
Red Teaming

What is Red Teaming?

For many companies, targeted attacks are a real threat. In a Red Teaming Assessment, such targeted attacks are simulated by specialized auditors. The focus is on executing realistic attack scenarios against infrastructures with a high level of IT security maturity (e.g. those defended by a company’s own Blue Team). The aim of these projects is to evaluate and improve the organization’s ability to detect and respond to such attacks.


Objective

Assessment of detection and response capabilities against real attacks through the simulation of targeted, realistic attack scenarios


Question

How effective are existing protection measures in the company and can attacks be detected or prevented?


Scope

All IT systems and components as well as employees and, if applicable, company buildings/premises

Red Teaming Process: Methodology & Approach

Depending on the perspective and scenario, all local and cloud-based IT infrastructure and components, as well as employees, facilities and service providers, are in scope of the attack attempts. These range from the exploitation of central systems, through the infection of clients with Trojan horses, to social engineering. Attack attempts make use of so-called multistaging: several individually exploited vulnerabilities are chained so that each successful step opens up the next one. This chain leads to the agreed objective (e.g. persistent access to customer infrastructure or access to a central database containing sensitive data).

At no point does the Red Team Assessment pose a real threat to your company’s assets or to your production. Attacks aimed at a predefined target are carried out as inconspicuously as possible so that they remain undetected. This mirrors the approach taken by real attackers: a disruption to business operations would be conspicuous and therefore counterproductive.

When carrying out Red Team Assessments, we are guided by the TIBER-EU standard, among other things. Usually one of the following threat scenarios and approaches is considered:

  • Advanced Persistent Threat: Attack from an external perspective, starting without any prior access to the company
  • Assumed Breach: Attack from an internal perspective, starting from a foothold that is assumed to be already compromised (e.g. an employee’s workstation or account)

Core Components of SCHUTZWERK Red Teaming

The Red Teaming Assessment usually includes the following points:

  • Definition of goals to be achieved during the attack simulation
  • Collection of publicly available information that can be used for an attack (OSINT), supplemented by internal reconnaissance in an Assumed Breach scenario
  • Identification of the relevant IT assets of a company (attack surface)
  • Iterative testing of different attack methods and approaches
  • Infiltration of the internal company network, or lateral movement into further network ranges, using attacks on reachable systems, phishing, social engineering, etc.
  • Escalation of privileges
  • Achieving persistence in the target area
  • Analysis of the results in cooperation with your IT administration / IT security team (or Blue Team if available)
  • Documentation including risk assessment and description of measures

Red Teaming and Relevant Regulations & Standards

Red Teaming fulfills important requirements of various regulations and standards that may be relevant to certain industries and companies. This advanced form of security testing not only provides a comprehensive view of a company’s cyber resilience but also helps with compliance with legal and industry-specific requirements:

  • DORA (Digital Operational Resilience Act) - This EU regulation for the financial sector introduces Threat-Led Penetration Testing (TLPT) as a mandatory measure for certain financial institutions. TLPT is conceptually closely related to Red Teaming and requires the simulation of realistic attacks based on current threat intelligence. Its methodological foundation is the TIBER-EU framework, which also forms the basis of our Red Teaming approach. A key element of TLPT is that tests are conducted covertly: the defense team (Blue Team) is unaware that a test is taking place, so that detection and response capabilities can be assessed authentically.

  • TIBER-EU/TIBER-DE - The Threat Intelligence-based Ethical Red Teaming (TIBER) framework was originally developed by the European Central Bank and is implemented in Germany by the Deutsche Bundesbank in the form of TIBER-DE. It provides a standardized approach for advanced security testing in the financial sector and now also forms the basis for the DORA TLPT requirements. A TIBER-compliant Red Team Assessment follows defined phases, including Threat Intelligence, Red Team Testing and a closure phase with Purple Teaming, in which attack steps are replayed together with the defense team to maximize the learning effect.

  • Critical Infrastructure (NIS2) - For operators of critical infrastructure, Red Team Assessments can be an important tool to demonstrate the required cyber resilience. The EU’s NIS2 Directive and the national laws transposing it establish high security requirements that can be verified effectively through realistic attack simulations.

  • Framework Requirements - Various international cybersecurity frameworks and control catalogues, such as the NIST Cybersecurity Framework and NIST SP 800-53 (whose control CA-8 covers penetration testing and, in enhancement CA-8(2), red team exercises), recommend Red Team Exercises or Advanced Persistent Threat (APT) simulations as best practice for testing an organization’s security measures and defense capabilities. MITRE ATT&CK complements these as the knowledge base of adversary tactics and techniques against which the simulated attack steps are designed and mapped.

Our Red Team Assessments are conducted according to recognized methods and standards and can be adapted to the specific regulatory requirements of your industry. Working with our experts ensures that your security measures are not only in place on paper but also effective in practice, and that they meet the compliance requirements relevant to your organization.

Red Team Assessment Results & Deliverables

In all Red Team Assessments, every step during the project is documented in detail. After the project has been completed, it can therefore be traced which factors led to a successful attack, and also which defense mechanisms (e.g. those of the company’s own Blue Team) were already effective.

As a result of the assessment we will provide a detailed report. Depending on the type and scope of the project, the final report will include the following parts:

  • Management summary with a description of the results and the security level
  • Description of the project approach, scope, schedule and methodology
  • Detailed description of identified vulnerabilities in order to understand underlying issues and to enable reconstruction of possible attacks (where necessary with proof-of-concept implementation)
  • Detailed description of the iterative exploitation process when using chained vulnerabilities
  • Risk assessment of identified vulnerabilities taking into account the IT environment or the application context (risk classification: low, medium, high, critical)
  • Description of measures to remedy the vulnerabilities
  • If necessary, a description of higher-level strategy, concept and process-related measures or optimization suggestions.

Red Teaming vs. Penetration Testing: Key Differences

In a penetration test, targeted attacks are carried out within a limited time frame and on a limited scope (e.g. a specific IP address range or a specific threat scenario). In contrast, a Red Team Assessment usually takes place over a longer period of time and aims to test your defense mechanisms as a whole. In a penetration test it is usually not important that attacks remain undetected, as these testing activities are carried out as transparently as possible for all parties involved, often by ethical hackers working closely with your security teams. The focus is on covering the scope as completely and efficiently as possible while still simulating real-world attacks.

The focus of red teaming, on the other hand, is on the most realistic attack scenarios possible, which are particularly geared towards infrastructures with a high degree of IT security maturity. The aim of these projects is to improve the detection and response capabilities for such attack scenarios and to uncover potential security weaknesses along the way.

How can we help you?

Call us or schedule an appointment directly

Free Consultation