Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing, or pentesting, is the simulation of a cyberattack to assess a network’s security to find weaknesses that can then be fixed before threat actors exploit them. Pentesting is done externally, unlike many approaches to security, such as vulnerability scanning, which uses technology tools from within the network to seek out potential problems. Ethical hackers attack the network to see where they can gain entry and what they can exploit in terms of vulnerabilities, misconfigurations and back-doors that weren't closed after contractors were given temporary access.
Earn two pentesting certifications at once!
Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.
Red team members, compared to penetration testers, make full use of a plethora of pentesting techniques and more. They incorporate attempts, within a predefined set of parameters agreed on by the client, to physically enter the building, such as finding unlocked windows, outside doors that don't close all the way, or even breaking in and checking to make sure the key code for the alarm isn't something like 1-2-3-4. They also harness social engineering tricks like dropping malicious thumb drives in the parking lot to see if employees pick them up and plug them into their computers to see who they belong to. Another ploy is walking in the front door in a UPS costume with a package and asking someone with keycard access to hold the door to a restricted area.
Matt Lorentzen, principal consultant at Cyberis, has spent much of his career in the pentesting world.
Most recently, he has involved himself in what is known as intelligence-led penetration testing, which is a form of red teaming. It is guided by real-world threat intelligence about the attacks against various organizational sectors. The purpose of red teaming is to determine where the threshold of detection is. i.e., how far the pentester can reach within the network before being detected.
Some clients want to see whether you can get into their systems and what files and databases you can get into. Other people tell you the exact things they are concerned about, such as sensitive files or network infrastructure areas covered by compliance mandates. And in other cases, people want the pentester to emulate the types of attacks they are seeing to determine how easy it might be for attackers to find a route into the enterprise.
Purple teaming
Red teams are those pretending to be hackers, and blue teams are those defending the organization. Lorentzen likes this approach but admits that this approach sometimes has limitations as it assumes all attacks are externally based. In reality, the number of attacks arising from the actions of disgruntled or compromised employees or contractors is rising. Thus, purple teaming is becoming more common, where the red team and blue team members work in tandem and collaborate in real-time to find and exploit weaknesses.
“There are numerous routes that somebody can use to become embedded in an organization, including getting a job as a means of infiltrating IT,” said Lorentzen.
But insider threats are one of many options. Another purple team exercise might involve the red team finding a vulnerability accessible by a high-placed insider and passing that data onto the blue team. They, in turn, terminate network access privileges or use that vulnerability to get up to other mischief.
Banks, for example, are interested in attack paths attackers can use to reach their Swift infrastructure and extract funds. But other industries have different needs. It is all about what they most want to protect.
Dual pentesting certifications
Cloud attacks mean a broader attack surface
The cloud has brought a great many benefits to IT. From a cybersecurity perspective, though, it introduced greater complexity, broadened attack surfaces, and significantly increased the number of potential points of entry.
“The perimeter that we spent a lot of time building has now largely disappeared in order to facilitate agility and freedom of movement,” said Lorentzen.
That has resulted in environments where people often don’t know exactly where all their data and systems reside. Data pockets and silos may be in hidden spots that people are unaware of. Hackers can exploit these areas as they are typically poorly protected, may be misconfigured, and are likely to be unpatched.
Similarly, cloud or mobile settings can render some security technologies unfeasible in certain settings. Take the case of multi-factor authentication (MFA) and a strong password policy. Both are difficult or impossible to implement across an entire student population, for example, or in government systems that face outward to the citizenry. There are just too many people and too many non-tech savvy individuals that you have to expect weak credentials, repeated passwords, post-it note passwords on PCs, heavy pushback on MFA, or complete unwillingness to take any security precautions.
“For schools specifically, you have to accept the fact that children are going to choose weaker credentials for a number of reasons,” said Lorentzen. “But you can compensate in other ways, such as by policing the types of permissions people have and who has administrative access. That’s a good way to slow attackers down even if they manage to phish a user credential.”
Another safeguard in school environments is geo-location. There is no reason, for example, why an American student should be logging in from another country. There may be ways for hackers to get around such safeguards. Nevertheless, it is another layer an attacker needs to go through.
Listen to Matt Lorentzen's insights on red team evolution on Infosec's Cyber Work Podcast.
Become a Certified Ethical Hacker, guaranteed!
Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.
Pentesting and red teaming continue to evolve
Recent refinements such as intelligence-driven red team pentesting and purple team collaboration tactics have helped organizations face the many challenges posed by today’s broadening attack surfaces. But threat actors continue to develop new techniques to penetrate enterprise defenses. Therefore, pentesting and the testing of security readiness must continue to evolve to address changing threat vectors.
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
In this Series
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
- Exploiting NFS share [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness
Penetration testing