In my former life, I was a member of an institutional Red Team at a Fortune 500 organization with several colleagues and friends who are/were members of Red Teams at other Fortune 500s. While White Oak Security provides some pretty incredible services, Red Teaming being one of them, we wanted to shed some light on a common thread among our shared experiences – that most organizations struggle to understand how to apply Red Teaming against their own business and frequently misunderstand the intent of a Red Team.
This blog post intends to help disambiguate the most common offensive security roles that we observe at large organizations and provide talking points for members and leaders of Red Teams when explaining how their role differs from the rest.
In Cyber Intel circles, they refer to the “bad guys” as an Adversary or Threat Actors, which are malicious individuals or groups who intend to commit harm against organizations and/or people. Depending on the motivations and sophistication of Threat Actor groups, they may have a specific industry sector that they target or they may attack multiple industries more broadly. Although we may all be familiar with the “bad guys”, we don’t necessarily know if they can breach our organizations.
Consider the following threat model (below) that most corporations face:
For those of us who aren’t indoctrinated, these categories of cyber security Threat Actors are grouped according to sophistication and prevalence. As they increase in sophistication, they’re less noisy and less likely to be caught by your detection capabilities. Although they generally have different motivations from each other, there can be some bleed-over between the groups in terms of individual actors.
This is the operating space for a Red Team: The Adversary or Threat. Your neighborhood friendly adversary! You may see interchangeable terms like “Adversary Simulation” or “Threat Emulation” as explanations for the function of a Red Team, and that Red Teams utilize “Adversarial Tactics” or “Attack Simulations”. These are all correct: the purpose of your Red Team is to simulate threats against your organization, and as a result Red Teams can be said to be Threat Focused, not Risk Focused.
Red Teams perform assessments that are generally referred to as operations, red team operations, or RTOs. These operations are well-defined scenarios that utilize adversarial tactics against the organization to achieve a goal or set of goals. The result of a Red Team Operation (RTO) feeds into defense (Blue Team) improvements, organizational awareness, and strategic decision making.
There are generally two types of operations that internal Red Teams perform, Continuous and Strategic.
Continuous operations generally run at a weekly, biweekly, or monthly cadence. Common examples of continuous operations include Cyber Kill Chain (CKC) and Account Takeover (ATO) attacks. These operations generate metrics that a business can use to track Blue Team (Detection and Response) improvements over time.
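The metrics sentence above is easy to state and easy to get wrong in practice, so here is an added example (not code from the original post or from White Oak Security) of how a small team might track them. It assumes each continuous operation is recorded with the date it ran, whether the Blue Team detected it, and, if so, how many minutes detection and containment took; the scenario labels, operation ids and all result records are constructed for the example.

```python
"""Tracking Blue Team detection metrics from continuous red team operations.

Added example, not code from the original post. Assumes each continuous
operation (e.g. a Cyber Kill Chain or Account Takeover run) is recorded with
the date it ran, whether the Blue Team detected it, and, if so, how many
minutes detection and containment took. All records below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class OperationResult:
    op_id: str
    scenario: str            # "CKC" or "ATO" (labels assumed for this example)
    ran_on: date
    detected: bool
    minutes_to_detect: Optional[int] = None   # None when never detected
    minutes_to_contain: Optional[int] = None  # None when never contained


# Constructed sample data: two months of weekly operations.
SAMPLE_RESULTS = [
    OperationResult("rto-001", "CKC", date(2023, 1, 2), False),
    OperationResult("rto-002", "ATO", date(2023, 1, 9), True, 240, 600),
    OperationResult("rto-003", "CKC", date(2023, 1, 16), False),
    OperationResult("rto-004", "ATO", date(2023, 1, 23), True, 180, 420),
    OperationResult("rto-005", "CKC", date(2023, 2, 6), True, 90, 300),
    OperationResult("rto-006", "ATO", date(2023, 2, 13), True, 60, 200),
    OperationResult("rto-007", "CKC", date(2023, 2, 20), True, 30, 120),
    OperationResult("rto-008", "ATO", date(2023, 2, 27), False),
]


def metrics_by_month(results):
    """Return {"YYYY-MM": {...}} with detection rate and median response times.

    Median time-to-detect / time-to-contain is computed only over detected
    operations; an operation that was never detected counts as a miss in the
    detection rate but not in the timing medians, so a falling detection rate
    is never masked by a better-looking median.
    """
    buckets = {}
    for r in results:
        key = f"{r.ran_on.year:04d}-{r.ran_on.month:02d}"
        buckets.setdefault(key, []).append(r)

    report = {}
    for key in sorted(buckets):
        ops = buckets[key]
        detected = [r for r in ops if r.detected]
        report[key] = {
            "operations": len(ops),
            "detected": len(detected),
            "detection_rate": round(len(detected) / len(ops), 2),
            "median_minutes_to_detect": median(r.minutes_to_detect for r in detected) if detected else None,
            "median_minutes_to_contain": median(r.minutes_to_contain for r in detected) if detected else None,
        }
    return report


def detection_trend(report):
    """Month-over-month change in detection rate, in percentage points."""
    months = sorted(report)
    return {
        later: round((report[later]["detection_rate"] - report[earlier]["detection_rate"]) * 100)
        for earlier, later in zip(months, months[1:])
    }


if __name__ == "__main__":
    rep = metrics_by_month(SAMPLE_RESULTS)
    for month, m in rep.items():
        print(month, m)
    print("trend (pp):", detection_trend(rep))
```

Reporting detection rate and timing medians side by side is the point: a month where every detected operation was caught quickly but half were never detected at all should read as a regression, not an improvement.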
Strategic operations are much more open-ended, longer-running, and objective oriented. These operations can cover other areas of the business that are generally not considered during initial foothold simulations of the CKC.
A couple of red team example scenarios I’ve seen played out at other organizations are:
Most of the organizations I’ve interacted with focus more on the Strategic and less on the Continuous RTOs. Both can add significant value, but depending on the maturity of the business’s Blue Team function, it may make more sense for Red Teams to focus on Strategic RTOs before justifying the additional time and resource investment that Continuous RTOs require.
If you’re unfamiliar with the Cyber Kill Chain, I highly recommend reading up on it, as it’s an important primer for understanding the function of a Red Team; you can read that CKC info here. Overall, the Cyber Kill Chain is a cyberattack framework developed by Lockheed Martin, designed in part from US military attack models. It captures the essential stages used by Threat Actors to breach organizations. If you need a model to operate your Red Team, this is where you start.
Many others have written about the CKC, and I won’t do it much justice by giving my own spin in this blog. But for those who prefer the short synopsis, these are the basic stages of the CKC.
Most large organizations have two primary offensive security roles. Sometimes we see them as a combined function, but more often we see the functions divided up much more granularly. The following are common clusterings of the roles we see at organizations:
As mentioned previously, depending on the size and scope of an organization we may see the above teams more granularly divided. In a former life I’ve seen Vulnerability Management divided into two teams: Enterprise and Online. Similarly, I’ve seen Penetration Testing teams divided into AppSec, Network Security and Continuous Application Scanning teams. At one colleague’s institution, their VM and Pentest teams are actually a combined function, where team members wear several hats. Your mileage may vary (and this is by no means a recommendation for how to structure your security org; we have other blogs on that).
But the key take-away from these teams’ function is they are very risk-oriented, because risk is the language the business speaks. Taking a risk-based approach to information security is critical for organizations for two main reasons: prioritizing remediation and resolving compliance obligations.
The results of Red Teaming activities can inform companies of the risks, but are not risk-based by nature. Remember: Red Teams are Threat Focused, not Risk Focused. And simulating threats is the most effective method to defend against threats.
There’s a lot to say about how to build a Red Team, however there’s no one best-fit way to do so. In the next entry in this series, we’ll dig into the Continuous and Strategic operating models, discuss the skills and roles necessary to deliver important outcomes, and end on how to make the Red Team an effective member of your Cyber Security Organization.