Red Teams are often confused with penetration testers because the two overlap in practices and skills, but we believe they are not the same. Penetration testers pursue one or several defined objectives. Red Teams, however, have a specific quality and goal that separates them from other security teams.
The true purpose of a Red Team should be to find ways to improve the Blue Team. Red Teaming measures the effectiveness of security controls and response mechanisms. This requires a more resource-intensive approach to measure both detection and response of specific threats.
Red Team – Blue Team Communications
Effective Red Teaming requires active communication and coordination with the Blue Team. Beyond just proving they can break in, the true goal of Red Teaming is to assist Blue Teams in fine-tuning the detection thresholds and security response mechanisms of defense-in-depth strategies until the desired performance metrics are satisfied.
The more your red and blue teams communicate, the stronger your security strategy will be. Additionally, the better you can speak to company leadership and the board, the more your program will flourish.
Unlike vulnerability scanning and pen testing, Red Teaming demands a leader who is both a cybersecurity technology expert and an excellent communications coordinator. The Red Team's job is finished when the Blue Team has a prioritized understanding of, and an action plan for, its threat landscape.
What is a Purple Team and Why You Don't Want One?
Given the Truvantis definition of Red Teaming, why do you need a Purple Team? The short answer is you don't. Industry confusion arises when, for example, a vendor describes pen testing but falsely calls it Red Teaming. (The same vendor may also label vulnerability scanning as pen testing.) The vendor then claims you need a Purple Team so that the pen testers (a.k.a. the Red Team) can communicate and coordinate with the Blue Team.
Sometimes Purple Teams are sold as an actual external team. Under this definition, a Purple Team is a single group of people who do both the Red and Blue work of testing and securing a company. For example, the Purple Team may be an IT security consulting group brought in for an audit, or it may consist of the company's own employees. Either way, they do not focus exclusively on attacking or defending – they do both.
Sometimes Purple Teaming is described as concepts, practices, and exercises that enable red and blue teams to collaborate and work together more effectively. In this definition, Purple teaming is a security methodology in which red and blue teams work closely together to maximize cyber capabilities through continuous feedback and knowledge transfer – but shouldn't they be doing that anyway?
This use of 'Purple' is unnecessarily confusing. A proper Red Team engagement already includes all the functions or features others may describe as Purple. It's just called 'doing the job properly.'
Attack Surface Analysis
A proper Red Team engagement begins with an Attack Surface Analysis. Attack Surface Analysis replicates the techniques of real-world attackers in searching for unexpected ingress vectors. Your actual attack surface may be much larger than you think.
Without performing an Attack Surface Analysis, you will fail to find all your risks. For organizations that fail to refresh their knowledge of their attack surface, the scope used for their last penetration test will be input for their current test cycle. The gap between the actual attack surface and the perceived attack surface grows with each cycle. This gap is where real-world attackers will strike.
Using OSINT for Attack Surface Analysis
As part of attack surface analysis before penetration testing, understanding your OSINT footprint is essential. Your attack surface consists of more than just open ports, hostnames, and IP addresses. Email addresses, employee names, SaaS platforms, cloud-based tools and storage, public records, data breaches, social media accounts, and more are now all potential areas of risk.
The intelligence stage is the critical element required to define the Tactics, Techniques, and Procedures that may be used to reach the target and accomplish the mission objectives. The number of entry points into the corporate network determines the number of attack vectors available to an attacker.
Potential attack vectors include:
- Information systems with access to the Internet (e.g., servers, workstations, and administrative control panels of special equipment).
- Mobile devices of the employees
- Accounts of the cloud platforms and services used by the employees
With an attack surface that extends far beyond an organization's physical network, traditional methods of scanning and reconnaissance are no longer enough. Identifying what OSINT information is available about your organization is critical to your ability to address potential risks adequately.
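An added example (not code from the post or from Truvantis) that makes the gap between the perceived and the actual attack surface concrete: it takes the scope handed to the previous penetration test and the assets found this cycle by discovery and OSINT collection, both constructed here, and reports what the old scope would have missed. SaaS tenants and other third-party assets never fall inside a network/domain scope, which is exactly the kind of gap the OSINT section above describes.

```python
import ipaddress

# Constructed sample input: the scope given to the previous penetration test.
LAST_SCOPE = {
    "networks": ["203.0.113.0/24"],   # address ranges that were tested
    "domains": ["example.com"],       # hostnames and mailboxes under these were tested
}

# Constructed sample input: what this cycle's asset discovery and OSINT
# collection turned up (scan, cloud inventory, DNS, certificate logs, OSINT).
DISCOVERED = [
    {"kind": "ip",    "value": "203.0.113.17",              "source": "scan"},
    {"kind": "ip",    "value": "198.51.100.9",              "source": "cloud-inventory"},
    {"kind": "host",  "value": "vpn.example.com",           "source": "dns"},
    {"kind": "host",  "value": "staging.example-cloud.net", "source": "cert-transparency"},
    {"kind": "email", "value": "jdoe@example.com",          "source": "osint"},
    {"kind": "saas",  "value": "example.atlassian.net",     "source": "osint"},
]


def in_networks(ip, networks):
    """True if ip lies inside any CIDR in networks; malformed input counts as uncovered."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in networks)


def under_domains(name, domains):
    """True if name equals, or is a subdomain of, any domain in domains."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in (x.lower() for x in domains))


def is_covered(asset, scope):
    """Decide whether one discovered asset was inside the previous scope."""
    kind, value = asset["kind"], asset["value"]
    if kind == "ip":
        return in_networks(value, scope["networks"])
    if kind == "host":
        return under_domains(value, scope["domains"])
    if kind == "email":
        # Mailboxes on a scoped domain were reachable by the last test's scope.
        return "@" in value and under_domains(value.split("@", 1)[1], scope["domains"])
    # SaaS tenants, cloud storage and similar third-party assets never fall
    # inside a network/domain scope, so they are always part of the gap.
    return False


def scope_gap(discovered, scope):
    """Return the discovered assets that the previous scope would have missed."""
    return [a for a in discovered if not is_covered(a, scope)]


if __name__ == "__main__":
    for a in scope_gap(DISCOVERED, LAST_SCOPE):
        print(f"OUT OF SCOPE  {a['kind']:5}  {a['value']:28}  found via {a['source']}")
```

Feeding the output of each cycle's discovery back into the next scope is what keeps the gap from growing.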
Dark Web Data Breach Dumps
Many corporations and organizations have been victims of serious breaches. Breached data is data made publicly available by the parties responsible for the breach. Once leaked, that data is useful in OSINT investigations.
Data breaches can include names, phone numbers, addresses, credit card details, passport numbers, and other sensitive data. Breached data can be essential to building a dossier early in an OSINT investigation. This information can show newer data points and confirm existing data about the target.
Breached data is routinely uploaded to forums, paste sites, and file storage sites, where it is sold and shared. Items for sale on the Dark Web include credit cards, malicious services such as malware and DDoS-as-a-service, and data dumps.
Proper red teaming begins with a thorough attack surface analysis. The key to red team success is communication with the Blue Team and an overall improvement in risk management and cyber resilience.
The unifying theme is getting the Red and Blue teams to work together and agree on their shared goal of improving risk management and cyber resilience. The more your red and blue teams communicate, the stronger your security strategy will be.
Additionally, the better you can speak to company leadership and the board, the more your program will flourish.
At Truvantis, you will find a world-class team of experts with holistic cybersecurity and privacy services, from pen testing to regulatory compliance.
When you select Truvantis as your trusted third-party security partner, you get intelligence-driven operations designed to uncover vulnerabilities associated with real-world risk exposure. Truvantis penetration testing and red team engagements include attack surface analysis, evaluating insider threats, and comprehensive, full-spectrum testing.
Our accredited penetration testers are highly skilled specialists who have mastered the same skills used by cybercriminals. The Truvantis team of senior-level security engineers deploys our penetration testing services to help your company achieve compliance, understand the real threats to your systems, and create a realistic, actionable plan to manage risk.
Truvantis is a cybersecurity and privacy consulting organization with comprehensive expertise in implementing, testing, auditing, and operating information security programs. We specialize in helping our clients improve their cybersecurity and privacy posture through practical, effective, and actionable programs—balancing security, technology, business impact, and organizational risk tolerance. Contact us to get started today.