Red Teaming: How good is your resilience and detection?
How successful could attackers be in a given threat scenario? And how much would you detect? A Red Teaming assessment provides the answer.
The supreme discipline: Red Teaming
A realistic simulation of a real attack to challenge your cyber defense.
Red Teaming is the perfect solution when you have a concrete threat scenario in mind and want to know the likelihood of it occurring and what parts of the attack your Cyber Defense Center (the Blue Team) would detect.
Since Red Teaming does not inform the Blue Team in advance, such an assessment is not very effective without a well-developed Blue Team. Newly established SOCs or CDCs are still busy with day-to-day operations and typically (not without reason) view such a predictive outcome less as an aid and more as an exposure. However, to benefit from Red Teaming, it is not helpful to look for culprits, but for solutions.
How do we proceed with Red Teaming
Â
First, we jointly define a realistic and well-founded scenario with clearly defined goals (flags) that well depicts a concrete threat, is actionable, and promises insight.
Based on this scenario, we gather relevant threat intelligence. These are methods, tactics and procedures (TTP), how real attackers act or would act in this scenario. In addition, we evaluate information about your organization such as business units, locations, employees and infrastructure. For this purpose, we use OSINT and HUMINT sources as well as internal information. From this information, we create an attack plan and prepare the individual steps. Since we attack real production systems, the tasks of the so-called white team are critical to success: good preparation, a coordinated attack plan, defined rules of the game and escalation procedures, as well as close coordination in regular meetings.
Then the actual attack starts. Our Red Team tries to get closer to the defined goal step by step using various methods. Depending on the scenario, this may require several attempts and pauses, for example if an alarm has been triggered. An adjustment of the attack plan or assistance from you may also be necessary if the Red Team reaches an impasse.
After execution and reporting, the Read Team discloses all activities to the Blue Team in a replay workshop. Together, we constructively discuss which activities were identified and where improvement actions should be planned.
The overall result of Red Teaming is to answer not only the question of whether the examined threat could occur. Above all, it provides valuable information on how to improve the resilience and detection capabilities of your Blue Team. After a Red Teaming, however, there will still be undiscovered vulnerabilities because, in contrast to an IT stress test, the Red Team is only looking for one path to the target.
Background information and characteristics
Preparation
- Meeting to agree on the scope
- Kick-off meeting
Execution
- Workshop for scenario definition
- Threat intelligence (HUMINT / OSINT)
- Attack planning and preparation
- Execution of the attack with hacking, if necessary on-site inspection and social engineering
- Regular status meetings
Evaluation
- Preparation of a detailed report
- Replay workshop with the Blue Team
- Management presentation
When conducting security assessments, HvS follows common industry standards. For realistic assessments, it is obvious to use the Mitre Att&ck Framework, which describes the generic approach of real attackers.
It consists of the following phases: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.
The focus on individual phases depends on the scenario. However, we recommend that you do not run through the entire attack chain straight away, but rather carry out several smaller assessments. This reduces the project risks and the Blue Team must expect an attack at any time... real attackers don't just strike every three years.
- Lateral movement from DMZ to internal network
- C2 channel on client and internal reconnaissance
- Would Ransomware group X be successful with its standard approach at your site?
- Can an internal employee make an illegal financial transaction?
The European Central Bank has published the TIBER-EU Framework, which describes a comprehensive approach to conducting Red Teaming assessments within the financial industry. The German Bundesbank has adapted this framework as the TIBER-DE Framework.
It is motivated by the fact that attacks against the financial system have increased in recent years. While many organizations conduct assessments themselves, but focus on their core business processes and crown jewels, TIBER focuses on critical functions of the global financial system and tries to shed light on the impact of attacks on individual institutions.
Apart from the specific objective, the framework describes a very professional approach on how to design Red Teaming and includes success factors and risks as well as many tips on how to proceed. A TIBER test is conducted by a large project team consisting of a White Team, a Threat Intelligence Team, a Red Team, a Blue Team and management representatives.
Â
The core phases of a TIBER test are: Scope definition, creation of a targeted threat intelligence report (TTIR), creation of a Red Team test plan, execution of the defined scenarios, creation of a test report, a replay workshop and creation of an action plan.
Our entire HvS approach to Red Teaming is inspired by the TIBER framework. However, as long as you are not obligated to TIBER, we always recommend conducting a Red Teaming as you can customize the content to meet your needs.
If you are interested in a TIBER test, feel free to contact us and we will be happy to explain our approach.
More information on the TIBER-EU Framework can be found at the ECB: https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/html/index.en.html and information about TIBER-DE at the Bundesbank: https://www.bundesbank.de/de/aufgaben/unbarer-zahlungsverkehr/serviceangebot/tiber-de/tiber-de-816986