Crimson7

What is a red team?

Unlike a penetration test, a Red Team engagement goes beyond merely identifying vulnerabilities. It simulates a real-world attack scenario across the entire kill chain, often executed stealthily and undetected. The primary objective is to assess the effectiveness of your security controls, processes, and procedures throughout the entire corporate IT environment, and potentially extending into operational technology (OT) when feasible. A Red Team's focus is not on uncovering as many vulnerabilities as possible. Instead, it zeroes in on the most promising attack vectors to demonstrate or verify the potential business impact of a breach.

Testing security with a vertical, stealthy and direct approach - Threat and Adversary Simulation

A red team exercise is a simulated cyberattack conducted by security professionals (ethical hackers) to test defenses. It may resemble a pentest, but a good red team differs from one: the goal is not only to identify vulnerabilities. It requires more specialised skills from experts known as red teamers, who attempt to breach the organization through different attack paths, following a scenario such as attacking networks and physical infrastructure with the same tactics and techniques employed by real-world attackers. The exercise aims to identify vulnerabilities, assess the effectiveness of existing security measures, and improve the organization's overall cybersecurity posture, and it often requires advanced techniques and stealth.

Methodology

How to conduct a Red Team? We evolved from the classic kill-chain inspired methodology to meet modern attacks and the objective of delivering the best value, adapting to regulatory requirements (CREST/CBEST) that are more stringent in the EU.

  • Attack surface recon, intelligence
  • Initial access or assume breach
  • Execution, C2 and local escalation
  • Lateral move, privilege escalation, domain
  • Attack finalisation, reach critical business functions

1 - PREPARATION

We set up the entire exercise together, planning upfront and defining scenarios, communication and strategy, goals, leg-ups, etc.

2 - EXECUTION

The core phase: executing the attack simulation from the initial "getting in" phase through to the critical business functions (CBFs).

3 - WORKSHOP

Optional purple-team workshop to enhance the value of the exercise: debrief the attack with the SOC, replay it, and perform detection engineering.

4 - WRITE UP

We provide an extensive report describing each scenario in technical detail, with a clear attack path mapped to MITRE ATT&CK and complemented by an executive summary.

The importance of "Assume Breach"

A Red Team engagement run as an "Assume Breach" simulation focuses on the post-exploitation phases, skipping the initial access stage on which Red Teams typically spend significant time. In this model, the Red Team assumes a successful payload delivery, simulating a scenario where an employee has inadvertently clicked a malicious attachment or leaked credentials.

The exercise begins with payload execution on a device with standard user privileges. Many organizations prefer this Red Team approach to thoroughly evaluate security controls across the various kill-chain stages. It also helps avoid regulatory complications and the intricacies of targeting personnel (e.g., through phishing) in sensitive environments like financial institutions.

We, along with many in the cybersecurity testing community, believe that allocating less engineering effort to time-intensive initial steps and concentrating on sophisticated Red Team attacks yields more value, particularly if previous assessments or phishing exercises have been conducted. The "Assume Breach" methodology is optimal for maintaining stealth and controlling noise, as the initial Red Team phases often generate more detectable activity. Additionally, this approach addresses insider threat scenarios, such as unauthorized access to shared file systems or databases.

What are the benefits?

SITUATION

Penetration tests and attack simulations are increasingly commoditised or automated, and their value is diminishing. However, business resilience and regulatory requirements still necessitate testing security postures and validating controls across the entire kill chain to provide actionable insights. Cheap commodity services, or a need for real security validation?

SOLUTION

At Crimson7, we have extensive experience with Red Teams. We have been refining our methodology to ensure compliance with regulations while keeping scenarios realistic and reproducing the latest attackers' TTPs. Our Research team consistently develops new payloads, which we incorporate into our human-driven, creative simulations.

VALUE

A Red Team serves as both a validation and an ethical hacking tool; it is compatible with CTAM or DORA and helps prepare organisations for complex compliance frameworks like TIBER or CBEST. Rather than simply providing findings, we identify weaknesses in the attack surface: attack paths that could lead to a compromise. We assist with remediation and better detection.

Vito Rallo
Director and co-Founder

FAQ

FOR REDTEAM SERVICES

How does a RedTeam differ from a pentest?

Red Teaming is an end-to-end simulation across the typical attacker's kill-chain. It aims to simulate adversary behaviour, focusing on persistence, stealth and goal-oriented attacks, typically following a pre-defined attack scenario. Penetration testing, by contrast, identifies and exploits a larger range of vulnerabilities without a precise goal or a defined simulation scenario.

What are the main goals of a RedTeam?

Assessing the effectiveness of security controls, identifying vulnerabilities, and improving incident response capabilities, testing across the entire kill-chain and the controls in place at different levels.

How often to perform a RedTeam?

At least annually, but the frequency may vary based on the organization's risk profile and compliance requirements.

Are there regulations and compliance for RedTeam?

This varies by country and geographical region. CBEST from the Bank of England has been widely adopted as the reference for mandatory Red Teaming in banking environments, even outside the UK. TIBER-EU, implemented in each EU member state with its own adaptation, is heavily inspired by CBEST/CREST. DORA has Red Team and resilience validation requirements, while other regulations might require Red Teaming for critical infrastructure or services whose failure could trigger a systemic disruption.

What type of skills are required for a RedTeam?

Red Teaming is very specialised and usually requires more senior and experienced profiles than a traditional pentest. Key expertise on top of ethical hacking includes offensive security, social engineering, scripting, network exploitation, and an understanding of attacker tactics.

What is a Purple Team and how does it relate to a RedTeam?

A purple team is a collaborative effort where Red (offensive) and Blue (defensive) teams work together (purple being the colour between them) to improve security. We are Purple Team specialists, and you can learn more on our dedicated page on Purple Teaming.
