How Red Teaming Helps Agencies Identify Vulnerabilities

Cybersecurity awareness month is here, and there’s no better time to talk about how state and local governments can improve their cybersecurity practices. A key component of that improvement is assessing one’s own security posture with a security assessment. After all, you can’t fill holes in your defenses if you don’t know they are there. Security assessments are particularly important for state agencies, which have been described as low-hanging fruit for attackers given their limited budgets and shortage of cyber talent.

One proven assessment strategy: red teaming.

“Red teaming is certainly a useful exercise because if you don’t have that real-world practice, you may have a false sense of security,” says Glen Deskin, head of engineering at Check Point Software Technologies. “When organizations decide to do this, it’s a matter of having the right expertise and the right process goals.”

Click the banner below for more on best practices to maintaining a strong cybersecurity posture.

What Is Red Teaming?

Red teaming is a security assessment in which an authorized group, known as a red team, poses as a cyberattackers and attempts to breach an organization’s cyberdefenses. The red team performs a real-world attack using the same tools and techniques that real bad actors use, and works to penetrate as deeply into the organization’s systems as possible. Often, red teams have permission to use any means necessary to compromise an environment in order to test the organization’s defenses as rigorously as possible.

The ultimate objective of a red-teaming assessment is to improve the defending organization’s security posture by demonstrating how attackers might breach defenses and identifying where improvements need to be made. The point of red teaming is not to inflict damage, but to expose the potential for damage.

Red teaming differs from a more traditional penetration test, which involves targeting a particular part of an organization’s environment using a specific set of standardized tools. In a penetration test, all stakeholders are aware the test is taking place, and testers look for specific vulnerabilities.

Red teaming, on the other hand, is a broader exercise. The organization sets an ultimate goal for the red team (such as accessing particular data), but often red teams don’t need to follow a predetermined attack strategy or limit themselves to one part of the defending organization’s attack surface to achieve that goal. For example, social engineering is a strategy red teams can employ, but not something that would be part of a penetration test.

That said, organizations can set parameters beforehand about how far a red team can go. Additionally, an organization’s executive team authorizes the red team exercise, but its employees responsible for defending against bad actors — the blue team — don’t need to be aware the cyberattack is just a test.    

“That’s a key point. You’re trying to do your best under a real-world circumstance,” Deskin says. “If you tell the entire user population, ‘Hey, be on the lookout for X, Y and Z,’ it doesn't provide the same results.”

How Does Red Teaming Improve Security? 

By simulating real-world scenarios, red teaming assessments can uncover attack paths and coverage gaps bad actors can exploit that might not be discovered through a standard security assessment. Red teaming also tests an organization’s IT team and its incident response capabilities. Compared with other security assessments, red teaming can identify a wider range of vulnerabilities thanks to its broader scope.

What Are the Types of Red Teams?  

Red teams can either be an external group hired by an organization to conduct the test, or they can be members of the organization being tested. Counter to red teams are blue teams, which are groups responsible for defending an organization against the mock adversaries. The blue team is often just the defending organization’s own security team, but organizations can also hire third-party blue-teaming consultants to help bolster defenses and devise security solutions.

External Red Teaming 

Organizations can use a third party to be the red team or leverage internal resources to conduct the exercise. The former is known as external red teaming, which is useful for organizations that may not have the time or internal expertise to test their own defenses effectively. A third party can also provide external validation and hold organizations accountable.

There are certain agreements that must be reached between an organization and a third-party red team, such as the extent to which the red team can infiltrate the organization’s network.

“Logistically, there are certain preparations up front that need to be made — mostly on a contractual and legal basis — if you use a third party,” Deskin says.

Internal Red Teaming

Internal red teaming tasks a group made up of an organization’s own employees with acting as adversaries in the simulated attack, instead of hiring a third party. Of course, for this strategy to be effective, an organization’s employees must have the proper skill sets to be “ethical hackers” who can put the organization’s defenses to the test.

Purple Teaming 

Purple teaming is an exercise in which the attacking red team and the defending blue team communicate and cooperate with each other instead of working as separate entities that don’t communicate. In a purple-teaming scenario, both sides share certain pieces of information with each other and provide continuous feedback while conducting and defending against the simulated attack. While both sides are aware of each other, there is still an element of the unknown with purple teaming, as the blue team ultimately doesn’t know how a red team will attack.

As with red teaming, the idea of purple teaming is to test security in a low-risk environment. The added benefit is the idea that the continuous feedback between the two teams would further strengthen both sides and enhance security.

Physical Red Teaming 

Physical red teaming follows the same principles as a digital red-teaming exercise but instead tests the physical security of a facility, including its locks, fences and barriers, surveillance cameras and alarm systems. Physical red teaming could involve tools such as devices that clone radio-frequency ID tags and other key systems.

Exercises involve physically entering an organization’s facilities with the objective of gaining access to a particular area or certain files or equipment. This can be done through a number of strategies, including lock-picking, posing as building staff to be allowed in, and breaching or finding open spots in barriers.

Physical red teaming often starts with performing reconnaissance onsite to identify weak points. Depending on the exercise, physical red teams might employ such tactics as posing as a FedEx or UPS driver to gain access, or disguise themselves as cleaners or employees once they enter the facility.

As with digital red teaming, organizations can set parameters around physical red-teaming exercises. Rules of engagement need to be established beforehand.

“If it’s a third party, you can say, ‘Hey, only go so far. I don’t want you to walk into my building, but if you get the key and can get in, tell me and then stop there,’” Deskin says. “That’s part of the upfront work of asking, what are the goals? What are we looking to achieve? How far are we going to go?”