagements in an effective manner, enterprises should consult best practices; several guidelines and frameworks are available.5, 6, 7, 8 Most global enterprises hire specialist service providers to carry out red team exercises; some do it internally, which may not achieve the desired results. Hence, it is advisable to hire an independent third-party security consultant to plan and execute the three phases of red teaming:

  1. Establishing the scope of the exercise and the ROE
  2. Executing the exercise
  3. Reporting

Scope and ROE

The third-party consultant, along with the client, defines the attack scenarios to be considered and the ROE. As an example, figure 4 uses the COVID-19 pandemic and the business disruptions it created to outline the scenarios for a red team exercise specific to the banking sector.

Next, the client and the consultant need to discuss and agree on the ROE. These rules define the agreed-on targets and how they will be attacked, the boundaries of the exercise and the processes that must be followed, the permissions required to carry out the engagement, and the legal responsibility in the event of unexpected system outages, business disruptions or financial losses resulting from team members’ negligence. The ROE document must be signed by representatives of both the client enterprise and the third-party consultant, and it should be preserved in a secure manner for future reference. The ROE must be established before initiating the red team exercise, as it helps an enterprise determine the acceptable level of risk that may be introduced during the exercise. In addition, the ROE should answer the following critical questions:

  • What are the objectives of the exercise?
  • What is the scope of the exercise?
  • How long will the exercise be conducted to achieve the desired results?
  • What are the desired results of the exercise?
  • Who is responsible if any business disruptions occur due to the execution of the exercise?
  • Who will play the roles of the blue and purple teams in the incident response process?

Execution

After finalizing the attack scenarios and ROE, execution of the engagement can begin. The exercise is carried out in the following stages:

  • Information gathering and weapons development—The red team gathers critical information such as IP addresses, domains, details about the network infrastructure and email addresses through open-source intelligence (OSINT) gathering and other means. Based on the intelligence gathered, the team develops attack weapons such as malware and supporting exploits.
  • Launch of the attack—The red team accesses and infects the enterprise’s information systems by breaking the physical perimeter and gaining physical access, by tricking employees into installing malware via phishing attacks, or by exploiting a vulnerability in the network perimeter (e.g., a vulnerable web server).
  • Foothold and persistence—The infected information systems connect back to a command and control server set up by the red team, giving the team persistent remote access to the enterprise environment.
  • Lateral movement and privilege escalation—The red team gains further control over the infected information systems and extends its access to additional systems and higher privilege levels.
  • Achievement of objectives—The red team executes preestablished objectives, such as data exfiltration, without disturbing ongoing business operations.

Reporting

At the end of the red team exercise, a detailed assessment of the enterprise’s cybersecurity posture and cyberresilience is issued. The report should include details such as:

  • Scope of the red team engagement
  • Executed scenarios
  • How, when and where each attack scenario was conducted
  • Explanation of the cyber kill chain methodology adopted and TTPs executed
  • Timeline of activities performed
  • Tools or software used
  • Exploited vulnerabilities
  • Infected systems
  • Data exfiltrated
  • Recommendations for improvements
  • Overall conclusion about the enterprise’s cyberresilience
  • Detailed conclusions about each attack scenario performed
  • Conclusions regarding critical information assets or functions

Improvement of Cyberresilience

Red team exercises need to be conducted periodically to help enterprises ensure that their rainbow teams are ready to defend against and respond to dynamically emerging cyberattacks. Most red team assessments identify a number of weaknesses in the design and implementation of a variety of cybersecurity controls. Based on the findings reported by red teams, rainbow team members should discuss countermeasures to mitigate these weaknesses. Having the support of senior management is critical, and the outcome of the red team assessment should be reviewed and discussed by technology and management teams to identify areas that need improvement. In general, red team assessments help enterprises:

  • Identify exploitable IT systems and facilities
  • Identify techniques used by hackers to compromise security controls
  • Identify gaps in existing security controls that can be compromised by adversaries
  • Assess the effectiveness of the enterprise’s incident response and management capabilities
  • Identify the cyberrisk to critical business information assets and their susceptibility to attack
  • Assess the enterprise’s ability to detect, respond to and prevent attacks from sophisticated advanced persistent threat (APT) groups9
  • Improve blue teams’ capabilities and function with more effective monitoring, prevention and detection mechanisms

Conclusion

Periodically carrying out red team exercises enables enterprises to assess their ability to defend against newly emerging cyberattacks. Given the increased number of staff working remotely due to the COVID-19 pandemic, it is more important than ever that enterprises protect their information and communications technology (ICT) supply chains and network architecture from cyberattacks. Red teaming helps identify potential gaps and weaknesses before adversaries can exploit them. Performing a red team exercise once per year can be highly beneficial, especially if it is well aligned with the enterprise’s overall cybersecurity program and risk posture. Cybersecurity leaders should leverage the collective experience and capabilities of their rainbow team members and, on an ongoing basis, identify and implement the TTPs and training required to improve those capabilities. The result will be greater improvements in the enterprise’s cybersecurity posture.

Endnotes

1 Tung, L.; “SolarWinds Attack Hit 100 Companies and Took Months of Planning, Says White House,” ZDNet, 18 February 2021, https://www.zdnet.com/article/solarwinds-attack-hit-100-companies-and-took-months-of-planning-says-white-house/
2 CISOMAG, “Bolstering Cybersecurity Posture With Red, Blue and Purple Teams,” 9 July 2020, https://cisomag.eccouncil.org/red-blue-purple-teams/
3 Gill, A.; “WTF Is Rainbow Teaming?” ZeroSec, https://blog.zsec.uk/colouredteams/
4 Lockheed Martin, “The Cyber Kill Chain,” https://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html
5 Association of Banks in Singapore (ABS), “Red Team: Adversarial Attack Simulation Exercises: Guidelines for the Financial Industry in Singapore,” November 2018, https://abs.org.sg/docs/library/abs-red-team-adversarial-attack-simulation-exercises-guidelines-v1-06766a69f299c69658b7dff00006ed795.pdf
6 Saudi Arabian Monetary Agency (SAMA), “Financial Entities Ethical Red-Teaming,” May 2019, https://www.sama.gov.sa/ar-sa/Laws/BankingRules/Financial_Entities_Ethical_Red_Teaming_Framework-AR.pdf
7 European Central Bank, “What Is TIBER-EU?” https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/html/index.en.html
8 CREST, “CBEST,” https://www.crest-approved.org/schemes/cbest/index.html
9 MITRE ATT&CK, “Groups,” https://attack.mitre.org/groups/

Vimal Mani | CISA, CISM, SIX SIGMA BLACK BELT

Is the head of the information security department at Bank of Sharjah. He is responsible for the bank’s end-to-end cybersecurity program, coordinating cybersecurity efforts within the banking operations spread across the Middle East. Mani is also responsible for coordinating bankwide cybersecurity strategy and standards; leading periodic security risk assessment efforts, incident investigations and resolution; and coordinating the bank’s security awareness and training programs. He is an active member of the ISACA® Dubai (UAE) Chapter. He can be reached at vimal.consultant@gmail.com.