As you might expect given our name, Red Teaming is our flagship service, and we are well-versed in its nuances and in how it is perceived. Throughout the eight-plus years we have provided this service, we have often found ourselves educating clients against a recurring pattern of misconceptions about Red Teaming. We hope this article helps in some way to address some of those misconceptions.
A properly planned and executed Red Team Operation tests security controls against the real-world threats specific to an organization (the target), using the tactics, techniques and procedures (TTPs) that bad actors would realistically employ against that organization. The key takeaway is that the operational plan is built around commensurate TTPs aimed at organization-specific threats. In practice, that means every Red Team Engagement is custom built and can be scaled up or down according to the organization's size and needs; it need not be prohibitively expensive or overly complex.
Speaking of complexity… suitable candidates for Red Teaming often dismiss it because they "don't need THAT level of security." This brings us to our next misconception: that Red Teaming relies on Hollywood-level tactics that are too complex and irrelevant to most organizations' needs.
This is somewhat related to the previous misconception. Nowadays, most people understand what Penetration Testing is and what it sets out to do. To many, however, a Red Team Engagement seems like something out of a Mission Impossible movie. This is probably due to Red Teaming's multi-blended nature, which involves many flavors of Penetration Testing (network, application, mobile, device), Social Engineering (onsite, telephone, email/SMS, chat), and Physical Intrusion (lock picking, camera evasion, alarm bypass). While Red Teaming is a break from traditional Pen Testing, it isn't, and doesn't have to be, overly complex.
What is absolutely paramount to each and every Red Team Test is that the operation is carried out using TTPs commensurate with those that bad actors would most likely use. That said, not every Red Team Operation will involve highly tactical TTPs; some will and some will not. In short, the key takeaway is that the Red Team operational plan should match the TTPs used by Red Team Operators to those likely used by bad actors; this is particularly noticeable during Social Engineering and Physical Intrusion.
On the topic of Physical Intrusion and Social Engineering… the next misconception about Red Team Operations is that they really only consist of blended Penetration Testing.
There is far more to Red Teaming than just advanced, multi-blended Penetration Testing. A Red Team Operation must test all aspects of an organization. We at RedTeam Security have formulated the Red Team paradigm and describe it in terms of the following facets:
Technology — comprehensive testing of the technical landscape, such as Application Pen Testing, Wireless Pen Testing, Network Penetration Testing, Mobile Pen Testing, Device Pen Testing, etc.
People — tests how staff adhere to company policy and security-awareness best practice, using fictitious scenarios designed to entice them to divulge confidential information or permit physical access to restricted areas, via: Onsite/Physical Social Engineering, Email Social Engineering, Telephone Social Engineering, Text/Chat/SMS Social Engineering.
Physical — fully tests the physical security controls of facilities (offices, warehouses, substations, data centers) that are intended to secure physical and digital assets, via: lock picking, camera evasion, alarm bypass, physical bypass (mantraps, fences, turnstiles), RFID cloning, network port hijacking, secure door bypass, APT drop boxing (PlugBot), etc.