Building a Red Team (Attacker point of view)

To find potential vulnerabilities before the adversaries do, it is useful to have a group of specialists who think like them: they try to exploit the vulnerabilities to gain unauthorized access and, if they succeed, explain to the security team how they managed it, so that those vulnerabilities or configuration errors can be remedied.

The name Red Team comes from US military war games, in which defenses were tested against a red group that played the role of the enemy.

The goal of the red team is not merely to run vulnerability discovery tools, but to try to exploit the vulnerabilities found, analyze the impact, and attempt to move laterally in order to identify how far an adversary could go. Red teams frequently develop software components that simulate the behavior of malicious programs (malware) and deploy them on the customer's network.

Although we should always keep a positive, constructive view of the future, being aware of what could happen if the organization were in the sights (the target) of attackers is vital to being prepared for when an adversary actually tries, just as in resilience engineering we prepare for failure. In cybersecurity we must strengthen cyber-resilience, our ability to keep operating smoothly despite attacks, and the Red Team is a central component in achieving this goal.

Attack Simulation tools:

  • Guardicore Infection Monkey (Open source and integrated with AWS Security Hub).
  • F-Secure Leonidas
  • XM Cyber
  • AttackIQ
  • Randori
  • Prelude (based on open source CALDERA from MITRE)
  • Scythe
  • Safebreach
  • CyCognito
  • Cymulate