Think Like An Attacker: How a Red Team Operates

Published: 23/11/2024   Category: security


Seasoned red teamers explain the value-add of a red team, how it operates, and how to maximize its effectiveness.



If you want to stop an attacker, you have to think like an attacker.
That's the general mindset of someone on the red team, a group of people within an organization responsible for, well, attacking it. Their goal is to act like the adversary and figure out different ways to break into a company so it can strengthen its defenses.
"The whole idea is, the red team is designed to make the blue team better," explains John Sawyer, associate director of services and red team leader at IOActive. It's the devil's advocate within an organization: the group responsible for finding gaps the business may not notice.
Red teaming is markedly different from penetration testing, though the two are often confused, he continues. In its early days, pen testing resembled modern-day red teaming.
"When we talk about ethical hacking and pen testing in the late '90s, it was no-holds-barred kind of penetration testing," says Sawyer. As pen testing became mainstream, it also became commoditized. Now, instead of testing the system as a whole, one-off pen tests target specific parts of the ecosystem: Web application tests, social engineering tests, network tests.
"At its core, pen testing is trying to find as many vulnerabilities as you can, usually within a specific timeline," says Josh Schwartz, director of offensive engineering at Oath. Pen testers are given a target system, product, or source code and try to find as many bugs as they can. While pen tests are still useful, they don't test the business to the extent that a red team does.
A red team considers the full ecosystem, Sawyer says, and its ultimate goal is to figure out how a determined threat actor would break in. Instead of solely trying to breach a Web application, red teamers might combine multiple attack vectors: "a combination of external attacks, maybe a social engineering phone call, trying to gain access to a physical office."
"The main function of red teaming is adversary simulation," says Schwartz. "You are simulating, as realistically as possible, a dedicated adversary that would be trying to accomplish some goal. It's always going to be unique to the target. If you're going to get the maximum value out of having a red teaming function, you probably want to go for maximum impact."

Smooth Operators
Red team operations start with gathering open-source intelligence, or OSINT, on the organization and building a threat profile, says Tyler Robinson, head of offensive services and managing senior security analyst with InGuardians. The team considers every aspect of their target company: its industry, monetary value, its risk factors, its worst-case scenario.
As Schwartz puts it: "What does the apocalypse look like for your company?"
A chat with the organization can unearth valuable intel: insight into the business, where their crown jewels are, what they value. For a financial institution this might be reputation and money; for a healthcare firm it might be health data and sensitive patient data.
It's worth noting that an organization using a red team likely has a mature security posture, says Sawyer. The red team assumes security controls are in place, a SOC is monitoring those controls, and an incident response plan exists in the event of a breach. If the company has never done a penetration test, he adds, it's likely not ready to get hit with a red team.
When it's time to plot the offensive, Robinson considers the ways someone could physically break in. This could involve a Google Maps scan to scope out entrances, or YouTube and Instagram to check for employee badges. Red teams will also investigate Web applications and do password sprays to see if the company is vulnerable. "All we need is one foothold," he says.
Red teams will also scour the Dark Web to learn the latest hacker tools and tactics, how they work, and what's new and being used in the wild. What the red team does mirrors what it finds there. "We try to maintain that edge," he says. "Constant retooling, constant battling."
The team ends up chaining together a small series of attacks – low-level vulnerabilities, misconfigurations – and uses those to own the entire domain without the business knowing they were there, he says. Typically, few employees know when a red team is live.
Sawyer's team recently worked with a financial trading organization. They combined a variety of social engineering and physical attacks, along with external network testing, to break in. Red teamers went on site, dressed like the employees, and arrived with badges similar to theirs in order to bypass physical security controls, he explains.
Once inside, they could gain access to offices and connect to their machines and networks. "That was in coordination with other activities we had," he says, noting that they also leveraged phishing and phone calls to break the target's defenses.
Robinson's red team was recently able to take over the network of a major organization by breaking into a printer. "We owned a very large financial organization through a single printer," he emphasizes, adding that this illustrates the need for organizations to focus on the basics of security, including securing all networked devices. "There's a lot of money going toward next-gen tools," he says, but the real value is in the fundamentals of proper configuration.
Red and blue teams may work together in some engagements to provide visibility into the red team's actions. For example, if the red team launches a phishing attack, the blue team could check whether someone opened a malicious attachment and whether it was blocked. After a test, the two can discuss which actions led to which consequences.
"We want to ultimately say that while we found these ways to get in, we really think by improving these places we were able to get in, you'll have more complete protection," Sawyer says.
Red Team Recruitment: How to Hire
"Our rule of thumb is there's always three operators in a red team," says Robinson. Sawyer says a red team needs at least two people to be effective, though many range from two to five. While a large company might have 12-25 people, says Schwartz, only three or four will work on a single operation.
Each red team is made up of different skill sets to maximize the group's effectiveness.
It helps to have at least one person knowledgeable in physical security; someone who can understand the safeguards around the business, pick locks, bypass door codes and security cameras. You might also have social engineers who can send phishing emails, call up the organization, or appear on-site pretending to be an employee or delivery person.
And, of course, you need technical chops. Sawyer points to a range of valuable skills to have on a red team: Web exploitation, hardware expertise, reverse engineering, understanding of Windows and Active Directory, post-exploitation, and gaining access to sensitive data.
"It's also interesting to pull in subject matter experts based on the target," Schwartz says. If you're outsourcing a red team, it could help to bring an employee onto the project and make them part of the attack group. "People generally want to be part of those types of activities because they're educational," he adds.
In-House vs. Outsourcing
More and more companies are starting to realize that if they limit themselves to the core fundamentals of security, they're waiting for something bad to happen in order to know whether their steps are effective, says Schwartz. Red teaming can help them get ahead of that.
"Security is one of those areas it's tough to get funding for," says Sawyer. "It's seen as a sinkhole … it's hard because unless you have a breach or something is attacking you, how do you know that the stuff you're investing in is doing a good job?"
How your company acquires red teaming capabilities depends on its size and budget. Many companies are building red teams in-house to improve security; some hire outside help.
"There are some ways to outsource red teaming and red teaming activities," says Schwartz. It's a good way to start, he notes, and smaller businesses can buy these skills from various consulting companies and, in doing so, make a case for hiring an internal red team.
The main reason to build a red team internally is that it grows and improves along with the defenses. As security improves, so do the skills of the red teamers. Offensive experts and defenders can attack one another, playing a cat-and-mouse game that improves enterprise security, he continues. Internal teams are also easier to justify from a privacy perspective.
Overall, the pros argue a full red team can help prepare for modern attackers: like real adversaries, red teamers will scour your business for vulnerabilities and exploit them – but they'll then help you stop the real ones.
"The difference between a red team and an adversary is, the red team tells you what they did after they did it," Schwartz says.