Red Teaming – What Is It?

This first chapter of 2NS’ Red Teaming blog series provides an overview of what is Red Teaming. Additionally, we explain some key aspects on why Red Teaming is important and what kind of organization should consider performing Red Teaming exercises to test their security. Future blog posts will dive deeper into how Red Teaming exercises are done and what are different phases of a usual Red Teaming project. Additionally, we will talk about alternative security testing models such as Purple Teaming and discuss related topics from a more technical perspective.

Red teaming is a security testing model which aims to test the organization’s overall security in a holistic way by covering people, processes, and technologies. In Red Teaming, real-world attacker tactics are used in assessing the target organization’s security. In addition to performing technical attacks, the Red Team can simulate physical attacks by utilizing social engineering methods to gain physical access to the target organization’s office spaces or other locations. Similarly, the Red Team may utilize modern phishing techniques to gain access to organization’s accounts bypassing security controls such as multi-factor authentication.

One of the main goals for Red Teaming is to evaluate the target organization’s detection and response capability by performing attacks relevant to the target organization. The Red Team mimics real-world attacker’s TTPs (Tactics, Techniques & Procedures) to ensure that that the exercise simulates an attacker that may target the organization.

Red Teaming exercises are collaborative and multiple teams contribute into the project to ensure that the target organization gets the full benefits from the project. The different teams usually are:

  • Red team: The team that simulates attacker steps to evaluate organization’s overall security. Usually external to ensure neutral point of view.
  • Blue team: The security team that defends against threats. Usually unaware of the Red Teaming project to ensure realism. Can consist of customer’s internal security specialists and external service providers e.g. MSSP SOC monitoring the security of the environment.
  • White team: The small team at the target organization that is aware of the Red Teaming project. Participates in the project planning with the Red Team.

Significant Value for Organization’s Information Security

Red Teaming can provide significant value to organizations, as it provides visibility into multiple different layers of security. Some key benefits include:

  • Identifying Blind Spots: Uncovering vulnerabilities and weaknesses that may not be evident through traditional security assessments.
  • Enhancing Incident Response: Improving the organization’s ability to detect, respond to, and recover from security incidents.
  • Strengthening Defenses: Providing actionable insights that lead to the enhancement of security controls, policies, and procedures.
  • Building Resilience: Preparing the organization to withstand and quickly recover from actual cyberattacks.
  • Promoting a Security Culture: Raising awareness and fostering a culture of security within the organization.

Is Red Teaming Right for Your Organization?

Red Teaming is not something that should be viewed as a one of the first steps when an organization starts to test their security capability using offensive security testing. In most cases, it is recommended that penetration tests and other more vulnerability-centric projects are performed before Red Teaming is used to test the overall defense.

Red teaming requires a high maturity level from the target organization to provide the customer with maximum benefits. In addition to having done security testing, the organization should have a good visibility into their organization’s events, for example by having a dedicated SOC monitoring the environment’s security 24/7.

But when should an organization then consider red teaming?

When the organization’s information security maturity level increases, red teaming testing can be applied, and it can be a very effective way to assess the organizations overall security and to verify that the organization can detect and respond to modern attacks.

This type of security testing is often used in the following situations:

  • The organization has invested significantly into security but is unsure about their current capability or whether the technologies work as intended or are properly setup. In this type of situations red teaming is primarily used in verifying organization’s current information security capabilities and technologies, as they are difficult to verify without offensive security testing.
  • An organization has purchased an external SOC (Security Operations Center) service from an MSSP or is building internal capability but is unsure whether the current security monitoring is able to detect and respond to an attack. Are all the necessary logs collected and analyzed? Are the SIEM rules configured correctly? Is EDR installed on all company systems and is configured properly? Do the SOC playbooks and processes work and is the SOC able to alert the necessary people in a timely manner?
  • In some cases, red teaming can be required by regulations. An example of this type of regulation is the European Union’s DORA act, which requires financial organizations such as credit and payments institutions and insurance providers to perform Threat intelligence-led Red Teaming. DORA act will be applied 17.1.2025 onwards. The DORA act is still under progress, but currently it looks like TIBER-EU  or local frameworks such as Bank of Finland’s TIBER-FI frameworks will be utilized. TIBER frameworks provide guidance on how authorities, financial companies, and threat intelligence and red team providers should work together to test and improve the customer’s cyber resilience.

Red team testing can provide significant value for an organization, but in turn it requires a high level of security maturity from the organization, and thus, it is often used in more complex cases, when an organization needs to test their security. It is a good choice when overall security needs to be tested as it offers visibility into security in many different levels.

Stay tuned for more blogs on the topic!