Another example of Red Teaming is physical penetration. It is easy to fake an employee's card, but how will security react when a stranger with someone else's ID enters the building?
So there are many potential risks in implementing a "real attacker" scenario, and given the complexity of the systems and of the technical, organizational and administrative issues involved, it is nearly impossible to foresee them all. But in the end, is the benefit of such work really that great?
A penetration tester playing the attacker remains an expert, and nothing more. He uses some of the technical methods and the mindset from a real intruder's arsenal, but he is still a properly motivated specialist. A real attacker, on the other hand, is motivated only by gain and by not getting caught, and does not care where that gain comes from. The probability of walking in through the main entrance to steal money from a bank is very low; it is easier to work over the Internet and "break" not one particular bank but the first bank that takes the bait. Furthermore, a pentester will not buy highly specific zero-day exploits for the products used by the tested organization, buy "access" (Trojan-horse implants sold by hackers) to large companies on the black market, or bribe employees. A real attacker will do all of this if he needs to.
Then what do you really need?
Most of our penetration tests show that the level of security inside companies is very low. Even the basic principles of information security are not followed, and the "trusted zone" of a corporate network often consists of thousands of hosts. So what do customers really need?
In most cases what is needed first is penetration testing. Experts analyze a given system (website, application, corporate network, Wi-Fi, access control, etc.) within a limited time, looking for as many vulnerabilities and misconfigurations as possible. As a result, the client receives a list of vulnerabilities and an understanding of what needs to be improved. Unlike Red Teaming, where a single attack vector is pursued (several critical vulnerabilities chained together to reach the chosen goal), many vectors are taken into account. Once you accept that it is fairly easy to bribe or deceive an employee, you can run a penetration test with ordinary user rights and check how much layered protection there really is inside.
Red Teaming makes sense when a company already has layered protection, most of its information security processes are in place and, most importantly, a monitoring and response system has been established. In simplified form, the task comes down to testing the monitoring system: how quickly and accurately can the company detect an attacker's actions, does it monitor all the key events of an attack, and what is the response of the IT security staff and how fast does it come?
The action plan is roughly as follows. The Red Team covertly probes the corporate system in various ways while the Blue Team watches everything it can. The results are then compared: what the Red Team achieved against what the Blue Team detected. The Blue Team proposes countermeasures, and the Red Team tries to bypass them to achieve the same results.
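The comparison step above, where the Red Team's actions are lined up against the Blue Team's detections, is usually done by hand in a debrief. The following Python script is an added example (not code from the original article) of how that reconciliation can be scripted: it correlates a constructed red-team activity log with a constructed SOC alert log by technique label, computes per-action time-to-detect, and reports detection coverage and the monitoring gaps. The log formats, technique labels and the four-hour matching window are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed red-team activity log: (ISO timestamp, technique label, what was done).
# In a real exercise this comes from the Red Team's own operator notes.
RED_ACTIONS = [
    ("2024-03-01T09:02:00", "initial-access", "phishing e-mail opened on WS-17"),
    ("2024-03-01T09:45:00", "credential-access", "LSASS memory read on WS-17"),
    ("2024-03-01T10:30:00", "lateral-movement", "RDP from WS-17 to FS-02"),
    ("2024-03-01T11:15:00", "exfiltration", "archive uploaded to external host"),
]

# Constructed blue-team alert log: (ISO timestamp, technique label, alert source).
# The last entry is unrelated to any red-team action and must not be matched.
BLUE_ALERTS = [
    ("2024-03-01T09:10:00", "initial-access", "mail-gateway"),
    ("2024-03-01T12:05:00", "lateral-movement", "EDR"),
    ("2024-03-01T13:00:00", "privilege-escalation", "EDR"),
]


def parse(ts):
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(ts)


def correlate(red, blue, window=timedelta(hours=4)):
    """For each red-team action, find the earliest blue-team alert with the same
    technique label that fired at or after the action and within `window`.
    Returns one record per action with detection status and time-to-detect."""
    results = []
    for ts, technique, action in red:
        t_action = parse(ts)
        candidates = [
            parse(b_ts)
            for b_ts, b_tech, _ in blue
            if b_tech == technique and t_action <= parse(b_ts) <= t_action + window
        ]
        detected_at = min(candidates) if candidates else None
        results.append({
            "technique": technique,
            "action": action,
            "detected": detected_at is not None,
            "ttd_minutes": (detected_at - t_action).total_seconds() / 60 if detected_at else None,
        })
    return results


def summarize(results):
    """Aggregate per-action records into coverage, mean time-to-detect and the
    list of techniques that produced no alert at all (the monitoring gaps)."""
    detected = [r for r in results if r["detected"]]
    coverage = len(detected) / len(results) if results else 0.0
    mean_ttd = sum(r["ttd_minutes"] for r in detected) / len(detected) if detected else None
    gaps = [r["technique"] for r in results if not r["detected"]]
    return {"coverage": coverage, "mean_ttd_minutes": mean_ttd, "gaps": gaps}


def run_debrief(red=RED_ACTIONS, blue=BLUE_ALERTS):
    """Correlate and summarize; returns the summary so callers can act on it."""
    results = correlate(red, blue)
    for r in results:
        status = f"detected after {r['ttd_minutes']:.0f} min" if r["detected"] else "NOT DETECTED"
        print(f"{r['technique']:<20} {status:<25} {r['action']}")
    summary = summarize(results)
    print(f"coverage={summary['coverage']:.0%} mean_ttd={summary['mean_ttd_minutes']} gaps={summary['gaps']}")
    return summary


if __name__ == "__main__":
    run_debrief()
```

The output of `summarize` is what the Blue Team's countermeasures should target: every technique in `gaps` is an action the monitoring system never saw, and a large mean time-to-detect on the rest shows where response, not just detection, needs work.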
The effectiveness of a penetration test for a company is maximized by giving the testers access rights, information and close cooperation. That makes it possible to find the maximum number of vulnerabilities and potential weaknesses in the system, fix the problems and prevent them from recurring. The same goes for Red Teaming: the more monitoring gaps and pointless reactions are exposed in the response, and the more of them are fixed, the more opportunities there are to neutralize intruders at an early stage.