How to ‘Win’ a Red Team Exercise

What is a red team exercise?

Organizations that conduct red team exercises use penetration testing tactics to assess vulnerabilities and discover weak points in their cybersecurity preparation. Usually, this involves two teams – one red (the protagonists) and one blue (the incident responders who must pinpoint, evaluate, and respond to the actions of the red team).

We have already discussed the importance of Red Team exercises at length, but what tactics can red teams employ to improve their organizations’ protection? Despite our somewhat dramatic headline, and with the exception of watercooler bragging rights, there’s no real winning and losing for the teams in these exercises. The only real winners are the organizations who conduct them and who develop a more robust security posture as a result.

The more you learn about your organization’s weaknesses, the better your ability to improve them. Red team exercises are also an effective way to identify how well different teams (IT, HR, Development, etc.) currently work together in times of crisis. These exercises should stimulate ​​healthy competition across your IT security team, so remember secrecy is paramount – don’t let the blue team know what’s coming. A real protagonist won’t, and it’s the only way to get a true assessment of your level of attack readiness.

Following the ground rules

You can’t ‘win’ anything if you generate a fist full of red cards. First of all, and possibly most importantly, decide what is off-limits and what is out of scope. It could be your director’s company emails, private areas of your network containing research and development materials, or the payroll department; but there are invariably areas of business operations that will be excluded from any exercise. Specify it, and stick to it.

Clearly define your goal, which will give you your target outcome and a clear objective for your team. This will, by necessity, be broad as red team exercises shouldn’t focus on a single system or application. The team will need to investigate multiple systems and possible methods of attack, to allow for opportunist attacks. It should, however, be specific enough to drive the purpose of an exercise. Perhaps the reds will try to access a specific part of your network without permission, attempt to clone login credentials, use social engineering to persuade colleagues to share private information, send harmless malware to someone on a free (supplier branded) data stick, intercept communications to map a network, or any one of many possible routes to a breach.

A good scenario should be specific enough to ensure that the reds know the exact area of attack and the constraints of the exercise. One of your team may have ideas for simulating a DDoS attack, but that’s out of scope if your mission is to test vulnerabilities to phishing scams.

Make sure you’ve got support from your C-suite, that they understand the value of red teaming, and are prepared for any potential outcome of the exercise. Part of ‘winning’ may be finding out the digital security concerns of your CEO and starting there, certainly if this is the first time you are conducting an exercise. It can also be invaluable to work collaboratively with other members of your organization’s management staff. They will have insight into how different departments operate and what functions are performed in various situations; this information can help you build realistic scenarios that test different aspects of your organization’s response in realistic ways. Talk to accounts, HR, any teams needing remote access, and other potential points of weakness. After creating this initial draft, go back through it again so everyone agrees on what they mean and how they relate to one another before finalizing them. Any plan should also include details on how members of the red team should interact with internal departments and other staff involved.

Create a detailed scenario. Get your team in sync. If you’re part of the red team, and in the immortal words of Gold Five, “Stay on target.”

Picking the reds

Choose the right people for your team. Look for people with the relevant penetration testing knowledge who want the responsibility or who are looking for promotion, they’re your team leaders.

Red teaming groups tend to be small, so it’s important to try and get a good mix of relevant skills and perspectives in your group. Make sure that everyone has something unique to offer, but is also comfortable with red teaming as a process – and won’t object to being labeled as “the bad guys.”

Don’t choose too many or too few people for your exercise. Obviously, this depends on your team size, but people need to be able to take part and have the capacity to still do their regular work.

Look for the weak points

Despite what we said earlier, the goal of the red team is to beat the blue team and vice versa. As such, the reds will need to employ some of the best tactics possible to find and dodge your company’s defenses. Your own cybersecurity team will hopefully already have some insight into vulnerable areas. It’s not “cheating” to ask your red team colleagues what they think is weak. Any bad actor (or blue) will be doing exactly the same thing, and finding weaknesses in your cyber defense is entirely the point of the exercise. Consider unpatched software, misconfigured tools, or other known or unknown risks. Talk about the possible soft spots, and hit them. That’s the aim of the game.

