Red Team: penetration testing teamwork

    This article discusses teamwork, tools and methodologies for conducting Red Team operations. A Red Team operation is the most realistic way to simulate an attack by a group of professional external intruders in order to identify infrastructure vulnerabilities.

    Red Team vs Blue Team

    The term Red Team came from the military environment and defines a “friendly” attacking team. In contrast, there is a team of defenders - the Blue Team.

    The difference between Red Team operations and a classic pentest lies primarily in how the work is regulated and in who leads on the protected side. A "classic" pentest also commonly uses whitelists, a time limit for the work, and a defined level of interaction with the system. In a Red Team operation there are practically no restrictions: a real attack is carried out against the infrastructure, from attacks on the external perimeter to attempts at physical access and "hard" sociotechnical techniques (not merely recording that a link was clicked but, for example, obtaining a full reverse shell).

    The goal of the Blue Team is to defend the infrastructure blind: the defenders are not warned about the attack and cannot tell it apart from a real one. This is one of the best ways to test both the defense systems and the specialists' ability to detect and block attacks and subsequently investigate incidents. After the operation is completed, the attack vectors that were used must be compared with the recorded incidents in order to improve the infrastructure protection system.

    The Red Team approach is most closely related to a targeted attack, an APT (Advanced Persistent Threat). The Red Team should consist of experienced professionals with extensive experience both in building IT / IS infrastructure and in compromising systems.

    What distinguishes Red Team operations:

    • Duration. Attacks can be carried out over several months.
    • Hardcore. Attackers can have a rather harsh impact on the infrastructure, which can lead to the failure of some of its components.
    • Lack of familiar penetration testing patterns. (Case study: while bypassing the ACS at one of the audited facilities, the team removed office equipment containing critical data from the company premises, naturally in coordination with the work manager.)

    Red Team means attempts to gain access to the system by any means: penetration testing; physical access; testing communication lines, wireless and radio-frequency systems; and testing employees with social engineering scenarios.

    The Red Team concept makes penetration testing as realistic as possible.

    Team approach

    A Red Team is similar to a military operation: the goals or targets of the attack, the areas of responsibility and the roles of team members are determined in advance. Often an insider acts as a team member, passing data from inside the company or performing auxiliary functions.

    A clear distribution of roles, together with systems for operational interaction and data analysis, defines several roles, much like a sniper or a medic in a military unit:

    • team leader - leadership;
    • field operatives - the active phase of the attack;
    • insiders - this role may be absent;
    • analysts - analysis and normalization of the data.

    The choice of tools in a particular case may depend on the specifics of an application or service, and it differs only slightly from conventional penetration testing. What Red Team operations do raise is the question of team interaction and of systematizing the results: the reports of various analysis tools and the vulnerabilities identified manually add up to a huge amount of information in which, without proper order and a systematic approach, something important can be missed or time can be lost on duplicates. Reports therefore have to be consolidated, normalized and brought into a single view.
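    The normalization step described above, as an added example that is not from the original article: findings from two scanners (constructed samples with assumed field names and placeholder CVE ids, not any vendor's real export format) are mapped onto one schema and de-duplicated on host/port plus a shared CVE or a matching title, so the analysts' single view has no doubles.

```python
"""Added example (not from the article): merge two scanners' findings into one de-duplicated view. Samples and field names are constructed."""
import re
SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}  # common scale
# Constructed rows as parsed from scanner A's CSV export (CVE ids are placeholders).
SCANNER_A = [
    {"Host": "10.0.0.5", "Port": "445", "Protocol": "tcp", "Risk": "Critical",
     "Name": "SMB Server Remote Code Execution", "CVE": "CVE-0000-0001"},
    {"Host": "10.0.0.5", "Port": "80", "Protocol": "tcp", "Risk": "Medium",
     "Name": "HTTP TRACE Method Enabled", "CVE": ""},
]
# Constructed rows from scanner B: same hosts, different field names and shapes.
SCANNER_B = [
    {"ip": "10.0.0.5", "port": "445/tcp", "threat": "High", "nvt": "SMB RCE",
     "cves": ["CVE-0000-0001", "CVE-0000-0002"]},
    {"ip": "10.0.0.5", "port": "80/tcp", "threat": "Medium", "cves": [],
     "nvt": "HTTP TRACE method enabled"},
    {"ip": "10.0.0.7", "port": "22/tcp", "threat": "Low", "cves": [],
     "nvt": "SSH Weak MAC Algorithms"},
]

def title_key(title):
    # Case- and punctuation-insensitive title, used to match findings with no CVE.
    return re.sub(r"[^a-z0-9]+", " ", title.lower()).strip()

def normalise(rows, source):
    """Map one tool's rows onto the common schema (int port, ordinal severity)."""
    for r in rows:
        if source == "A":
            host, port, proto = r["Host"], r["Port"], r["Protocol"]
            sev, title, cves = r["Risk"], r["Name"], {r["CVE"]} - {""}
        else:
            host, (port, proto) = r["ip"], r["port"].split("/")
            sev, title, cves = r["threat"], r["nvt"], set(r["cves"])
        yield {"host": host, "port": int(port), "proto": proto, "title": title,
               "severity": SEVERITY[sev.lower()], "cves": cves, "sources": {source}}

def merge(*tool_rows):
    """Merge (rows, source) pairs: same host/port/proto plus a shared CVE or title
    means one issue; union CVEs and sources, keep the worst severity."""
    merged = []
    for rows, source in tool_rows:
        for f in normalise(rows, source):
            for m in merged:
                if (all(m[k] == f[k] for k in ("host", "port", "proto"))
                        and (m["cves"] & f["cves"] or title_key(m["title"]) == title_key(f["title"]))):
                    m["cves"] |= f["cves"]
                    m["sources"] |= f["sources"]
                    m["severity"] = max(m["severity"], f["severity"])
                    break
            else:
                merged.append(f)
    return sorted(merged, key=lambda f: (-f["severity"], f["host"], f["port"]))
```

    Running merge((SCANNER_A, "A"), (SCANNER_B, "B")) collapses the five sample rows into three findings, two of them confirmed by both tools.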

    Typically, Red Team operations cover fairly large infrastructures that require the use of specialized tools:

    • Scanners and utilities for inventorying the perimeter, with the ability to divide work areas and report results.
    • Data processing systems for penetration testing.
    • Vulnerability analysis and management tools.
    • Systems for conducting socio-technical campaigns.

    Specialized software:

    The tools presented below have shareware or free versions. Some of them may not be available in a particular region because of export-policy restrictions.

    Cobalt Strike
    Cobalt Strike is a penetration testing framework. It is an advanced analogue of Armitage, which in turn is a GUI add-on for the Metasploit Framework. Its built-in scripting language allows attacks to be carried out most effectively.

    Dradis Framework
    The Dradis Framework is an open-source platform that simplifies collaboration and reporting in information security. Dradis is a standalone web application providing centralized storage of information. There are two versions: Community Edition (free) and Professional Edition (from $59). The Pro version has more functionality, including integration capabilities, a reporting system, support (including priority support), available methodologies, etc. Functionality can be extended with plugins / add-ons.

    Faraday IDE
    Faraday is a powerful collaboration environment for true multiplayer penetration testing. It supports ArchAssault, Arch Linux, Debian, Kali and OS X. It works in real time, instantly processing the results submitted by each pentester. The framework builds in the concept of gamification: specialists can measure their skills by the number and quality of the vulnerabilities they record.

    Nessus
    Nessus is one of the most popular vulnerability scanners, developed by Tenable Network Security. Until 2005 it was free open-source software; in 2008 a paid version of the product was released.

    OpenVAS
    OpenVAS (Open Vulnerability Assessment System, originally called GNessUs) is a framework of several services and utilities that allows you to scan hosts for vulnerabilities and manage the vulnerabilities found.

    SE Toolkit
    The Social Engineering Toolkit is a classic multi-tool for conducting sociotechnical attacks.

    An open-source phishing framework that allows large-scale phishing campaigns.

    Logstash / Elasticsearch / Kibana
    Solutions for a wide range of data collection, analysis and storage tasks.

    In the comments, I am ready to answer your questions, both on the presented software and on the implementation of Red Team operations.