In this article, we will talk about one of the most popular concepts in cyber security, the “Red Team”. But before that, we need to know what penetration testing is and why we need it.
Penetration testing
Penetration testing is a simulated attack, performed legally by qualified people and in accordance with agreed procedures, in order to evaluate the security of a system and to find its vulnerabilities before malicious actors can exploit them.
Why do we need penetration tests?
Having a third party analyze and report the vulnerabilities in information systems is one of the most important steps of proactive security. No matter how careful you are, something is likely to be overlooked, and today neither the number of attackers nor their knowledge and skills can be underestimated. Therefore, there is a need for experts who can think like an intruder and discover the weaknesses in a system and the conditions that give rise to them.
Let’s say we have a critical system, and it is known that a takeover of this system would have huge consequences. The testing of the networks, applications and devices that constitute the system has been completed, and the necessary patches and security hardening have not been neglected. Now we come to the real question: is it enough? No, it’s not. It is good to take precautions against known attack vectors; after all, there are countless script kiddies on the internet. But what about their big brothers?
Imagine an attacker who can discover new attack vectors, is software-savvy, understands hardware, can cross physical layers, can confuse devices using radio signals, is talented in social engineering and, most importantly, has no boundaries. The only way to discover the limits of the possible is to push a little past them into the impossible.
What is red team?
It is the name given to high-level security teams that perform attack simulations to test the security infrastructure of critical systems. ‘Red Teaming’ means applying challenging strategies to reach the target systems, overcoming complex policies and taking the muddy path when necessary.
Red Teaming is similar to penetration testing in many ways but is more targeted; its goal is not to find as many vulnerabilities as possible. The goal is to test the organization’s detection and response capabilities against an agreed objective (for example, reaching a specific system or data set), within rules of engagement set with the customer and usually without informing the defenders in advance. The Red Team will try to reach sensitive information as quietly as possible. Red Team attacks resemble an Advanced Persistent Threat (APT); it is all about thinking like a threat actor who wants to avoid detection. Red Teaming usually takes longer than a standard penetration testing project: a penetration test is usually done in a few weeks, whereas Red Teaming needs at least a month. Because physical, digital and social attack vectors all have to be mastered, the engagement usually requires several team members, each an expert in their own field.
So why red team?
Because software security alone is never enough. Attackers will never limit themselves to computer code to get what they want. Unfortunately, patches are not enough against people who can create new attack vectors by combining digital and physical security vulnerabilities. That’s why organizations with critical systems need Red Team simulations.
A true story
In a penetration testing project, it took almost two days to compromise the domain controller of a large corporation and become a domain admin. In order to use the remaining time more efficiently, a Red Teaming offer was presented to the director of the institution. Testing started after the necessary approvals. It took about 20 minutes to open the entrance door and the office doors with manual lock picking and then reach the room where the servers and network devices were kept. That’s when I started thinking about the limits of security testing: for an attacker, backdoors aren’t only in information systems; there are more dangerous things than unpatched systems and weak passwords; there are many vulnerabilities beyond the software and network kind that we are not aware of.
An incident from USA
A power company in the Midwest hired a red team. The red team attempted to break into its buildings and hack into its network, with the goal of gaining full access. It was all much easier than you might think: the team achieved its goal after three days. It would seem those power companies need to step up their game in the fight against cyber attackers, or it could be “lights out.”
This article was written by Sercan Sayitoglu and was previously published on the “PwC Turkey – Cyber Security Blog”. Reference