Penetration testing

Red team assessment phases: Overview

Howard Poston
December 7, 2018 by
Howard Poston

Computer systems and networks contain valuable information, and hackers are out there trying to steal that data. This has led to the development of the red team assessment, a test to help an organization identify and correct vulnerabilities and flaws in their cybersecurity defenses before a hacker can find and exploit them.

To do so, an organization hires a red team to perform an assessment. The red team’s job is to think and act as a hacker does in order to find the vulnerabilities in an organization’s network that are the most likely to be exploited. Once they’ve done so, the red team reports their results to the organization.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Every red team assessment is unique, but they tend to follow a flow through seven main phases, as described in the following section.

[On-Demand Webinar — "Red Team Operations: Attack and Think Like a Criminal"]

View Webinar

Breaking down the red team assessment phases

The basic steps of a red team assessment can be broken up into seven main phases, and most red team assessments will include all phases in roughly that order. However, the specifics of the situation may mean that certain phases are skipped (as in a white-box assessment) or performed out of order (for example, if an attempt to gain access fails and the red team has to start over). The phases of a red team assessment are useful in understanding how a red team assessment works but are not set in stone.

Planning/setting objectives

The first phase of a red team assessment usually involves planning and setting objectives for the assessment. The organization being assessed may have specific wishes for the red team assessment. For example, the red team may only be required to demonstrate the ability to access sensitive information, not exfiltrate it. A common limitation is disallowing the use of social engineering as part of the assessment.

A crucial part of this phase of a red team assessment is ensuring that all parties involved are in sync regarding the “rules” of the assessment.

Once the ground rules for the assessment have been laid out, the team can start planning their strategy. Based on the specifics of the assessment, certain avenues of attack may be more or less promising for the assessment. Creating a rough plan for the assessment in advance minimizes the probability of wasted effort and unintended consequences and facilitates assignment of roles within the team.

Reconnaissance

Once the planning phase is complete, the assessment can begin in earnest. Collecting information about the target environment is vital to performing a red team assessment against it. Every organization has its own digital and physical defenses and the state and configuration of these defenses dictates how they can be circumvented or overcome. In the reconnaissance phase, a red team tester attempts to gather as much as possible about the target while minimizing the probability of being detected.

Target identification

At the end of the reconnaissance phase, the red team should have a large amount of information about the target’s digital and physical habits and defenses. In the target identification stage of the attack, the red team sifts through this information to identify potential vulnerabilities and ways to achieve their objectives. This phase also includes active information-gathering techniques like network scanning and enumeration. Usually, the team will try to identify several different avenues of attack in order to maximize the probability that their attack will be successful.

Gaining access

This stage of the assessment is when the red team makes their first significant active moves against the organization. The actions taken in the reconnaissance phase are intended to be passive or have minimal impact in order to minimize the chances of detection.

In the Gaining Access Phase, the red team takes advantage of the vulnerabilities identified in the previous phases in order to bypass or overcome the organization’s defenses. This may include exploiting software vulnerabilities, using social engineering against employees or bypassing physical defenses. The end goal of the phase is to provide the red team with a foothold inside the target’s defenses that can be expanded to achieve the objectives of the assessment.

Establishing foothold and maintaining presence

Once a red team has access to a system, a primary goal is ensuring that access continues. Depending on the attack vector used to gain access to the system, it may be difficult or impossible to maintain access using the original connection. In this phase of an assessment, the red team expands and deepens their foothold on the target network, establishing communications channels and persistence mechanisms in order to guarantee that they have a sufficient level and duration of access to achieve the objectives of the assessment.

Completing objectives

This phase of the red team assessment is fairly self-explanatory. In the first phase of the assessment, the red team and the customer negotiate the terms of the red team assessment. Typically, this involves identifying certain “flags” or pieces of information that the red team should target in order to prove that they have gained certain levels of access to the system. In this phase of the assessment, the red team takes advantage of the access gained and expanded in the previous two phases to locate and claim the agreed-upon flags on the target network or system.

Reporting

The final, and potentially most important, phase of a red team assessment is the reporting phase. A customer hiring a red team to perform an assessment is doing so in order to gain specific information and actionable guidance about vulnerabilities in their systems, not just a statement that their network is or is not vulnerable. In this phase of the assessment, it is the responsibility of the red team to clearly and comprehensively document the vulnerabilities discovered during their assessment, including how they can be verified and exploited for future testing.

How do red team assessments compare to real attacks?

Red team assessments are designed to be as similar to real attacks as possible. By using the same tools, techniques and procedures as black-hat hackers, red teams maximize the probability that they will identify and report the vulnerabilities that attackers are most likely to target in an organization’s network. However, there are a few ways in which red team assessments may not accurately mirror real attacks.

The first inconsistency is the allowable scope of the assessment. If an organization states that social engineering is out of scope of the assessment, then the red team won’t use social engineering against the target. However, hackers don’t care if an organization doesn’t want to be socially-engineered and will take advantage of any weaknesses that an organization has. A “no-holds-barred” red team assessment is the most like a real-world attack.

The other main difference between real-world attacks and red team assessments is the phases included. Obviously, hackers won’t be sending a detailed vulnerability report to the target organization. Both hackers and red teams may skip phases if the situation warrants it. If an organization has an obvious, gaping vulnerability, a hacker may skip directly to the Gaining Access phase. In a white-box assessment, red teams are given access to the system and can begin by expanding their foothold on the system.

The red team also has limited time to perform the assessment, while hackers typically don’t, so they may focus more on targets of opportunity than a full-scale analysis of the system before exploitation.

Want to read more? Check out some of our other articles, such as:

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Sources

Penetration Testing - Limitations, Tutorialspoint

Howard Poston
Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at howard@howardposton.com or via his website at https://www.howardposton.com.