Introduction

What?

Red teaming is a term borrowed from the military. In military exercises, a group would take the role of a red team to simulate attack techniques to test the reaction capabilities of a defending blue team against known adversary strategies.

Red teaming does not replace penetration testing. It complements it by focusing on detection and response rather than prevention. Red teaming improves penetration testing by taking into account several attack surfaces:

  • Technical Infrastructure: Like in a regular penetration test, a red team will try to uncover technical vulnerabilities, with a much higher emphasis on stealth and evasion.

  • Social Engineering: Targeting people through phishing campaigns, phone calls or social media to trick them into revealing information that should be private.

  • Physical Intrusion: Using techniques like lockpicking, RFID cloning, or exploiting weaknesses in electronic access control devices to access restricted areas of facilities.

Why?

In cybersecurity, red team engagements consist of emulating a real threat actor’s Tactics, Techniques and Procedures (TTPs) so that we can measure how well the blue team responds to them and ultimately improve any security controls in place. The final objective of such exercises is never for the red team to “beat” the blue team, but to simulate enough TTPs for the blue team to learn to react adequately to a real ongoing threat.

How?