A Red Team consists of IT security experts who test a company’s security program in a realistic attack scenario. Red Teams not only test technical systems, but also the company’s employees and processes. Typically, companies hire an external, independent party to conduct a Red Team operation. These operations are always goal-oriented. A classic objective of a Red Team operation is, for example, to gain access to certain systems or data of the company. The opponent of the Red Team is the so-called Blue Team. It consists of the internal IT security experts who defend the company against Red Teams and real attackers.
How a Red Team operation works
A Red Team operation is the most challenging test for a company’s full security program. It takes place without prior notice, so neither Blue Team nor other employees can prepare themselves. The Red Team itself does not receive any information about the target company, so the starting conditions are fair and the attack scenario is as realistic as possible. The Red Team’s approach will very often be guided by the following questions, which are usually of particular interest to the target company
- How quickly does the Blue Team react to attacks?
- How effective are the measures taken?
- Do employees and Blue Team adhere to the security guidelines?
- Are existing security guidelines coherent and complete?
- How is the physical security in the company’s buildings?
To answer these questions, the Red Team usually has a broad range of options and takes a very dynamic approach. Among other things, social engineering attacks can be executed. Here, typical human weaknesses are exploited to manipulate employees of the company in a targeted manner. For example, they can be tricked into disclosing confidential information. In addition to social engineering and technical attacks on the company’s IT infrastructure, physical access can also be gained within the course of a Red Team operation, for example by forging or falsifying access cards or by smuggling in manipulated devices. It is not uncommon for Red Teams to mislead and create distractions to put the Blue Team under pressure. In summary, a Red Team deployment involves attacks across all channels, requiring considerable time and resources. A Red Team operation is therefore a simulation of an Advanced Persistent Threat (ATP).
What are the differences between Red Teaming and Penetration Testing?
| Red Teaming | Pentesting | |
| Mode | Hidden operations, possibly below the detection threshold. | Usually very obvious procedure. |
| Goal orientation | Strongly focused on achieving specific goals that are set in advance. | Also focused, but still broader in scope. The test object is extensively examined. |
| Requirements | Only companies with a very mature IT security program require Red Team deployments. | Even with only basic IT security, a penetration test is useful. |
| Use of resources | High use of resources. The project is carried out by a whole team. | Less use of resources. Often a penetration test can be managed by a single person. |
| Scope of action | Often the Red Team has a wide range of action and takes a dynamic approach. | Pentestests are more rigid. The procedure is often closely coordinated with the customer. |
| Time frame | Usually extends over several weeks to months | Usually 1-2 weeks |
| Goals | Check the Blue Team’s responsiveness and detection capabilities. Review processes and their effectiveness | Assess the attack surface, uncover critical vulnerabilities, evaluate possible effects of an attack |
| Basis of information | No prior information – neither for Red Team nor for Blue Team. In some cases, there is a White Team, which is briefed and ensures a controlled process. | Often information about the test object is provided, company employees are often briefed. |
| Channels | Attacks are always carried out through multiple channels (physical, human, network, etc.) | Often limited to one channel e.g. attacks exclusively via the network |
Who needs Red Teaming?
A high degree of maturity of the company’s information security is a basic pre-condition to justify a Red Team operation. Only if there is a comprehensive security program is it worthwhile testing it. The number of companies that have a high degree of security maturity is however limited. The vast majority of companies do not have a Blue Team that could compete with a Red Team. For these companies, it makes more sense to invest in the development of the security program. Only when the program is in place and positive pentest results are reported is it time to consider Red Teaming. In the EU there is the so-called TIBER-EU framework (Threat Intelligence-based Ethical Red Teaming) for the voluntary implementation of Red Teaming in the financial industry. It is aimed at banks, insurers and operators of financial market infrastructure and aims to improve the cyber-resistance of the financial sector in a long-term perspective.
