Red team assessment phases: Overview
Computer systems and networks contain valuable information, and hackers are out there trying to steal that data. This has led to the development of the red team assessment, a test to help an organization identify and correct vulnerabilities and flaws in their cybersecurity defenses before a hacker can find and exploit them.
To do so, an organization hires a red team to perform an assessment. The red team’s job is to think and act as a hacker does in order to find the vulnerabilities in an organization’s network that are the most likely to be exploited. Once they’ve done so, the red team reports their results to the organization.
FREE role-guided training plans
Every red team assessment is unique, but they tend to follow a flow through seven main phases, as described in the following section.
[On-Demand Webinar — "Red Team Operations: Attack and Think Like a Criminal"]
Breaking down the red team assessment phases
The basic steps of a red team assessment can be broken up into seven main phases, and most red team assessments will include all phases in roughly that order. However, the specifics of the situation may mean that certain phases are skipped (as in a white-box assessment) or performed out of order (for example, if an attempt to gain access fails and the red team has to start over). The phases of a red team assessment are useful in understanding how a red team assessment works but are not set in stone.
Planning/setting objectives
The first phase of a red team assessment usually involves planning and setting objectives for the assessment. The organization being assessed may have specific wishes for the red team assessment. For example, the red team may only be required to demonstrate the ability to access sensitive information, not exfiltrate it. A common limitation is disallowing the use of social engineering as part of the assessment.
A crucial part of this phase of a red team assessment is ensuring that all parties involved are in sync regarding the “rules” of the assessment.
Once the ground rules for the assessment have been laid out, the team can start planning their strategy. Based on the specifics of the assessment, certain avenues of attack may be more or less promising for the assessment. Creating a rough plan for the assessment in advance minimizes the probability of wasted effort and unintended consequences and facilitates assignment of roles within the team.
Reconnaissance
Once the planning phase is complete, the assessment can begin in earnest. Collecting information about the target environment is vital to performing a red team assessment against it. Every organization has its own digital and physical defenses and the state and configuration of these defenses dictates how they can be circumvented or overcome. In the reconnaissance phase, a red team tester attempts to gather as much as possible about the target while minimizing the probability of being detected.
Target identification
At the end of the reconnaissance phase, the red team should have a large amount of information about the target’s digital and physical habits and defenses. In the target identification stage of the attack, the red team sifts through this information to identify potential vulnerabilities and ways to achieve their objectives. This phase also includes active information-gathering techniques like network scanning and enumeration. Usually, the team will try to identify several different avenues of attack in order to maximize the probability that their attack will be successful.
Gaining access
This stage of the assessment is when the red team makes their first significant active moves against the organization. The actions taken in the reconnaissance phase are intended to be passive or have minimal impact in order to minimize the chances of detection.
In the Gaining Access Phase, the red team takes advantage of the vulnerabilities identified in the previous phases in order to bypass or overcome the organization’s defenses. This may include exploiting software vulnerabilities, using social engineering against employees or bypassing physical defenses. The end goal of the phase is to provide the red team with a foothold inside the target’s defenses that can be expanded to achieve the objectives of the assessment.
Establishing foothold and maintaining presence
Once a red team has access to a system, a primary goal is ensuring that access continues. Depending on the attack vector used to gain access to the system, it may be difficult or impossible to maintain access using the original connection. In this phase of an assessment, the red team expands and deepens their foothold on the target network, establishing communications channels and persistence mechanisms in order to guarantee that they have a sufficient level and duration of access to achieve the objectives of the assessment.
Completing objectives
This phase of the red team assessment is fairly self-explanatory. In the first phase of the assessment, the red team and the customer negotiate the terms of the red team assessment. Typically, this involves identifying certain “flags” or pieces of information that the red team should target in order to prove that they have gained certain levels of access to the system. In this phase of the assessment, the red team takes advantage of the access gained and expanded in the previous two phases to locate and claim the agreed-upon flags on the target network or system.
Reporting
The final, and potentially most important, phase of a red team assessment is the reporting phase. A customer hiring a red team to perform an assessment is doing so in order to gain specific information and actionable guidance about vulnerabilities in their systems, not just a statement that their network is or is not vulnerable. In this phase of the assessment, it is the responsibility of the red team to clearly and comprehensively document the vulnerabilities discovered during their assessment, including how they can be verified and exploited for future testing.
How do red team assessments compare to real attacks?
Red team assessments are designed to be as similar to real attacks as possible. By using the same tools, techniques and procedures as black-hat hackers, red teams maximize the probability that they will identify and report the vulnerabilities that attackers are most likely to target in an organization’s network. However, there are a few ways in which red team assessments may not accurately mirror real attacks.
The first inconsistency is the allowable scope of the assessment. If an organization states that social engineering is out of scope of the assessment, then the red team won’t use social engineering against the target. However, hackers don’t care if an organization doesn’t want to be socially-engineered and will take advantage of any weaknesses that an organization has. A “no-holds-barred” red team assessment is the most like a real-world attack.
The other main difference between real-world attacks and red team assessments is the phases included. Obviously, hackers won’t be sending a detailed vulnerability report to the target organization. Both hackers and red teams may skip phases if the situation warrants it. If an organization has an obvious, gaping vulnerability, a hacker may skip directly to the Gaining Access phase. In a white-box assessment, red teams are given access to the system and can begin by expanding their foothold on the system.
The red team also has limited time to perform the assessment, while hackers typically don’t, so they may focus more on targets of opportunity than a full-scale analysis of the system before exploitation.
Want to read more? Check out some of our other articles, such as:
- Red Team Assessment Phases: Reconnaissance
- Red Team Assessment Phases: Target Identification
- Everything You Need To Know About Red Teaming in 2018
What should you learn next?
Sources
Penetration Testing - Limitations, Tutorialspoint