Red Teaming

Red Teaming describes the process of mimicking real threats and their Tactics, Techniques and Procedures (TTPs). The goal is to train and measure the people, processes and technologies used to defend the environment. The basis for this is a realistic threat, which can be defined, for example, using the MITRE ATT&CK® framework. A special focus is always placed on realism and on the knowledge to be gained from the red teaming, and the operations are planned and executed individually accordingly. Red Teaming is judged by two factors: how much it trains the Blue Team and how accurately it assesses where the Blue Team currently stands. Processing the results and sharing the insights with the Blue Team after the operation is a key component of Red Teaming. Here, too, ATT&CK has proven its worth and is readily employed.

In this Research & Insight blog post, we highlight what we believe makes a good Red Teaming.

If the following questions are still open in your company, a Red Teaming is recommended:

  • Can our defenders (our Blue Team, our external SOC, etc.) detect attacks in our organization?
  • Is there a correct response to an ongoing attack?
  • Do our use cases cover realistic threats and procedures?
  • Are we really collecting the information that is needed when dealing with a cyberattack?
  • How can our Blue Team leverage the Red Team's knowledge to better protect us?

Process

Scoping

Goal and scope

The purpose of the scoping meeting is to define the goals of the red teaming and to transfer sufficient knowledge about the environment to be tested so that the offer can then be created on this basis. The questions mostly revolve around the simulated threat and any limits and constraints.

Offer

Agreement

The offer is prepared on the basis of the scoping meeting. In addition to the objectives, methods, price and general conditions, it also contains a suggested timeframe for execution. Of course, nothing is set in stone and the offer will be adapted to your needs. In principle, we always charge according to the actual effort involved.

Kick-Off

Test details

In the kick-off, the test details are discussed with the responsible persons. In particular, the definition of the exact objectives in the scope and the provision of any accounts for an Assumed Breach approach are discussed. Fast and smooth communication during the test is also ensured in this meeting.

Planning

MITRE ATT&CK

With the help of ATT&CK, an appropriate real-world threat is chosen as the basis for the tactics, techniques and procedures. This is done after consultation with the contact person and taking into account the capabilities of the Blue Team.


Operation

Execution

Now the planned operations are carried out and all steps are documented. For the duration of the operation, a contact person (White Cell) is defined who is available for queries from the Red Team. This minimizes the chance of unintended impact.


Report

Report Writing

All results are summarized and evaluated. Measures are proposed for all risks and their priority is recorded. The report also contains information and MITRE ATT&CK references for the tools and methods used.

Closing

Closing meeting

A closing meeting ensures that the results and measures from the test can be understood and implemented. This ensures that the Blue Team can really benefit from this Red Teaming.


Threat Analysis With MITRE ATT&CK

In each Red Teaming, a real threat is recreated. In the end, a realistic assessment of the defense mechanisms and of the Blue Team should be possible. The choice of the real threat to be simulated is therefore important for the course and success of the Red Teaming. This is most easily done with MITRE ATT&CK. Ideally, the corresponding preparatory work has already been done by the Blue Team, as they deal with real threats to the company on a daily basis. The easiest way is to choose a known group that has already carried out attacks on similar companies. Based on the techniques this group has used in its attacks, a similar operation is prepared and then executed; the group's indicators are deliberately reused as well. If the Blue Team already has a lot of experience and good coverage in detecting the selected groups, it may be worth considering other threat groups for the Red Teaming. For every detection, its basis should be questioned: ideally, a detection does not depend on a specific tool but on the underlying technique. Such details can be improved in a Red Teaming, and more efficiently still in a Purple Teaming.

[Figure: MITRE ATT&CK threat group]

Purple Teaming

A Purple Teaming is done in close cooperation with the Blue Team. This merges the two teams into one, which is where the name comes from (Blue and Red become Purple). The tactics, techniques and procedures of the Red Team and their elaboration remain similar to a Red Teaming, but during execution, possible detections are examined directly together with the Blue Team, so the methods and tools of the Blue Team are improved directly. The individual steps of the Red Team can also be repeated, and the methods and detections for them improved iteratively. Purple Teaming often improves the Blue Team more efficiently and is therefore frequently recommended. A Red Teaming, by contrast, is a test under real conditions and is especially recommended for more advanced Blue Teams that have already performed Purple Teamings.

Deliverables

All results are submitted in a final report (PDF, Excel and JSON) and made available via the Mesher platform. This is where the real work begins. Cybersecurity can only be increased if measures are actually implemented. Therefore, it is a key concern for us that the findings from the tests arrive at the right place in the right format and that no information is lost in manual hand-offs between tools.

PDF

The final report in PDF format contains an introductory section, executive summary, tools and methods, test details, positive aspects and passed requirements, results and measures with detailed description, categorization and prioritization, MITRE ATT&CK references and indicators of compromise.

EXCEL

The Excel file contains all results and measures with detailed description, categorization and prioritization. Thanks to the editable format, this list is suitable for further processing of the results, and additional information can be easily added.

JSON

The JSON file contains all results and measures with detailed description, categorization and prioritization. JSON is the most common format for automated further processing of information and can often be fed into existing tools with little effort.
Report

Categorization

We categorize all findings according to their probability of occurrence and impact. If required, the CVSS score can also be calculated for each vulnerability.

[Figure: risk matrix]

Executive Summary

Each report contains an Executive Summary, in which the results and recommended measures are summarized on one page and illustrated in diagrams.


MITRE ATT&CK References

The report includes references to all MITRE ATT&CK techniques that were used. This makes it easier for the Blue Team to close possible gaps in its detections and to learn more about the techniques.

[Figure: MITRE ATT&CK team activity]

Mesher

Via Mesher, your current security level is recorded and you can view the return on investment for the various measures. All results are also visualized here and, thanks to integrations, can be linked to existing tools. With the platform, technical measures can be assigned directly as tasks to the appropriate people, enabling agile work without information being lost between tools. In Mesher you can view the MITRE ATT&CK matrix for the performed Red Teaming and use it for the further improvement of the Blue Team. Existing ATT&CK layers can also be imported and merged.
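The threat analysis section above says that a detection should key on the underlying technique rather than on a specific tool, and this section mentions importing and merging ATT&CK layers. The following added example (not code from the original page or from the Mesher platform) shows how a Blue Team can do that check itself: it merges two constructed detection-coverage layers laid out like ATT&CK Navigator layer files, compares them against the techniques attributed to an emulated threat group, and reports which group techniques are not detected at all and which are detected only by a tool signature. The technique IDs are real ATT&CK IDs, but the group name "EXAMPLE-GROUP", the attribution of those techniques to it, the layer contents, and the `basis` key that records technique-level versus tool-level detection are all assumptions made for this example.

```python
"""Technique-level detection coverage check against an emulated threat group.

Added example, not part of the original page or the Mesher platform. It
takes the techniques attributed to a chosen threat group, merges one or more
detection-coverage layers in the style of an ATT&CK Navigator layer file and
lists the techniques the Blue Team cannot yet detect, or can detect only by
matching a specific tool rather than the underlying technique.
"""
import json

# Constructed sample: techniques attributed to a hypothetical threat group.
# The IDs are real ATT&CK technique IDs; the attribution to "EXAMPLE-GROUP"
# is made up for this example.
GROUP_TECHNIQUES = {
    "T1566.001": "Phishing: Spearphishing Attachment",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1003.001": "OS Credential Dumping: LSASS Memory",
    "T1021.002": "Remote Services: SMB/Windows Admin Shares",
    "T1053.005": "Scheduled Task/Job: Scheduled Task",
    "T1071.001": "Application Layer Protocol: Web Protocols",
}

# Constructed sample coverage layers, as a Blue Team might export them.
# The layout follows the ATT&CK Navigator layer format (a "techniques" list
# of objects with "techniqueID", "score" and "comment"); the "basis" key is
# an assumption added here to record whether a detection keys on the
# technique itself or only on a specific tool's signature.
SOC_LAYER = {
    "name": "SOC use cases (constructed)",
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1566.001", "score": 1, "basis": "technique", "comment": "mail gateway + sandbox"},
        {"techniqueID": "T1059.001", "score": 1, "basis": "technique", "comment": "script block logging"},
        {"techniqueID": "T1003.001", "score": 1, "basis": "tool", "comment": "known dumper file hash only"},
    ],
}
EDR_LAYER = {
    "name": "EDR rules (constructed)",
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1003.001", "score": 1, "basis": "tool", "comment": "known dumper binary names"},
        {"techniqueID": "T1053.005", "score": 1, "basis": "technique", "comment": "scheduled task creation events"},
    ],
}

RANK = {"tool": 1, "technique": 2}


def merge_layers(*layers):
    """Merge coverage layers. A technique counts as technique-based if any
    layer detects it at the technique level and tool-based if only tool
    signatures exist. Returns {techniqueID: {"basis": ..., "sources": [...]}}."""
    merged = {}
    for layer in layers:
        for entry in layer["techniques"]:
            if entry.get("score", 0) <= 0:
                continue  # a zero score means "listed but not detected"
            tid = entry["techniqueID"]
            basis = entry.get("basis", "tool")  # unknown basis is treated conservatively
            if basis not in RANK:
                basis = "tool"
            current = merged.setdefault(tid, {"basis": basis, "sources": []})
            if RANK[basis] > RANK[current["basis"]]:
                current["basis"] = basis
            current["sources"].append(layer["name"])
    return merged


def coverage_gaps(group_techniques, coverage):
    """Classify each technique of the emulated group as 'missing', 'tool-only'
    or 'covered'. Returns a dict keyed by classification, IDs sorted."""
    result = {"missing": [], "tool-only": [], "covered": []}
    for tid in sorted(group_techniques):
        entry = coverage.get(tid)
        if entry is None:
            result["missing"].append(tid)
        elif entry["basis"] == "tool":
            result["tool-only"].append(tid)
        else:
            result["covered"].append(tid)
    return result


def gap_layer(gaps, group_techniques, name="Gaps vs EXAMPLE-GROUP"):
    """Build a Navigator-style layer scoring each group technique:
    0 = missing, 1 = tool-only, 2 = technique-based. Colors are arbitrary."""
    score = {"missing": 0, "tool-only": 1, "covered": 2}
    color = {"missing": "#ff6666", "tool-only": "#ffcc66", "covered": "#8ec843"}
    techniques = []
    for cls, tids in gaps.items():
        for tid in tids:
            techniques.append({
                "techniqueID": tid,
                "score": score[cls],
                "color": color[cls],
                "comment": f"{cls}: {group_techniques[tid]}",
            })
    techniques.sort(key=lambda t: t["techniqueID"])
    return {"name": name, "domain": "enterprise-attack", "techniques": techniques}


if __name__ == "__main__":
    merged = merge_layers(SOC_LAYER, EDR_LAYER)
    gaps = coverage_gaps(GROUP_TECHNIQUES, merged)
    for cls, tids in gaps.items():
        print(f"{cls:9s}: {', '.join(tids) or '-'}")
    print(json.dumps(gap_layer(gaps, GROUP_TECHNIQUES), indent=2))
```

The merge keeps the strongest basis seen for each technique, so a tool-only rule in one layer does not mask a technique-level rule in another, while a technique covered by tool signatures alone still shows up as a gap to work on. The resulting layer can be loaded into ATT&CK Navigator or a comparable tool to visualize where the emulated group's techniques would go unnoticed.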

More about the Mesher platform

Mesher Platform