Adversary Simulation: Aka. Red Teaming - Moving Beyond Penetration Testing

24 Oct / 2023

Cythera are often approached by clients looking for Red Team services, social engineering and similar attacks which emulate real-world attackers - something over and beyond traditional penetration testing. These terms are commonly used, but typically misunderstood or taken out of context. This article is intended to provide some clarity around these services and Cythera’s approach.

PENETRATION TESTING VS RED TEAMING

Penetration testing uses the same tools and tactics as an adversary; however, due to the transparent nature of the engagement and resource constraints such as time and budget, the consultant is less stealthy than an attacker would be in the real world. This means there is an efficiency to the testing, since time is at a premium. As such, a penetration tester can traditionally afford the luxury of launching attacks that are quite "noisy" by nature, be it brute force attacks or fuzzing web forms. Testers are likely to trip all manner of alerts by launching lots of requests in a short period of time. In a time-constrained white box engagement, this is standard practice. The scope of a penetration test is also intentionally constrained – e.g. to a specific website, API or an entire environment. The intention of these constraints is – among other things – to provide breadth of coverage over a given environment.

However, in a Red Team exercise – what Cythera has termed “Adversary Simulation” – the attacker must, by definition, remain stealthy. This means attacks take more time to plan and often to execute. As a result, the engagement takes longer. The scope might be extremely bespoke (e.g. obtain Global Administrator access to M365) and the rules of engagement considerably more permissive to facilitate that outcome, employing tactics many might consider unfair (e.g. social engineering is permitted).

This is the point of red teaming: testing your defences in the way an attacker might. In this case, “the gloves come off”, so to speak. The increase in time, budget and scope, and the expansion of the rules of engagement, allow for far more comprehensive security testing that reflects real-world attacks, such as those traditionally seen from professional cybercriminals or advanced persistent threats (APTs). This is necessary in order to mimic what an attacker might do, which by definition requires as few constraints as possible.

This means an increase in challenge, both for the defenders, who must detect these attacks, and for the service provider, who must execute them. It is also worth pointing out that these services incline towards higher risk for both parties, because Red Teaming involves testing people, assets and access in live situations.

SO WHEN WOULD YOU PICK RED TEAMING OVER PENETRATION TESTING?

Cythera recommends that organisations consider red teaming (Adversary Simulation) engagements once they have a robust and well-established security program. This allows an organisation sufficient time to build a solid security base and so reap the benefit of more rigorous testing.

How would we define “robust and well-established”? Some common indicators we would look for in discussing with our clients:

  • The security program has been a funded program of works for several years;
  • One or more people are employed or accountable for the organisation’s cybersecurity posture;
  • The organisation has already been conducting regular penetration tests, e.g. internal, external, Wi-Fi, core applications, etc.;
  • Applications and operating systems are patched and regularly checked for vulnerabilities;
  • Multi-Factor Authentication is enabled, identity is centrally managed, and this extends to any third-party services;
  • Endpoint detection and response capabilities are in place and good coverage exists across most, if not all, control domains (e.g. the ACSC’s 37 mitigation strategies);
  • The organisation has a risk register for cybersecurity items, or a demonstrable track record of seeking feedback on its cybersecurity posture, and has a treatment plan for known issues;
  • The organisation demonstrates a security culture that owns problems and seeks solutions. A blame culture does not exist (this is vital when discussing social engineering);
  • The organisation operates in a high-risk environment and is actively targeted by threat actors.

If a client cannot comfortably tick these items, or at least demonstrate sufficient headway on them, then we would typically recommend different kinds of services that would be of higher value.

ARE THERE ANY RISKS ASSOCIATED WITH ADVERSARY SIMULATION?

In short, yes.

These kinds of engagements poke considerable holes in business processes and practices as well as technical controls. Many of these issues span different parts of the business, and some can become quite political internally or challenge the organisation’s culture. As a result, we traditionally emphasise the maturity of a client’s cybersecurity program as an essential precondition before conducting any Adversary Simulation engagement.

This is incredibly important when discussing engagements such as social engineering, which rely on tricking users into clicking a link, installing software or disclosing information. These exercises must be seen as an educational experience for all and not descend into a blame game. Some staff on the receiving end of these techniques may resent being targeted, or the techniques employed; they may feel they are being singled out. Also, these tests are traditionally conducted in a production environment and not within the relative safety of a dedicated test environment, so there is more risk on the client side of the fence.

We at Cythera pride ourselves on establishing excellent client outcomes. Our focus is on being a trusted service provider and partner to our clients, giving them high-value, cost-effective and tailored offerings.

We have invited clients to consider adding Adversary Simulation engagements to their security program; however, some clients will benefit from a more tailored offering, one that doesn’t fall under the Adversary Simulation banner but provides a better fit.

For most of our clients, penetration testing will come out considerably cheaper. It will cover the most territory in the shortest amount of time and unearth the most issues. When those issues, and the root causes that led to them, have been remediated; when subsequent penetration tests are showing increasingly fewer vulnerabilities; and when there are specific test cases that penetration testing may not cover, that’s when red teaming becomes more viable.

WHERE ARE YOU AT IN YOUR CYBERSECURITY JOURNEY? GIVE US A CALL AND WE CAN DISCUSS YOUR SECURITY CHALLENGES VIA EMAIL TO SALES@CYTHERA.COM.AU OR CALL US ON 1300 298 437.
