“Know thyself and know thy enemy.” This maxim, drawn from the treatise The Art of War by the Chinese philosopher and military strategist Sun Tzu (2nd century BC), summarizes a few strategies to follow in any conflict. It is also the maxim that underlies the creation of the so-called Red Team: highly skilled teams that simulate real but controlled intrusions into an organization. Red Teams arose from the need to confront an increasingly sophisticated attacker who has a number of factors in their favor (economic resources, time, knowledge, tools and technology, lax legislation, etc.) and will use them without hesitation to cause the greatest possible harm to the target, whether economic or to its image and reputation. Having an overall view of the organization’s exact situation on all fronts (digital, physical, and people), and knowing the attacker’s intrusion techniques and reasoning, becomes indispensable for defending the critical assets of any organization.
The concept of the Red Team comes from the military field and is used in opposition to the Blue Team; both belong to the activities of war games or war simulations, where one team takes the role of attacker (Red) and the other of defender (Blue). This type of exercise has been carried out continuously for decades by the armies of a number of countries and is one of the most effective forms of training, because it reveals the state of security, the weak flanks, and the defensive capabilities and reaction to an intrusion.
In the aftermath of the 9/11 attacks in 2001, this military practice of attack and defense has spread to, and intensified within, the intelligence community (both civilian and military) and the private sector, particularly the security divisions of large US government contractors.
From Military Tactics to Security Tactics
Today, Red Teams, such as the one run by the cybersecurity company InnoTec (Entelgy Group), have adapted these military tactics to security environments in order to go one step further in the defense of an organization’s critical assets.
It has been demonstrated that the traditional measures, namely protecting systems and equipment, developing security plans and policies, and running audits that try to verify that the actions carried out are correct, are appropriate but not sufficient. In practice, they allow the security of certain assets to be verified, but say much less about the overall security of the organization.
Do not forget that the exposed surface keeps growing. New attack vectors, vulnerabilities, devices, applications, technologies, and tools appear daily. The measures adopted in each case should be continuously re-evaluated and adapted to these new circumstances.
This situation becomes clear when analyzing incidents related to targeted attacks and APTs (advanced persistent threats), which show a high level of sophistication and resources, and where most of the time a combination of vectors (malware, vulnerabilities, exploits, etc.) is used, together with physical factors (access controls, Wi-Fi networks, ATMs, etc.) and attacks on the organization’s personnel (social engineering).
In attacks that look for the shortest path into the fortress, unfortunately, in a high percentage of cases the attacker will get in. Faced with this, the defensive team (Blue Team) must be prepared to detect the intrusion quickly and respond as effectively as possible before it propagates.
In the Attacker’s Skin
Precisely to prepare this defense, it is necessary to carry out Red Team exercises, simulations of real but controlled intrusions, that is, to get into the attacker’s skin and reproduce every step taken before reaching the target. To this end, the different tactics, techniques, and procedures (TTPs) that can be used in an attack are deployed: digital perimeter intrusion, APT emulation for information theft through phishing and social engineering scenarios, exfiltration of sensitive data through encrypted and alternative channels, development of customized malware to take control of internal systems, and evasion of physical access controls, among others.
These teams are currently used not only to check the existing level of security in the digital or physical domain, but also to continuously verify the effectiveness of the action plans, the defensive measures implemented, and the correct operation of the policies and of the organization’s internal security team. In this way, and with a joint vision, a better understanding of the possible adversaries and their modes of action is obtained. This helps the security team implement the measures needed to face possible attacks and adopt a proactive stance against targeted attacks, something that cannot be obtained in any other way.