What is a Red Team?

A Red Team consists of IT security experts who test a company’s security program in a realistic attack scenario. Red Teams not only test technical systems, but also the company’s employees and processes. Typically, companies hire an external, independent party to conduct a Red Team operation. These operations are always goal-oriented. A classic objective of a Red Team operation is, for example, to gain access to certain systems or data of the company. The opponent of the Red Team is the so-called Blue Team. It consists of the internal IT security experts who defend the company against Red Teams and real attackers.

How a Red Team operation works

A Red Team operation is the most challenging test for a company’s full security program. It takes place without prior notice, so neither Blue Team nor other employees can prepare themselves. The Red Team itself does not receive any information about the target company, so the starting conditions are fair and the attack scenario is as realistic as possible. The Red Team’s approach will very often be guided by the following questions, which are usually of particular interest to the target company

  • How quickly does the Blue Team react to attacks?
  • How effective are the measures taken?
  • Do employees and Blue Team adhere to the security guidelines?
  • Are existing security guidelines coherent and complete?
  • How is the physical security in the company’s buildings?

To answer these questions, the Red Team usually has a broad range of options and takes a very dynamic approach. Among other things, social engineering attacks can be executed. Here, typical human weaknesses are exploited to manipulate employees of the company in a targeted manner. For example, they can be tricked into disclosing confidential information. In addition to social engineering and technical attacks on the company’s IT infrastructure, physical access can also be gained within the course of a Red Team operation, for example by forging or falsifying access cards or by smuggling in manipulated devices. It is not uncommon for Red Teams to mislead and create distractions to put the Blue Team under pressure. In summary, a Red Team deployment involves attacks across all channels, requiring considerable time and resources. A Red Team operation is therefore a simulation of an Advanced Persistent Threat (ATP).

What are the differences between Red Teaming and Penetration Testing?

Red Teaming Pentesting
Mode Hidden operations, possibly below the detection threshold. Usually very obvious procedure.
Goal orientation Strongly focused on achieving specific goals that are set in advance. Also focused, but still broader in scope. The test object is extensively examined.
Requirements Only companies with a very mature IT security program require Red Team deployments. Even with only basic IT security, a penetration test is useful.
Use of resources High use of resources. The project is carried out by a whole team. Less use of resources. Often a penetration test can be managed by a single person.
Scope of action Often the Red Team has a wide range of action and takes a dynamic approach. Pentestests are more rigid. The procedure is often closely coordinated with the customer.
Time frame Usually extends over several weeks to months Usually 1-2 weeks
Goals Check the Blue Team’s responsiveness and detection capabilities. Review processes and their effectiveness Assess the attack surface, uncover critical vulnerabilities, evaluate possible effects of an attack
Basis of information No prior information – neither for Red Team nor for Blue Team. In some cases, there is a White Team, which is briefed and ensures a controlled process. Often information about the test object is provided, company employees are often briefed.
Channels Attacks are always carried out through multiple channels (physical, human, network, etc.) Often limited to one channel e.g. attacks exclusively via the network

Who needs Red Teaming?

A high degree of maturity of the company’s information security is a basic pre-condition to justify a Red Team operation. Only if there is a comprehensive security program is it worthwhile testing it. The number of companies that have a high degree of security maturity is however limited. The vast majority of companies do not have a Blue Team that could compete with a Red Team. For these companies, it makes more sense to invest in the development of the security program. Only when the program is in place and positive pentest results are reported is it time to consider Red Teaming. In the EU there is the so-called TIBER-EU framework (Threat Intelligence-based Ethical Red Teaming) for the voluntary implementation of Red Teaming in the financial industry. It is aimed at banks, insurers and operators of financial market infrastructure and aims to improve the cyber-resistance of the financial sector in a long-term perspective.

Share on linkedin
LinkedIn
Share on email
Email
Share on print
Print
Dennis Kionga

Dennis Kionga

Dennis is Managing Director of Cloud Cape, an IT services company that implements and operates future-proof IT security and cloud solutions. He previously worked as a Business Development Manager at Lufthansa Group, where he was responsible for global sales of outsourcing solutions for airlines. He graduated from the University of Mannheim with a Master of Laws (LL.M.). He also holds a postgraduate certificate in Project Management from the University of Cape Town. In his career, he has spent extended periods abroad in Portugal, the Czech Republic and South Africa.

Leave a Comment

About Cloud Cape

We help companies to create transparency in their own IT landscape and accompany them along the path of secure digital transformation. As a ‘cloud-first’ company, we have specialized in the field of cloud security.

Recent Posts

Would you like to know more about us?