The term ‘red teaming’ is said to be overly used in the cyber security industry, which is why the concept is often misunderstood and unclear. But for the right cyber security pro, red teaming can be an exciting profession. Red teaming assessments are objective based assessments of an organization’s security posture. Assessors are allowed to use any technique that they deem appropriate to try and determine if the objectives, defined upfront, can be accomplished. Typically, a red team’s goal is to gain unauthorized access to an organization’s environment while avoiding detection and then maintaining access for a pre-determined period of time to test an incident response team’s ability to identify and respond to threats.
Red teaming is not a job for the faint of heart as it involves travel and many hours, even days, of thinking strategically and reacting quickly to the situation at hand. Nevertheless, it’s a critical component of every vulnerability testing strategy and can help organizations accurately assess threats to IT assets, benchmark current security capabilities, justify security investments, sharpen the skills of the team and improve detective controls. Given the importance of red teaming engagements, the industry should also understand the people behind the engagements and how they operate in order to get the most value out of the engagement. I talked with NetSPI Managing Director Nabil Hannan for an inside look at red teaming culture.
Aaron Shilts (AS): Who is drawn to red teaming work?
Nabil Hannan (NH): Although having solid technical skills to be able to circumvent security controls in the software, network or infrastructure may be an important skill to have, ultimately, the personalities who are most attracted to this type of work, and end up being most successful at red teaming engagements, are people who are clever and can think outside the box. Having the ability to think quickly on one’s feet and solve problems on the fly are important attributes for people who perform these assessments.
AS: Penetration tests and red teaming assignments can cause stress and anxiety, how does this affect professionals?
NH: Although red teaming engagements can be stressful, typically the personalities who do these engagements enjoy, and even thrive on, doing this type of work, and – from my experience – rarely consider this as true “stress.” Red teaming engagements really allow assessors to go above and beyond and truly think outside the box on how to circumvent security controls in creative ways to successfully complete objectives. These creative methods can range from being able to create phishing emails (that generate excitement and make victims fall for the attack and click/respond to the phishing attack) all the way to physical security attacks where you can use condensed air cans or even something as simple as a balloon to trigger motion sensors and get access to parts of a building which require special access or clearance.
AS: What kind of tools do red teams have at their disposal?
NH: Red Teaming assessments can leverage any existing information they have at their disposal regarding vulnerabilities and weaknesses in the systems and environments they are trying to compromise. This may include penetration testing reports, automated scan reports (e.g. static application security testing (SAST), dynamic analysis security testing (DAST), interactive application security testing (IAST), network scanning), video surveillance feeds, user guides, documentation around access controls, and more. There are also many tools and gadgets that can be purchased for fairly low cost to do reconnaissance and exploits with things like WiFi antennas with extended range, RFID sniffers, and USB mice with flash storage inside them.
AS: How can leaders help balance the demands of the job while creating a sense of camaraderie among their teams?
NH: Most red teaming engagements are performed in teams of two or more. It’s important for the team to work cohesively together and help complement each other’s strengths. Building a team with a good mix of both technical and non-technical skills is important for success. Successful leaders will assign specific roles for each team member focused on harnessing their strengths, and also ensure that the team works together to brainstorm and create plans and strategies on how to accomplish specific objectives outlined in the engagement.
AS: What background or qualifications are beneficial for a red team professional?
NH: Professionals with military and law enforcement backgrounds are a valuable addition to a team because they can help navigate the legal and physical security aspects of an engagement. And it’s critical to have professionals on the team who have the resources and technical expertise to be able to identify and exploit vulnerabilities in software systems to find ways to circumvent security controls and accomplish the objectives of the engagement.
AS: Is there risk for red teams to get in trouble with the law while participating in an engagement?
NH: There have been some incidents, but they are very rare. Typically, during Red Teaming assessments, the assessors are provided with a “get out of jail free” letter that they are required to carry throughout the engagement. These letters have details provided regarding the engagement, who the sponsor is, and contact information of the client to call and confirm the rules of engagement and scope of the assessment by law enforcement. The cyber security community typically isn’t worried about their assessors getting arrested and facing criminal charges, because they were performing the work on behalf of an organization, and they have contractual languages that protect them.
Red teaming professionals certainly have their work cut out for them, as cyber security adversaries continue to evolve and find new ways to access sensitive systems and data. Let this article be a reminder to thank red team assessors next time you see them – and talk with them about how IT and security leaders can better enable them to work collaboratively, use all available resources, and use their creative, yet technical, minds to help organizations assess security threats and ultimately improve their security posture.