The most challenging element of a Red Team engagement is often breaching the external perimeter of the organization and attaining domain credentials. Companies invest a lot of time and effort into making their public-facing services as impenetrable as possible (while often neglecting internal network security, but that’s a whole separate blog) to deter opportunistic and targeted attacks determined to compromise sensitive data, deploy ransomware or simply to use the organization’s resources to mine cryptocurrency.

The most common way to breach an organization’s external perimeter is, of course, combining social engineering and phishing. But while phishing has proven to be extremely effective in various engagements, there are other ways to breach the first line of defense that are less reliant on the human factor.

Red Team vs. Penetration Testing

The larger the organization, the broader the attack surface, and the more difficult it is to manage network security and monitor all endpoints and users. While traditional penetration testing is a great way to ensure that a service is secure, it will often focus on a specific asset and have a defined scope that restricts the penetration tester.

Red Team or Purple Team engagements performed by offensive security experts against an organization with a dedicated and mature Blue Team are controlled but unconstrained – often including social engineering and physical security testing in order to imitate a real-world attack or APT (Advanced Persistent Threat).

When defending against an attack, an organization’s Blue Team must be alert and protect all possible entry points, while an attacker only needs one opening.

Red Team techniques – Looking from the outside in

Performing security testing on the external perimeter of an organization is invaluable for the cyber-security positioning of an organization. During a Red Team assessment, the offensive security team performs various steps in order to identify the most promising course of attack. These include:

• Open Source Intelligence (OSINT) gathering
• Mapping publicly accessible assets and services (i.e. ADFS, OWA, VPN, Web Apps)
• Identifying leaked passwords of existing and former employees
• Examining existing DNS records and misconfigurations
• Fingerprinting external services and identifying vulnerable products

This information is then leveraged into a full-scale attack on the organization. For this reason, performing proper and thorough information gathering during the reconnaissance phase is the most important part of a Red Team engagement.

The next step of an external attack includes attack planning and execution. One of the most common attacks on an organization’s IT infrastructure is Password Spraying (AKA reverse brute-force attack). This attack method is widely used in order to gain an initial foothold inside the target organization. But it can also be carried out from within the organization’s network when performing Ethical Hacking engagements meant to simulate an attack from the internal network, or an Advanced Persistent Thread (APT).

How does password spraying differ from traditional brute-force attacks?

In this attack scenario, an attacker uses either a single password or a short list of common passwords against a list of usernames (the more, the better) enumerated during the information gathering phase. This attack is more effective than attempting to penetrate a single account with brute-force as it avoids account lockout, evades most of the existing modern monitoring systems, is very difficult to protect against, and will, sooner or later, provide an attacker with a valid set of credentials belonging to the least vigilant user. This technique has proven extremely effective in numerous Ethical Hacking and Red Team engagements and should be part of every hacker’s arsenal.

Why perform Red Team assessments?

Most organizations have implemented penetration testing as part of their cyber-security procedures, whether for compliance with regulations and standards, to increase the overall security level of the organization and its clients, or both! Penetration tests are a great way to ensure the security of specific services, products and interfaces, but they may provide only a partial picture of the organization’s readiness against a real-world attack performed by a team of hackers or an APT group. The reason behind that is that penetration tests usually focus on a specific scope and a limited number of components, therefore revealing impact on a specific system, rather than the full organizational ecosystem.

By performing Red Team assessments, an organization gains insight into the cyber-security threats it may be up against, the efficiency of the implemented security products and procedures, the capabilities of the SOC team, and its overall security positioning.