While no one can predict if and when a cyber attack will take place, a red team exercise is as close as an organization can get to understanding its full level of preparedness. Red team exercises conducted by certified ethical hackers are key to uncovering hidden vulnerabilities and addressing them before they impact a company’s cyber resilience.
By simulating the adversarial stance and tactics used by threat actors, red team exercises significantly advance organizational insight into potential threats. This article outlines the value of a proactive approach to security, the benefits delivered by red team exercises and the specific ways in which red teaming services contribute to reduced risk and enhanced cyber resilience in today’s threat landscape.
What is a Red Team Exercise?
Red teaming is a full-scope, goals-focused adversarial simulation exercise that incorporates physical, electronic and social forms of attacks. As well as testing electronic attacks by targeting web applications and network infrastructure, red teaming should also include social and physical attacks that test staff, their adherence to policies, and the security measures in place in an organization’s premises.
As a form of offensive security, red team exercises leverage a black-box methodology which means that engagements accurately reflect the mindset and tactics of attackers. However, unlike genuine cyber attacks, they are non-destructive and non-disruptive. Organizations can ensure that their assessment meets the highest technical, legal and ethical standards by choosing a proven and highly accredited red teaming services provider.
What Are the Objectives of Red Team Exercises?
Red team exercises enable organizations to achieve critical security objectives, including:
- Simulating real-world cyber attack conditions to test cyber security defenses
- Testing the effectiveness of security technology, people and processes
- Identifying and classifying a wide range of security risks
- Improving detection and response procedures
- Uncovering weaknesses missed by other forms of testing
- Addressing risks and mitigating vulnerabilities
While the overarching goals of red teaming are generally the same, each assessment is usually carefully planned around a specific issue or aim. This could be a focus on gaining access to a segmented environment that holds sensitive data, compromising a company director’s account credentials, gaining physical access to a server room or sensitive location, or bypassing specific security controls, such as endpoint detection and response (EDR), data loss prevention or email security controls.
Why Conduct a Red Team Exercise?
Red team exercises help organizations to advance their information security controls in a number of important ways: safely and securely simulating real-life attacks, providing a comprehensive review of security controls, raising security awareness and gauging the effectiveness of incident response programs.
Red teaming tests your organization against the top threats facing your particular industry, whether that’s a data breach, a sophisticated ransomware attack, or an attack from nation-state actors. While it’s best to test against different types of attacks, what industry you work in will decide which type of attacks you should prioritize when it’s time to test. A good partner will help you figure out what you should be testing against based on your business needs.
Red Team Exercise Metrics
A red team exercise should involve techniques modeled after real-life threats to a specific industry to test an organization’s ability to prevent, detect and respond to real-world attacks. The assessment should provide tangible data for understanding and communicating an organization’s abilities to detect and eradicate a particular threat affecting it.
A well-executed red team engagement should go beyond an attack simulation. The report resulting from the assessment should be actionable, providing data and metrics designed to inform executive decision-making about future security spend. Alongside a complete list of findings and remediation advice, a report that concludes a red team exercise should contain the following metrics:
- A “heat map” of an organization’s detection and protection maturity, mapped to individual attacker tactics, techniques, and procedures (TTPs)
- An analysis of which tools an organization uses, which TTPs each tool should catch, and any identified execution or coverage gaps
- Mean Time to Detection
- Mean Time to Remediation
- The eradication success rate
These metrics are vital because they can inform better decision-making around security, for example, whether to buy new products, fine-tune existing products or invest in hiring or training.
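As an added illustration that is not part of the original article, the following Python computes the report metrics listed above from a set of constructed engagement records. The record layout, the per-tactic heat map shape and the ATT&CK-style technique IDs are assumptions; note that MTTD is averaged only over detected TTPs, while undetected ones are reported separately as coverage gaps.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class TTPResult:
    """One red-team technique execution and the blue team's response to it."""
    technique: str                            # technique label (assumed: MITRE ATT&CK ID)
    tactic: str                               # tactic the technique belongs to
    executed_at: datetime                     # when the red team ran it
    detected_at: Optional[datetime] = None    # None = never detected (coverage gap)
    remediated_at: Optional[datetime] = None  # None = never remediated
    eradicated: bool = False                  # was the resulting access fully removed?

def _mean_delta(deltas):
    """Average a list of timedeltas; None when there is nothing to average."""
    return sum(deltas, timedelta()) / len(deltas) if deltas else None

def mean_time_to_detect(results):
    """MTTD over detected TTPs only; undetected ones are gaps, not infinite delays."""
    return _mean_delta([r.detected_at - r.executed_at for r in results if r.detected_at])

def mean_time_to_remediate(results):
    """MTTR runs from detection to remediation, over TTPs that reached both."""
    return _mean_delta([r.remediated_at - r.detected_at
                        for r in results if r.detected_at and r.remediated_at])

def eradication_success_rate(results):
    """Fraction of executed TTPs whose resulting access was fully eradicated."""
    return sum(r.eradicated for r in results) / len(results)

def detection_heat_map(results):
    """Per-tactic detection rate: the 'heat map' of detection maturity."""
    by_tactic = {}
    for r in results:
        by_tactic.setdefault(r.tactic, []).append(r)
    return {t: sum(1 for r in rs if r.detected_at) / len(rs) for t, rs in by_tactic.items()}

def coverage_gaps(results):
    """Techniques that were never detected: the coverage gaps the report should list."""
    return [r.technique for r in results if r.detected_at is None]

T0 = datetime(2024, 5, 6, 9, 0)
SAMPLE = [  # constructed engagement records, not real data
    TTPResult("T1566.001", "Initial Access", T0, T0 + timedelta(minutes=30), T0 + timedelta(hours=2), True),
    TTPResult("T1059.001", "Execution", T0 + timedelta(hours=1), T0 + timedelta(hours=1, minutes=10), T0 + timedelta(hours=3), True),
    TTPResult("T1003.001", "Credential Access", T0 + timedelta(hours=4)),  # never detected
    TTPResult("T1021.002", "Lateral Movement", T0 + timedelta(hours=5), T0 + timedelta(hours=6, minutes=20)),  # detected, not remediated
]
```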
Red Teaming vs Penetration Testing
While red team testers simulate the behavior of real threat actors, concealing their movements as much as possible and trying to get as far into the target systems as they can, penetration testing focuses on exploiting the vulnerabilities of only one specific system or set of systems in order to test the resilience of the technology in place.
Senior management teams alone are aware of when a red team exercise is being performed, while the majority of the IT team will be unaware that what’s happening is a drill and not a real attack. Penetration testing is usually chosen to evaluate systems, while a red team exercise provides an evaluation of the defenses as a whole, covering technical controls, processes and training.
As pen testing and red teaming are complementary, an organization should make both a part of their security strategy. Frequency and intensity should be defined by the specific industry and the current threat landscape. However, organizations with a mature security posture often conduct regular red teaming exercises and engage in continuous penetration testing.
Red Teaming and Data Breaches
The average cost of a data breach in the U.S. rose from $4.45m USD to $4.88m USD, according to IBM’s 2024 Cost of a Data Breach Report. Red team exercises play a vital role in defending against data breaches by fine-tuning detection and protective controls and security employees’ response skills. An organization’s internal security team is the blue team, focused on detecting and stopping the red team’s adversary emulation during the simulated attack.
Red Teaming and Ransomware
Ransomware is a key threat because attacks are continuously becoming more sophisticated and harder to stop. It is particularly dangerous for industrial organizations under pressure to meet tight deadlines and with a central role in the supply chain. Much of the impact of ransomware can be reputational—with other organizations less likely to work with a company that has been proven unprepared for this type of attack. Criminals recognize that manufacturers in particular need to keep their business moving at a consistent pace, leading to a steady increase in ransomware attacks against them. While penetration testing is a good tool, organizations won’t know for sure if their defenses are effective without running red teaming exercises.
Red Teaming and Nation-State Actors
Nation-state actors pose another significant threat. Unlike ransomware attacks and data breaches, which are motivated by financial gain, these types of attackers are driven purely by the desire to cause damage. This is why they frequently focus on critical infrastructure, with the goal of disrupting or disabling systems to gain leverage or achieve strategic goals. They use every technique and tool they have to simply disrupt and break a system instead of exfiltrating data or locking it down to demand a ransom. Because of this, red teaming is essential for organizations that are a likely target for nation-state threat actors. With so much at stake, the breadth of red teaming alone delivers a precise perspective on an organization’s security posture.
Maximizing the Impact of a Red Team Exercise
An organization should meet a certain minimum level of maturity in order to get the most value out of a red team exercise. It should have alerting, logging, and monitoring in place—either in-house or through a managed security service provider (MSSP). The business should have some idea of the TTPs that can be detected in its environment. Vulnerability management and patching programs should also be in place.
Budget may also be an important factor because full-scope red team engagements tend to be longer than traditional penetration testing engagements. An organization should never feel obliged to choose a full-scope red team exercise just because it aligns with a specific offering from a potential vendor. A prospective red teaming vendor should adapt and work with an organization in a way that fits with its current level of maturity and its budget.
Kroll’s Role in Red Teaming
At Kroll, our cyber risk assessments are informed by our extensive data breach prevention experience and expertise. We perform security assessments for a global client base spanning almost every industry and government agency. Through services such as red team exercises, we help organizations to identify potential vulnerabilities and put in place robust security practices in response.
A red team exercise from Kroll fully assesses the ability of security controls, personnel and processes to detect and respond to highly targeted attacks. Our team evaluates organizations’ response to an attack, helping them to identify and classify security risks, uncover hidden vulnerabilities and address identified exposures. Our red team experts leverage field-tested techniques, industry best practices and the best commercial and proprietary technologies. These enable us to:
- Identify, monitor, and analyze vulnerabilities in organizations’ information security systems
- Enable companies to identify the best methods to manage or resolve data security risks
- Uncover potential data privacy and security compliance issues that may have been previously overlooked
- Outline remediation steps as part of an effective data security plan that addresses organizations’ security and business goals
From ex-Interpol and FBI agents to former corporate security directors to cyber investigators to forensic computer scientists, our team includes career security professionals with experience in high-stakes investigations as well as individuals skilled in working with sophisticated tools and cutting-edge technology. Our experts are Certified Information Systems Auditors, Certified Information Security Managers, Certified Information Systems Security Professionals and Certified Ethical Hackers.
Case Study: Helping an International Trade Organization Comply With Industry Security Mandates
A three-month-long, covert and exhaustive Kroll red team exercise revealed significant and fundamental information security risks within an international trading organization. The insight enabled the organization to prioritize security projects and improve board-level confidence in its ability to avert and detect breaches.
Through the red team exercise, Kroll’s experts identified a particular exposure to phishing attacks and failures in the company’s access permissions, which could be exploited to disrupt multi-million-dollar trading transactions. They also uncovered configuration issues in intrusion detection systems and a large number of false alerts, as well as the use of weak security passwords by the company’s employees.
A lack of active monitoring of the internal network meant that once Kroll had successfully infiltrated it, there was no likelihood of discovery. Kroll also identified that the company’s responses to suspicious incidents were inadequate. As a result, the firm’s information security and executive leadership undertook an incident response tabletop exercise to fine-tune their incident response plan.
Reap the Rewards of Red Team Exercises With Kroll
Red team exercises delivered by Kroll are fueled by frontline intelligence gained through our status as an incident response leader, handling over 1,000 incidents worldwide every year. We apply a systematic approach, using our extensive knowledge of data security to test organizations’ cyber security controls and incident response procedures. Our team of ethical hackers possesses the skills and experience to identify and leverage the latest threats, ensuring that your defensive controls are put to the test, and enhancing your long-term cyber resilience. Our red teaming experts are certified to the highest level, including Offensive Security Certified Professional (OSCP), CREST Registered Penetration Tester, CREST Certified Infrastructure Tester, Azure Security Specialist Cert, AWS Security Specialist Cert, GIAC Penetration Tester (GPEN) and Certified Red Team Operations Professional (CRTOP).
Because red teaming revolves around real-world scenarios, it can only be effective if the people testing your systems are simulating TTPs that are relevant to the current landscape. Attackers are constantly evolving: a red team needs to keep up. Conducting a red team exercise using an out-of-date methodology can be dangerous as it creates the risk of thinking critical assets are protected when they are not. This is why Kroll maintains a dedicated Red Team R&D group—to ensure we are always testing using the latest tools and techniques.