
Red Team: An Appendage to Incident Response

As a former black hat, I can tell you that not all hackers are advanced, but we are all persistent threats. They are persistent because hacking is their passion. While most normies typically have conventional hobbies, hackers are fueled with a fervor equal to religious zeal. When that passion is compounded with a hacking addiction and an uncommonly high intellectual capacity, it really does not matter what incident response you have. This caliber of threat actor is armed with a complete understanding of cybersecurity in virtually every sense, namely, your security. This is why it is time to bring out the big guns.

A network is never inherently safe, regardless of who keeps vigil over it. If it is not connected to the internet and kept in a locked room where only one person has access, then it is totally safe.

I digress. For every smart network systems administrator, there are half a dozen kids that can code a script from memory, have a secret collection of 0 days, and are armed with firepower superior to at least a hundred Anonymous hacktivists. This is not an exaggeration.

Regardless of the skill level of the threat actor, the adage rings true — where there is a will, there is a way. Therefore, when I think about implementing a maximum effort toward an effective incident response plan, I cannot help but include the Red Team and Blue Team components that can and will raise the amplitude of the incident response.

Think about it. Instead of merely pursuing security event and incident management and triaging security incidents, imagine implementing a completely offensive security element aimed at staging unscheduled security threats. This is beneficial because it allows your team to have a holistic understanding of the network in the broader sense, incorporating an adversarial factor.

Red Teaming and Why It Is Important

Integrating a Red Team allows the organization to obtain a view of the company from the perspective of the threat actor. This should not only encompass remote attacks but also local, physical insider threats, such as testing physical access controls, to ensure they cannot be abused or manipulated in some way by employees, vendors, or members of the public.

Over a decade ago, I used to work in a building that was armed to the teeth with access controls such as biometric and RFID identification systems. But the facility had two critical, vulnerable entry points. The front and back sliding glass doors were never locked, even when guarded by a night security guard.

The emergency stairway had an access control that could be bypassed if the actor pulled the door handle. If this happened, the lock would catch, triggering the alarm. The alarm sounded for 15 seconds before the lock was released, granting access to the stairway.

As the security officers did their rounds, a threat actor could easily slip inside and break into the facility. I was the insider threat, and I reported it to my superiors. The door was never secured.

Nevertheless, conducting unannounced, real-world attacks should trigger the Incident Response team if they are keeping a sharp weather eye on security alerts. Additionally, it is important to note that attacks can appear unobtrusive.

Moreover, you have to crave the art of cyber warfare and strive for superior security on par with the same passion that drives us to break it. That is ultimately how you begin to think like the enemy.

Without a mind that pushes the boundaries of achieving anti-security, moved by the thrill of the hunt, you cannot truly appreciate security itself. Security and anti-security exist as a dichotomy, and yet they exist in a binary relationship because one cannot exist without the other, like energy and matter.

It is interesting to point out that the origin of an attack can be spoofed and can otherwise seem innocuous to a network security analyst because it masquerades as traffic from a trusted source. But a competent incident responder, thinking like a hacker, can interpret the activity as suspicious and flag it for further analysis.

Sometimes, this was how I used to hack into systems over poorly secured network protocols, by creating as little network noise as possible. Evading firewalls, web application firewalls (WAF), or Intrusion Detection Systems (IDS) was not particularly difficult.

That is because the network admins of practically every system I have ever broken into never noticed the attack unless I got sloppy and left evidence that an intrusion had taken place. There are plenty of IDS, WAF, and firewall bypassing scripts anyone can download for free.

Regardless of the attack methods, this is all the more reason for the Red Team component to create simulated scenarios for incident responders to gain direct experience in combating realistic threats. Even exercises like these are a lesson in sharpening the readiness to go to war against malicious hackers.

Red Team in Action

The first step taken by all threat actors is reconnaissance. This means we need to assess the types of vulnerabilities extant on the network. This involves more than merely firing up the old port scanner.

We have to find network services, enumerate a list of network applications, and look at the whole network as a macrocosm with a possible variety of attack vectors. While one Red Teamer might locate your employee portal and find a cross-site scripting (XSS) flaw allowing them to inject code that exposes the username and password table, another might attempt a phishing campaign after enumerating a list of company emails obtained from a scan.

Still another might discover an old forum thread cached on Google where a former employee discussed sensitive password management details used by the company. If any of the employee emails appear in a breach report database, the attacker could gain password examples and try them in the employee portal to attempt access to internal resources.

A common security vulnerability I have discovered is companies using RF scanners connected to Telnet or Remote Desktop Protocol. Telnet is an unencrypted and very insecure network protocol that is easily exploited, and Remote Desktop Protocol is rife with vulnerabilities. Both protocols can become entry points to the internal network, providing an avenue to pursue privilege escalation.
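The service inventory step of that reconnaissance is also the Blue Team's cheapest check. The following is an added example, not code from the original article: it parses a constructed scan inventory in nmap's grepable style (the host addresses and the risk notes are invented for illustration) and flags open Telnet and RDP services as the kind of internal-network entry points described above, so they can be prioritized for remediation before a Red Teamer finds them.

```python
"""Flag cleartext and remote-desktop services in a scan inventory."""
import re
from dataclasses import dataclass

# Constructed sample in nmap "grepable" (-oG) style; hosts are not real.
SCAN_OUTPUT = """\
Host: 10.0.5.21 ()  Ports: 23/open/tcp//telnet///, 80/open/tcp//http///
Host: 10.0.5.22 ()  Ports: 3389/open/tcp//ms-wbt-server///
Host: 10.0.5.23 ()  Ports: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 10.0.5.24 ()  Ports: 23/filtered/tcp//telnet///, 3389/open/tcp//ms-wbt-server///
"""

# Services the article calls out as common internal-network entry points,
# with a remediation note (assumed guidance, not from the article).
RISKY_SERVICES = {
    "telnet": "cleartext credentials and session; replace with SSH or a VPN-only path",
    "ms-wbt-server": "RDP exposed; require NLA and MFA, restrict to a jump host",
}

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    reason: str

# One port entry: "<port>/<state>/tcp//<service>///"
PORT_RE = re.compile(r"(\d+)/(\w+)/tcp//([^/]*)///")

def parse_scan(text):
    """Yield (host, port, state, service) for every port entry in the inventory."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        for port, state, service in PORT_RE.findall(line):
            yield host, int(port), state, service

def flag_entry_points(text):
    """Return findings for open Telnet/RDP services, sorted by host and port.

    Filtered ports are skipped: they are not reachable entry points as scanned.
    """
    findings = [
        Finding(host, port, service, RISKY_SERVICES[service])
        for host, port, state, service in parse_scan(text)
        if state == "open" and service in RISKY_SERVICES
    ]
    return sorted(findings, key=lambda f: (f.host, f.port))

if __name__ == "__main__":
    for f in flag_entry_points(SCAN_OUTPUT):
        print(f"{f.host}:{f.port} {f.service}: {f.reason}")
```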

The list of possibilities is endless. While these activities create security incidents, there is still the aspect of fixing the underlying security vulnerabilities. All of these compounded into a single organism create a formidable incident response team capable of handling cyber threats of any variety.

In the words of Aristotle, “We are defined by what we do repeatedly, therefore, excellence is a habit, not an act.”

An article by

Jesse McGraw

Edited by

Anne Caminer
