2022-11-24

The likelihood of getting hacked is steadily increasing regardless of how much money is spent on cybersecurity. The threat landscape evolves constantly: new ransomware and extortion attacks are reported daily, and nation states target personal information and intellectual property for nefarious purposes.

The causes are manifold and complex. IT infrastructures are becoming increasingly complex, and the latest software development programmes introduce new vulnerabilities. Hackers are becoming more sophisticated and better organised, with new APTs (advanced persistent threats) discovered regularly. The situation is made worse by government-sponsored cyber espionage looking for anything that can be used for economic or political advantage.

Most companies and organisations look to solve the problem by purchasing additional security software for specific purposes, but these individual products do not always offer comprehensive protection and can create additional problems: they expand the organisation’s IT estate, create new responsibilities for IT teams and can leave gaps between the solutions. Vulnerabilities, gaps and poor business processes enable cyber criminals to compromise IT infrastructures, and conventional cyber defensive applications cannot cope alone.

Time to think like a hacker

A tried and tested approach is to identify weaknesses and remediate them before they can be exploited. A ‘red team’ is the best way to do this.

Red team is a term derived from military war gaming, intended to emulate an attacker and probe defences. In such war games, the defensive side is called the blue team, whereas purple teaming describes the attempt to align the two groups; that is, to use the methods discovered by the red team to enable the blue team to improve defences.

A red team in cybersecurity tries to breach a company’s security defences to find and demonstrate how real hackers might attack and compromise the organisation. Members of red teams think and act like hackers; they are highly skilled and should be deployed in a focussed way. Very large enterprises sometimes have permanent in-house red teams, but most firms are unable to afford this and do not have dedicated resources.

Purple teaming in cybersecurity is the collaboration of both the red and the blue teams to improve the outcome of the overall engagement. By working together to identify weaknesses, the teams help to build a robust defensive plan, including detection and remediation effort, to improve overall cybersecurity posture.

It is important to note that red teaming goes far beyond the traditional scope of penetration testing (pentesting). Pentesting seeks out known vulnerabilities, while red teaming attempts actual exploitation through predetermined scenarios that test the people, processes and technology, and how well all three components work together. As well as locating exploitable vulnerabilities in the IT infrastructure, a red team exercise often discovers weaknesses in operational procedures.

The purple teaming process is one of the most powerful ways of ensuring effective cybersecurity defence: it delivers a holistic overview of the organisation and has proven many times to be a worthwhile investment.

Examples of red team successes

In the public domain, there are few published examples of red team successes since the results are primarily relevant, and often proprietary, to the organisation/company being tested. Google, however, has provided an illustration of one of its own red team attacks against itself.

The attackers sent a fake gift to employees – a Google-branded plasma globe that could be plugged into a computer. This delivered a system back door, and enough employees were compromised for the attackers to gain access. Through this initial access the red team moved laterally toward their key target: Google Glass blueprints. The red team accessed and downloaded the blueprints to prove their success.[i]

Another example comes from Commissum’s own team. We were asked to target the CEO of a FTSE 100 firm and tasked with stealing data. Our first phishing attempt against staff failed. However, we followed up on the phone, where the red team claimed to be internal security staff trying to check laptops. This attack was successful and the ‘attackers’ gained remote access to laptops. Once inside, a misconfiguration allowed them to take over an administrator account – which then gave them direct access to the CEO’s emails.

An everyday red team scenario

We employ a red team methodology based loosely on Lockheed Martin’s seven-link cyber intrusion kill chain model (another term adapted from military usage).

The model has eight phases: planning, reconnaissance, initial attack, establish foothold, endpoint exploitation, lateral movement, achieving objectives, and reporting. The eighth is often out of scope for a genuine kill chain but is perhaps the most important for a red team exercise to be a success. This comprises a report on the red team operation, allowing the customer and its security team to understand and remediate any weaknesses in security posture before they can be exploited by real adversarial hackers.

For most companies, the best approach to red teaming is to use a readymade team from a specialist provider. This is often the most affordable approach, and red team specialists from a provider bring enormous, accredited experience. Bringing external eyes to the problem will also provide a completely new and unique perspective on a company’s cybersecurity stance and its exploitable weaknesses.