Red teaming

by Mark Rowe

Pictured is Dhruv Bisani, Head of Red Team at Eurofins Cyber Security (Commissum), who writes about red teaming as a defence tactic against hackers.

The chances of getting hacked are steadily rising, no matter how much is spent on cybersecurity. The types of security threat are constantly evolving, with daily reports of new ransomware and extortion attacks, and of hostile states stealing personal details and intellectual property for nefarious purposes.

There are numerous and complex reasons for this: the increasing intricacy of IT infrastructures, and software development programmes that keep introducing new vulnerabilities. Furthermore, new advanced persistent threat (APT) campaigns are reported almost daily, as cyber crime becomes more sophisticated and better organised than ever. In addition, state-sponsored cyber espionage, looking for anything that can be leveraged for economic or political gain, exacerbates the problem.

Most businesses respond by buying additional security products for targeted purposes. These disparate products do not necessarily provide blanket protection, and can sometimes introduce more problems: they enlarge the organisation’s IT estate, create additional maintenance tasks for IT teams, and leave potential gaps between the solutions. Vulnerabilities, gaps and poor business processes are exactly where cyber criminals exploit IT systems, and standard cyber defence applications cannot cope with them alone.

Your company through the eyes of a hacker

One solution is to find your own weaknesses, and resolve them, before hackers can exploit them. The best way to go about this? Deploy a red team.

‘Red team’ is a term taken from military war gaming: the red team emulates an attacker and probes the defences, while the defence is termed the blue team. Bridging the two is the purple team, which uses the methods discovered by the red team to help the blue team improve its defences. The red team tries to breach an organisation’s security defences to discover and demonstrate the ways in which cyber criminals might attack and compromise the company. Red team operators are highly skilled and should be deployed in a focused way, thinking and acting like hackers. Very large organisations sometimes keep red teams permanently on retainer, but most businesses cannot afford this luxury and have no dedicated resources.

In cybersecurity, purple teaming describes the collaboration of both the red and the blue teams to improve the outcome of the overall engagement. By working together to identify weaknesses, helping to build a robust plan for the organisation, including detection and remediation efforts, they can improve the company’s overall cybersecurity posture.

It is important to understand that red teaming goes well beyond the traditional boundaries of penetration testing (pentesting). Whereas a pentest looks for known vulnerabilities within a defined scope, a red team attempts actual exploitation through predetermined scenarios that test people, processes and technology, and how well all three work together. This way, weaknesses in operational procedures are often discovered alongside exploitable vulnerabilities in the IT infrastructure.

The purple teaming process is one of the most effective ways of building a powerful cybersecurity defence, since it provides a holistic view of the organisation, and it has proven itself a worthwhile investment on many occasions.

Red team success cases

Examples of red team successes are few and far between in the public domain, since the results are primarily relevant, and often proprietary, to the company being tested. However, Google has described one of its own red team exercises against itself. The red team sent employees a fake gift, a Google-branded plasma globe that could be plugged into a computer. Doing so opened a back door on the system, and enough employees plugged it in for the attackers to gain access. This initial access allowed the red team to move laterally toward its key target: the Google Glass blueprints. By accessing and downloading the blueprints, the red team proved its success.

A further example comes from our own team. We were tasked with obtaining data from the CEO of a FTSE 100 firm. An initial phishing attempt against employees failed. This was followed by telephone calls in which the red team impersonated internal security staff who needed to check laptops. This attack succeeded and the ‘attackers’ gained remote access to the laptops. Once inside, a misconfiguration let them take over an administrator account, which in turn gave them direct access to the CEO’s emails.

A standard red team scenario

We employ a red team methodology loosely based on another term adapted from military usage: Lockheed Martin’s seven-stage cyber intrusion kill chain. Our adaptation has eight stages: planning, reconnaissance, initial attack, establish foothold, endpoint exploitation, lateral movement, achieving objectives, and reporting. The eighth has no place in a genuine attacker’s kill chain, but is perhaps the most important for a red team exercise to be a success. It comprises a report on the red team operation that allows the customer and its security team to understand and remediate weaknesses in their security posture, including where the attack went undetected, before they can be exploited by real adversaries.

For most organisations, the best approach to red teaming is to use a ready-made team from a specialist provider. Not only is this the most affordable approach; red team specialists from a provider also bring broad, accredited experience. Last but not least, bringing outside eyes to the problem provides a fresh perspective on a company’s cybersecurity stance and its weaknesses.

About the author

Dhruv Bisani is the Red Team Practice Operations Lead at Eurofins Cyber Security, with over six years of industry experience. Dhruv specialises in red team testing and has led and delivered red team engagements across several industries, including financial services, retail and other private sector clients, and has supported projects under the UK CBEST scheme, the Bank of England’s threat-led testing framework for the country’s top-tier banks. He also manages and delivers several types of penetration testing engagement, including application testing, wireless testing, API testing and phishing exercises. Visit https://www.eurofins-cybersecurity.com/.

© 2024 Professional Security Magazine. All rights reserved.