What is a red team, you ask? Well, in industry parlance a “red team” is any external, contracted, specialised security group that offers an independent, targeted assessment of an organisation’s security posture and potential vulnerabilities. More specifically, red-team activity is conducted by Qualified Security Assessors (QSAs) who have been hired by an organisation to perform vulnerability assessments, review security management processes, proactively detect and report security weaknesses, and take part in training sessions and other activities that improve the security of the organisation.
As Red Team members are required to have certain skill sets and field experience, the organisation must ensure that each member meets a minimum standard of skill and experience for their role. Every Red Team member should possess: strong IT Security Awareness – a basic prerequisite for any QSA. A high level of Computer Security Awareness is essential, because any vulnerability that is discovered must be demonstrated to be exploitable. Good Computer Work Experience – this demonstrates the quality of the Red Team member’s technical skill set and knowledge of the field. The more work experience a Red Team member has, the more likely they are to have the knowledge needed to exploit vulnerabilities, and the more time it will take them to prepare a counter-mitigation strategy if they succeed.
So what exactly is a red team, and how does it benefit organisations? For organisations that do not currently have a cyber security control system (CSCS), or that lack personnel with knowledge and skills in this area, it is clear that combining these techniques will be of great value. Red Team exercises quickly bring in outside observers who can detect and report on any vulnerabilities that exist within the organisation. Most organisations recognise the importance of proactive security management and have put in place policies and procedures to minimise the risk of their systems being compromised. However, the sheer volume of threat information and the complexity of cyberspace make it increasingly difficult to find and deploy effective CSCS programmes. Red Team attacks show how organisations can use the expertise of a specialised group to help them find and develop CSCS programmes designed to counter the myriad forms of attack that are now so prevalent.
What Is A Red Team?
Red Team attacks are also very useful because many of the vulnerabilities they find are not obvious or are hidden away. For example, if a website’s login mechanism requires users to supply a cookie to access the site, then a hacker could use that cookie to log in to the website under a user name other than the one normally used to access the site. A well-trained Red Team would have extensive knowledge of how the website works and would be able to quickly identify this, fix the problem and further strengthen the website’s security controls. If a website’s CSCS programme does not contain a comprehensive methodology for identifying and responding to attacks, then a simple awareness exercise (for example, one where a cookie is randomly set to the same value each time the website is visited) is useless. More sophisticated systems may be able to respond to attacks more thoroughly, but even simple controls can be penetrated by a sophisticated group.
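The cookie weakness described above comes down to a server trusting whatever identity the client sends. The following added example (not code from the original article) contrasts a naive cookie that is just a user name in clear text with one protected by an HMAC, so that a cookie edited to name another user is rejected; the server key and user names are constructed placeholders.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo key for this example only; a real server loads its key from a secrets store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def make_naive_cookie(username: str) -> str:
    """Vulnerable scheme: the session cookie is just the user name in clear text."""
    return f"user={username}"


def naive_login(cookie: str) -> Optional[str]:
    """Vulnerable check: trusts whatever user name the client presents."""
    if cookie.startswith("user="):
        return cookie[len("user="):]
    return None


def make_signed_cookie(username: str, key: bytes = SERVER_KEY) -> str:
    """Hardened scheme: the cookie carries a server-side HMAC over the user name."""
    tag = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return f"user={username}&sig={tag}"


def signed_login(cookie: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Hardened check: accept the user name only if the HMAC verifies."""
    fields = dict(part.split("=", 1) for part in cookie.split("&") if "=" in part)
    username, tag = fields.get("user"), fields.get("sig")
    if username is None or tag is None:
        return None
    expected = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many bytes of the tag matched.
    if not hmac.compare_digest(expected, tag):
        return None
    return username


if __name__ == "__main__":
    # A legitimate cookie issued to "alice", then edited client-side to claim "admin".
    naive = make_naive_cookie("alice").replace("alice", "admin")
    signed = make_signed_cookie("alice").replace("user=alice", "user=admin")
    print("naive server accepts:", naive_login(naive))    # admin (no check at all)
    print("signed server accepts:", signed_login(signed))  # None (tag does not verify)
```

The hardened check is only as strong as the secrecy of the key; a red team that can read the key from the server can still mint valid cookies.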
Another reason companies are investing in CSCS penetration testing, and in the companies that run it, is the phishing attacks that can occur when employees visit websites. A phishing attack occurs when an employee in a company, or someone in a position of employment, inserts security clearance documents into a website without the permission of the website’s owners or users. A phishing attack can have severe consequences for the organisation if it is not dealt with immediately – leading to the compromise of confidential information and the exposure of the organisation’s trade secrets to unscrupulous companies and individuals.
Because the internet has become so widely used, the potential for people to carry out attacks over the internet is increasing. Employees who go online and interact with company or organisation networks are at greater risk of being targeted by attackers, because they do not have physical access to the devices on which they carry out their operations. As a result, any weakness that can be exploited online can be exploited for the attacker’s benefit. The methods that can be used to carry out these attacks over the internet include: using fake email addresses to send email to network security systems; planting viruses on systems; using command shells and other software to gain admin access; and listening to telephone conversations to obtain data.