A beginner’s guide to red teams

Article | November 2020

What they are, what they do and why your organization needs one

Pen tester, ethical hacker, vulnerability scan, red team operator… These terms are frequently bandied around in the infosec sphere but not everyone has a clear understanding of what they mean. If you work in IT or in a senior management position, figuring out the best way to protect your organization’s critical assets can be a challenge. To help you on your way, we’ve put together a concise guide to one of the most important groups of professionals in the world of information security: The red team.


So what exactly is a red team?


In 19th century Prussia, the state military devised a series of wargames or kriegsspiel designed to help soldiers anticipate their adversaries’ next moves by putting themselves in the enemy’s shoes. Using a board game similar to Risk, they would divide officers into two groups where the first would develop a battle plan and the second would attempt to thwart it. Seeing as the Prussian army traditionally wore blue uniforms (yep, that’s where the color “Prussian blue” comes from), the defending group were represented by blue counters on the board. That left the attacking team with the red counters.

The games proved successful in testing forces’ combat readiness; so much so that they were adopted by military groups across the world. As technology advanced and warfare went cyber, the terms “blue team” and “red team” retained their original meaning, despite the roles expanding dramatically in scope. In today’s cyberarena, red teams play the same role as in 19th century Prussia: they help organizations’ blue teams to improve their tactics and strengthen their defenses by launching attacks on their critical assets.


Got it. But how does that work in practice?


Your organization probably already has an information security team that defends valuable company data and funds from bad actors and insider threats. The problem is that it is very hard for infosec professionals to test their own defenses — they are likely to miss critical vulnerabilities or underestimate how far criminals will go in their efforts to breach organization systems. 

That’s where red teams come in. These groups of ethical or “white-hat” hackers (individuals who launch attacks on computer systems and networks without malicious intent) work completely separately from organizations’ infosec teams; approaching their task with an attacker’s mindset. Red teams evaluate networks, applications, people and physical security measures to identify opportunities for bad actors to breach organization defenses. They launch carefully devised attacks across multiple environments to determine where security vulnerabilities lie.

In order to realistically simulate sophisticated cyberattacks, red teams may spend weeks or even months preparing and planning. They might begin by extensively researching the target organization or social engineering employees into divulging sensitive information. So-called “dumpster diving” (going through organization trash looking for login details, IP addresses and other useful info), network scans and enumeration (connecting to a system with the aim of extracting information such as machine and user names) are also important steps in the “reconnaissance” phase of red team exercises.

Once the organization’s main vulnerabilities have been identified and mapped, the team can initiate the attack phase. Multiple vectors may be employed using a bespoke set of sophisticated exploitation and phishing tools. Though red teams normally adopt a “by any means necessary” approach to their attacks, it is crucial that they do not cause any permanent damage to the organization. In many cases, they will meet with executives or IT professionals prior to launching the attack to determine any no-go areas.

The most important part of any red team exercise is the feedback phase. Red team professionals will produce detailed reports specifying the weaknesses and vulnerabilities they discovered in the target organization’s security systems and describe how they succeeded in exploiting them. They will also put forward recommendations to the senior management team on how they can prevent similar attacks in the future.


How is that different from pen testing and vulnerability scanning? 


The main difference between red team exercises and penetration testing/vulnerability assessment is the scope of the security evaluation. While pen testers and security analysts generally focus on a single environment e.g. a specific application or system, red teams carry out a holistic evaluation of the organization’s defenses. They do not limit their assessment to cybersecurity protocols but also focus on physical security measures. For example, red teams may break into organization offices and safes, create fake ID cards or pose as maintenance workers to gain access to a building. 

Due to the comprehensive nature of their work, red teams require professionals with a wide range of different skills. A team may consist of penetration testers, software developers, network engineers, IT administrators and even locksmiths (think the infosec version of Ocean’s Eleven). Conversely, pen tests and vulnerability assessments are generally carried out by individuals, rather than teams.

Finally, red team exercises are carried out without staff knowledge in order to make them as realistic as possible. The teams may also operate on a continual basis. In contrast, other types of security tests are generally performed more sporadically (for example, when a new application is launched) and employees are usually given prior notice.


So should I employ a red team?


“My organization is too small for hackers to bother with” is a commonly heard justification from executives who don’t want to invest in extensive security testing. Unfortunately, this couldn’t be further from the truth. According to Vox, one in every five small businesses will fall victim to a cyberattack. Furthermore, 60% of said companies will then go out of business within six months. Hackers are also no longer just interested in obtaining data or funds. Even if your takings are small fry, they could still recruit your computer system as a botnet to carry out attacks elsewhere in the world. 

The Domain Tools 2020 Threat Hunting Report found that 63% of survey respondents saw a marked improvement in detecting advanced threats when carrying out regular threat hunting. But does this mean that all organizations require an in-house red team? Not necessarily. Due to their extensive scope, red team exercises may not be suitable for small organizations with few on-prem or cloud-based systems. In this case, penetration testing may be more appropriate. Furthermore, not all organizations need to employ a red team on a permanent basis. Third-party security service providers can be contracted to carry out red team exercises at relevant times e.g. when new programs or software are implemented or following a successful data breach. Even if your organization already has an in-house red team, it may still be useful to outsource the security evaluation process as third parties may discover weaknesses overlooked by employees familiar with the environment(s).


Okay, that’s all clear now. But what about blue teams? And purple teams?


Blue team operators are the defenders in the cyber kriegsspiel. While red teams attempt to breach organization defenses, blue teams safeguard data and devices by implementing comprehensive safeguarding measures and protocols. During a red team operation (or a real-life cyberattack), blue teams will attempt to block attacks and/or mitigate the impact of the breach. Blue and red teams will often work closely together to discuss the tactics employed by both sides during simulated attacks and the measures required to patch vulnerabilities and reduce risks. This close collaboration is known as purple teaming (think secondary colors on the color wheel).


Great! So where do I go from here?


If you’re an organization looking to upskill your information security team or an infosec professional looking to develop new competencies, CyberPro can help. Our academy offers a wide range of red and blue team courses, including ethical hacking, reverse engineering and network monitoring. Check out our training programs here and feel free to get in touch should you have any questions.