Red Teams: Understanding Cybersecurity’s Ethical Hackers

Ethical Hackers evaluate system vulnerabilities using advanced analytics and tools. Cybersecurity has always been spoken about in martial language. When we talk about hackers attempting to breach systems, we use terms such as “attackers” and “defenders.” The interaction occurring between those attackers and defenders is often cast as a “battle” or “war,” with a multitude of relevant tactics and strategies.

And, in today’s era, actual cyber-warfare has become a critical issue for global governments and the organizations targeted by state actors.

It’s not surprising, then, that one of the most effective cybersecurity methodologies has its roots in military wargaming.

Read Also: Rapid7 Announces Availability of Enhanced Endpoint Telemetry for InsightIDR

That practice, called red teaming, can be simply described as ethical hacking undertaken to gain visibility into the strength or weakness of an organization’s security posture. Red teams — composed of groups of cybersecurity experts — are tasked with penetrating computer systems during simulated attack exercises. By doing so, they can uncover vulnerabilities in hardware, software or methodology that pose a serious risk to the organization.

Red teams provide an invaluable service for security staff: Allowing them to see through the eyes of their adversaries. The perspective gained through these exercises can play a critical role in overcoming cultural bias, while also allowing problem-solving capabilities to be sharpened.

The Two Types of Red Teams

While most red teamers are experts, they don’t always originate from the same place. Some teams are internal, which means that they are composed of people who have roles at the company holding the exercise. External teams, meanwhile, are typically consultants and hold exercises with many different clients (often working on multiple projects simultaneously).

Both internal and external teams bring their own strengths to the table. Internal teams are more familiar with the environments they are attempting to evaluate, and may have more time and/or budget to devote to the exercise. This knowledge can help the team focus on the most relevant scenarios and speed up the remediation process. External teams, on the other hand, may have deeper expertise and may also benefit from having “a fresh set of eyes” on existing problems.

How Red Team Exercises Work with Ethical Hackers

Red team exercises begin by defining a starting point and an objective. Starting points are assigned by defining the knowledge the simulated attacker has about the security environment or the access they possess. One example would be an infected endpoint. It’s also possible to do these exercises blind, with no presupposed knowledge or access, except that which can be publicly searched for. The objective is an asset for the adversary to target — often a “crown jewel” server containing critical business data.

Other variables in play during a red team exercise include the tactics or techniques used by the attacker, the scope of the simulated attack and the degree to which defenders are aware of the attack. In some cases, exercises may be focused on non-critical areas of infrastructure to avoid disruption to production.

Red teams are typically composed of people with a deep and varied skill set. These can include technical chops (knowledge of Web App Security, Active Directory, bypass techniques etc.) and “real world” adversarial skills (social engineering).

Red teams will often use a mix of known tools and custom tools to remotely control compromised machines, exploit vulnerabilities, move laterally through networks and “steal” critical assets.

It’s important to distinguish between red team exercises and penetration tests. While they share the same general principle, penetration tests are typically shorter in duration, target one part of an organization, focus on vulnerabilities rather than goals and are less reliant on stealth.

The Benefits of Red Teaming

Red teams play a key role in maintaining security for one simple reason: It’s difficult to understand the true state of organizational defenses without running simulated attacks. These exercises shine a light on vulnerabilities that could otherwise go undetected and provide a window into how prospective attackers view the environment. In this sense, it allows defenders to shed their reactive posture and take the initiative in securing their systems.

Once red teams identify key vulnerabilities, remediation and/or mitigation can begin, allowing organizations to more effectively manage risk.

Yet while conventional red teaming plays an important role in keeping a strong security posture, the practice is not without limitations.

The Problems with Manual Red Teams

As mentioned, red teams are composed of security experts who work internally or as third-party consultants. Yet the very nature of this setup creates disadvantages.

Manual red teaming requires significant resources. Hiring consultants — or peeling away internal staff to stage exercises — requires a substantial time/money investment.

This means that most red team exercises are staged episodically, often quarterly or even yearly. Yet computer systems, now more than ever, are dynamic. Changes to an infrastructure can create new vulnerabilities, and the periods between red team tests can allow these gaps to go undetected.

There is, however, a technological solution to this problem of imperfect protection: Automated red teaming.

Recommended: The Grayhat Cybersecurity Conference is set for the Halloween Weekend

The Power of an Automated Red Team

Breach and attack simulation (BAS) platforms take the benefits of red teaming and scale them to their full potential by providing continuous coverage.

These platforms work by launching non-stop simulated attacks in a controlled environment, much like a manual red team. The difference is that BAS software harnesses the power of automation to work continuously, so organizations no longer have to go weeks or months without visibility into their systems. Once vulnerabilities are identified, a BAS solution will offer prioritized remediation guidance, allowing for any security holes to be quickly filled.

Choosing the right platform, however, is vitally important. You need a fully automated BAS product, a platform that extends the power of automated red teaming into hybrid environments, providing protection within Amazon Web Services (AWS).

Given the growth and increasing complexity of cloud computing — and the need to migrate to the cloud securely — BAS platforms that protect in multiple environments are especially helpful to today’s organizations.

In Conclusion

Red teams have historically played a crucial role in the cybersecurity sphere. Yet inherent limitations have curtailed their ability to provide continuous protection.

Automated red teaming (in the form of BAS platforms) help organizations shake free from the limits of point-in-time testing — and enjoy constant vigilance against attackers.