This blog post is part of the “All You Need to Know About Red Teaming” series by the IBM Security Randori team. The Randori platform combines attack surface management (ASM) and continuous automated red teaming (CART) to improve your security posture.
“No battle plan survives contact with the enemy,” wrote military theorist Helmuth von Moltke, who favored developing a series of options for battle instead of a single plan. Today, cybersecurity teams continue to learn this lesson the hard way. According to an IBM Security X-Force study, the time to execute a ransomware attack dropped by 94% over the last few years: what previously took attackers months to achieve now takes mere days.
To shut down vulnerabilities and improve resiliency, organizations need to test their security operations before threat actors do. Red team operations are arguably one of the best ways to do so.
Red teaming can be defined as the process of testing your cybersecurity effectiveness through the removal of defender bias by applying an adversarial lens to your organization.
Red teaming occurs when ethical hackers are authorized by your organization to emulate real attackers’ tactics, techniques and procedures (TTPs) against your own systems.
It is a security risk assessment service that your organization can use to proactively identify and remediate IT security gaps and weaknesses.
A red team uses an attack simulation methodology. It emulates the actions of sophisticated attackers (advanced persistent threats) to determine how well your organization’s people, processes and technologies could resist an attack that aims to achieve a specific objective.
Vulnerability assessments and penetration testing are two other security testing services; they are designed to enumerate the known vulnerabilities within your network and test for ways to exploit them. In short, vulnerability assessments and penetration tests are useful for identifying technical flaws, while red team exercises provide actionable insights into the state of your overall IT security posture.
By conducting red-teaming exercises, your organization can see how well your defenses would withstand a real-world cyberattack.
As Eric McIntyre, VP of Product and Hacker Operations Center for IBM Security Randori, explains: “When you have a red team activity, you get to see the feedback loop of how far an attacker is going to get in your network before it starts triggering some of your defenses. Or where attackers find holes in your defenses and where you can improve the defenses that you have.”
An effective way to figure out what is and is not working when it comes to controls, solutions and even personnel is to pit them against a dedicated adversary.
Red teaming offers a powerful way to assess your organization’s overall cybersecurity performance. It gives you and other security leaders a true-to-life assessment of how secure your organization is. Red teaming can help your business do the following:
Red teaming and penetration testing (often called pen testing) are terms that are often used interchangeably, but they describe distinct activities.
The main objective of penetration tests is to identify exploitable vulnerabilities and gain access to a system. On the other hand, in a red-team exercise, the goal is to access specific systems or data by emulating a real-world adversary and using tactics and techniques throughout the attack chain, including privilege escalation and exfiltration.
The following table marks other functional differences between pen testing and red teaming:
| | Penetration testing | Red teaming |
|---|---|---|
| Objective | Identify exploitable vulnerabilities and gain access to a system. | Access specific systems or data by emulating a real-world adversary. |
| Timeframe | Short: one day to a few weeks. | Longer: several weeks to more than a month. |
| Toolset | Commercially available pen-testing tools. | Wide variety of tools, tactics and techniques, including custom tooling and exploits for previously unknown vulnerabilities. |
| Awareness | Defenders know a pen test is taking place. | Defenders are not told that a red team exercise is underway. |
| Vulnerabilities | Known vulnerabilities. | Known and unknown vulnerabilities. |
| Scope | Narrow, pre-defined targets, such as whether a firewall configuration is effective. | Targets can cross multiple domains, such as exfiltrating sensitive data. |
| Testing | Each system is tested independently. | Systems are targeted together, as stages of one attack chain. |
| Post-breach activity | Pen testers do not engage in post-breach activity. | Red teamers engage in post-breach activity, such as privilege escalation and exfiltration. |
| Goal | Compromise an organization’s environment. | Emulate a real attacker end to end, including exfiltration, to show what an adversary could achieve. |
| Results | Identify exploitable vulnerabilities and provide technical recommendations. | Evaluate overall cybersecurity posture and provide recommendations for improvement. |
Red teams are offensive security professionals that test an organization’s security by mimicking the tools and techniques used by real-world attackers. The red team attempts to bypass the blue team’s defenses while avoiding detection.
Blue teams are internal IT security teams that defend an organization from attackers, including red teamers, and are constantly working to improve their organization’s cybersecurity. Their everyday tasks include monitoring systems for signs of intrusion, investigating alerts and responding to incidents.
Purple teams are not actually teams at all, but rather a cooperative mindset that exists between red teamers and blue teamers. While both red team and blue team members work to improve their organization’s security, they don’t always share their insights with one another. The role of the purple team is to encourage efficient communication and collaboration between the two teams to allow for the continuous improvement of both teams and the organization’s cybersecurity.
Red teams will try to use the same tools and techniques employed by real-world attackers. However, unlike cybercriminals, red teamers don’t cause actual damage. Instead, they expose cracks in an organization’s security measures.
Some common red-teaming tools and techniques include the following:
Red teaming is a core driver of resilience, but it can also pose serious challenges to security teams. Two of the biggest challenges are the cost and length of time it takes to conduct a red-team exercise. This means that, at a typical organization, red-team engagements tend to happen periodically at best, which only provides insight into your organization’s cybersecurity at one point in time. The problem is that your security posture might be strong at the time of testing, but it may not remain that way.
Conducting continuous, automated testing is the most reliable way to understand your organization from an attacker’s perspective over time, rather than at a single point in time.
IBM Security® Randori offers a CART solution called Randori Attack Targeted. With this software, organizations can continuously assess their security posture like an in-house red team would. This allows companies to test their defenses accurately, proactively and, most importantly, on an ongoing basis to build resiliency and see what’s working and what isn’t.
IBM Security® Randori Attack Targeted is designed to work with or without an existing in-house red team. Backed by some of the world’s leading offensive security experts, Randori Attack Targeted gives security leaders visibility into how their defenses are performing, enabling even mid-sized organizations to achieve enterprise-grade security.
Learn more about IBM Security® Randori Attack Targeted
Stay tuned for my next post about how red teaming can help improve the security posture of your business.
The post Red teaming 101: What is red teaming? appeared first on IBM Blog.