What is a Red Team?

Red teaming is a cybersecurity exercise that fully simulates a real-life attack to measure how well an organization can withstand today's cyber threats and malicious actors. The red team plays the attacker in this simulation, using the same techniques and tools as real adversaries to evade detection and test the readiness of the internal security team. This means testing not just vulnerabilities in the technology but also the people in the organization, through social engineering such as phishing, and the physical premises, through in-person visits.
Ultimately, red teaming serves as a comprehensive assessment of your security posture as a whole.
What Are the Goals of a Red Team?
A red team can consist of as few as two people and scale to more than 20, depending on the task. What matters most is that the team is built for the task at hand: find experienced, critical thinkers to form the core and keep building it out with a diverse mix of skills. A red team should be used alongside your vulnerability assessment and penetration testing programs in order to realize its full value.
- Have the right conditions
- Set clear objectives
- Get the right tools
- Focus on key issues
Techniques and Tactics
Red teaming is more than penetration testing: a penetration test locates vulnerabilities in a security system, and its focus is often a specific target such as one application or data set.
Red teams go beyond a single focus and attempt to breach the organization the way a criminal would. Their tactics range from social engineering to physical intrusion attempts, emulating a real-world advanced persistent threat.
Reconnaissance and Social Engineering
Red teams start by gathering information about the target; the more they know, the more effective they can be.
Open-source intelligence (OSINT) gathering is when a red teamer collects as much publicly available information as possible, curated from sources such as:
- Media reporting
- Internet searches
- Social media combing
- Publicly accessible data
- Any other searchable information.
In a real attack, the same information can be used to gain access, to exploit the target, or to be sold to another criminal.
Similar to OSINT gathering, red teamers enumerate the company's publicly accessible services. This includes:
- Checking web applications
- VPN gateways and related login information
- Webmail applications
- Any other program that is public facing.
Reviewing these public-facing services can reveal easy entry points through which the team can break into the system and access sensitive data.
Red teamers can get very creative when looking for a company weakness. This includes connecting and conversing with current and former employees; through these contacts they can obtain pertinent security information and possibly even leaked passwords or credentials.
Identifying Misconfigurations
Security misconfigurations happen far more often than companies realize. Red teamers examine DNS records and other network configuration for mistakes that provide an entry point they can breach.
Any information gleaned before the attack helps them mount a deeper attack against the organization, so getting the most out of public-facing information is one of the most important phases of a red team engagement.
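One concrete reconnaissance check of the kind described above (reviewing public DNS records before a phishing campaign) is to read a target domain's SPF and DMARC TXT records and see whether they actually stop mail spoofing. The script below is an added example written for this page; it is not Fortra's code or part of any Fortra product. All records it evaluates are constructed sample data, and it assumes that in a live engagement you would fetch the real TXT records for each in-scope domain with a resolver (for example dnspython's `dns.resolver.resolve(name, "TXT")`) and pass them to `assess_domain()` in the same shape.

```python
"""Check SPF and DMARC TXT records for misconfigurations that make a domain
easy to spoof in a phishing campaign.

Added example for this page; it is not Fortra's code. The records below are
constructed sample data. Assumption: in a real engagement the TXT records for
each in-scope domain are fetched with a resolver (for example dnspython's
dns.resolver.resolve(name, "TXT")) and fed to assess_domain() in the same shape.
"""
import re
from typing import Dict, List, Optional

# Constructed sample records, keyed by the DNS name they would be published at.
SAMPLE_TXT_RECORDS: Dict[str, List[str]] = {
    "example.test": ["v=spf1 include:_spf.mail.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "strict.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_dmarc.strict.test": ["v=DMARC1; p=reject; sp=reject; pct=100"],
    "open.test": ["v=spf1 +all"],  # open.test publishes no _dmarc record at all
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; pct=50' into {'v': 'DMARC1', 'p': 'none', 'pct': '50'}."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(spf: str) -> Optional[str]:
    """Return the qualifier on the 'all' mechanism ('+', '-', '~' or '?'), or
    None when the record has no 'all' mechanism. A bare 'all' means '+all'."""
    match = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", spf)
    if match is None:
        return None
    return match.group(1) or "+"


def assess_domain(domain: str, records: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings; an empty list means both SPF and DMARC
    are configured to reject unauthorized senders."""
    findings: List[str] = []

    spf_records = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf_records:
        findings.append("no SPF record: any host can send mail as this domain")
    elif len(spf_records) > 1:
        # RFC 7208: more than one SPF record is a permerror, so receivers ignore SPF.
        findings.append("multiple SPF records: permerror, receivers treat SPF as absent")
    else:
        qualifier = spf_all_qualifier(spf_records[0])
        if qualifier is None:
            findings.append("SPF has no 'all' mechanism: unlisted senders get a neutral result")
        elif qualifier == "+":
            findings.append("SPF '+all': every sender passes, SPF provides no protection")
        elif qualifier == "?":
            findings.append("SPF '?all': unlisted senders are neutral, not rejected")
        elif qualifier == "~":
            findings.append("SPF '~all': softfail only; effective only if DMARC enforces")

    dmarc_records = [r for r in records.get("_dmarc." + domain, [])
                     if r.lower().startswith("v=dmarc1")]
    if not dmarc_records:
        findings.append("no DMARC record: SPF/DKIM failures are never enforced")
    else:
        tags = parse_dmarc(dmarc_records[0])
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC record has a missing or invalid p= tag")
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")

    return findings


if __name__ == "__main__":
    for name in ("example.test", "strict.test", "open.test"):
        issues = assess_domain(name, SAMPLE_TXT_RECORDS)
        print(name, "->", "OK" if not issues else "; ".join(issues))
```

A domain that comes back with no findings (here `strict.test`) is a poor spoofing target and the phishing pretext should use a look-alike domain instead; one with `~all` plus `p=none`, or with no DMARC at all, can usually be impersonated directly, which is exactly the kind of misconfiguration the engagement report should call out for the blue team.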
Benefits of Red Teaming
- Uncover attack vectors that attackers could exploit
- Demonstrate how attackers could move through your environment
- Provide insight into your organization's ability to prevent, detect, and respond to advanced threats
- Identify alternative options or outcomes of an action or attack plan
- Prioritize remediation plans based on what is causing the greatest risk
- Build a business case for improvements, deploying new solutions, and other security spending
Red Teams vs. Blue Teams vs. Purple Teams
Red team and blue team tests are named and modeled after military exercises. To ensure soldiers are battle ready, simulations are run to test out the effectiveness of their defense strategies. In these simulations, red teams take on the offensive role of the enemy, while the blue team is on the defensive, shielding their position. In the cybersecurity realm, the roles are the same, but the battlefield is in the digital sphere.
What Is the Difference Between Pen Testing and Red Teaming?
Penetration Testing
Penetration testing is a must-have for any organization. A pen tester is designated to ethically hack and evaluate your environment; in this role they are the point of contact for the engagement and drive the work within the agreed scope. An organization may hire someone specifically for pen testing, or may have someone complete penetration testing as part of their other duties.


Red Teaming
A red teaming exercise is essentially a penetration test conducted from a military perspective: the red team is the attacker, which assumes there is also a defender, your organization's IT security group. The primary difference is that a pen test is scope-based, and that scope may not include strengthening the organization's defenses; it may also be conducted by a single individual. Red teams, on the other hand, comprise multiple participants, test without the knowledge of most of your staff, and may operate continuously or routinely.
Implementing red teaming and pen testing together helps close possible security gaps. Pen testing can help open the door for a red team, and the red team can branch out and expand the attack once inside an organization's environment. Red teams that use pen testing tools can test a company's layers of security instead of a single aspect of cybersecurity. This helps with post-exploitation reporting designed to strengthen your security team's defenses.
Are Red Teaming and Ethical Hacking the Same Thing?
Red teaming is one part of ethical hacking, along with penetration testing. In practice, which of the two an organization uses often depends on its size. Small and medium-sized businesses typically use penetration testing to uncover vulnerabilities and fix configuration issues.
Larger organizations deploy red teams to test their cybersecurity. Combining the social engineering phase a threat actor would use, stealthy deployment of malware that evades detection, infiltration of the breached systems, and theft of pertinent data, a red team engagement is a multi-faceted real-world attack simulation. Once it is complete, attack statistics are generated and reported to the blue team to show where the vulnerabilities are and what type of data was "stolen." This information is used to remediate known and previously unknown security vulnerabilities and to strengthen employee security awareness.
When Should You Use a Red Team?
- When you have implemented new security software, programs, or tactics in your organization
- When a new breach or attack occurs
- Routinely
How to Build a Red Team Program
Red teams are about quality, not necessarily quantity. Their job is high-level critical thinking, and their deliverable is not simply a list of vulnerabilities. Know what the red team's objective is, understand how they are working to complete it, provide them with the right toolset to get the job done, and maintain teamwork between them and your internal IT teams.
What Are Red Teaming Tools?
Of course, the biggest asset for red teaming is the team itself. The skills a team has and how well its members work together directly affect the effectiveness of a red teaming exercise. Some organizations choose to build their own red team. These teams can be quite small, consisting of as few as two people, and can scale to more than twenty. Ideally, red team members should span the different specialties and functions of your technology. Building a team whose members have a diverse set of skills and backgrounds provides coverage for all of the aspects of an organization's infrastructure that need protection, such as IT, operations, and facilities. Some members may come from pen testing, while others bring knowledge of IT administration, network engineering, or web development, to name a few.
Third party red teams are also regularly utilized. Organizations often choose to rotate between different security firms because each red team operates a little bit differently, using different approaches and tools. Since an external team can bring in a true outside perspective, third party teams are even used by organizations who have an internal red team, as they may uncover issues that have been overlooked due to the on site security team’s familiarity with the environment.
Red teaming tools are as diverse as the teams themselves. Just as with penetration testing, no single tool covers everything. Instead, teams assemble their own toolkit, much of it shared with pen testing. Such adversary simulation tools can include vulnerability scanners, assessment and reconnaissance tools, password crackers, phishing tools, exploitation tools, post-exploitation agents, and more.
What to Look For in a Red Team Tool
To emulate the same attack methods and techniques of a malicious actor, red teams need the right tools. The purpose of implementing a red team is to safely attack your security system and find the weaknesses before a cybercriminal exploits them, thus educating and informing your internal security team. Red teams need a multitude of resources, from planning and preparation to stealth and post-exploit reporting.
Bundling the right tools helps coordinate red teaming efforts and lets the team work faster, more efficiently, and more stealthily.
- Targeted attacks
- Threat actor simulation
- Stealth and evasion
- Expansive and evolving attack toolkit
- Red team collaboration
- Comprehensive reporting
The Role of Threat Emulation Software and Red Teaming
The right red team needs the right toolset to maximize its effort and effectiveness, and threat emulation tools are a core part of it. Emulating an adversary's tactics and techniques quietly over a long period lets a red team establish and maintain a foothold in the IT network, as a real intrusion would.
Cobalt Strike lets operators change its network indicators and emulate different malware, so the red team can stay embedded in the environment while evading the blue team. It also includes social engineering tooling and supports collaboration between red team members.
After a simulated attack, reports are generated and designed to aid in blue team training. Post-attack reviews should be used to help IT professionals prepare for a real attack. Red teams should be a trusted partner in the cycle of improving your organizational cybersecurity. It’s not enough to implement security features and teams without testing them and improving upon those processes.