Red Team - Why Pen-testing is not always enough.

Updated: Aug 21

White hat hackers and black hat hackers are always competing in the field of cybersecurity.

As cyber-threats increase, so does the demand for increasingly specialized services that enable businesses to effectively prepare for real-world attacks.

While traditional security engagements such as vulnerability assessments and penetration testing can give a good picture of a company's technical security posture, they may ignore several key areas that an actual attacker could exploit.

In this sense, traditional penetration tests are effective at revealing vulnerabilities so that preventive actions may be taken, but they may not teach you how to respond to an ongoing attack by a determined opponent.

Vulnerability Assessments

A vulnerability assessment is the process of scanning a network for individual hosts so that security deficiencies can be identified and effective security measures can be deployed to protect the network. This is the simplest form of security assessment, and its main objective is to identify as many vulnerabilities in as many systems in the network as possible.

This process may reveal, for example, that a web server has an unpatched vulnerability or that a database server is improperly configured.

As an example, if you were to run a vulnerability assessment over a network, you would normally try to scan as many of the hosts as possible, but you wouldn't actually try to exploit any of the vulnerabilities you found.

Penetration Tests

In addition to checking each host for vulnerabilities, we often need to know how they affect the whole network. Penetration tests go beyond vulnerability assessments because they let the pentester see how an attacker would affect the whole network.

This is done by taking extra steps, such as trying to take advantage of the flaws found on each system. It also lets us see if the vulnerabilities we find can be used to take over a host.

Penetration tests may start by scanning for vulnerabilities, just like a regular vulnerability assessment, but they also show how an attacker can chain vulnerabilities to reach certain goals. They still focus on finding weaknesses and setting up ways to protect the network, but they also look at the network as a whole ecosystem and at how an attacker could benefit from the way its parts work together.

Pentesters scan all the hosts on the network for security holes and try to exploit them to show what an attacker could do to the network. By looking at how an attacker could move around our network, we also get a basic idea of how security measures could be bypassed.

However, a penetration test tells us little about our ability to spot a real threat actor: the scope of a penetration test is usually large, and pentesters don't care much about making a lot of noise or setting off alarms on security devices, because they often have only a short amount of time to check the network.

It's not enough to do regular pen-tests

Even though the traditional security engagements we've talked about cover finding most technical vulnerabilities, there are limits to how well they can prepare a company to deal with a real attacker.

Some of these restrictions are:

  • Time constraints

  • a limited budget

  • non-disruptiveness

  • a heavy focus on IT.

Because of this, some parts of a penetration test might be very different from a real attack, such as:

  • Penetration tests are LOUD: Most of the time, pentesters won't try very hard to stay hidden. Unlike real attackers, they don't mind being easy to spot, because they've been hired to find as many holes as possible in as many hosts as possible.

  • Non-technical attack vectors might be missed: Most of the time, attacks based on social engineering or physical break-ins are not tested.

  • Reduction of security measures: During a regular penetration test, some security features might be turned off or made less strict so that the pentesting team can work faster.

Even though this seems counterintuitive, it is important to remember that pentesters only have a short amount of time to check the network. So it's usually best for them not to waste time looking for obscure ways to bypass IDS/IPS, WAF, intrusion deception, or other security measures. Instead, they should focus on looking for holes in critical technology infrastructure.

On the other hand, real attackers won't follow a code of ethics, and they don't have many limits on what they can do. Advanced Persistent Threats (APT), which are highly skilled groups of attackers who are usually paid for by governments or organized crime groups, are the most dangerous threat actors today. Most of the time, they go after important infrastructure, financial institutions, and government agencies. They are called "persistent" because their activities can go on for a long time without being found on networks that have been hacked.

Red Team Engagement

Red team engagements were designed to shift the focus away from routine penetration tests and into a procedure that allows us to clearly examine our defensive team's ability to identify and respond to a real threat actor. Instead of relying solely on prevention, they emphasize detection and response, which complements traditional penetration testing.

The military uses the phrase "red teaming" to describe this tactic. To evaluate the defense team's reaction time against known enemy strategies, a group would pose as a "red team" in military drills and replicate attack techniques. It's possible to test the effectiveness of our blue team's response to real-world threat actors by simulating their tactics, techniques, and procedures (TTPs) with red teams in cybersecurity. As with all red team engagements, each begins with the establishment of specific objectives, referred to as "crown jewels" or "flags," which might range from the compromise of an important host to the theft of personally identifiable data.

Blue team members aren't told about these activities, to avoid biasing the findings. For the red team, staying hidden and evading security measures like firewalls, antivirus, EDR, IPS, and others is more important than ever. Keep in mind that a red team will not scan all of a network's hosts for vulnerabilities during an engagement.

