Here are six things to do before taking on a red team
Red team assessments are a great way to understand an organization’s detection and investigative capabilities. But good intentions can lead to less-than-great outcomes if you don’t do the right prep work. A red team will generate activity that looks similar to a targeted attack, so a little planning on your side will go a long way.
With this in mind, here are six things your Security Operations Center (SOC) should do before taking on a red team:
1. Articulate your objectives
Get clear on your objectives -- they set the direction of the engagement and define the ground rules. Worried that an attacker could gain access to a segmented part of your network? Nervous that someone could compromise credentials and spin up resources in Amazon Web Services (AWS)? Whatever your concerns are, write objectives that pressure test whatever worries you most.
Business-focused objectives often look like this:
● Break into a segmented part of your network.
● Obtain a VIP user’s credentials (CEO, CTO, IT Administrator, etc.).
● Access/exfiltrate customer data.
While these will drive the overall end-game for the red team, there is also a set of objectives that concern the organization’s ability to respond.
From a defensive perspective, some reasonable objectives include:
● Assess detection capabilities and identify gaps.
● Stress test response and remediation capabilities.
● Assess investigative capabilities in Windows and Linux environments.
● Assess investigative capability in the cloud.
2. Review your IR plan with the team
It’s critical to build “muscle memory” around your incident response (IR) process before a bad thing happens.
Review the plan with your team. This way everyone knows what to do, including how to communicate. One of the biggest challenges is getting over the adrenaline rush that comes with responding to an incident. Panic sets in and chaos will ensue the first couple of times you work through it. But as everyone gets more comfortable with the process and experiences some of those unknowns together, the response process will become a well-oiled machine, spurring team confidence instead of mass confusion.
3. Emphasize remediation
From the SOC’s side, the emphasis of a red team should be response. Talk about remediation ahead of time. Ask hard questions like, “What would we do if that account was compromised?”
Plan your response, know who to contact and then stress test your plans. If your SOC doesn’t have many reps responding to red team activity, remediation may happen without anyone considering the business impact.
Consider the following: The red team appears to be using the account “sql_boss” to move laterally. We should disable that account.
Red teams love service accounts. Service accounts typically have privileged access and are tough to reset, because their passwords are often embedded in service configurations, scheduled tasks and connection strings that all have to be updated at once.
In this scenario, disabling the account “sql_boss” would cause the red team some pain. But what else would it do? What does that account run? How is it used? Is it responsible for the back end of a business-critical application?
Should we disable this account? Can we disable this account right now? If the answer is “not yet,” what can we do in the meantime -- isolate the host the attacker is operating from, or block the logon type they’re abusing -- while the account’s owner is brought into the loop?
There are stories I could tell you about how this oversight caused pain for lots of companies.
The TL;DR is this: Do your homework, plan your response and talk about it ahead of time.
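The “sql_boss” scenario above comes down to one question: what would break if we disabled this account right now? Below is an added example (not Expel’s tooling or code from the original post) of the blast-radius triage a SOC can run before pulling that lever. It works over a handful of constructed records shaped like the fields of Windows Security events 4624 (logon) and 7045 (service installed); the dict keys, host names and the “sql_boss” account are assumptions for illustration. The point it makes is that the same telemetry that shows the red team’s RDP logon with the service account also shows the SQL servers and scheduled task that depend on it.

```python
"""Blast-radius check before disabling a suspect account.

Added example for this post; not Expel's tooling or code from the original
article. Event records are constructed to resemble the fields of Windows
Security events 4624 (logon) and 7045 (service installed); the dict keys
and the account/host names are assumptions for illustration.
"""
from collections import defaultdict

# Windows logon types, grouped by what they imply about how the account is used.
SERVICE_LOGON_TYPES = {4: "batch/scheduled task", 5: "service"}
INTERACTIVE_LOGON_TYPES = {2: "interactive", 10: "remote interactive (RDP)"}
NETWORK_LOGON_TYPE = 3

# Constructed sample events (not real telemetry). "sql_boss" is a service
# account; the RDP logon from a workstation is the kind of use a service
# account should never show, and exactly what a red team produces.
SAMPLE_EVENTS = [
    {"event_id": 4624, "account": "sql_boss", "host": "SQL01", "logon_type": 5},
    {"event_id": 4624, "account": "sql_boss", "host": "SQL02", "logon_type": 5},
    {"event_id": 4624, "account": "sql_boss", "host": "APP01", "logon_type": 4},
    {"event_id": 4624, "account": "sql_boss", "host": "FILE07", "logon_type": 3},
    {"event_id": 4624, "account": "sql_boss", "host": "WKS-JDOE", "logon_type": 10},
    {"event_id": 7045, "account": "sql_boss", "host": "SQL01", "service_name": "MSSQLSERVER"},
    {"event_id": 4624, "account": "jdoe", "host": "WKS-JDOE", "logon_type": 2},
]


def account_footprint(events, account):
    """Summarize where and how `account` is used.

    Returns a dict with:
      services:    host -> set of service names / non-interactive logon kinds
      interactive: host -> set of interactive logon kinds
      network:     hosts reached with network (type 3) logons
    """
    fp = {"services": defaultdict(set), "interactive": defaultdict(set), "network": set()}
    for e in events:
        if e["account"].lower() != account.lower():
            continue
        host = e["host"]
        if e["event_id"] == 7045:
            fp["services"][host].add(e["service_name"])
        elif e["event_id"] == 4624:
            lt = e["logon_type"]
            if lt in SERVICE_LOGON_TYPES:
                fp["services"][host].add(SERVICE_LOGON_TYPES[lt])
            elif lt in INTERACTIVE_LOGON_TYPES:
                fp["interactive"][host].add(INTERACTIVE_LOGON_TYPES[lt])
            elif lt == NETWORK_LOGON_TYPE:
                fp["network"].add(host)
    return fp


def disable_decision(events, account):
    """Decide whether `account` can be disabled right now.

    Returns (safe_to_disable_now, dependencies, interactive_use). Any
    dependency means "not yet": find the owner of those systems first and
    contain the suspicious use another way (isolate the host, block the
    logon type) in the meantime. For a service account, interactive_use is
    itself a red flag worth chasing.
    """
    fp = account_footprint(events, account)
    dependencies = sorted(
        f"{host}: {', '.join(sorted(kinds))}" for host, kinds in fp["services"].items()
    )
    interactive_use = sorted(
        f"{host}: {', '.join(sorted(kinds))}" for host, kinds in fp["interactive"].items()
    )
    return (not dependencies, dependencies, interactive_use)


if __name__ == "__main__":
    safe, deps, inter = disable_decision(SAMPLE_EVENTS, "sql_boss")
    print("safe to disable now:", safe)
    for d in deps:
        print("  depends on it:", d)
    for i in inter:
        print("  interactive use (unexpected for a service account):", i)
```

Run against real data, the events would come from your SIEM or EDR rather than an inline list, and the “dependencies” list is the thing you take to the application owner before anyone touches the account. Note that the check says nothing about whether the activity is the red team; that is a separate question.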
4. Set expectations
Your blue team just spotted a bad guy moving laterally via Windows Management Instrumentation (WMI) to dump credentials on a server? Great find! Will you let them know it is an authorized red team?
There are many schools of thought on how to assess the response to a red team. Some organizations prefer not to tell their defenders, while others prefer to operate more openly in the purple team model. Regardless, there will be a moment between detection of the initial activity and the recognition that it is authorized red team activity, and you’ll want to plan for it. Your SOC will think this is a real threat, and your playbooks for a real threat will (hopefully) be followed.
5. Chat with your MSSP/MDR
Use a managed security service provider (MSSP) or managed detection and response (MDR) provider? Make sure you understand their approach to responding to red team activity. It’s likely that assessing how your MSSP/MDR performs in this scenario is one of the goals of your exercise, which is great. But understand what you should expect before you get started.
At Expel, I like to treat red team engagements as a real threat to exercise our analysts’ investigative muscle, and also to showcase and test our response process. This helps build confidence between us and our customers. It also helps them understand how we’ll communicate with them -- via Slack, email, PagerDuty or something else -- when there’s an incident in their environment.
6. Have a “bat phone” to the red team
So, your MDR or SOC just spotted activity they believe is the red team. Don’t assume that’s the case -- verify it’s the red team using evidence. Do the source addresses, accounts, targets and timing match the rules of engagement you agreed on? You’d be surprised at how often the lines get crossed when the actions taken during an assessment don’t line up with what was documented and in scope. The quicker those actions are confirmed, the happier everyone is when they discover that they’re not dealing with an actual threat.
Most SOCs won’t stand down until this is confirmed -- case in point, my teams have waited more than 12 hours in the past to get confirmation that something we identified was related to an authorized test. That’s a lot of energy expended on both ends.
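“Verify it’s the red team using evidence” is easier when the rules of engagement are written down in a form you can check against. The following is an added example (not Expel’s code or anything from the original post) of that deconfliction check: each observation is compared with the agreed engagement window, red team source networks, in-scope hosts and authorized techniques, and anything that does not fit gets escalated as a possible real threat. The ROE structure, the observed-activity records and the network ranges are constructed for illustration; your real ROE is whatever you and the red team signed.

```python
"""Deconfliction check: does observed activity fit the red team's rules of
engagement (ROE)?

Added example for this post, not code from Expel or the original article.
The ROE structure and the observed-activity records are constructed for
illustration; field names and addresses are assumptions.
"""
import ipaddress
from datetime import datetime

# Constructed rules of engagement (assumed shape). Addresses are documentation
# ranges, not real red team infrastructure.
ROE = {
    "window": (datetime(2024, 5, 1), datetime(2024, 5, 15, 23, 59, 59)),
    "source_networks": [
        ipaddress.ip_network("203.0.113.0/24"),
        ipaddress.ip_network("10.50.0.0/16"),
    ],
    "in_scope_hosts": {"SQL01", "SQL02", "APP01"},
    "techniques": {"wmi_lateral_movement", "credential_dumping"},
}

# Constructed observations (not real telemetry). Only the first one matches
# the ROE on every field; the others each break it in a different way.
OBSERVED = [
    {"ts": datetime(2024, 5, 3, 14, 22), "src_ip": "203.0.113.17",
     "dst_host": "SQL01", "technique": "wmi_lateral_movement"},
    {"ts": datetime(2024, 5, 3, 14, 40), "src_ip": "198.51.100.9",
     "dst_host": "SQL01", "technique": "wmi_lateral_movement"},
    {"ts": datetime(2024, 5, 4, 9, 5), "src_ip": "10.50.3.4",
     "dst_host": "HR-DB01", "technique": "credential_dumping"},
    {"ts": datetime(2024, 5, 20, 1, 0), "src_ip": "203.0.113.17",
     "dst_host": "APP01", "technique": "data_exfiltration"},
]


def check_against_roe(obs, roe):
    """Return the list of ways `obs` does NOT fit the ROE.

    An empty list means the activity is consistent with the agreed scope.
    It does not prove the red team did it; that still needs confirmation
    from the red team itself.
    """
    mismatches = []
    start, end = roe["window"]
    if not (start <= obs["ts"] <= end):
        mismatches.append("outside engagement window")
    src = ipaddress.ip_address(obs["src_ip"])
    if not any(src in net for net in roe["source_networks"]):
        mismatches.append(f"source {obs['src_ip']} not in red team source networks")
    if obs["dst_host"] not in roe["in_scope_hosts"]:
        mismatches.append(f"target {obs['dst_host']} not in scope")
    if obs["technique"] not in roe["techniques"]:
        mismatches.append(f"technique {obs['technique']} not authorized")
    return mismatches


def triage(observations, roe):
    """Label each observation 'consistent' (ask the red team to confirm) or
    'escalate' (treat as a real threat until proven otherwise)."""
    results = []
    for obs in observations:
        mm = check_against_roe(obs, roe)
        results.append({
            "obs": obs,
            "status": "consistent" if not mm else "escalate",
            "mismatches": mm,
        })
    return results


if __name__ == "__main__":
    for r in triage(OBSERVED, ROE):
        o = r["obs"]
        print(f"{o['ts']:%Y-%m-%d %H:%M} {o['src_ip']} -> {o['dst_host']} "
              f"[{o['technique']}]: {r['status']}")
        for m in r["mismatches"]:
            print("    ", m)
```

The useful output is the “escalate” rows: an attacker operating from an address the red team never documented, or a red team that drifted out of scope, both look identical to the SOC until someone picks up the bat phone. A row that comes back “consistent” still goes to the red team for confirmation; the check just tells you which rows you can afford to wait on.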
Parting thoughts
Red team assessments come in all shapes and sizes. They’re essential for understanding not only your overall security posture but also your team’s level of response readiness. If you’re in a position to influence how a red team assessment is organized, talk about these points not only internally but with the red team you’ve selected to carry out the assessment, as well as the SOC, MSSP or MDR you’ll be relying on to play defense.
Do some quick planning and expectation setting before you run your red team exercise. That prep work will save you headaches down the road and will create an overall better experience for everybody involved.
About the author: Jon Hencinski is the Director of Global Security Operations at Expel, which is a transparent SOC-as-a-service provider out of Herndon, VA.