Red Team services can be a valuable part of any company's journey toward a mature security posture. Several Red Team operations have made the news over the last couple of years and painted a complex picture of this practice, but we think it's important to highlight the various levels at which companies, at any point in their journey, can use Red Team services to accomplish a number of objectives: from simply identifying vulnerabilities, to simulating attacks, to providing resources that help your teams grow and become more secure in their daily activities.
We recently sat down with Chris Sterbank, Director of Red Team Operations at CYDERES, to identify the varying levels of our Red Team offerings and to help shed some light on Red Team operations overall.
Hi Chris, thanks for taking the time to talk with us today. Tell us about what you do at Fishtech Group.
Hi, my name is Chris Sterbank and I’m the Director of Red Team Operations at Fishtech CYDERES.
Now, within the Red Team at CYDERES, there are multiple levels at which you engage our customers. What are each of those levels?
That’s right! We offer four distinct levels of varying services to help ensure our client and customers’ security posture. The first level is Attack Surface Management. Level two is Penetration Testing. Level three is Purple Teaming. And level four is Red Teaming.
Let’s dive deeper into Attack Surface Management, and its position as a level one engagement within our Red Team.
Right, so Attack Surface Management offers key services such as Vulnerability Management, where we provide routine discovery of new vulnerabilities and validate that patches are being applied in a timely manner. We can also scan external, internal, and cloud networks, along with web applications.
Another core component of our Attack Surface Management is User Awareness. Part of every organization's attack surface is their people, right? So, CYDERES can perform phishing exercises on your personnel with detailed metrics and follow-up training. We can use scenarios that are seen in the wild, ones that have been successful in previous penetration tests, along with custom-designed scenarios. We believe these services are foundational to any security program and help establish a good baseline in those key areas.
You mentioned Penetration Testing is the next step within a Red Team engagement. What differentiates Pen Testing from Attack Surface Management?
Penetration Testing differs from Attack Surface Management in that Vulnerability Management and Attack Surface Management are kind of looking at the entire set of possibilities, whereas Penetration Testing actually tries to exploit those possibilities, right? And this comes after an organization has an established Vulnerability Management program and routine patching, and, of course, upon the introduction of new applications or systems into their network.
A Penetration Test will validate various technical security controls, depending on the type of engagement. So, you might be looking at things such as multifactor authentication, making sure that's enforced, and maybe looking at enhanced password security, network segmentation, and also making sure things like your endpoint detection and response are on point in detecting some of the common threats that are out there.
We do this by offering several different services. We can perform network penetration tests, both external and internal, and against the cloud. We offer web application penetration testing, wireless, and social engineering engagements in which we will send targeted spear phishing and vishing attacks against your users and do things such as tailgating into your environments.
Next up, we’re talking Purple Team. How does this ramp up from penetration testing?
Purple Teaming, which is a cooperative assessment between your Blue and Red Teams, takes organizations to the next level by ensuring your technology and staff can actually detect the most common cyberattacks. These assessments are usually recommended for organizations which have an established Security Operations Center with centralized logging and alerting, and appropriate staffing.
So, by design, these scenarios will sound the alarm and give your personnel hands-on experience with real-world tactics and techniques. We will work directly with your team, hand-in-hand, to ensure that the attacks are detected, or that gaps in detection are identified. This is great for validating that you have centralized logging in place and actually working, and also for validating detection of common attack types and scenarios.
We offer scenarios, such as password strength, command and control exercises, phishing and vishing scenarios, and also scenarios on the inside of your network, such as information gathering, lateral movement, and privilege escalation.
Lastly, how does Red Team differentiate from Purple Team, and what makes it Level Four within the broader Red Team offerings?
So, our Red Team exercises are no-notice, and they can range in size and complexity from individual scenarios, similar to the Purple Teaming, all the way up to a full-blown assessment, which tests every facet of your organization, including physical security. Red Teaming will attempt to achieve specific objectives using any in-scope means as necessary.
For example, if a company wants us to go after something such as PCI data, it may not require purely cyberattacks. We can always rummage through the trash, or maybe find sensitive documents out in the open. Red Team engagements typically help answer a question: how do we fare when it comes to a dedicated adversary?
Red Teaming will validate whether you have fine-tuned detection, meaning various different types of attack techniques will be deployed, and it will also measure your response actions. In addition, it can help validate some threat hunting if you have that available in your organization. These types of scenarios are typically for the most postured and security-heightened organizations.
The types of services that we offer there are Red Team exercises, similar to our Purple Teams, but these are no-notice exercises, and we will apply different layers of evasive techniques during them, so if your team detects us, we will actually change up our tactics and come back again. Our final service that we offer there is a full-blown Red Team Assessment where there are no scope restrictions; it is very much objective-based, cyber and physical are all in scope, and they're typically long-duration, six-week assessments.