Red Teaming: How good is your resilience and detection?
How successful could attackers be in a given threat scenario? And how much would you detect? A Red Teaming assessment provides the answer.
The supreme discipline: Red Teaming
A realistic simulation of a real attack to challenge your cyber defense.
Red Teaming is the perfect solution when you have a concrete threat scenario in mind and want to know the likelihood of it occurring and what parts of the attack your Cyber Defense Center (the Blue Team) would detect.
Since Red Teaming does not inform the Blue Team in advance, such an assessment is of little value without a well-developed Blue Team. Newly established SOCs or CDCs are still busy with day-to-day operations and typically (not without reason) view such a result less as an aid and more as an exposure. To benefit from Red Teaming, however, the goal must be to look for solutions, not for culprits.
Background information and characteristics
- Meeting to agree on the scope
- Kick-off meeting
- Workshop for scenario definition
- Threat intelligence (HUMINT / OSINT)
- Attack planning and preparation
- Execution of the attack: hacking and, where required, on-site visits and social engineering
- Regular status meetings
- Preparation of a detailed report
- Replay workshop with the Blue Team
- Management presentation
When conducting security assessments, HvS follows common industry standards. For realistic assessments, the natural choice is the MITRE ATT&CK framework, which describes the generic approach of real attackers.
It consists of the following phases: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.
The focus on individual phases depends on the scenario. However, we recommend that you do not run through the entire attack chain straight away, but rather carry out several smaller assessments. This reduces the project risk, and the Blue Team must expect an attack at any time: real attackers don't strike just once every three years. Examples of such scenarios:
- Lateral movement from DMZ to internal network
- C2 channel on client and internal reconnaissance
- Would Ransomware group X be successful with its standard approach at your site?
- Can an internal employee make an illegal financial transaction?
The European Central Bank has published the TIBER-EU Framework, which describes a comprehensive approach to conducting Red Teaming assessments within the financial industry. The German Bundesbank has adapted this framework as the TIBER-DE Framework.
It is motivated by the fact that attacks against the financial system have increased in recent years. Many organizations conduct assessments themselves, but they focus on their own core business processes and crown jewels. TIBER, by contrast, focuses on critical functions of the global financial system and tries to shed light on the impact that attacks on individual institutions have on it.
Apart from the specific objective, the framework describes a very professional approach on how to design Red Teaming and includes success factors and risks as well as many tips on how to proceed. A TIBER test is conducted by a large project team consisting of a White Team, a Threat Intelligence Team, a Red Team, a Blue Team and management representatives.
The core phases of a TIBER test are: Scope definition, creation of a targeted threat intelligence report (TTIR), creation of a Red Team test plan, execution of the defined scenarios, creation of a test report, a replay workshop and creation of an action plan.
Our entire HvS approach to Red Teaming is inspired by the TIBER framework. However, unless you are obligated to conduct a TIBER test, we always recommend a Red Teaming assessment, since its content can be customized to meet your needs.
If you are interested in a TIBER test, feel free to contact us and we will be happy to explain our approach.
More information on the TIBER-EU Framework can be found at the ECB: https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/html/index.en.html and information about TIBER-DE at the Bundesbank: https://www.bundesbank.de/de/aufgaben/unbarer-zahlungsverkehr/serviceangebot/tiber-de/tiber-de-816986