Red Team Methodology: Understanding the Stages
If you’ve decided to undergo a red team assessment and engaged Schellman to perform it, you may be wondering what the next steps entail—as in, how will the next stages of the process work and what should you expect?
In this article, we can and will help clarify that by explaining some of the next decisions you need to make ahead of your engagement before getting into the details of the actual red team assessment process.
Now that you’ve decided to move forward with us for this comprehensive evaluation of your cybersecurity, let us explain how it will work.
Schellman’s Red Team Testing Process
To give you a sneak peek into how your assessment would proceed after you’ve made those important decisions, here’s an overview of our process, including the critical first (and multi-faceted) step we call project discovery.
Project Discovery (a.k.a. the Planning Stage)
As part of our collaborative approach to streamline activity, we’ll establish formal points of contact, escalation procedures, observation windows, issue alerting processes, and active chat channels, giving both sides a contact cadence to use throughout the engagement.
That being said, one key aspect of a red team assessment is to limit visibility and access to operations, so that only a select few individuals are aware of our work. Typically, this group includes key leaders such as your:
- CIO (Chief Information Officer)
- CISO (Chief Information Security Officer)
- Director of Operations
These leaders generally have the necessary authority, expertise, and strategic decision-making capabilities to be involved in the operation. Keeping knowledge of the engagement restricted to them allows for a more effective review of how the rest of your people and processes respond to the incidents or threats they observe.
Setting Your Red Team Assessment Goal
With the help of our red team, you’ll then decide on a specific goal or target. Red teaming allows for tailored and broad mandates, but when deciding your assessment’s goal, you should align it with your organization’s priorities or potential areas of vulnerability.
We recommend setting just a single goal, as that’ll allow us to focus efforts on a specific attack path and thoroughly evaluate the relevant security controls and incident response procedures.
Some example goals could include:
- Compromising a specific domain to simulate stealing sensitive data, disrupting operations, or launching further cyber attacks:
- E.g., we would act as a real-world attacker and attempt to gain access to your website by exploiting a vulnerability in the website’s code, and—once inside—move within your environment to take control of the database of customer data.
- Gaining unauthorized access to a component of your Continuous Integration and Continuous Deployment (CI/CD) pipeline:
- E.g., we would act as a real-world attacker and attempt to introduce malicious code into the software that is being developed or deployed so that we—as an attacker—could take control of the software or steal sensitive data that is stored within the application.
Setting Timeline Expectations
Before we get started, it’s important that everyone understands the projected timeline. A red team engagement demands more time and resources in comparison to a standard penetration test, as the former requires more extensive operational security techniques to discover attack paths and execute strategies that can bypass security defenses.
Typically, we find that no less than 4 weeks is required for a red team assessment when trying to achieve a single goal. Any added complexities will result in an even longer engagement duration (and higher costs as well).
Schellman’s Red Team Assessment Process
Once the project discovery—including the setting of goals and timelines—is complete, our team will proceed with the assessment using the MITRE ATT&CK Framework to track the effectiveness of your security controls, including both technical and administrative measures.
This comprehensive approach allows us to identify potential vulnerabilities and gaps in your defense posture, and though we customize each red teaming exercise to fit the specific needs of each client, you can anticipate the following six stages in the process:
1. Reconnaissance and Threat Modeling
We’ll analyze your digital footprint using open-source intelligence (OSINT) gathering techniques to help us:
- Identify the most vulnerable entry points into your organization; and
- Develop a targeted approach to the organization's overall security posture.
We’ll also perform threat modeling: we’ll discuss the types of attacks that have historically been carried out against other organizations of your company’s size and industry, review any specific concerns you have for your organization, and confirm the “goals” for this engagement.
2. Vulnerability Discovery
Leveraging what we learn during reconnaissance, we’ll identify attack paths through active testing and select the appropriate ones based on whether successful exploitation will help achieve your goal.
We’ll also perform operational security to stay undetected by your security teams and ensure non-repudiation of the test results.
3. Exploitation
We’ll use the identified information leakage, footholds, and pivot points, employing safe exploitation techniques as we attempt to bypass security restrictions and gain access to your system or resource.
4. Credential Access / Discovery and Lateral Movement
After gaining access, we’ll analyze the privileges obtained to determine whether they are sufficient for the predetermined "goals" of the test. Where they are not, we’ll attempt to take advantage of system weaknesses, misconfigurations, and vulnerabilities to extend that access.
5. Exfiltration
At this point, we will attempt to extract sensitive information from the targeted environment while avoiding detection, using safe exfiltration techniques to bypass security restrictions and reach the sensitive data.
6. Reporting
We’ll provide a deliverable that clearly states what steps we took with tiebacks to the MITRE ATT&CK Framework where possible.
This will include details regarding our Tactics, Techniques, and Procedures (TTPs) that will serve as comprehensive feedback on identified weaknesses and provide actionable recommendations for strengthening security controls.
Overall, the stages involved in this assessment incorporate actions outlined in NIST 800-83, the Guide to Malware Incident Prevention and Handling, though there’s a notable distinction regarding the reconnaissance phase: ours includes mapping potential attack paths and generating reports to facilitate shared knowledge and discussions with your security operations center (SOC).
Moving Forward with Your Red Team Engagement
In an assessment that pushes beyond a penetration test, red team engagements simulate real-world attacks to assess your security controls and response capabilities to help you identify and address security gaps that your organization may not have been aware of.
For those preparing to move forward with such an engagement with Schellman, you now understand which key questions to address related to objectives and timing, as well as how the process will progress from start to finish, which will help maximize the effectiveness of the assessment while allowing for seamless integration of the engagement with your ongoing operations.
About Josh Tomkiel
Josh Tomkiel is a Managing Director on Schellman’s Penetration Testing Team based in the Greater Philadelphia area with over a decade of experience within the Information Security field. He has a deep background in all facets of penetration testing and works closely with all of Schellman's service lines to ensure that any penetration testing requirements are met. Having been a penetration tester himself, he knows what it takes to have a successful assessment. Additionally, Josh understands the importance of a positive client experience and takes great care to ensure that expectations are not only met but exceeded.