In a previous blog, we explored what Red Team engagements are and what types of organizations we would recommend them to. If you have not yet checked that blog out, give it a quick read here. In this blog, we are going to dive a little deeper into the subject and cover some of the advantages and disadvantages of red team engagements. Hopefully by the end of this blog, you will have a good understanding of whether a red team engagement is a good fit for your organization. With that in mind, let’s jump in.
Advantages of a Red Team Engagement
In any penetration test we offer, our ultimate goal is to emulate a real world attack as much as possible. This is why we use many of the same tools an attacker would use when targeting your network. However, during a traditional penetration test we are balancing this with some constraints, such as a limited assessment time window and a requirement to get full coverage of all in-scope systems. Full system coverage is important from both a risk perspective (you need to know about all your risks, not just some of them) and a compliance perspective. As such, our typical penetration tests are not a true representation of an actual attack for a few reasons.
First, because we need to ensure we get full coverage in a limited assessment window, we are going to be louder than an attacker would usually be. This includes full vulnerability scans and port scans that would likely not occur in a real attack scenario. By comparison, in a red team engagement our engineers are tasked with trying to get in while being as quiet as possible to avoid detection, emulating a true attack. In a similar vein, if we are doing a traditional social engineering engagement, we are trying to identify the threshold at which your employees are susceptible. Because of this, we will start with a more sophisticated attack and then progressively dumb it down, trying to identify the level at which an attacker would be caught. However, in a red team engagement, this is also not going to be the case. The engineers are likely to use only one, very sophisticated attack and stop as soon as one person falls victim, providing credentials or a foothold on the internal network.
Second, in a traditional penetration test we are bound by the scope. This means that the engineers conducting the assessment are limited to one specific attack vector, such as network-level or social engineering. We will not try to break in physically, use social engineering, or attack the wireless network if those things aren’t explicitly included in the scope of the assessment. An attacker is obviously not bound by an agreed-upon scope and will therefore likely probe each of these areas to find the easiest way to gain access without getting caught. Additionally, sometimes the scope of an assessment will only focus on a main location and neglect to consider the security of regional offices that may have a less mature security program. But if an attacker gains access to that regional office, there is likely a site-to-site VPN that essentially makes it the same as if they were on the main internal network.
The third and final reason is that a traditional penetration test uses a gray-box approach. Although we try to collect as little information as possible in order to emulate an attacker, there are some things that both sides know about each other going in. First, your team knows the IP addresses we will be coming from. Second, we will all be on the same page about the schedule and when each activity is going to happen. Finally, we ask for target IP addresses to make sure we are assessing all the systems (the coverage we mentioned above). In a red team engagement, we try to avoid this to the maximum extent possible. There obviously has to be one person in your organization who approves an assessment and knows it is happening, but we will try to keep the information to a bare minimum so that you can test your organization’s incident detection and response capabilities.
In summary, the main advantage of a red team engagement is that it is the closest thing to a real world attacker trying to break into your network. As such, it allows you to better understand the risk of this sort of thing happening and, if it does, whether your team will know about it and how they will respond. This can even go so far as allowing your IR team to conduct forensic analysis to determine what we gained access to (which we can confirm or deny), providing the most realistic test of your overall security posture.
Disadvantages of Red Team Engagements
The biggest disadvantage of a red team engagement is coverage. In a red team engagement, the attack team has one goal: gain access to your sensitive information via any means available. As a result, and to emulate a real world attack, they are going to try to find a way in that will prevent them from being caught. It is entirely possible that they would start with social engineering, have success, and then move right into an internal penetration test to target and obtain access to sensitive information without ever testing any of the other aspects of your perimeter security (external, wireless, physical, etc.). Because of this, we would never recommend doing a red team engagement without traditional penetration testing already in place. A red team engagement is a great way to find the answer to “What is my overall risk? Can this really happen?” However, it is equally important to know the answers to “How might my wireless network be compromised by an attacker?” and “What are all the ways an attacker may gain access?”
The second major disadvantage of a red team engagement is that it is likely not going to meet compliance requirements. This is primarily due to coverage. We may not identify and enumerate all in-scope targets, and therefore may not test all the devices on your external perimeter. Similarly, even if we do identify all the hosts, we are likely not going to launch a full vulnerability scan or note every weakness in each of the targets, missing many potential findings that would be reported in a traditional penetration test. In addition to coverage, a red team engagement may not meet compliance requirements because you will be actively defending against our efforts. Certain compliance requirements, like PCI, require that our IP addresses be whitelisted in IPS/WAF to allow us to give a thorough test.
In summary, we covered the advantages and disadvantages of red team engagements. On one hand, they are the closest thing to a real world attack you can get. As a result, you can truly understand your risk and whether you can sleep peacefully at night. Additionally, you can see how your team will respond to an actual attack. However, this has some costs. You will not get full coverage of your organization from any specific attack vector, because the test team’s goal is to find the best way in without being caught. Finally, a red team engagement alone is likely not going to meet any compliance requirements you have. Now that you have a better understanding of what a red team engagement is, do you think it is a good fit for you? If so, reach out so we can get started.