A true attacker cares only about finding a single path to their desired destination. Their goal would be to compromise the intranet server while communicating with as few hosts as possible, and that is exactly what lets the blue team's ability to notice and respond to the attack really be evaluated. It's vital to keep in mind that such exercises should never be aimed at making the red team "defeat" the blue team, but rather at preparing the blue team so they can handle a real-life threat. Their detection skills can then be improved by adjusting or adding security measures.

In addition, red team engagements make regular penetration tests more effective since they consider a variety of attack surfaces:

  1. Technical Infrastructure: Like a normal penetration test, a red team will try to find technical flaws, but they will put a lot more focus on being stealthy and avoiding detection.

  2. Social Engineering: Tricking people into giving out information that should be kept private, through phishing campaigns, phone calls, or social media.

  3. Physical Intrusion: Getting into restricted areas of a building by picking locks, cloning RFID chips, or finding weaknesses in electronic access control devices.

Depending on the resources available, there are different ways to run the red team exercise:

  1. Full Engagement: Recreate an attacker's entire process, from the first time they break in until they reach their final goals.

  2. Assumed Breach: Assume that the attacker has already taken control of some assets and work from there to reach the goals. For example, the red team could get access to a user's credentials or even a workstation on the internal network.

  3. Tabletop Exercise: A tabletop game where the red and blue teams talk through different scenarios to see how they would respond to different threats in theory. Perfect for situations where it might be hard to run live simulations.

Teams and Functions of an Engagement

A red team engagement involves many different things and people. Every organisation will have its own way of thinking about and referring to the engagement staff, but each engagement can be split into three groups, or "cells." Here is a quick summary of each cell and a short description of what it does.

Definitions are sourced from

Red Cell - A red cell is the component that makes up the offensive portion of a red team engagement that simulates a given target's strategic and tactical responses.

Blue Cell - The blue cell is the opposite side of red. It includes all the components defending a target network. The blue cell is typically comprised of blue team members, defenders, internal staff, and an organisation's management.

White Cell - Serves as referee between red cell activities and blue cell responses during an engagement. Controls the engagement environment/network. Coordinates activities required to achieve engagement goals. Correlates red cell activities with defensive actions. Ensures the engagement is conducted without bias to either side.

These teams or cells can be broken down further into an engagement hierarchy.

Because this post focuses on the red team, we will discuss what they need to do. Detailed roles and responsibilities of the red team members are shown below.

  • Red Team Lead - Plans and organises engagements at a high level; delegates engagement assignments to the assistant lead and operators.

  • Red Team Assistant Lead - Assists the team lead in overseeing engagement operations and operators. Can also assist in writing engagement plans and documentation if needed.

  • Red Team Operator - Executes assignments delegated by team leads. Interprets and analyses engagement plans from team leads.

As is the case with most red team functions, each team and company will have its own structure and roles for each team member. The list above is just an example of what each role usually involves.

Engagement Structure

The red team's main job is to act like the adversary. Although it's not strictly required, the red team usually emulates what a real adversary would do in the environment, using that adversary's tools and methods. The red team can use different cyber kill chains to summarise and evaluate the steps and procedures of an engagement. The blue team often uses cyber kill chains to map an opponent's behaviour and stop them from moving further. The red team can use the same idea to map an adversary's tactics, techniques, and procedures (TTPs) onto the parts of an engagement. Many standards and regulatory bodies have published their own cyber kill chain.

Each kill chain has about the same structure, though some are more detailed or have different goals.

Here are a few examples of common cyber kill chains.

  • Lockheed Martin Cyber Kill Chain

  • Unified Kill Chain

  • Varonis Cyber Kill Chain

  • Active Directory Attack Cycle

  • MITRE ATT&CK Framework

The "Lockheed Martin Cyber Kill Chain" is more standard than the others, and both red and blue teams use it a lot. Unlike other kill chains, it doesn't give a detailed explanation of internal movement within the network. You can think of this "kill chain" as a list of all the actions and behaviours that are happening.

The components of the kill chain are listed below, each with its description and some examples.

  • Reconnaissance - Obtain information on the target. Examples: harvesting emails, OSINT.

  • Weaponization - Combine the objective with an exploit; commonly results in a deliverable payload. Examples: exploit with backdoor, malicious Office document.

  • Delivery - How the weaponized payload will be delivered to the target. Examples: email, web, USB.

  • Exploitation - Exploit the target's system to execute code. Examples: MS17-010, Zero-Logon, etc.

  • Installation - Install malware or other tooling. Examples: Mimikatz, Rubeus, etc.

  • Command & Control - Control the compromised asset from a remote central controller. Examples: Empire, Cobalt Strike, etc.

  • Actions on Objectives - Any end objectives: ransomware, data exfiltration, etc. Examples: Conti, LockBit 2.0, etc.

Through reading this post, I hope you gain a better understanding of Red Team and how it performs and operates.

I encourage you to check out my website to read more articles like this on a variety of topics related to information technology.

Thank you

Meni Tasa
