The term Red Team, as both a noun and a verb, carries the connotation of a specific kind of realistic, in-depth, and holistic offensive security exercise. For all but a handful of government agencies and private security companies, it is nothing more than marketing tripe.
Like many other security concepts, the terms Red Team and Red Cell originated in the military. Early Red Team exercises assumed a fully militarized threat and were mostly held as table-top simulations over the course of several scripted meetings. While live Red Cells (what we now call penetration testing) were occasionally used to actively test defenses, the testing team's involvement was sporadic at best. Engaging third-party assessment teams for Red Teaming was completely unheard of until the practice was adopted by private enterprise.
Red Teaming evolved quickly as the concept spread to commercial entities. Organizations whose employees at home and abroad faced genuine threats to their privacy and well-being saw a way to improve on how military planners tested the theoretical strength of their defenses. Without an ocean of public funds to spend on materials and many long meetings, civilian security leaders looked for ways to make the Red Team concept more realistic, shorter in length, and more valuable in general.
Red Teaming is a Condensed Event
A Red Team event is much more than the sum of a collection of neatly packaged professional service components and a software-generated report. It is a thoroughly researched, bespoke exercise conducted in real time by a small team of experts against an open set of targets: cyber/digital systems, humans, and physical security. If any one of these targets is not in scope, it is not a Red Team engagement.
During an active event, the Red Team systematically attacks the organization in its assigned adversary role (Organized Crime or State Actor). Beyond abusing stolen keyrings, shoulder surfing for passwords, and defeating physical security controls, a Red Team may decide to "abduct" an executive, physically travel to facilities abroad to steal encryption keys, or leverage previously unknown "zero-day" vulnerabilities in technical systems.
Red Team Members are Experts in Their Chosen Discipline
A Red Team event is a poor choice for on-the-job training. Its ultimate purpose is to closely simulate an attack by a criminal syndicate or hostile state actor. Any attacker capable of mounting the sort of operation mirrored by Red Teaming will be above the technical level of even most senior consultants at most service firms. Including junior resources on a Red Team not only weakens the realism of the event, but also drives up the cost to the client through a bloated team roster and extra project management time.
Red Team members must be able to dream up novel attacks, executed with ruthless efficiency, that existing security controls have not anticipated. Zero-day exploits, custom hardware devices, and even physical entry tools are only a few examples of the Bond-like gear routinely produced by competent Red Teams. A pile of junior resources using commercial tools, directed by a single senior resource, will simply never yield Red Team results.
True Red Teaming is Rare
Most people, even those in the security industry, will never be part of a true Red Team event. Moreover, most private companies will never need to stage one. Even entities that can benefit from Red Teaming will take years between events to digest the findings and make the fundamental changes necessary to remediate the kind of vulnerabilities this sort of activity exposes.
The few organizations that could benefit from Red Teaming may still have a hard time extracting the full potential value from the report. A Red Team event can be enormously expensive and frequently yields findings that point to deep, fundamental security miscalculations. Without adequate security leadership, a vulnerability management structure, and an appetite for organizational change, a Red Team report will sit buried on a few executives' hard drives for all eternity. Even with all of those support pieces in place, a corporate culture that views security as IT-centric, or that lacks organizational accountability structures, will not fully remediate the vulnerabilities laid bare in its million-dollar report.
Red Teaming is Best Done In-House
Any organization that needs a Red Team event also needs its own three-to-five-member Red Team. This gives it more flexibility over schedule and scope, and produces an especially devastating attack process from a team that needs no in-depth briefing on the environment or the teams it will be interfacing with. During normal operating periods, this team can be tasked with performing rolling penetration tests of specific, granular targets, working closely with the Blue Team, helping guide security training for the company, and responding to other very real concerns.
Author: Nick Jeswald, Director of Corporate Development, Red Mesa