Red teaming is the act of testing, attacking, and penetrating computer networks, applications, and systems. Red teamers are ethical hackers hired by organizations to battle-test their security architecture. The ultimate goal of the red team is to find—and sometimes induce—problems and vulnerabilities in a computer and exploit them.

Why Is Red Teaming Important?

For an organization that needs to protect sensitive data and systems, red teaming involves hiring cybersecurity operators to test, attack, and penetrate its security architecture before malicious hackers do. The comparative cost of getting friendlies to simulate an attack is exponentially less than if attackers do.

So, red teamers essentially play the role of outside hackers; only their intents are not malicious. Instead, the operators use hacking tricks, tools, and techniques to find and exploit vulnerabilities. They also document the process, so the company can use the lessons learned to improve its overall security architecture.

Red teaming is important because companies (and even individuals) with secrets cannot afford to let adversaries get the keys to the kingdom. At the very least, a breach could result in revenue loss, fines from compliance agencies, loss of clients’ trust, and public embarrassment. At worst, an adversarial breach could result in bankruptcy, the irrecoverable collapse of a corporation, and identity theft affecting millions of customers.

What Is an Example of Red Teaming?

Red teaming is highly scenario-focused. For example, a music production company may hire red team operators to test safeguards for preventing leaks. Operators craft scenarios involving people who have access to data drives containing artistes’ intellectual property.

A goal in this scenario may be to test attacks that are most effective at compromising access privileges to those files. Another goal might be to test how easily an attacker can move laterally from one entry point and exfiltrate stolen master recordings.

What Are the Objectives of the Red Team?

The red team sets out to find and exploit as many vulnerabilities as possible in a short time, without getting caught. While the actual objectives in a cybersecurity exercise will vary between organizations, red teams generally have the following objectives:

  • Model real-world threats.
  • Identify network and software weaknesses.
  • Identify areas to improve.
  • Rate the effectiveness of security protocols.

How Does Red Teaming Work?

Red teaming starts when a company (or individual) hires cybersecurity operators to test and evaluate their defenses. Once hired, the job goes through four engagement stages: planning, execution, sanitization, and reporting.

Planning Stage

In the planning stage, the client and the red team define the goals and scope of engagement. This is where they define authorized targets (as well as assets excluded from the exercise), the environment (physical and digital), duration of engagement, costs, and other logistics. Both sides also create the rules of engagement that will guide the exercise.

Execution Stage

team meeting during a sporting game match

The execution stage is where the red team operators use all they can to find and exploit vulnerabilities. They must do this covertly and avoid getting busted by their targets’ existing countermeasures or security protocols. Red teamers use various tactics in the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) matrix.

The ATT&CK matrix includes frameworks attackers use to access, persist, and move through security architectures, as well as how they collect data and maintain communication with the compromised architecture following an attack.

Some techniques they may employ include wardriving attacks, social engineering, phishing, network sniffing, credentials dumping, and port scanning.

Sanitization Stage

This is the cleanup period. Here, red team operators tie up loose ends and erase traces of their attack. For example, accessing certain directories may leave logs and metadata. The red team’s goal in the sanitization stage is to clear these logs and scrub metadata.

In addition, they also reverse changes they made to the security architecture during the execution stage. That includes resetting security controls, revoking access privileges, closing bypasses or backdoors, removing malware, and restoring changes to files or scripts.

Art often imitates life. Sanitization is important because red team operators want to avoid paving the road for malicious hackers before the defense team can patch things up.

Reporting Stage

In this stage, the red team prepares a document describing their actions and results. The report further includes observations, empirical findings, and recommendations for patching vulnerabilities. It may also feature directives for securing exploited architecture and protocols.

The format of red team reports usually follows a template. Most reports outline the goals, scope, and rules of engagement; logs of actions and results; outcomes; conditions that made those outcomes possible; and the attack diagram. There is usually a section for rating the security risks of authorized targets and security assets too.

What Comes Next After the Red Team?

Corporations often hire red teams to battle-test security systems within a defined scope or scenario. Following a red team engagement, the defense team (i.e. the blue team) use the lessons learned to improve their security capabilities against known and zero-day threats. But attackers don’t wait around. Given the changing state of cybersecurity and rapidly evolving threats, the work of testing and improving security architecture is never truly finished.