What methodologies are commonly used in Red Team exercises?
The Red Team methodology allows cybersecurity professionals to simulate attacks against companies and contribute to improving their resilience to real incidents.
In team sports such as soccer or basketball, it is common for coaches to pit their starting teams against their substitutes in preparation for championships to ensure that they are ready to beat their real opponents when the time comes.
This sports strategy is reflected in the cybersecurity field through Red Team exercises, an offensive cybersecurity service that allows companies to undergo simulated attacks to improve their detection and response capabilities and successfully prepare to deal with real incidents.
As with other exercises such as advanced penetration testing, the Red Team methodology has a series of phases ranging from intelligence gathering to analysis of the results.
All phases of the Red Team methodology must be carried out with stealth, avoiding raising alarms in the organization’s defensive systems. It is also valuable to use the MITRE ATT&CK framework as a reference for classifying the attack techniques employed.
In the following, we will explain the keys to the Red Team methodology and the benefits that this service can bring to companies.
What are Red Team exercises?
A Red Team exercise aims to simulate the behavior of an adversary or malicious actor whose purpose is to compromise an organization in its broadest definition. That is, to attack and undermine:
- Corporate technology.
- The people who are part of the organization.
- The procedures carried out by the company.
Unlike other cybersecurity services, Red Team exercises are carried out with the utmost discretion, since their mission is to make the professionals in charge of the organization’s defense believe that they are facing a real attack.
For this reason, only the managers are aware of the exercise. They are in charge of establishing the objectives to be met and the characteristics of the scenario on which the Red Team members will work.
Phases of the Red Team methodology
To systematize the tasks to be performed, the Red Team methodology is used, consisting of seven major phases:
- Intelligence. All the information that may be useful for the Red Team exercise must be gathered, and from it, intelligence of great added value must be generated.
- Detection of weaknesses. The organization’s infrastructure vulnerabilities and weaknesses in its security perimeter are analyzed.
- Exploitation. Based on the information from the two previous phases, we exploit the weaknesses detected and take control of corporate assets.
- Lateral movement. The Red Team proceeds to move around the company’s internal network undetected.
- Privilege escalation. Red Team professionals gain full control of the company’s infrastructure through privilege escalation.
- Persistence. Cybersecurity experts install backdoors that allow them to ensure their persistence in the corporate network and achieve the agreed objectives: encrypt or exfiltrate data, deploy ransomware, carry out a DDoS attack…
- Analysis. All the information generated during the Red Team exercise is systematized and analyzed to:
  - Evaluate the capabilities of:
    - Detection
    - Containment
    - Recovery
  - Develop an improvement plan for the company to improve its resilience to cyber-attacks.
What are the Red Team scenarios?
We mentioned earlier a key element of the Red Team methodology: scenarios. But what exactly are they, and why are they so important? Red Team scenarios describe how a Red Team exercise should be carried out, from the attack’s origin to the final objective, including all the intermediate or additional milestones (flags) that it would be desirable to achieve.
When designing a Red Team scenario, it is essential to determine the malicious actor that the professionals will simulate (remote attacker, competitor, disgruntled employee, etc.), the intrusion vectors to be used and the objectives of the exercise. In other words, Red Team scenarios are a roadmap agreed in advance between the organization and the cybersecurity professionals.
A common Red Team scenario might be to intrude into corporate systems from the perimeter or with credentials from a compromised vendor. It is common for companies to choose to undergo a ransomware simulation, as attacks using this kind of malware have become a constant in recent years.
The Red Team catalog of scenarios is very broad: physical intrusion, theft of corporate equipment, supply chain attacks, social engineering… In addition, it is common to set additional flags such as access to confidential information, exfiltration of strategic information, blocking the backup system or compromising the cloud infrastructure.
Tactics and techniques of the Red Team methodology
When employing the Red Team methodology, it is possible to use tactics, techniques, and procedures (TTPs) known to be used by real-world adversaries. However, opting for more novel tactics and methods is also possible. In any case, the ultimate goal is always to help the organization improve its defensive posture by:
- Identifying opportunities to improve detection and response capabilities.
- Training security personnel to respond to real incidents.
For this purpose, the MITRE ATT&CK framework is commonly used to classify offensive actions and map them against the organization’s detection capabilities. In addition, the experience accumulated by the team conducting the exercise plays an essential role in enriching the Red Team methodology.
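The analysis phase described earlier (evaluating detection, containment and recovery, then deriving an improvement plan) and the ATT&CK mapping mentioned here come together in a small reconciliation script. The following is an added example, not Tarlogic’s or BlackArrow’s own tooling: it assumes a constructed timeline of exercise actions, each tagged with a real ATT&CK technique ID (the subset chosen is an assumption), and the Blue Team’s reconciled response, and computes per-tactic coverage, the undetected techniques and the mean time to detect.

```python
"""Map Red Team exercise actions to MITRE ATT&CK and measure detection
coverage for the analysis phase. Added example built on constructed data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Small subset of ATT&CK technique IDs -> (name, tactic). The IDs are real
# ATT&CK identifiers; restricting to this subset is an assumption of the example.
ATTACK_TECHNIQUES = {
    "T1595": ("Active Scanning", "reconnaissance"),
    "T1566": ("Phishing", "initial-access"),
    "T1078": ("Valid Accounts", "initial-access"),
    "T1021": ("Remote Services", "lateral-movement"),
    "T1068": ("Exploitation for Privilege Escalation", "privilege-escalation"),
    "T1547": ("Boot or Logon Autostart Execution", "persistence"),
    "T1041": ("Exfiltration Over C2 Channel", "exfiltration"),
    "T1486": ("Data Encrypted for Impact", "impact"),
}


@dataclass
class ExerciseAction:
    """One action the Red Team performed, plus the Blue Team's response
    as reconciled with the SOC during the analysis phase."""
    phase: str                       # methodology phase (intelligence, exploitation, ...)
    technique_id: str                # ATT&CK technique ID
    started: datetime                # when the Red Team executed the action
    detected_at: Optional[datetime]  # when the SOC raised an alert, None if never
    contained: bool                  # whether the Blue Team stopped the action


# Constructed exercise timeline (not real data).
ACTIONS = [
    ExerciseAction("intelligence", "T1595", datetime(2024, 3, 4, 9, 0), None, False),
    ExerciseAction("exploitation", "T1566", datetime(2024, 3, 4, 11, 30),
                   datetime(2024, 3, 4, 12, 15), False),
    ExerciseAction("exploitation", "T1078", datetime(2024, 3, 4, 12, 40), None, False),
    ExerciseAction("lateral movement", "T1021", datetime(2024, 3, 5, 10, 0),
                   datetime(2024, 3, 5, 10, 20), True),
    ExerciseAction("privilege escalation", "T1068", datetime(2024, 3, 5, 14, 0), None, False),
    ExerciseAction("persistence", "T1547", datetime(2024, 3, 5, 15, 0), None, False),
    ExerciseAction("persistence", "T1041", datetime(2024, 3, 6, 9, 0),
                   datetime(2024, 3, 6, 9, 50), True),
]


def tactic_of(technique_id: str) -> str:
    """Resolve a technique ID to its ATT&CK tactic; unknown IDs are a data error."""
    if technique_id not in ATTACK_TECHNIQUES:
        raise ValueError(f"unknown technique {technique_id}")
    return ATTACK_TECHNIQUES[technique_id][1]


def detection_coverage(actions):
    """Per ATT&CK tactic: (detected, contained, total) action counts."""
    cov = defaultdict(lambda: [0, 0, 0])
    for a in actions:
        tactic = tactic_of(a.technique_id)
        cov[tactic][2] += 1
        if a.detected_at is not None:
            cov[tactic][0] += 1
        if a.contained:
            cov[tactic][1] += 1
    return {t: tuple(v) for t, v in cov.items()}


def detection_gaps(actions):
    """Technique IDs that produced no alert: candidates for the improvement plan."""
    return sorted({a.technique_id for a in actions if a.detected_at is None})


def mean_time_to_detect_minutes(actions):
    """Average minutes from action to alert over detected actions; None if nothing was detected."""
    deltas = [(a.detected_at - a.started).total_seconds() / 60
              for a in actions if a.detected_at is not None]
    return sum(deltas) / len(deltas) if deltas else None


def improvement_plan(actions):
    """Report lines, one per undetected technique, with its name and tactic."""
    return [f"{tid} {ATTACK_TECHNIQUES[tid][0]} ({ATTACK_TECHNIQUES[tid][1]}): no alert"
            for tid in detection_gaps(actions)]


if __name__ == "__main__":
    for tactic, (det, con, total) in detection_coverage(ACTIONS).items():
        print(f"{tactic:22} detected {det}/{total}  contained {con}/{total}")
    print("mean time to detect (min):", mean_time_to_detect_minutes(ACTIONS))
    print("\n".join(improvement_plan(ACTIONS)))
```

Running the script lists, per tactic, how many of the Red Team’s actions raised an alert and how many were actually stopped, which is the distinction between detection and containment the analysis phase has to draw. The undetected techniques feed the improvement plan directly, and the mean time to detect gives a baseline to compare against in the next exercise.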
In the case of Tarlogic’s BlackArrow team, all the expertise accumulated over the years by its professionals in OpSec and evasion of detection measures has allowed it to have its own Red Team methodology, which is effective in meeting the objectives of the exercises and strengthening the resilience of the companies.
Benefits of Red Team exercises for companies
Taking into account what we have pointed out throughout the article, we can conclude that conducting Red Team exercises allows organizations to:
- Prepare for real attacks.
- Gain a real understanding of the true risk of attacks and security incidents.
- Detect weaknesses in attack detection and containment capabilities.
- Comply with new regulatory frameworks such as TIBER-EU and the DORA regulation, which incorporate Red Team exercises (TLPT) as a tool to assess organizations’ resilience.
In short, companies wishing to increase their resilience to cyber-attacks should commission Red Team exercises for teams with extensive experience and a Red Team methodology that has been perfected thanks to the knowledge accumulated by implementing this type of exercise. In this way, they will be able to assess their detection and response capabilities and have an improvement plan that will enable them to strengthen their security posture.