In this blog, we are going to look at red team engagements. We will answer the question of what is a red team engagement, clarify how they work, and cover what type of organizations we recommend them to. Usually, this type of assessment isn’t going to be the best course of action for an organization looking to conduct their first security assessment or just looking to check a box for compliance purposes. In a future blog, we will explore the advantages and disadvantages of red team engagements, but for this first blog we will just stick with the basics.
Unfortunately, the term “red team engagement” has become a bit of a buzzword in the information security arena and depending on who you ask, it can have a variety of different definitions. In its simplest form, a red team engagement is an assessment where the penetration testing team has a block of time to use whatever tactics are necessary to attempt to gain a foothold on your network, elevate permissions, and gain access to the sensitive information you are trying to protect. This can include trying to physically break into your office and connect a system to your network (similar to a physical penetration test). This can also include trying to hack into your wireless from the parking lot (like a wireless penetration test) or sending emails with a malicious link to gain access (i.e. social engineering). Once an initial foothold is obtained, the test is very similar to an internal penetration test, and the attack team will try to gain domain administrator permissions and, ultimately, the sensitive information on your network.
Typically, a red team engagement is scoped according to the size of your organization. For small organizations, the attack team may have a week to see how far they can get. For larger organizations, this could be multiple weeks, depending on the budget and number of locations that need to be tested. While a red team engagement by definition includes all attack vectors, there are times where an organization will declare one vector (for example, physically breaking into the building) off limits. While this lowers the realism of the assessment and may prevent the attack team from demonstrating how a real attacker may break into the organization, sometimes it is necessary.
Who Do We Recommend Red Team Engagements To?
In general, red team engagements are best for organizations that have an information security program on the higher end of the maturity scale. Maybe they have had security testing and penetration tests performed for many years, and are generally scoring pretty high across the board. Or maybe the organization wants to get a more holistic view of their risk or provide their network defenders an opportunity to practice against a realistic adversary. These are all opportunities for a red team engagement.
Unfortunately, a red team engagement is not likely going to meet compliance requirements, unless it is scoped as such. In a red team engagement, because time is limited, the attack team is going to focus on what they think will give them the best chance of success. Therefore, if they are able to break into the company and plant a device on your network, they are unlikely to back-track and completely evaluate the security of your wireless network. With that being said, there is the potential to add time to the assessment and make sure it includes a comprehensive penetration test for all in-scope areas that are required for compliance after the primary red team engagement, but this will increase the overall cost of the assessment.
We recommend red team engagements for companies that have a mature information security program in place, have had penetration testing performed in the past, are not expecting the engagement to meet compliance needs, or want to get a realistic idea of how they might respond to a real attacker. If this sounds like a good fit for you, or if you just want to discuss further, feel free to reach out to us.