Red teaming gives you a realistic assessment of what would happen if a determined attacker targeted your defenses with an intent of stealing sensitive information, extorting you with ransomware, or disrupting your business. This gives your security team the actionable insights you need to pre-empt attacks and protect your assets.
In this guide, you’ll learn what red teaming is, why it’s important, how to do it effectively, and how it works in coordination with other pre-emptive security strategies.
Red teaming simulates threats from real-world attackers, deploying the tactics, techniques, and procedures (TTPs) that actual adversaries use. This tests the effectiveness of your defenses, exposes vulnerabilities, and gives you the actionable insights you need to implement mitigations. Red teams typically are hired to conduct attacks without giving advance knowledge to the defending security personnel, known as the “blue team”. When red and blue teams instead cooperate openly, sharing techniques and detections as the exercise proceeds, this is known as “purple teaming”.
Alongside vulnerability scanning and penetration testing (pentesting), red teaming represents one of the major categories of offensive security, designed to proactively uncover vulnerabilities and pre-empt attacks before breaches occur. Whereas scans and pentesting take a comprehensive approach to exposing vulnerabilities across your attack surface, red teaming focuses on the weaknesses real attackers are most likely to exploit and on whether defenders notice and respond. Red teams also normally attack without giving advance knowledge to the defenders, which is not necessarily true of other offensive security methods.
Like pentesters, red teams use a systematic approach to probing vulnerabilities. The process begins with reconnaissance efforts to gather intelligence on target attack surfaces, defenses, and weaknesses. Armed with this information, red teams seek to gain initial access to systems and then escalate privileges to achieve objectives such as exfiltrating data, injecting malicious code, or seizing command. Red team attacks conclude with reports itemizing findings and recommending remediations. This may be followed by retesting using red teaming or additional offensive security methods to verify fixes.
Red teaming methods can be used to probe any part of your digital environment: web apps, mobile apps, desktop apps, AI and LLM apps, internal networks, external networks, APIs, and the susceptibility of your people to social engineering. Red team attacks can concentrate on gaining initial access to systems, exploiting access already obtained inside, or both.
Red teaming tests help security teams fortify security posture and achieve compliance by testing elements such as perimeter defenses, employee ability to detect phishing emails, access controls, and security team incident response. Red team results provide insights defense teams can use to implement security policies and pursue continuous, ongoing improvements.
Red teaming is a mindset as well as a skill set. Red teams must be able to view attack surfaces from the perspective of both defenders and attackers, identifying prized assets, pinpointing weaknesses, anticipating defenses, and planning counters.
Red team members should be able to think strategically and creatively. They must be problem solvers, capable of thinking outside the box and preparing for worst-case scenarios and contingencies. They must have a professional attitude, able to plan calmly, lay frustration aside with a cool head, and persist in seeking solutions. A good red team member is like a good military strategist or chess player.
To simulate adversaries, red teams use systematic methodologies and strategic tools to map attack surfaces and select effective tactics, techniques, and procedures. Like hackers, red teamers can use automated tools to map attack surfaces, including:
To apply these tools through effective tactics, techniques, and procedures, red teams use standard frameworks such as MITRE ATT&CK. ATT&CK organizes adversary behavior systematically: each tactic is a goal an attacker pursues at a stage of an intrusion (such as initial access or privilege escalation), and under each tactic the framework lists the techniques and sub-techniques used to achieve it, with documented procedure examples, detection guidance, and corresponding mitigations.
For example, ATT&CK currently identifies ten techniques for conducting reconnaissance on targets and eleven for gaining initial access to targeted systems, each with its own sub-techniques. Altogether, the framework provides a comprehensive game plan for how adversaries access systems, escalate privileges, move laterally to reach files and functionality, and carry out their objectives. Using this type of framework, red teams can emulate the techniques an adversary is most likely to use and map every step of an engagement to a named, well-documented behavior.
Security teams and companies adopt red teaming for a variety of sound strategic reasons. Red teaming helps identify vulnerabilities, test security capabilities, validate controls, and build a more security-conscious company culture.
A primary function of red teaming is identifying weaknesses in defenses that may lie concealed even after other security measures have been implemented. Conventional defenses often focus on particular areas of an attack surface, such as endpoints or apps, while overlooking weaknesses targeted by experienced attackers, such as data security. This can leave blind spots that are evident to adversaries but invisible to security teams. Red teaming can expose these hidden vulnerabilities and provide invaluable intelligence on how to mitigate them.
Red teaming gives security teams a realistic opportunity to test the effectiveness of incident response capabilities. Security professionals prepare detailed plans for detecting, analyzing, containing, eradicating, and recovering from threats. But every professional sports team plans before a game, and one side still loses. As Mike Tyson said, “Everyone has a plan until they get punched in the mouth.” An effective incident response plan must be tested against a live adversary to verify that it yields the desired results.
Red teaming tests security controls as well as security teams. Effective security controls depend on a combination of sound administrative policies, strong technical safeguards, and in many cases, physical security measures to prevent unauthorized access to facilities and devices. Red team tests provide opportunities to probe all these levels of defense. Additionally, security leaders and stakeholders can test whether they’re getting their return on investment on measures they’ve previously implemented.
A significant number of security breaches involve some type of human failure, whether through simple mistakes or malicious insiders. No technological measure can safeguard against human factors without a strong security culture. Red teaming gives companies a chance to test whether networks and apps are vulnerable to social engineering and insider threats. Additionally, a red team test can be a wake-up call that raises awareness and reinforces adherence to security policies and best practices.
Red team engagements look different to targets than to red team members. While a designated contact point at the target company will be aware that a red teaming test is being planned, most other personnel will have no warning. Security teams may first start to notice scattered, puzzling anomalies without realizing they’re being systematically coordinated. As the attack escalates, surprise, concern, and stress may increase as security realizes a larger assault is underway. Defenders may have to work overtime to implement responses.
After eventually learning it was a planned test, security teams may experience a range of responses, from relief to anger to embarrassment to shifting blame. Ultimately, when the smoke clears, this should lead to recognition of the need for positive change and implementation of hard-won insights.
Meanwhile, red team members experience the engagement from a different perspective, guided by a systematic attack plan. While red teams have the advantage of planning and surprise, red teamers also may experience a variety of emotions, ranging from a competitive drive to succeed, to frustration and self-doubt when attacks don’t work, to empathy for targets undergoing successful attacks. But at the end of the day, everyone is on the same team, and the goal is to use the engagement to help the client improve their security posture.
Red teams may work in parallel with designated blue teams on the client side. A neutral white team may help coordinate communication and plan rules of engagement. Red teaming attacks should be planned so that they don’t disrupt the business operations of the target to a counterproductive degree.
Red team attacks unfold in planned stages: scoping, reconnaissance, initial compromise, privilege escalation and lateral movement, maintaining access, achieving objectives, and reporting.
Completion of this process may lead to retesting to check the effectiveness of implemented remediations. Here’s a breakdown of what each stage involves.
In the scoping phase, red team leaders work with the designated point of contact on the client’s side to define the scope of the test. This includes identifying objectives and the target attack surfaces. It also requires establishing guardrails: which attack methods the red team is allowed to use, which assets are off-limits, and what the rules of engagement permit (for example, the testing window and who to call if something breaks). The red team must obtain a formal letter of authorization from the client’s representative before testing begins, so that everything has been cleared. These steps help ensure that the test achieves the desired outcome without unduly disrupting the target’s business operations.
During the reconnaissance phase, the red team gathers intelligence about targets using methods similar to those available to real adversaries. Open-source intelligence (OSINT) methods can uncover a significant amount of information from resources such as company websites, domain names, IP ranges, and the social media profiles of company personnel. Active probes can flesh out OSINT findings using tools such as network scanners, service scanners, virtual reconnaissance tools, and social engineering tools. Depending on the complexity of the test, reconnaissance may be conducted rapidly or it may be a prolonged process involving well-planned social engineering.
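As an added example (not code from the article or from Cobalt), the guardrails agreed in scoping can be enforced in the red team’s own tooling before any active probe goes out. The Python below checks each candidate target produced by reconnaissance against constructed, hypothetical rules of engagement: authorized IP ranges and domains, explicitly off-limits assets (which override the allow list), and the agreed testing window. Every range, domain name and timestamp here is an assumed value, not taken from any real engagement.

```python
"""Scope guard for red team tooling.

Added example, not from the original article: enforces the scoping-phase
guardrails (authorized ranges and domains, off-limits assets, the agreed
testing window) before any active probe is sent. The rules of engagement
below are constructed for illustration; real values come from the signed
authorization agreed with the client's point of contact.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed rules of engagement (hypothetical values, RFC 5737 test ranges).
RULES_OF_ENGAGEMENT = {
    "allow_networks": ["203.0.113.0/24", "198.51.100.0/25"],
    "allow_domains": ["example.com"],
    # Off-limits assets always win over allow entries.
    "deny_networks": ["203.0.113.200/29"],          # e.g. production payment hosts
    "deny_domains": ["payroll.example.com"],
    # Agreed testing window, UTC.
    "window_start": "2024-03-04T22:00:00+00:00",
    "window_end": "2024-03-08T06:00:00+00:00",
}

# Constructed timestamps for the demonstration: one inside the window, one after it.
DURING_WINDOW = datetime(2024, 3, 5, 1, 0, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2024, 3, 9, 12, 0, tzinfo=timezone.utc)

# Candidate hosts as reconnaissance might produce them (constructed).
CANDIDATES = ["203.0.113.5", "203.0.113.201", "198.51.100.200",
              "app.example.com", "payroll.example.com", "example.com.evil.net"]


def _networks(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def _in_any(addr, networks):
    # A mixed IPv4/IPv6 comparison simply yields False in the ipaddress module.
    return any(addr in net for net in networks)


def _domain_matches(host, domains):
    # Match the domain itself or any subdomain; 'example.com.evil.net' must not match.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def in_window(now, roe=RULES_OF_ENGAGEMENT):
    start = datetime.fromisoformat(roe["window_start"])
    end = datetime.fromisoformat(roe["window_end"])
    return start <= now <= end


def check_target(target, roe=RULES_OF_ENGAGEMENT, now=None):
    """Return (allowed, reason). Deny rules are checked before allow rules."""
    now = now or datetime.now(timezone.utc)
    if not in_window(now, roe):
        return False, "outside agreed testing window"
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None                      # not an IP literal, treat as a hostname
    if addr is not None:
        if _in_any(addr, _networks(roe["deny_networks"])):
            return False, "address is explicitly off-limits"
        if _in_any(addr, _networks(roe["allow_networks"])):
            return True, "address in authorized range"
        return False, "address not in any authorized range"
    if _domain_matches(target, roe["deny_domains"]):
        return False, "host is explicitly off-limits"
    if _domain_matches(target, roe["allow_domains"]):
        return True, "host under authorized domain"
    return False, "host not under any authorized domain"


def filter_targets(targets, roe=RULES_OF_ENGAGEMENT, now=None):
    """Split a candidate list from recon into probe-able targets and rejections."""
    allowed, rejected = [], []
    for t in targets:
        ok, reason = check_target(t, roe, now)
        (allowed if ok else rejected).append((t, reason))
    return allowed, rejected


def demo():
    """Run the constructed candidates through the guard inside the window."""
    return filter_targets(CANDIDATES, now=DURING_WINDOW)


if __name__ == "__main__":
    allowed, rejected = demo()
    for t, why in allowed:
        print("PROBE", t, "-", why)
    for t, why in rejected:
        print("SKIP ", t, "-", why)
```

The deny list is consulted first so that a narrow carve-out (the /29 above) inside an authorized /24 stays untouched, and the window check runs before anything else so that a scanner left running overnight refuses to fire once the engagement closes.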
The initial compromise phase gives the red team its first foothold inside the target environment. This may be obtained through means such as phishing, injection of malicious content, exploitation of a compromised supply chain, exploiting a vulnerability in a public-facing application, connecting to insecure Wi-Fi networks, or the other initial access techniques catalogued in MITRE ATT&CK. Initial compromise gives red teams a base from which to attack the target from the inside.
Once inside the target environment, red teams work to escalate privileges and move laterally in order to reach files and functionality they are not authorized to access. Privilege escalation uses techniques such as bypassing or abusing permission controls and manipulating access or session tokens to impersonate other users, among many other methods; compromised accounts may also be manipulated, for example by changing their passwords, to keep control of them.
As privileges escalate, red teamers gain the ability to move laterally and deepen their access to files and functionality through means such as taking over administrative accounts, using remote services to reach other systems, and transferring tools or files into or out of the target environment.
In the process of escalating privileges and moving laterally, red team intruders take steps to maintain access while remaining undetected. This sets the stage for the main prong of the attack.
At this point, the red team is inside the target system in position to achieve objectives of value to attackers. Common objectives of real adversaries include collecting and exfiltrating data, seizing remote control and command over target systems, or encrypting data for ransomware attacks. Red teaming rules of engagement should be designed to prevent successful attacks from causing real damage.
The red team concludes its tests by providing actionable insights to the client. A report is generated summarizing findings on vulnerabilities, prioritizing their severity, and recommending remediations. The client then may request assistance in implementing remediations or conducting follow-up tests to verify their effectiveness.
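As an added example that is not from the article, and serving both the description of the ATT&CK framework above and the reporting phase here: the Python below takes a constructed engagement log of technique IDs, maps each onto the ATT&CK tactic it served, lists what succeeded without blue team detection, and ranks ATT&CK mitigations by how many of those misses each one addresses. The embedded ATT&CK table is a small hand-copied excerpt of the Enterprise matrix, included only so the script runs offline; the log rows, step numbers and detection flags are invented for illustration, and a real report should load MITRE’s full published data rather than this excerpt.

```python
"""ATT&CK coverage and mitigation ranking for a red team report.

Added example, not from the original article: maps the techniques a red
team exercised onto ATT&CK tactics, lists what succeeded without detection,
and ranks ATT&CK mitigations by how many of those misses each one addresses.
ATTACK_SUBSET is a small hand-copied excerpt of ATT&CK Enterprise (load
MITRE's published STIX data for real reports); OPERATION_LOG is constructed.
"""
from collections import Counter, defaultdict

# Technique ID -> (name, tactics it can serve, mitigation IDs). Abbreviated excerpt.
ATTACK_SUBSET = {
    "T1595": ("Active Scanning", ["reconnaissance"], ["M1056"]),
    "T1566": ("Phishing", ["initial-access"], ["M1017", "M1049"]),
    "T1190": ("Exploit Public-Facing Application", ["initial-access"],
              ["M1051", "M1016", "M1030"]),
    "T1078": ("Valid Accounts", ["initial-access", "persistence",
                                 "privilege-escalation", "defense-evasion"],
              ["M1032", "M1027", "M1026"]),
    "T1053": ("Scheduled Task/Job", ["execution", "persistence",
                                     "privilege-escalation"], ["M1026", "M1047"]),
    "T1134": ("Access Token Manipulation", ["privilege-escalation",
                                            "defense-evasion"], ["M1026", "M1018"]),
    "T1021": ("Remote Services", ["lateral-movement"], ["M1032", "M1030"]),
    "T1041": ("Exfiltration Over C2 Channel", ["exfiltration"], ["M1031", "M1057"]),
    "T1486": ("Data Encrypted for Impact", ["impact"], ["M1053", "M1040"]),
}

MITIGATION_NAMES = {
    "M1016": "Vulnerability Scanning", "M1017": "User Training",
    "M1018": "User Account Management", "M1026": "Privileged Account Management",
    "M1027": "Password Policies", "M1030": "Network Segmentation",
    "M1031": "Network Intrusion Prevention", "M1032": "Multi-factor Authentication",
    "M1040": "Behavior Prevention on Endpoint", "M1047": "Audit",
    "M1049": "Antivirus/Antimalware", "M1051": "Update Software",
    "M1053": "Data Backup", "M1056": "Pre-compromise", "M1057": "Data Loss Prevention",
}

# Constructed operation log: one row per technique attempted. 'tactic' is the
# goal the technique served on this engagement (T1078 can serve several);
# 'detected' records whether the blue team raised an alert on it.
OPERATION_LOG = [
    {"step": 1, "technique": "T1595", "tactic": "reconnaissance", "succeeded": True, "detected": False},
    {"step": 2, "technique": "T1566", "tactic": "initial-access", "succeeded": True, "detected": True},
    {"step": 3, "technique": "T1078", "tactic": "initial-access", "succeeded": True, "detected": False},
    {"step": 4, "technique": "T1053", "tactic": "persistence", "succeeded": True, "detected": False},
    {"step": 5, "technique": "T1134", "tactic": "privilege-escalation", "succeeded": False, "detected": True},
    {"step": 6, "technique": "T1021", "tactic": "lateral-movement", "succeeded": True, "detected": False},
    {"step": 7, "technique": "T1041", "tactic": "exfiltration", "succeeded": True, "detected": False},
]


def validate_log(log, attack=ATTACK_SUBSET):
    """Reject rows with an unknown technique or a tactic ATT&CK does not list for it."""
    problems = []
    for row in log:
        entry = attack.get(row["technique"])
        if entry is None:
            problems.append(f"step {row['step']}: unknown technique {row['technique']}")
        elif row["tactic"] not in entry[1]:
            problems.append(f"step {row['step']}: {row['technique']} is not listed under {row['tactic']}")
    return problems


def tactic_coverage(log):
    """Map each tactic exercised during the engagement to its techniques, in order."""
    coverage = defaultdict(list)
    for row in log:
        coverage[row["tactic"]].append(row["technique"])
    return dict(coverage)


def missed_techniques(log):
    """Techniques that succeeded with no blue team detection: the report's top findings."""
    return [row["technique"] for row in log if row["succeeded"] and not row["detected"]]


def rank_mitigations(log, attack=ATTACK_SUBSET):
    """Rank mitigations by how many missed techniques each one addresses."""
    votes = Counter()
    for tid in missed_techniques(log):
        for mid in attack[tid][2]:
            votes[mid] += 1
    return sorted(votes.items(), key=lambda kv: (-kv[1], kv[0]))   # count desc, then ID


def build_report(log, attack=ATTACK_SUBSET):
    """Assemble the structured findings a report writer would turn into prose."""
    problems = validate_log(log, attack)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "coverage": tactic_coverage(log),
        "missed": missed_techniques(log),
        "detection_rate": sum(r["detected"] for r in log) / len(log),
        "mitigations": [(mid, MITIGATION_NAMES[mid], n) for mid, n in rank_mitigations(log, attack)],
    }


if __name__ == "__main__":
    report = build_report(OPERATION_LOG)
    for tactic, techniques in report["coverage"].items():
        print(f"{tactic:22s} {', '.join(techniques)}")
    print("missed:", report["missed"], f"detection rate {report['detection_rate']:.0%}")
    for mid, name, n in report["mitigations"]:
        print(f"  {mid} {name}: addresses {n} missed technique(s)")
```

Ranking mitigations by the number of undetected, successful techniques they cover is a deliberately simple prioritization; a real report would also weigh severity and the cost of each control, but the mapping makes the recommendations traceable to concrete, named behaviors the blue team did not catch.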
The success of red teaming tests depends on the qualities of team members. Red teamers should possess independent thinking, diverse skills, a realistic approach, and collaboration aptitude.
Red team members need the independent mindedness to think outside the box, explore creative solutions, and take initiative on implementation. At the same time, they should have the objectivity to see things from both attacking and defending viewpoints and assess the viability of possible actions.
A red team depends on members possessing a wide-ranging knowledge of offensive tactics, techniques, and procedures as well as experience with the required technology tools. This may require assembling a diverse team from a deep talent pool, which is why Cobalt’s team includes over 450 experienced testers.
Red team testers should have a realistic approach to emulating attacks. This requires understanding the motivations of potential attackers as well as the techniques they use. Likewise, it requires insight into how the target’s business works and what assets would be valuable to attackers.
Red team participants need to be good team players. This requires strong communication and collaboration skills rooted in a solid work ethic. This should be supported by experience working with the communication and collaboration tools the team will be using.
Red teaming works in tandem with other offensive security methods, particularly penetration testing and vulnerability assessments. Red teams also may work in knowing or unknowing tandem with target blue teams tasked with responding to attacks. To put red teaming in perspective, it’s important to understand the distinctions between these methodologies as well as their interrelationships.
Where red teaming seeks to simulate a realistic attack chain toward a specific objective, pentesting probes the target’s entire attack surface or some priority component, such as a particular app or a specific attack method. Additionally, red teams work without the knowledge of most of the target’s staff (only a designated point of contact is informed), while pentesters usually work with the cooperation of the target’s teams, except in black-box tests that deliberately withhold it. This gives pentesting broader coverage than red teaming, and a findings-oriented rather than objective-driven mindset.
This makes the two methodologies complementary. Pentests may provide red teams with insights into which vulnerabilities should be probed, while red teaming can provide pentesters with insights into blind spots that have been overlooked. Red teams also can verify the effectiveness of remediations recommended by pentesters.
Where red teaming drills deep into targeted vulnerabilities, vulnerability assessments take a broad scope, cataloging potential avenues of attack with automated scanners and manual review to identify weak points. This provides red teams and pentesters with data on vulnerabilities that need testing.
Red teams play offense where blue teams play defense. Whether or not they know the activity is a red team exercise, depending on the nature of the test and whether it includes purple or white team elements, blue teams seek to detect attacks, respond in real time, contain attackers, and neutralize threats. Meanwhile, the red team seeks to evade detection and counter the blue team’s attempts to respond.
Effectively, the red team and blue team seek to thwart each other’s efforts in the interests of their mutual client. Ironically, a red team achieves its goal if it loses to the blue team, indicating security defenses are working. But even when the red team’s attack proves successful, this provides valuable intelligence to the client.
To learn more about red teaming, penetration testing, vulnerability assessments, and related topics, visit the Cobalt Offensive Security Learning Center.