How to Get the Most Out of a Red Team Test
How would real-world attackers break into your network? A red team test is designed to answer this question. At its core, a red team test is an attempt to gain access to your systems through any means. Nothing is off limits—penetration testing of internal and external assets, wireless networks, web applications, physical or remote social engineering, and more. If you want to know how a real attacker could target your network and gain a realistic understanding of your strengths and weaknesses, a red team test can be a highly effective exercise.
How Do You Know If You’re Ready for a Red Team Test?
There is no simple answer. Red team testing is typically appropriate for organizations that have already resolved the “low-hanging fruit” and established a mature cybersecurity program. If you still have common issues such as unpatched systems, weak password policies, inadequate phishing awareness training, or other known gaps, the red team will simply exploit those, and the exercise may not reveal anything a standard penetration test would not.
Red Team Readiness Checklist
If you’ve completed most of these tasks, you may be ready for a red team test! If not, work on completing more of these tasks before scheduling your test.
Baseline Security Practices – Make sure you have these areas buttoned-up before moving forward with a red team test.
- Are you running vulnerability scans and if so, are these scans coming back consistently clean?
If your vulnerability scans are coming back clean, with no critical, high or medium-risk vulnerabilities, you usually have strong baseline security practices in place, such as solid patching policies. Make sure the scans are authenticated and cover your whole environment, including cloud and remote assets; a clean unauthenticated scan of a subset of hosts proves much less than it appears to. If you are not currently conducting vulnerability scans, you should start.
- Are you regularly implementing patches and updates for ALL systems?
Unfortunately, it only takes one unpatched system to give an attacker a foothold in the whole environment. For example, Check Point says it has stopped over 4 million attempts to exploit the Log4j vulnerability (Log4Shell, CVE-2021-44228) in the widely used Apache Log4j Java-based logging library. The vulnerability affected a staggering number of organizations, including SAP, Apple, Tesla, VMware, Cisco and many others, which had to scramble to patch their own software and roll out fixes for their products. Because Log4j is bundled inside applications rather than installed as a system package, this one vulnerability had a ripple effect that required many organizations to quickly patch a dozen (or more) programs, and an operating-system patch cycle alone would not have caught it.
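As an added example (not code from the original post): a small Python scanner that looks for embedded copies of log4j-core inside JAR/WAR/EAR archives, including archives nested inside other archives, which is exactly where OS-level patching misses them. It reads the version from the Maven pom.properties that log4j-core ships with and checks for the JndiLookup class. The sample archives are constructed in a temporary directory, and the 2.17.1 threshold is a simplification assumed for this example (backported fixes on the 2.12.x and 2.3.x branches are not modelled), not guidance from the post.

```python
import io
import tempfile
import zipfile
from pathlib import Path
from typing import Iterator, List, Tuple

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Simplified threshold (assumption for this example): any log4j-core below 2.17.1 is
# flagged for review. Backported fixes on the 2.12.x and 2.3.x branches are not modelled.
FIXED_VERSION = (2, 17, 1)


def parse_version(pom_properties: str) -> Tuple[int, ...]:
    """Extract the numeric version from log4j-core's Maven pom.properties ("2.0-beta9" -> (2, 0))."""
    for line in pom_properties.splitlines():
        if line.startswith("version="):
            numeric = line.split("=", 1)[1].strip().split("-")[0]
            return tuple(int(p) if p.isdigit() else 0 for p in numeric.split("."))
    return ()


def inspect_archive(data: bytes, path: str) -> Iterator[dict]:
    """Yield a finding for each log4j-core copy in an archive, recursing into nested archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_LOOKUP in names:
            version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else ()
            yield {
                "path": path,
                "version": ".".join(map(str, version)) if version else "unknown",
                "jndi_lookup_present": JNDI_LOOKUP in names,
                "needs_review": not version or version < FIXED_VERSION,
            }
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    yield from inspect_archive(zf.read(name), f"{path}!{name}")
                except zipfile.BadZipFile:
                    continue


def scan_tree(root: str) -> List[dict]:
    """Scan every archive under root; OS package managers never see these embedded copies."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                findings.extend(inspect_archive(p.read_bytes(), str(p)))
            except zipfile.BadZipFile:
                continue
    return findings


def build_log4j_jar(version: str) -> bytes:
    """Constructed stand-in for a log4j-core jar: only the two entries the scanner looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # fake class bytes, not a real class
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed fixture: a web app embedding log4j-core 2.14.1, plus a patched standalone jar."""
    app = io.BytesIO()
    with zipfile.ZipFile(app, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", build_log4j_jar("2.14.1"))
        zf.writestr("WEB-INF/classes/App.class", b"\xca\xfe\xba\xbe")
    Path(root, "app.war").write_bytes(app.getvalue())
    Path(root, "log4j-core-2.17.1.jar").write_bytes(build_log4j_jar("2.17.1"))


def scan_sample() -> List[dict]:
    """Build the constructed fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for finding in scan_sample():
        flag = "REVIEW" if finding["needs_review"] else "ok"
        print(f"{flag:6} log4j-core {finding['version']:8} {finding['path']}")
```

Point the scanner at application directories (web server deployments, vendor software under Program Files or /opt), not just at the OS package database; the nested 2.14.1 copy inside app.war is the kind of finding a patch-compliance report will not show.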
- Are you re-using credentials across systems?
Don’t reuse credentials; one captured credential will be tried everywhere. For a Windows domain, ensure that local Administrator passwords are unique on every machine (a solution such as Microsoft LAPS randomizes and rotates them) or that those accounts are disabled. Additionally, if users within your IT team have a normal user account and an administrator account, ensure that the two do not share a password. During penetration tests, when we obtain one set of local Administrator credentials, more often than not we can use them to access multiple systems within the environment, and because Windows will accept the password hash itself for authentication (pass-the-hash), we frequently do not even need to crack the password.
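One way to audit for the reuse described above, as an added example that is not taken from the post: because Windows stores NT hashes, identical hashes on different accounts mean identical passwords, so reuse can be detected from SAM/NTDS dumps (in the user:rid:lmhash:nthash::: format produced by secretsdump-style tools) without cracking anything. The dumps below are constructed and the hash values are made up; the only real constant is the NT hash of an empty password. A hash dump does not say whether an account is disabled, so cross-check flagged accounts (Guest in particular) against their status before reporting.

```python
import re
from collections import defaultdict
from typing import Dict, List

# NT hash of an empty password; any account carrying it has no password at all.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One account per line: user:rid:lmhash:nthash:::  (only the NT hash is used here).
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::",
    re.IGNORECASE,
)

# Constructed sample: SAM dumps from three workstations and an NTDS dump from the DC.
# Hash values are invented and correspond to no known password.
SAMPLE_DUMPS = {
    "WS01": r"""
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c4e9a2b1f7d0e5a6b3c8d1e2f3a4b5c6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
""",
    "WS02": r"""
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c4e9a2b1f7d0e5a6b3c8d1e2f3a4b5c6:::
""",
    "WS03": r"""
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9f8e7d6c5b4a39281706f5e4d3c2b1a0:::
""",
    "DC01": r"""
CORP\jdoe:1105:aad3b435b51404eeaad3b435b51404ee:0a1b2c3d4e5f60718293a4b5c6d7e8f9:::
CORP\jdoe_adm:1106:aad3b435b51404eeaad3b435b51404ee:0a1b2c3d4e5f60718293a4b5c6d7e8f9:::
CORP\svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
""",
}


def parse_dump(host: str, text: str) -> List[dict]:
    """Parse one host's dump into {host, user, nt} records, skipping unparseable lines."""
    accounts = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            accounts.append({"host": host, "user": m["user"], "nt": m["nt"].lower()})
    return accounts


def find_shared_hashes(dumps: Dict[str, str], min_accounts: int = 2) -> Dict[str, List[str]]:
    """Map each NT hash used by several accounts to those accounts (host\\user).

    Catches both local Administrator reuse across machines and a domain user whose
    normal and admin accounts share a password. Empty-password hashes are reported
    separately by find_empty_passwords()."""
    by_hash = defaultdict(list)
    for host, text in dumps.items():
        for acct in parse_dump(host, text):
            if acct["nt"] != EMPTY_NT_HASH:
                by_hash[acct["nt"]].append(f"{host}\\{acct['user']}")
    return {h: sorted(a) for h, a in by_hash.items() if len(a) >= min_accounts}


def find_empty_passwords(dumps: Dict[str, str]) -> List[str]:
    """Accounts with no password set (verify whether they are disabled before reporting)."""
    return sorted(
        f"{host}\\{a['user']}"
        for host, text in dumps.items()
        for a in parse_dump(host, text)
        if a["nt"] == EMPTY_NT_HASH
    )


if __name__ == "__main__":
    for nt_hash, accounts in find_shared_hashes(SAMPLE_DUMPS).items():
        print(f"shared NT hash {nt_hash}: {', '.join(accounts)}")
    print("empty passwords:", ", ".join(find_empty_passwords(SAMPLE_DUMPS)))
```

On the sample data the check surfaces the two problems the item above warns about: WS01 and WS02 share a local Administrator password, and jdoe’s standard and admin accounts share one. Run it on an authorized dump only, and treat the dump files themselves as credentials.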
- Are your policies and procedures in line with best practices?
As a penetration tester I don’t necessarily enjoy diving into the documentation, but if your organization’s password policy hasn’t been updated in 4 years, it’s time to revisit it. It’s 2022, folks: don’t make me write another blog on why the minimum length in your password policy needs to be longer than 8 characters. USE STRONG PASSPHRASES, a password manager (to prevent password reuse and generate strong, unique passwords), and multi-factor authentication. If you need help integrating best practices for policies and procedures, consult an advisory and compliance services team.
- Are you training your employees on cybersecurity best practices, as well as your internal IT policies and procedures?
Training is key, particularly now that many organizations have implemented remote work (check out our home network security blog for security tips). The weakest part of an organization’s cybersecurity is frequently its staff, and attackers know this. If your staff are not trained to recognize the hallmarks of a phishing email, or do not know how to report a potential threat, an attacker will exploit that gap. In fact, the 2022 Verizon Data Breach Investigations Report found that 82% of breaches involved a human element, such as social engineering, and over 60% of those attacks were the result of phishing. Training your staff is one of the most important steps you can take to prevent a cybersecurity incident, and reporting matters as much as recognition: a single report of a suspicious email gives your security team the chance to pull it from every other inbox. If you need help, we offer managed, on-demand employee cybersecurity training.
- Do you have Multi-Factor Authentication in place?
To err is human. Make sure you have multi-factor authentication (MFA) set up wherever possible, and especially on all Internet-facing accounts (email, VPN and remote access, cloud consoles). That way, if one user’s password is stolen or guessed, there is another layer of protection in place. Avoid SMS-based MFA (the kind that sends a text to your phone) where you can: codes can be intercepted or redirected through SIM swapping, and NIST SP 800-63B lists phone-based out-of-band authentication as a restricted authenticator. Prefer an authenticator app or, better still, a phishing-resistant method such as FIDO2 security keys, which cannot be relayed through a fake login page.
- Is your Antivirus/Endpoint Detection solution effective in stopping and alerting on threats?
Speaking of technical controls, should an attacker bypass other controls within your environment it may come down to your antivirus or endpoint detection solution to alert your team to potential threats. One of the benefits of a red team engagement is that it can demonstrate whether your antivirus or endpoint detection solution is effective in alerting on and mitigating potential threats. Trying to circumvent these controls will be a main component of any red team test, so ensure that these solutions are in place in order to get the most value out of your red teaming experience.
- Do you have logging in place and are you retaining logs for an appropriate period of time?
It’s important to have effective logging so that you can identify indicators of attack or compromise, especially if an attacker does gain access to your network. Forward logs to a central system the attacker cannot easily clear, and retain them long enough to cover the time an intruder may spend inside before being noticed, which can be weeks; logs that roll over after a few days leave nothing to investigate. Should an incident occur, those logs save your team, and any forensics team that needs to review the data, considerable time and effort.
Advanced Security Practices – So you’ve met all the pre-requisites above? Awesome! Let’s look at some more advanced steps you can take to secure your environment and get a more fulfilling red team engagement:
- Is your security team receiving and reviewing alerts, either directly or with the assistance of a third party?
It is fantastic that you are generating alerts and retaining logs for an extended period. Make sure someone is reviewing those alerts regularly so that you can respond to threats quickly and effectively; a log nobody reads will not stop an attack. Check out our video on how to use proactive logging and monitoring strategies.
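The logging item in the baseline list and the alert-review point above come down to the same question: would anyone notice an attacker in the logs? As an added example (not from the post), here is a small detector run over constructed, normalized Windows logon events (event 4625 = failed logon, 4624 = successful logon). It flags a source that fails against many distinct accounts within a short window, the signature of a password spray, and, more importantly, a successful logon from that same source afterwards. The log format and the thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed, normalized logon events (not real telemetry). Fields: UTC timestamp,
# Windows event ID (4625 = failed logon, 4624 = successful logon), host, target account,
# source IP. A real pipeline would extract these fields from the Security event log.
SAMPLE_LOG = """\
2022-06-01T08:00:01Z 4625 DC01 alice 203.0.113.10
2022-06-01T08:00:14Z 4625 DC01 bob 203.0.113.10
2022-06-01T08:00:29Z 4625 DC01 carol 203.0.113.10
2022-06-01T08:00:43Z 4625 DC01 dave 203.0.113.10
2022-06-01T08:00:58Z 4625 DC01 erin 203.0.113.10
2022-06-01T08:01:12Z 4625 DC01 frank 203.0.113.10
2022-06-01T08:01:30Z 4624 DC01 frank 203.0.113.10
2022-06-01T08:05:00Z 4625 WS07 bob 198.51.100.7
2022-06-01T08:05:20Z 4625 WS07 bob 198.51.100.7
2022-06-01T08:05:40Z 4625 WS07 bob 198.51.100.7
2022-06-01T09:30:00Z 4625 DC01 grace 203.0.113.10
"""


def parse_events(text: str) -> List[dict]:
    """Parse the normalized lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, host, user, src = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "id": int(event_id), "host": host, "user": user, "src": src,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events: List[dict], window: timedelta = timedelta(minutes=10),
                 min_users: int = 5) -> List[dict]:
    """Flag a source IP that fails logons for >= min_users distinct accounts inside the
    window (password spray), and any successful logon from that source while the spray
    is still inside the window (the alert that actually needs a human)."""
    alerts = []
    recent: Dict[str, deque] = defaultdict(deque)  # src -> (ts, user) failures in window
    sprayed = set()
    for e in events:
        q = recent[e["src"]]
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        if not q:
            sprayed.discard(e["src"])  # window expired: assess this source afresh
        if e["id"] == 4625:
            q.append((e["ts"], e["user"]))
            users = {u for _, u in q}
            if len(users) >= min_users and e["src"] not in sprayed:
                sprayed.add(e["src"])
                alerts.append({"type": "password_spray", "src": e["src"],
                               "users": sorted(users), "ts": e["ts"]})
        elif e["id"] == 4624 and e["src"] in sprayed:
            alerts.append({"type": "success_after_spray", "src": e["src"],
                           "user": e["user"], "host": e["host"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_spray(parse_events(SAMPLE_LOG)):
        who = a.get("user") or ",".join(a["users"])
        print(a["ts"].isoformat(), a["type"], a["src"], who)
```

The three failures against bob from 198.51.100.7 stay below the threshold on purpose: a spray is characterized by breadth across accounts, and a separate rule with its own threshold should cover repeated failures against a single account. Tune `window` and `min_users` to your environment’s normal failed-logon noise before enabling it for alerting.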
- Do you perform regular (continuous, quarterly, or annual) penetration tests, and are the results mundane? (Are you tired of having your consulting firm report on weak or expired SSL certificates?)
Mundane results may mean that your organization has a mature security program in place and is ready for an even deeper dive into your environment. If you haven’t performed a penetration test, start with that; you will more than likely learn a lot about your environment beyond what simple security scans reveal. You should also add proactive threat hunting. Threat hunting is one of the best ways to identify attackers lurking undetected in your environment. In fact, threat hunting is frequently one of the top recommendations from CISA when it publishes alerts about new mass exploits, and CISA considers it a top priority for proactive security. It is also one of the best ways to limit the impact of zero-day vulnerabilities, because it looks for attacker behavior rather than for known signatures. Read more in our threat hunting blog.
- Have you performed a red team previously, and how much did you learn from it?
If you’ve had red team engagements performed in the past but did not get much helpful feedback from them, it can help to switch things up with a purple team exercise, where the red team works alongside your defenders so that each technique is checked against your detection and response, or to get a second vendor’s perspective on your environment.
So, are you ready for a Red Team test?
Red team tests can be extremely valuable, and provide you with realistic, actionable information about how threat actors may target your network. If you found yourself responding “yes” to most of the items in the list above, it may be time to take your cybersecurity program to the next level by engaging in a red team test. Contact LMG Security’s expert red team testers for more information. And if you found that you still have a lot to work on, let us know—we can help you take your cybersecurity program to the next level.