A Red Team can be an externally contracted group of pen testers or a team within your own organization, but in all cases, their role is the same: to emulate a genuinely malicious actor and try to break into your systems.
The value of Red Teams can be understood most easily by imagining a fictional scenario. An organization might have an extremely well-developed pentesting process and therefore be confident that its systems can’t be breached by external actors.
A worryingly high number of organizations do not have the control they think they do over their data: on average, 22% of a company’s folders are accessible to every employee, and 87% of companies have over 1,000 sensitive, stale files in their systems.
Once you’ve completed several business cycles of vulnerability and pen testing, you can start Red Teaming. At this point, the real value of Red Teaming can be realized. However, attempting to bring in red teaming before getting a good handle on the basics will produce very little value.
The role of the pen tester is quite tightly delineated. The work of pen testers is organized into four broad phases: planning, information discovery, attack, and reporting. As you can see, pen testers do more than just look for software vulnerabilities. They’re thinking like hackers: after they get into your system, their real work begins.
They’ll continue to do more discovery and then base new attacks on what they learn as they navigate through folder hierarchies. That is what makes pen testers different from someone hired just to find vulnerabilities by using, say, port scanning or virus-sniffing software. An experienced penetration tester can identify:
Where a hacker might target you
How they would attack
How your defenses would fare
The possible magnitude of the breach
Email and phone-based social engineering.
With a little bit of research on individuals or organizations, phishing emails become a lot more convincing. This low-hanging fruit is frequently the first step in a chain of composite attacks that lead to the goal.
Network service exploitation.
Exploiting unpatched or misconfigured network services can provide an attacker with access to previously inaccessible networks or to sensitive information. Often, an attacker will leave a persistent back door in case they need access in the future.
Physical facility exploitation.
People have a natural inclination to avoid confrontation. Thus, gaining access to a secure facility is often as easy as following someone through a door. When is the last time you held the door open for someone who didn’t scan their badge?
Application layer exploitation.
Web applications are often the first thing an attacker sees when looking at an organization’s network perimeter. Exploiting web application vulnerabilities (e.g., cross-site scripting, SQL injection, cross-site request forgery) can give an attacker a foothold from which to execute further attacks.