Don’t just focus on external threat detection – also consider your organization’s internal threat landscape. Breaches often come from human error. Create a list of possible problem areas that could cause a digital security issue, ideally ranked in order of priority. Red team exercises should encompass your whole cybersecurity landscape. Use rumours of shadow IT installations to see if these provide undocumented access points to the infrastructure. Delve deep and try to include things, like old servers, that might be overlooked. Doing so will give you a place to start.

Customization and personalization

This mostly applies to phishing exercises, however, a bit of research on LinkedIn can easily tell you who someone’s manager is so there’s no harm in taking a look at your company structure and addressing emails from higher-placed colleagues to your target accordingly. The more professional you can make communication, with the appearance of coming from a reputable source, the better. Personalization often circumnavigates suspicion.

By the same token, using emails apparently sent from the departmental software your company uses, or might not use but is common (like Microsoft Team, using Sage to address the accounts dept., or Figma to target creatives) is an appropriately sneaky approach. Bad actors do this all the time, and catching people out while using the tools black hat hackers have in their toolbox, is the point of the exercise. The more personal, and the more graphically professional, the better. ‘Similar’ company URLs and using topical subdomains make for a compelling argument for the unwary to click on a link.

The other side of the coin

If you’re in the blue team you have to think like the attacker. Where would you hit first if you wanted to breach your organization’s defenses? You’re going to be looking for change, so take a good look at your digital landscape and create a baseline of network activity so that you can more easily spot unusual or suspicious behavior. We have some free tools that might be of help to you:

Imperva Snapshot™
A totally free cloud data security posture assessment tool for Amazon RDS. Imperva Snapshot™ analyzes a temporary, restored copy of your database, with detailed results in a matter of minutes.

Scuba Database Vulnerability Scanner
Scan for security vulnerabilities and configuration flaws to find database risks. Totally free, with over 2,300 tests and a graphical dashboard of results and mitigation recommendations.

Imperva Classifier
This data classification tool can uncover sensitive data that may be at risk in your organization’s database. Completely free, with 250 search rules, Classifier displays results in a clear web-based dashboard.

Try these out and they’ll probably show you some gaps in your defenses. If you’ve not done so already, make sure that all your perimeter security methods – like firewalls, malware protection, and antivirus software – are all correctly configured and patches are up-to-date. If you don’t do so already, consider employing the principle of least privilege (POLP). This limits users’ access rights to read, write, and execute only what is needed to do their jobs, and nothing more, to prevent their lateral movement across the network should a breach happen. You could also use micro-segmentation to divide perimeters into small zones, giving separate access to every part of the network.

It’s not just about stopping an attack. Keep in mind that a big part of ‘winning’ for the blue team is also the speed of response, how efficiently you isolate the incident, and how quickly you restore any “lost” systems or data. Having recovery plans and contingencies in place already will make for much smoother and faster mitigation. Here’s what to include in your cybersecurity disaster recovery plan.

The final scores

Create a solid report at the end of your red team exercise to get buy-in on your next steps. To be sure it’s effective, make sure it is clear, easy to read, concise, and well organized so that the people reading it can easily follow future recommendations. Having a clear template will make this much easier. Make it actionable, with concrete suggestions that are specific enough so that they can be implemented by those who will implement them, but not so specific that non-technical stakeholders can’t understand them.

Keep it timely and relevant. Red teams often produce reports after the exercise has already occurred; this means there may already be other information, for example in email chains, about what happened during the exercise. Make sure the report is timely enough so that it stands as the definitive version of results without anyone getting swamped in preconceptions.

Being good at being bad

Red team exercises take a lot of careful planning and may require some additional budget, but the results will be worth it. These exercises will help you to identify your organization’s security blind spots and prevent future attacks with real-world simulation testing. You may even experience a drop in cyber insurance premiums as a result. Good luck.