Concept and development of Red Team

13.04.2026

Ruslan Rakhmetov, Security Vision


The modern cyberthreat landscape is growing in complexity, speed, and adaptability, like a virus evolving year after year. While in 2019 attackers needed an average of 68 days to carry out a ransomware attack, in 2023 they needed less than 4 days, and now, given the development of AI technologies and agents, it is frightening even to imagine. Therefore, on the defense side, tools have emerged that check not just individual elements of the IT infrastructure but the organization's entire security system, including people, processes, and technologies. In this article we discuss comprehensive security analysis using a Red Team, an excellent option for testing a company's readiness to counter real threats.


Table of contents

1) The evolution of security and the emergence of the Red Team Assessment process

2) Teaming concept, philosophy, goals and tools

3) Anatomy of a real attack: tactics, techniques and procedures (TTPs) and Kill Chain

4) Differences in Red Team and Pentest

5) SOC works: a cat-and-mouse game with Blue and Red Teams


1) The evolution of security and the emergence of the Red Team Assessment process

Strategic cybersecurity is based on a process of assessment, adaptation, and improvement. Historically, organizations have relied on vulnerability scanning (VS) and vulnerability management (VM), but the process itself is continuous and has evolved in stages.

1)  The earliest systems performed basic scanning of the environment for known network vulnerabilities and unpatched application errors, followed by management of the remediation process. These checks fall into the whitebox group and can be supplemented with hardening (as in the Security Vision SPC module).


2)  As IT infrastructures matured, the need arose for practical exploitation of these vulnerabilities, leading to the popularization of penetration testing (pentesting). Pentesting takes this a step further by exploiting identified vulnerabilities under controlled conditions, simulating attacker actions (for example, brute-forcing passwords and weak encryption algorithms, as in the Security Vision VS module). This added scans of the blackbox group to the process.


3)  The next, most critical stage of development is Red Teaming – an approach focused not on finding technical flaws, but on testing the resilience of business processes to attacks by advanced attackers. It utilizes automated tools for whitebox, blackbox, and greybox scanning, expert knowledge, coordinated teamwork, and data from analytical services.


A pentest can be compared to a technical audit of a bank vault's security systems: auditors (pentesters) openly check the thickness of the walls, test motion sensors, attempt to crack safe locks, and verify the functionality of CCTV cameras. Finally, they provide the manager with a report listing the defects.


Red Team, on the other hand, is a simulation of a real bank robbery: a group of experts doesn't care how many vulnerable locks are installed in the building. They simply need to find one trusting security guard, steal his badge, enter the building under the guise of a delivery service, bypass cameras in blind spots, and remove the contents of a specific cell from the vault. They focus on achieving their goal by any means necessary, bypassing defenses at the intersection of people, the physical world, and technology.


2) Teaming concept, philosophy, goals and tools


The Red Team is an independent group of highly qualified specialists with diverse experience and skills who emulate the tactics, methods, and mindset of real-world attackers. This team conducts a comprehensive assessment of an organization's ability to detect and respond to attacks and to restore normal operations. The exercise aims to stress-test the company's entire defense ecosystem: people, processes, and technologies.


While a classic pentest stops after recording the maximum number of breaches in a given perimeter, a Red Team assessment is aimed at performing a specific, business-critical task: for example, "stealing a customer database," "transferring funds through a payment gateway," or "gaining access to process control systems." To achieve this goal, the "red team" seeks any available route, bypassing detection systems and information security tools (ISS).


The Red team operates covertly, providing management with realistic performance metrics: specialists use advanced methods of bypassing antivirus protection and EDR systems, custom-developed malware, zero-day exploits, encrypted command and control channels, and anti-forensic methods (covering tracks). This advanced "arsenal" allows us to identify systemic risks that cannot be detected by isolated testing of individual applications.


3) Anatomy of a real attack: tactics, techniques and procedures (TTPs) and attack chains (Kill Chain)


To make the attack simulation as realistic and practical as possible, Red Team utilizes tactics, techniques, and procedures (TTPs) from real-world cybercriminals and hacker groups. TTPs describe the attacker's behavior at both the macro and micro levels: the strategy they choose (tactics), the methods they use to implement it (techniques), and the specific tools or command sequences they employ (procedures). The use of TTPs ensures that defenses are tested not against abstract models, but against algorithms used in attacks "in the wild."


Modern, detailed matrices, such as MITRE ATT&CK and FSTEC BDU, offer adaptability and deep understanding of attacker activity and are widely used by red teams and information security systems (for example, in Security Vision SIEM and SOAR modules).


The Cyber Kill Chain framework is also widely used in the security industry; it was originally developed by the Lockheed Martin Corporation based on military models and adapted for the digital world. We have already discussed it separately, and we also use it in developing automated incident management tools.


Think of MITRE ATT&CK as a modern GPS navigator: it provides detailed turn-by-turn directions, alerts you to potholes and traffic jams, and suggests specific tricks (such as detours) at each step of the route.


At the same time, the Cyber Kill Chain framework works like a paper map of your road trip. It shows the strategy: "leave the city, take the highway, arrive at your destination," dividing it into seven clear steps.


4) Differences in Red Team and Pentest


The vast majority of destructive cyber incidents in the real world begin not with the exploitation of a complex, unknown zero-day technical vulnerability on the network perimeter, but with successful deception of a human. Penetration testing teams can also operate in this manner, as do Red Teams, which, unlike classic pentests (limited to the IT infrastructure and pre-provided IP addresses), actively use social engineering, phishing, and physical penetration to achieve their goals, since these are the vectors preferred by real criminals.


A pentester, having found a vulnerability on the perimeter, often simply documents this fact (Proof of Concept) and moves on to searching for other independent breaches, but for the Red Team the initial compromise (for example, of an ordinary sales manager's laptop) is just a springboard. They then work according to the concept of Lateral Movement: horizontal navigation through the network, moving from one compromised system to another in order to find critical assets, escalate privileges, and expand their presence within the infrastructure. The attacker's goal is rarely a random user's device: they target databases, financial systems, or Active Directory domain administrator rights.


Therefore, for security purposes, it is important to build a resource-service model and a network map (as in the Security Vision AM module), and for incident analysis our developments use AI assistants to analyze paths to critical systems and intruder routes. Using these technologies, we can counter the actions of the Red Team and of real attackers, promptly "cutting off" parts of the network from each other, blocking accounts and revoking user rights.

5) SOC works: a cat-and-mouse game with Blue and Red Teams

The final stage of the processes described in this article is the SOC (Security Operations Center), which repels attacks in real time. In cyber exercises, the internal or outsourced defenders are called the Blue Team, which plays catch-up with the Red Team.


While one of the offensive team's primary goals is covert operations to avoid leaving obvious indicators of compromise (IoCs, such as hash sums of known malicious files, communications with publicly known suspicious IP addresses, or non-standard entries in the system registry), the defensive team relies on analytics:

     -  Are the installed SIEM, EDR, XDR, and SOAR systems capable of correctly collecting logs and generating alerts?

     -  In the face of daily information "noise" and thousands of false positives, can analysts connect the dots between disparate events and see signs of a targeted attack?

     -  How is effectiveness evaluated? By MTTD (Mean Time to Detect), the average time elapsed between the start of an attack and its detection by the protection system, and MTTR (Mean Time to Respond), the average time from the moment of detection to the complete elimination of the incident and localization of the threat.
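As an added example of computing the two metrics just defined (written for this article, not taken from it or from any Security Vision product), a constructed exercise log of Red Team actions is reduced to MTTD and MTTR in minutes. Incidents the Blue Team has not yet detected or closed are excluded from the averages rather than counted as zero, and MTTD can be broken down by the tool that raised the alert, which answers the first question in the list above. The record format and values are assumptions.

```python
from datetime import datetime
from statistics import mean

# Constructed exercise log (illustrative, not real data): one record per Red Team action.
# 'detected' / 'resolved' are None where the Blue Team has not yet reached that stage.
INCIDENTS = [
    {"id": "RT-01", "source": "EDR", "started": "2026-04-01T09:00:00",
     "detected": "2026-04-01T09:45:00", "resolved": "2026-04-01T13:45:00"},
    {"id": "RT-02", "source": "SIEM", "started": "2026-04-01T10:00:00",
     "detected": "2026-04-02T10:00:00", "resolved": "2026-04-02T16:00:00"},
    {"id": "RT-03", "source": "SIEM", "started": "2026-04-02T08:00:00",
     "detected": "2026-04-02T08:30:00", "resolved": None},
    {"id": "RT-04", "source": None, "started": "2026-04-03T08:00:00",
     "detected": None, "resolved": None},
]

def _minutes(start, end):
    """Elapsed minutes between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60

def mttd_minutes(incidents, source=None):
    """Mean time from attack start to detection. Undetected incidents are excluded,
    not counted as zero. Pass source="SIEM" or "EDR" to score one detecting tool."""
    deltas = [_minutes(i["started"], i["detected"]) for i in incidents
              if i["detected"] and (source is None or i["source"] == source)]
    return mean(deltas) if deltas else None

def mttr_minutes(incidents):
    """Mean time from detection to full resolution over incidents that have been closed."""
    deltas = [_minutes(i["detected"], i["resolved"])
              for i in incidents if i["detected"] and i["resolved"]]
    return mean(deltas) if deltas else None

def undetected(incidents):
    """Incident ids the Blue Team never caught; these matter more than any average."""
    return [i["id"] for i in incidents if not i["detected"]]
```

Note that the overall MTTD of 505 minutes hides a 24-hour miss on the SIEM side, which is why the per-source breakdown and the undetected list belong in the exercise report alongside the averages.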


A Red Team engagement helps you find answers to all these questions if you opt for security services; if your company instead chooses perimeter tools and technologies, then the technologies, processes, and analytical capabilities of advanced security and risk assessment tools do this work.