What is Red Teaming? Is it Worth Doing?


Red teaming is an advanced form of penetration testing, which is not for every organization. While it may identify vulnerabilities that exist within your environment, that is not the primary goal.

Other forms of penetration testing (e.g. application, IoT, or network, to name a few) focus on identifying vulnerabilities and providing a story of how those vulnerabilities could be used to compromise your organization. That is not the goal of red teaming. Good red teaming tests not only the resiliency of your organization but also its ability, and its speed, to respond to a potential breach.

An organization may wonder when it would be ready for a red teaming engagement. To get the most from the engagement, it is only recommended for organizations that have mastered the basic hygiene items (patching, access control, logging, etc.) and are ready to live-test their response capabilities. An organization that operates from an assumed-breach mindset or has invested in detection and response will get the most from this engagement.

How Red Teaming is Different

Red team testing, also known as adversarial simulation, is a form of penetration testing that differs quite significantly from other forms of penetration testing.

In short, the goal of red teaming is to mimic the TTPs (tactics, techniques, and procedures) of malicious actors. Exercising these TTPs gives your organization the ability to keep tuning its detection capabilities, improve response procedures, and often identify gaps in visibility or detection that, once closed, would allow for a faster response.

This engagement is typically not announced and is meant to test the full organization following your security processes and procedures.

A good red teaming engagement will take an approach of least resistance. The engagement may start with a focus on the network but may find that an application is configured insecurely and will pivot to the application layer.

This type of flow allows ethical hackers a chance to compromise components of the organization to test response, visibility, and detection capabilities. While it may be possible to limit the scope to certain types of attacks or components of the organization, it is typically best to leave it fully open, as a malicious actor will not limit the scope when trying to gain access to your organization.

The Red Teaming Process

The process for a red teaming engagement differs quite a bit from other penetration testing activities. In those, it is announced and well known that testing is taking place; with a red team, to get the most out of it, testing is not announced.

If a more open approach is desired, it would be recommended to find a purple team engagement (red team type testing with the blue team knowing), as this engagement will not provide that type of value.

Scoping

In most red team testing cases, it is usually a senior leader in the organization contracting with a firm that specializes in this type of work. Usually, no one else is aware, and scoping is agreed to in terms of total effort, type, and the number of consultants on the test. Most firms will want a three to four-week engagement on the low end to provide enough time to do reconnaissance, develop an attack strategy, and follow up with exploitation.

Testing Phase

Once the time-boxed window has been agreed upon and contracts are in place, testing can start. While it may be expected that alarms and warnings will be going off from the start, odds are it will seem like nothing is happening.

Most red team engagements start with a low and slow approach to avoid detection out of the gate and build up as the engagement moves further along. A malicious actor won’t just bombard your organization with automated tools; they will take their time to identify targets and weak areas and systematically attack those areas to avoid tipping their hand.

Completion

There are two ways that testing will be completed in the engagement. Either the time-boxed window is exhausted, or your internal blue team was able to identify the activity and attribute it back to the vendor. In the latter case, there are usually contingencies when this happens to continue to get the value out of the test.

Reporting

In both cases, the real value comes at the end of testing, when the vendor provides a detailed report with timestamps for the activities, exploits, tests, and reconnaissance that were performed. At this point, your internal security operations team can go back and review what they should have seen or identified, what they missed, and any gaps that exist in tooling or logging.
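As an added illustration of that post-engagement review (this is not code from the article or its author), the following Python script reconciles a vendor's timestamped activity report against the SOC's alert log, reporting the detection delay for each activity and listing the techniques that produced no alert at all. The activity entries, alert entries, host names, and the four-hour matching window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumptions, not from the article): the vendor's
# timestamped activity report and what the SOC's alerting actually recorded.
RED_TEAM_REPORT = [
    {"time": "2022-03-01T09:05:00", "host": "ws-114", "technique": "phishing"},
    {"time": "2022-03-01T09:40:00", "host": "ws-114", "technique": "credential_dumping"},
    {"time": "2022-03-02T14:10:00", "host": "srv-db01", "technique": "lateral_movement"},
    {"time": "2022-03-03T02:30:00", "host": "srv-db01", "technique": "exfiltration"},
]
SOC_ALERTS = [
    {"time": "2022-03-01T09:45:00", "host": "ws-114", "technique": "credential_dumping"},
    {"time": "2022-03-02T16:55:00", "host": "srv-db01", "technique": "lateral_movement"},
]


def _ts(text):
    return datetime.fromisoformat(text)


def gap_analysis(report, alerts, window=timedelta(hours=4)):
    """Match each red team activity to the first SOC alert on the same host and
    technique raised within `window` after it. delay_min is None when nothing
    fired, which marks a visibility or detection gap for the tooling review."""
    results = []
    for act in report:
        start = _ts(act["time"])
        matches = [
            _ts(a["time"]) for a in alerts
            if a["host"] == act["host"] and a["technique"] == act["technique"]
            and start <= _ts(a["time"]) <= start + window
        ]
        delay = (min(matches) - start) if matches else None
        results.append({
            "technique": act["technique"],
            "host": act["host"],
            "detected": delay is not None,
            "delay_min": None if delay is None else int(delay.total_seconds() // 60),
        })
    return results


def missed_techniques(results):
    """Techniques the blue team never saw: the starting list for the gap review."""
    return [r["technique"] for r in results if not r["detected"]]


if __name__ == "__main__":
    findings = gap_analysis(RED_TEAM_REPORT, SOC_ALERTS)
    for row in findings:
        print(row)
    print("gaps:", missed_techniques(findings))
```

The same reconciliation applies to a purple team exercise, where it can be run after each step rather than only at the end.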

Blue Teams? Purple Teams?

As touched on previously, there is a concept of purple team testing. Security likes to use colors, for some reason, to describe different groups. The red team is the attacking team, and the blue team is the defense team. The purple team, well, is a team made up of both red and blue members.

When it comes to the blue team, it is much broader than just security engineers and analysts. This encompasses everyone within the organization, as it is typically the responsibility of all employees to help defend the organization from attack. Do not confuse blue for just your security operations center; it is much more expansive than that.

Purple team testing is another unique form of penetration or offensive security testing. The key difference between purple team testing and red team testing is that the blue team fully knows what is happening at every step of the test.

The blue and red teams work in a highly collaborative, open-communication process that allows for live tuning and gap analysis. In this engagement, the red team conducts its TTPs while informing the blue team of what they are doing, where they are coming from, and the expected outcomes. In some cases, if a TTP is unsuccessful, the red team will ask the blue team what they are seeing and what is being blocked or prevented, so that the attack can be altered to make it successful.

This provides a whole new level of ability to tune detection and prevention as the two teams work together.

A purple team test can be extremely beneficial for an organization that is less mature in its security detection capabilities and can accelerate the maturation process.

How Long Does a Red Teaming Test Take?

Red team testing is a budget question. Typically, the shortest a vendor will agree to for one of these types of engagements is three to four weeks. It is possible to gain a shorter period, but it is recommended to have a deep conversation on the value-added for such a short engagement and if a purple team test would be more appropriate.

Beyond that minimum, the engagement can last as long as your budget allows. It is not uncommon for engagements to be contracted for months at a time, and some vendors also offer yearly subscription services that allow for testing at any point during the year without notice. Your organization's budget is going to be the biggest limiting factor for this engagement.

Red Teaming Tools

When it comes to tools utilized for red teaming, the toolkit will often include anything used for other penetration testing types. Instead of breaking down all the unique tools that can be utilized, let’s focus on core tooling categories.

Most red teamers will utilize a combination of commercial solutions, open-source solutions, and custom solutions.

When engaging a firm for red teaming activities, asking about the custom tools that have been developed can be an indicator of expertise and the number of engagements.

Investing in creating custom tools can be expensive and time-consuming so a firm doing a few engagements a year may not invest much to develop their tools.

The main categories of tools are as follows:

Reconnaissance

This can be active, passive, or open-source intelligence. This includes mapping IP addresses and domains but can include gathering information on employees, vendors, and service providers. These tools are used to gather the information that can help with identifying the focus for exploitation or delivery of payloads at a later stage.

Exploitation Payload Development

These tools are focused on building the payloads or exploits that will be deployed at a later stage of the engagement. This can include social engineering and phishing content as well as exploits for vulnerabilities that exist within the organization's infrastructure.

Exploitation Delivery

As the name suggests, these tools are used to conduct the actual attack and deliver the payloads. They are typically used once a foothold or pivot point has been attained within the network, or to create a persistent access point.

Privilege Escalation

Once a foothold has been established with persistent access, these tools will be used to elevate privilege to allow for further access within the organization.

Command and Control

To assist with persistent access or to deliver additional payloads as needed, a command-and-control tool may be used to communicate with red team assets outside of the organization’s assets.

Exfiltration

These tools will be used as part of the attempt to remove data or mimic the removal of data from the network. These tools may work in conjunction with the command-and-control tools.

Who Benefits Most?

Red teaming activities are not for every organization. There is a certain level of maturity needed to get the most from the engagement.

However, there is one instance where that maturity may not be needed, and that is to attain additional budget and to communicate through active testing the exposure that your organization has.

In this case, it is critical to set expectations with the board and executives: the organization will most likely be compromised, and it will have limited detective and preventative controls in place. With open communication with leadership, it is possible to leverage this testing to show that the organization needs to invest further in security controls to limit the impact of an incident.

Beyond that use case, the other organizations that benefit are mature organizations that want to move beyond a tabletop response exercise. This is a great option to fully test response playbooks and procedures within the blue team.

Not only will it test the ability to detect, but it may very well test the ability to identify all access points, move that access, and keep the malicious actor out. Again, the focus is less on identifying vulnerabilities and more on identifying and testing the ability to respond to a breach incident.

How Much Does Red Team Testing Cost?

Red teaming is not a cheap service. Even if contracting with one consultant for a smaller (3-week) engagement, it can still cost a fair bit.

Many factors come into play for this type of engagement. A few are length, number of consultants, the experience of those consultants, and vendor experience. These factors can have a large impact on the hourly rate, as this service is typically delivered by very seasoned consultants. Because of this, the hourly rate will typically be higher than for other penetration testing services.

So, how much will it cost?

When asked about this in the past, it has always been the recommendation to budget for no less than $50,000 per engagement.

It is certainly possible to get the test for less than that, but budgeting at this level, even though it is the low end, should provide enough room to get a quality test. Of course, this is just the low end, and it is certainly possible to see the engagement go into the mid-six figures.

NOTE: See here for our full breakdown of red team penetration testing costs.

Does Red Teaming Vary from One Vendor to the Next?

The short answer is yes: the service will differ drastically from one vendor to the next. The approach, tools used, and even pricing will vary from one vendor to another. Keep in mind that these are vendors that have invested a great deal in purchasing zero-day and vulnerability information to develop exploitation kits and payloads.

They have also invested a great deal to build a large, highly skilled team of consultants to act like malicious actors. In this case, the hourly rate will be elevated, but the product will also be elevated.

The key concept to keep in mind with red teaming is that a vendor's investment in intellectual property and custom tools is vital to providing a strong service to your organization. These tools vary from one vendor to another, so understanding each vendor's areas of expertise and the tools it has developed will help you identify whether it has the right expertise for your organization's tech stack.

Another area that is not one-size-fits-all is the type of red teaming activities that are in scope. Physical and social engineering red team activities are not performed by every vendor. Some vendors specialize in just these types of activities, as they require special skills and tools, along with nerves of steel.

If these engagements are what your organization is looking for, engage with a vendor that specializes in these types of engagements.

How to Choose a Red Teaming Service?

When picking the provider for your service, it is important to not just focus on price or hourly rate. While the total price may be of concern and getting more time for the same price sounds like a good plan, it can backfire.

Experience, tools, and intellectual property are extremely important to provide high-quality results in the engagement. This is because the service is a high-skill service; remember you want them to act like malicious actors to test your response capabilities.

So, what can an organization do to help make sure a fair price is being attained? The biggest thing you can do is price vendors, talk to them about their skills and primary areas of operation, and be transparent with them about quotes you are getting from other vendors.

This will help keep pricing in check to a certain degree, but it may not always work. Some of the better vendors will not budge much on total cost or hourly rate, as they are known for these services and have plenty of work to keep their teams busy. While it may not be the answer every organization wants to hear, you get what you pay for in this service.

Practice caution if a vendor is significantly cheaper than other big-name vendors. They may just be providing you with a network penetration test labeled as a red teaming exercise.


Published by Nathaniel Cole
Copyright © 2022 Network Assured