This approach is a practical demonstration before a management committee that aims to illustrate what a computer attacker can do to their systems. This offensive approach to information systems security is now considered an important part of any security assessment prior to the implementation of improvements to the existing protection measures.
PENTESTING AND RED TEAM TESTING, WHAT IS THE DIFFERENCE?
Penetration testing (known as pentesting) is the most common offensive approach used today. Pentesting is used to quickly provide a hands-on assessment of the security level of any given restricted area. The process includes the following aspects: detection of technical vulnerabilities; evaluation of the potential for exploitation; and the reporting of the risks posed by the vulnerabilities identified.
Red Team exercises provide a more comprehensive approach to testing: Red Team testing is used to assess overall security at an organisational level. The aim is to detect the presence of both technical and non-technical vulnerabilities and to assess the detection and response capabilities of the defensive teams (known as the Blue Team.
PENTEST PENETRATION TESTING: HOW DO THEY WORK
There are numerous well-established guides and reference frameworks which explain intrusion testing. Each is adapted to a specific methodology in use today (OSSTMM, OWASP, NIST, PASSI etc.). The methodology included in each guide follows the same broad pattern: the intrusion tests are defined by a precise testing scope and follow one or several different attack scenarios. Different requirements are set for each scenario in order to ensure the information collected by the testing is relevant and to ensure that the testing is appropriate for the conditions set at the outset (time-frame, available resources).
For example, the test may start with a “black box” phase in which the testers will simulate an attacker who has no specific information about the target, followed by a “grey box” phase, in which the testers will simulate an attacker who has managed to obtain certain key information prior to the attack, such as a user account with access rights to the system being tested. The tests are carried out accordingly based on a set sequence including distinct vulnerability scanning and exploitation phases. The latter phase is used to determine the flaw discovered and, if necessary, to extend the scope of the testing.
It should be noted that during penetration testing, for the sake of efficiency, pentesters do not waste time hiding their actions and staying under the radar like a real attacker would during an attack.
RED TEAM MISSIONS: HOW DO THEY WORK
The methodology and reference frameworks
The use of Red Team testing is a much more recent development than pentesting. The key reference frameworks are likewise in their infancy and need time to develop. One of the first reference materials published was “Cyber Red Teaming – Organisational, technical and legal implications in a military context ” published by the NATO Cooperative Cyber Defence Centre of Excellence in 2015. It was intended for military use and is not readily applicable to other contexts.
At the end of 2017, Nederlandsche Bank (the Dutch Central Bank) published “TIBER: Threat Intelligence Based Ethical Red teaming ” which was further developed in 2018 by the ECB (European Central Bank) to form TIBER-EU. This one appears to have become the main reference material in relation to Red team testing. Although initially created for use in the banking sector, the method is applicable to other sectors. It is principally intended for use by large corporate organisations.
One of the characteristics of the material is that there is a focus on conducting information research (Threat Intelligence) from the outset, as well as a focus on the importance of entrusting the implementation of the testing to teams external to the audited organisation. Objective: to avoid any potential bias relating to the information or a link that an internal team may have over a third-party team. The TIBER-EU methodology assumes that the participants carrying out the information seeking phases and those responsible for the offensive phases are distinct sub-groups.
This is not necessarily ideal when one is attempting to ensure that the data sought is the most relevant for carrying out the attack, nor is it ideal when attempting to ensure that the offensive team keeps in mind all the information gathered during the execution of the attack. The methodology also involves specific deliverables, including a re-run of the exercise scenario, in which the offensive team (Red Team) and the defensive team (Blue Team) work collaboratively to review the actions taken by each throughout the process.
In cooperation with CREST, the Bank of England has recently published the CBEST Threat Intelligence-Led Assessments, a methodology that is more oriented towards the banking sector than the original TIBER-EU, and particularly adapted to British legislation.
Each Red Team exercise is therefore carried out using one or more of these methodologies specifically adapted to the needs and requirements of the client concerned. They are defined having due regard to critical objectives similar to those that would motivate a real attacker to target the organisation concerned. This could include the acquisition of confidential data relating to a sensitive project, accessing one or more critical functions or the deployment of ransomware.
Like a real attacker, a Red Team mission commences with an information research phase focused on the client in order to better define the most likely attack strategy. Details relating to the technologies used by the target organisation and stakeholders who have access to the objectives are among the information sought, notably through OSINT (Open Source INTelligence: Open source information). Based on the information obtained, one or more attack scenarios are then developed by the Red Team.
In order to better simulate the reality of malicious behaviour, scenarios may include physical intrusion as well as social engineering techniques such as phishing. Strategies that incorporate an optimal compromise between efficiency, complexity and risk of being detected are preferred. Once the scenario is prepared, the attack phase begins. This phase usually includes one or more initial intrusions, followed by information gathering, vulnerability scanning, lateral movement and privilege elevation. During this phase, the offensive team often conceals their actions in order to remain invisible to the defensive team. Depending on the response of the defence team or those targeted by the attacks, the strategy is then adjusted accordingly in an effort to pursue the agreed objectives.
Where necessary, certain phases of the testing can be omitted or amended to take into account client instructions, time constraints and budget concerns. For example, the team could eliminate the information research phase by using an intrusion scenario provided by the client. However doing so is not without risk. An attack strategy should closely resemble the strategy implemented by a real attacker. Although not ideal, it is also possible to bypass the initial intrusion and assume that an attacker has already breached the system. The scenario then starts directly from within the local network. But in this scenario it is impossible to test the external defences and associated detection measures used by the organisation concerned.
Another option is to have both the offensive and defensive teams work together throughout the exercise. This collaborative work between Blue and Red participants is commonly referred to as Purple Team. This allows defensive teams to progress faster but at the expense of realism, which is generally biased by the inter-team interactions. In-house Red Teams are often involved in this type of practice, which, particularly for large corporations with considerable cybersecurity concerns, can be carried out on an ongoing basis, in addition to occasional Red Team exercises in the strictest sense of the word.
The principal result of the penetration test is a report that allows the client to understand the assessment of their security level for the area or system concerned. The report includes a list of vulnerabilities detected, as well as recommendations for future remedial actions. For each vulnerability, pentesters carry out an evaluation according to the CVSSv3 standard. The degree of criticality and the risks associated with the operation are clearly specified. The client is therefore able to define an action plan prioritising the remedial measures to be taken in order to improve their security.
For Red Team exercises, the report includes all information deemed relevant that was gathered during the information gathering phase; a detailed description of the attack including key successes and failures; the possible indicators of compromise (IOC) through which the attack should have been detected, the exploitation chains according to the MITRE ATT&CK reference database, as well as a list of the vulnerabilities detected, as stated in ordinary penetration test reports. A meeting with representatives from both the offensive and defensive teams is also carried out to review all aspects of the attack that may have been detected or blocked by the defensive team. The aim of this meeting is to learn as much as possible from the exercise undertaken.