At The North Group, Inc we have provided red team services to many clients over the years. The term “red team” or “red side operations” refers to activities that simulate real-world physical security breaches, cyber infrastructure breaches, and hostile surveillance by adversaries intent on harming people or businesses. Our process uses methodologies drawn from real-world experience to identify vulnerabilities and test the effectiveness of an organization’s full spectrum of security defenses, policies, and procedures.
A red team is a group of exceedingly skilled cyber experts and physical security professionals who act as attackers and attempt to breach an organization’s security infrastructure in a controlled and safe environment.
Primary objectives of red team operations:
- Identify vulnerabilities and weaknesses in an organization’s security defenses.
- Evaluate the effectiveness of security controls and incident response processes.
- Test the organization’s security awareness and readiness for a real-world attack.
- Provide recommendations for improving the security posture of the organization.
Red team operations can be conducted in various ways, including but not limited to the following:
- Penetration Testing – A simulated cyber-attack that exploits vulnerabilities in an organization’s IT infrastructure or applications.
- Social Engineering – A simulated attack that uses human interactions to manipulate employees into revealing sensitive information or performing unauthorized actions.
- Physical Security Testing – A simulated attack that tests the effectiveness of an organization’s physical security controls, such as access controls, surveillance, and perimeter security.
The North Group, Inc’s approach to red team operations follows a set of best practices:
In recent years, red team operations have become essential in the rapidly evolving threat landscape and in corporate and governmental compliance and security audits. These operations simulate real-world attacks to identify weaknesses and test an organization’s overall readiness. This article provides an overview of best practices for red team operations.
1. Plan and Prepare – The success of a red team operation depends on careful planning and preparation. Before commencing the operation, the red team should:
a. Understand the Objectives: Establish clear objectives for the operation; a good red team objective aligns with the organization’s security goals.
b. Get Client Authorization: The organization’s leadership should authorize the operation. Written permission to execute the red team plan ensures the operation is conducted within legal and ethical boundaries.
c. Define the Scope: Define the scope of the operation, considering the resources available and the potential impact on the organization’s operations.
d. Form the Red Team: The red team should consist of experienced professionals with a diverse mix of cybersecurity, intelligence tradecraft, adversarial threat management, and social engineering skills.
2. Conduct Reconnaissance – Reconnaissance is a pre-surveillance measure that gathers information about an organization, persons of interest, target locations, and semi-permissive to non-permissive environments; the topics observed can include infrastructure, employees, clients, government buildings, sensitive or classified projects, and much more. Pre-surveillance is only preparation: the operation proper begins when the red team conducts “controlled” hostile surveillance to identify vulnerabilities and weaknesses that an adversary could exploit.
a. Use Open-Source Intelligence (OSINT): OSINT tools and techniques can provide valuable information about an organization’s IT infrastructure, employees, and suppliers. At The North Group, we call this the “everything dive”: everything the OSINT team can find in 24-72 hours. We often find that items such as family photos or dinner plans posted on social media are quickly available, and we use them to demonstrate their exploitation value.
b. Conduct Physical Reconnaissance: A physical survey involves visiting the organization’s premises, or wherever the target of interest is located, to identify physical security vulnerabilities such as weak access controls and gaps in coverage and surveillance. It is important to note that anything or anyone is accessible given enough time, capital, and resources. Ask us about our quantitative risk matrix, which provides threat-based risk data to help clients understand what their physical security spend should be.
c. Perform Social Engineering: Social engineering involves manipulating employees, friends, and family who have placement and access into the inner workings of your business and personal life. We do this through clear and convincing tradecraft: collecting, presenting the subject with a value proposition, and influencing the end state of the red team operation. In this coordinated effort we are looking for a person’s capacity to reveal sensitive information or willingness to perform unauthorized actions. We study a subject using MICE: Money, Ideology, Coercion (susceptibility to being coerced), and Ego. MICE is a study game, and we first get the subject, or “mark, target, or person of interest,” comfortable with seeing the red team actor or actors. Once placement and access are acceptable to the target, a good intelligence practitioner pursues social engineering through phone calls, emails, or in-person interactions over time.
3. Execute the Attack – Once the red team has gathered enough information, it briefs the client contacts who are “in the know” and begins attack execution. A red team operation should be executed in a controlled and safe environment to avoid disrupting the organization’s operations.
a. Find and Use the Right Tools: The red team should use tools and techniques appropriate to the attack. Red team tooling must be continuously updated to remain effective against current physical security requirements, adversarial strategies, and the technologies in today’s threat landscape.
b. Follow the Attack Plan: The red team should follow the attack plan developed during the planning phase. The plan should be flexible enough to accommodate changes during the attack.
c. Document the Attack: The red team should document the attack, including the techniques used, vulnerabilities identified, and the effectiveness of the organization’s security defenses.
4. Report the Findings – The red team should report the findings to the organization’s leadership after the attack. The report should be detailed and provide recommendations for improving the organization’s security defenses.
a. Be Clear and Concise: The report should be clear and concise, using language easily understandable by non-technical stakeholders.
b. Highlight the Risks: The report should highlight the risks identified during the attack and their potential impact on the organization’s operations.
c. Provide Recommendations: The report should provide recommendations for improving the organization’s security defenses, including technical and non-technical measures.
Red team operations should be an essential part of an organization’s security strategy. By simulating real-world attack planning and execution, red team operations help organizations identify vulnerabilities and weaknesses while reducing the four areas of liability: financial, life-safety, insurance, and legal or litigation risk.
Red team operations should be conducted with client support and stakeholder knowledge. The red team should carry a letter on client letterhead stating the purpose of its operations, the dates and times the team will operate, and, at a minimum, who is on the team. The red team operators should have enough time to build the red team plan or playbook, while the client should not have time to prepare for or mitigate the assessment beforehand. The operators should have enough time to conduct surveillance properly, not just check a box, and should execute the attack in a timely but realistic period. Once the exercise is complete, all parties are notified of the operation’s completion for safety purposes.
The findings report is then built from input by all red team operators and actors, the parties involved (knowingly or unknowingly), and client staff. A good red team provider oversees this through directed interviews and reports written by team members. By following these best practices, organizations can improve their security posture and reduce the risk of a real-world attack.
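The authorization letter described above names the operators, the engagement window, and what is in and out of scope. A practitioner wants those boundaries enforced in the tooling, not only on paper, because a port scan against a carved-out host or an action an hour after the window closes is exactly what turns an authorized engagement into an incident. The following is an added example and is not The North Group’s code or process: a small Python rules-of-engagement guard that refuses any target outside the authorized scope, window, or roster, and emits an engagement-log line for every decision (serving the “Document the Attack” step as well). The client name, CIDR blocks, domains, exclusions, operator names, and dates are constructed placeholders.

```python
"""Rules-of-engagement (RoE) guard for a red team engagement.

Added example (not The North Group's tooling). Every value in example_roe()
is constructed for illustration: the client, networks, domains, exclusions,
operator names and dates are placeholders, not a real engagement.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple
import json


@dataclass
class RulesOfEngagement:
    """What the client's authorization letter grants: who may act, when, and against what."""
    client: str
    start: datetime          # authorized window, inclusive, timezone-aware
    end: datetime
    networks: List[str]      # CIDR blocks named in the letter
    domains: List[str]       # domains (and all their subdomains) named in the letter
    excluded: List[str]      # hosts, CIDRs or domains the client explicitly carved out
    operators: List[str]     # team members named in the letter


def _is_ip(value: str) -> bool:
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def _matches(target: str, entry: str) -> bool:
    """True if target (IP or hostname) falls under entry (CIDR, single IP or domain)."""
    if _is_ip(target):
        try:
            return ip_address(target) in ip_network(entry, strict=False)
        except ValueError:
            return False     # entry is a hostname/domain; an IP never matches it
    t, e = target.lower().rstrip("."), entry.lower().rstrip(".")
    # exact match or a real subdomain; "example.com.attacker.net" must NOT match "example.com"
    return t == e or t.endswith("." + e)


def authorize(roe: RulesOfEngagement, operator: str, target: str,
              when: Optional[datetime] = None) -> Tuple[bool, str]:
    """Decide whether operator may act against target at time when.

    Roster and window are checked first, then explicit exclusions (which always
    win), and only then the positive scope.
    """
    when = when or datetime.now(timezone.utc)
    if operator not in roe.operators:
        return False, f"{operator} is not on the authorization letter"
    if not roe.start <= when <= roe.end:
        return False, f"{when.isoformat()} is outside the authorized window"
    if any(_matches(target, e) for e in roe.excluded):
        return False, f"{target} is explicitly excluded by the client"
    if any(_matches(target, e) for e in roe.networks + roe.domains):
        return True, "in scope"
    return False, f"{target} is not in the authorized scope"


def log_decision(roe: RulesOfEngagement, operator: str, target: str, action: str,
                 when: Optional[datetime] = None) -> str:
    """Return one JSON line for the engagement log. Refusals are recorded too: a
    blocked attempt is evidence the guard worked and belongs in the final report."""
    when = when or datetime.now(timezone.utc)
    allowed, reason = authorize(roe, operator, target, when)
    return json.dumps({"ts": when.isoformat(), "client": roe.client, "operator": operator,
                       "target": target, "action": action, "allowed": allowed,
                       "reason": reason})


def example_roe() -> RulesOfEngagement:
    """Constructed sample letter; every value is a placeholder."""
    return RulesOfEngagement(
        client="Example Corp (placeholder)",
        start=datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc),
        end=datetime(2024, 3, 8, 18, 0, tzinfo=timezone.utc),
        networks=["203.0.113.0/24", "198.51.100.0/25"],
        domains=["example.com"],
        excluded=["203.0.113.250", "payments.example.com"],
        operators=["Operator A", "Operator B"],
    )


# Fixed timestamps so the run is reproducible: one inside the window, one after it.
IN_WINDOW = datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2024, 3, 9, 9, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    roe = example_roe()
    for target in ["203.0.113.10", "203.0.113.250", "198.51.100.200",
                   "vpn.example.com", "payments.example.com", "example.com.attacker.net"]:
        print(log_decision(roe, "Operator A", target, "port-scan", IN_WINDOW))
    print(log_decision(roe, "Operator C", "203.0.113.10", "port-scan", IN_WINDOW))
    print(log_decision(roe, "Operator A", "203.0.113.10", "port-scan", AFTER_WINDOW))
```

In practice the guard sits in whatever wrapper launches the team’s tooling, so a scan or phishing send cannot start without passing `authorize()`. Two design points matter: exclusions are tested before the positive scope, so a carved-out host inside an authorized block is still refused, and the domain match requires a dot boundary, so look-alike names under an attacker-controlled domain never match the client’s.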
Please reach out to The North Group at firstname.lastname@example.org for questions about Red Team Operations. For more articles like this, visit our blog section.