Over the last few weeks, Safe-T has provided a basic introduction to the tools and operating systems that you’ll use as a member or leader of a red team. Now, let’s contextualize them – how would you use these tools in the context of an actual security exercise?
Performing a security exercise isn’t just about the tools you’ll use. There’s also scope and technique to consider, as well as safety. You don’t want your attack to succeed too well and end up deleting real data or disrupting customer experiences, after all.
For this article, let’s pretend it’s your first red team test. How can you prepare yourself so that you, your team, and your company experience the best results?
Design a Red Team Exercise Like a Game, and You’ll Win
First of all, pat yourselves on the back. By conducting any kind of security testing at all, you’ve placed yourself in rarefied company. Only 25% of organizations perform any kind of proactive security testing. By simply committing to a test, you are de facto one of the most secure companies around.
With that said, a red team exercise is more than a security audit, and it’s more than a simple vulnerability scan. It’s a full-fledged simulation of an attack on your company. That means you need to set up rules that make your attack as realistic as possible. Here are some do’s and don’ts.
DON’T Let Defenders Over-Prepare
If you give the defending blue team too much information, they’ll begin to prepare for your attack in ways that don’t reflect your real-world preparedness. The blue team should have little warning of the exercise. Attackers don’t operate on a schedule, and neither should you. If you’re planning a realistic red team exercise, the most information you should provide the blue team is “the exercise will take place during the week of January 7th.” Ideally, your organization should be as secure at 3:00 AM on a weekday as it is at noon on Monday.
DO Use Every Means at Your Disposal
Real-world attackers will be clever, creative, and dedicated when it comes to attacking your organization – so your red team should be free to act in similar ways. For example, up to 30% of cyberattacks are accomplished with the help of insider threats. So, if you find that Metasploit wasn’t able to find a vulnerable endpoint, it should still be perfectly in-bounds for you to send a phishing email to a co-worker and see if you can social-engineer their password from them.
DON’T Start by Attacking Production Environments
This should go without saying, but it’s probably in your best interest not to try to mess with the production environment as part of a red team exercise. The red team and the blue team should begin by defining a clear goal – say a set of dummy information, a sandbox, or a well-defended test environment – as the target for the red team. This lets the red team get the most out of the experience without the risk of ruining someone else’s day.
DO Make Life Easier for Your Blue Team – By Using Safe-T
It wouldn’t be a red team exercise without a bit of challenge. Safe-T makes life easier for blue teams – and security teams at large – by adding strong authentication across your entire environment and including innovations such as zero trust networks. These features mitigate several aspects of commonly-used penetration tools, meaning that your red team will need to be that much more creative during their next exercise. For more information, contact Safe-T today!