Anatomy of a well-run red-team exercise

Red team exercises – and particularly “assume compromise” or “assume breach” exercises – generally provide the most insight into your blue-team’s readiness to face an attack.


In "How ready are you to stop an advanced attack," I discussed the different test methodologies involved in judging your readiness to face an advanced attack. While vulnerability assessments and pen tests have their place, red team exercises – and particularly “assume compromise” or “assume breach” exercises – generally provide the most insight into your blue team’s readiness to face an attack.

This is not a pen test

The “assume compromise” exercise begins with the assumption that the first step of an attack, namely the compromise of some system inside your perimeter that the attacker has the ability to control, has already completed.

Given the myriad ways in which a system may become compromised – such as phishing, a watering-hole attack or a drive-by download – the premise that this might happen is clearly not far-fetched.

The red team generally mimics this initial compromise by simply bringing a system into the environment and plugging it into the target network. In some circumstances, the target organization may supply a standard system and ask the red team to use it as the point of entry.

Maintaining control over the compromised system through the network perimeter may be a bit more difficult, but a good red teamer can generally find a setup that allows the compromised system to communicate out to an agreed-upon system via the internet.

Choices for such communications include Remote Access Trojans (RATs) and hidden tunnels, typically via HTTPS. For the control channel, there’s an interesting trade-off between the efficiency of carrying out the attack and the likelihood that the communication will draw attention: The more responsive control the red teamer wants over the compromised machine, the easier (at least in theory) it will be for the target organization to detect it.
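The trade-off above is what a blue team can measure during the exercise: a control channel that checks in frequently and on a fixed schedule leaves near-constant spacing between its outbound connections, while human-driven browsing does not. The following is an added example, not code from the article or from any red-team tool it mentions; it groups constructed proxy-log lines by source host and destination, and flags any pair whose connection intervals are both numerous and nearly uniform (low coefficient of variation). The log format, hosts, addresses and thresholds are all invented for illustration.

```python
"""Beacon-interval detection over constructed proxy-log lines (added example).

Flows whose outbound connections arrive at near-constant spacing have a low
coefficient of variation (standard deviation / mean) of their inter-arrival
gaps; bursty, human-driven traffic has a high one.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<ISO timestamp> <src_ip> <dest_host> <bytes>"
# The first flow checks in every 30 s; the second is irregular browsing.
SAMPLE_LOG = """\
2018-06-01T09:00:00 10.0.0.5 updates.example-cdn.net 412
2018-06-01T09:00:30 10.0.0.5 updates.example-cdn.net 410
2018-06-01T09:01:00 10.0.0.5 updates.example-cdn.net 415
2018-06-01T09:01:30 10.0.0.5 updates.example-cdn.net 409
2018-06-01T09:02:00 10.0.0.5 updates.example-cdn.net 411
2018-06-01T09:02:30 10.0.0.5 updates.example-cdn.net 414
2018-06-01T09:00:07 10.0.0.9 news.example.org 2312
2018-06-01T09:00:41 10.0.0.9 news.example.org 18877
2018-06-01T09:05:13 10.0.0.9 news.example.org 9012
2018-06-01T09:05:20 10.0.0.9 news.example.org 14500
2018-06-01T09:22:02 10.0.0.9 news.example.org 7301
2018-06-01T09:22:09 10.0.0.9 news.example.org 990
"""


def parse_log(text):
    """Group sorted connection timestamps by (src_ip, dest_host)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    for key in flows:
        flows[key].sort()
    return flows


def interval_stats(timestamps):
    """Return (mean_gap_seconds, coefficient_of_variation) or None if too few gaps."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m == 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(text, min_connections=5, max_cv=0.2):
    """Flag flows with at least min_connections and near-uniform spacing.

    Thresholds are constructed for this example; tune them to your own
    baseline, since legitimate update agents also poll on a schedule.
    """
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        stats = interval_stats(stamps)
        if stats is None:
            continue
        mean_gap, cv = stats
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(stamps),
                         "mean_interval_s": mean_gap, "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Run against the sample, only the 30-second flow from 10.0.0.5 is reported; the browsing flow has a coefficient of variation above 1 and is ignored. A red team can add jitter to blunt this check, which is exactly the point of the trade-off: every step toward a more responsive channel moves the flow back toward the regular end of the spectrum.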

Red team goal should be a nightmare scenario

Now we get to the interesting part of the exercise: The red team must be given a goal. What you choose to task the red team with will obviously have a material effect on what happens next. The goal you pick should be something that keeps you up at night:

  • If you’re a company with lots of retail locations, you might set a goal of obtaining and then pretending to exfiltrate a large number of your customers’ credit card information.
  • If you’re a pharmaceutical company, you might set a goal of acquiring and exfiltrating information about medicines you are developing.
  • If you’re a public company, you might set a goal of getting access to financial data in the window just before a quarterly earnings report.

The gist of the idea is to think big. Giving the red team a relatively constrained exercise is more akin to green-lighting a pen test. Said another way: If you give the red team an exercise like “steal user X’s password,” they might come back in four hours and hand it to you.

It’s the number of moves that the red team needs to make from the compromised system to achieve the target you have set for them that will determine how many lessons you learn from the exercise.

Don’t rush the red team

Given the advice to “think big,” you also must be realistic. You need to give the red team enough time to have a realistic chance of accomplishing the goal you set for them. Most red team exercises take at least two weeks to prosecute – the more elaborate ones may run for a couple of months.

Planning for the cost

You can probably surmise from my description above that hiring an outside team to perform this elaborate an exercise won’t be cheap. Having an in-house staff who can perform red team exercises will certainly reduce the perceived cost – as long as you don’t run the math on how much you pay them daily.

Optimizing the investment

Since the investment you make in a red team exercise is not trivial, you should plan to track the red team’s progress and consider dropping hints if they get stuck at a certain point in the attack scenario. While providing clues may feel like cheating, carefully note what the red team was not able to accomplish while helping them get unstuck, so they can get to the latter parts of the exercise. There will likely be lessons in the back half of the exercise that you would have otherwise not been able to learn.

Copyright © 2018 IDG Communications, Inc.
