What is Red Team testing?
Red Team Testing is one of the most extensive testing methods that a business can perform on their systems. Depending on your size, you have various penetration testing requirements to meet compliance. A Red Team Test consists of many different services and approaches in order to compromise company systems. The Information Security Analyst will do everything they can with existing information to get in. These phases of a Red Team Test include:
- Information Gathering
- Social Engineering
- Email Phishing
- Phone Vishing
- SMS Smishing
- Physical Social Engineering
- Penetration Testing
Each one is an extensive test that revolves around each defense an establishment has. Not only does it test the system, but it also tests the employees. It is considered a “closed book” test, meaning the Information Security Analysts (ISAs) will not have any prior information (things like emails, IP addresses, employee information). They obtain what is available to them through the internet, network scanning, and other common attack methods.
This is a crucial first step in Red Team Testing. The ISAs will go through many sources for employee names, phone numbers, emails, and more. Some companies may not realize just how much of their information is on the Internet, especially when it comes to online resources and business directories. With a simple name and email, a bad actor can slip through the cracks using social engineering tactics.
Social Engineering: Email Phishing
Email phishing is one of the most successful attacks that a bad actor can perform. With the information gathered, a hacker can spoof an email and send it as a coworker, manager, or even a CEO. The more research they do up front, the more curated the phishing emails can be to compromise a specific person, department, or organization. A simple email can bring down institutions of any size, so it’s important to remain vigilant about not clicking any links or attachments in emails without proper inspection. These simulated phishing emails are sent to employees in the attempt to get them to click on links, open attachments, or even input credentials. They are sent spoofing things like fellow employees, vendors, and auditors in order to disguise the attack.
Social Engineering: Phone Vishing
Phone voice phishing, or vishing, is becoming more popular with hackers and scammers these days. A vishing call is when a bad actor calls and attempts to direct an employee to a malicious website. These sorts of webpages can run dangerous scripts or install malware on a computer. With simulated vishing calls, the ISAs will attempt to have an employee navigate to a phony website and/or see what they are able to coerce out of them.
Social Engineering: SMS Smishing
Smishing, or SMS phishing, has become a popular point of attack as well. SMS stands for Short Message Service, more commonly known as texting. Bad actors will attempt to get into a work or personal cell phone through malicious texts. These texts usually contain links to dangerous websites that can install malware or other dangerous programs to your phone, much like their email counterparts. Texts should be treated with as much caution as emails. In this test, ISAs will send out simulated SMS text messages to employees in an attempt to get them to click links and compromise information.
Social Engineering: Physical
Physical social engineering is a bit different than the others. In some situations, bad actors will attempt to gain physical entry into your facilities to gather sensitive information. They will pose as a contractor, vendor, or some sort of service, trying to lie their way into the back areas of the company. Depending on the opportunities presented to them onsite, they'll dumpster dive for improperly disposed sensitive company information, or even attempt to install USB drives on unmanned workstations. With this service, the ISAs will do just that—try to get into the back with any means necessary. This can take multiple days over multiple locations.
Penetration Testing: External
Penetration testing should be a familiar form of testing. Bad actors will attempt to get into your networks, servers, and applications through means of brute force. An external penetration test simulates these events with network scanning, password sprays, and other manners of hacking. These include attacking the firewall, mail servers, web servers, and more. Exploits will be manually preformed, seeing what sort of access an attacker could obtain.
Penetration Testing: Internal
Internal penetration testing is the next step from external penetration. While external penetration testing is used to breach external defenses, internal penetration is used to find what hackers could access once they have successfully gotten past those external defenses. This also takes rogue employees into consideration, current or previous. Regardless of who is in the system, this test will show what things can be taken or used against the company, and how an attacker would be able to pivot into other internal systems.
Penetration Testing: Wireless
A wireless penetration test is attempting physical access to a business’s Wi-Fi access points. Bad actors often get into networks through Wi-Fi at the physical location of the business. In the same manner, ISAs will arrive onsite and try to crack pre-shared keys (Wi-Fi passwords) while a rogue access point is set up. The rogue Wi-Fi point will look the same as the target in an attempt to get employees to connect to it. This, in turn, will present an easier opportunity for the ISAs to breach the organization’s internal network.
Red Team Testing vs. Purple Team Testing
The term “Purple Team Testing” may come up when talking about Red Team. These two tests are somewhat similar, but Purple Team is much different from a real-word simulation. Purple team puts a heavy emphasis on the business’s IT department (aka Blue Team) and other defense teams when it comes to seeing these hacks by malicious attackers (aka Red Team) in real time. The Purple Team Test involves collaboration between the Red and Blue teams during testing—this is where the “purple” comes in, considering red and blue make purple.
Different from the Red Team Test, Purple Team Testing is considered an “open book” test. This means that the organization provides information to be tested, like whitelisted IPs, employee names and emails, and other information needed for testing. Purple team consists only of network testing, where Red Team consists of network testing, social engineering, and comprehensive reconnaissance without being given those names, IPs, and other information. In Red Team Testing, the ISAs look for that information themselves to better simulate the real-world attack.
When it comes to time, considering a Red Team test is so extensive, it can take several weeks of engagement time. This is necessary to complete all the services that were listed above at the more intense level. During this time, only the main person of contact knows what’s going on while no one else knows anything. A Purple Team Test typically takes 8-24 hours of testing, depending on the extensiveness of the network. Everyone on the blue team knows what’s happening when this type of test is going on.
Finally, the results gathered from the two types of tests are quite different. The Red Team test, considering it’s so broad and in-depth, gives reports on each of the services that were done. There is also a review of how far the Red Team could get through the various testing methods. On the other hand, the Purple Team Test provides information on how well an organization's Blue Team is aware of hacking attempts in real time. Both services aim to show the effectiveness of an organization's cybersecurity program, but they go about it in very different ways.
Is Purple Team still necessary?
While it might seem excessive when it comes to your organization’s networking, a Red Team test and a Purple Team test are both great ways to make sure your entire business is secure. As said above, Red Team Testing takes an adversarial approach, while a Purple Team Test focuses on Blue Team effectiveness.
The goal of a Red Team test is to find out how the organization’s defenses respond to a threat in a real-world situation. That means that the Information Security Analysts will take on the guise of a real hacker in an attempt to break in with no prior knowledge. A Purple Team test can be performed to measure the monitoring and find weaknesses in logging. With both of these services, your organization will have a full view of overall company security.
What happens during a Red Team Test?
With the services listed above, an organization is put through rigorous testing to try to find any and all weaknesses in the system. With no prior knowledge, Information Security Analysts dig for information, perform social engineering, and try to penetrate the network. The organization is mostly unaware that these attacks are being simulated, so they should be treated like a real, malicious attack.
Much of the Red Team testing is based around a business’s employees, security awareness training, and internal and external defense systems. The information is discussed in scoping and agreed upon ahead of time with the person of contact. These services will likely be minimally disruptive, considering real attacks are almost undetectable with the way they work. It is a good fit for experienced security teams in large organizations, considering it puts them to the biggest test of all.
Information is all over the Internet and insufficient data privacy legislation isn’t helping. An organization might think that they’re safe, but realistically, anyone can be a target. It doesn’t matter if it’s big or small, public information will always be available to those who wish to do them harm. With the help of Red Team Testing, organizations will be able to find out just how much they can defend against and how to better protect their sensitive information.