The red team: Getting inside the attacker’s head

Discover the gaps in your security framework by thinking and acting like a hacker.

By: Matthew Lorentzen, Principal Security Consultant at Trustwave, a Singtel company. Lorentzen is an expert Red Teamer and penetration tester at Trustwave SpiderLabs® and takes us on a journey through the mind of the attackers and what enterprises can do to think like one, act like one, and ultimately plug the gaps in their security framework.

Cyber attackers act with malicious intent – to access sensitive data or intellectual property, hinder financial operations, or damage assets and reputation. How, then, can your business foil the attacker’s plan? By thinking and acting like them, by adopting an organised, combative fighter’s mindset – and this is Red Teaming.

The idea of the Red Team is to work with organisations to assess their detection capabilities against real-world attack scenarios. This includes penetration testing and building on existing platforms to test realistic attack vectors, identifying the gaps in processes, people and technologies, in order to emulate real-world threats. Physical security is also part of this, alongside the technological controls and breach parameters.

The challenge

Probably the biggest challenge for a Security Operations Centre (SOC) is to be able to isolate and identify the things they need to be aware of among the hundreds of thousands of events hitting the SIEM. As “attackers”, the Red Team can take advantage of that, because we can nestle inside that noise.

It takes a mature organisation to drill down into the types of things that they’re actually interested in. For example, what’s a benign action that a user takes, in comparison to what could be considered a malicious attack? From that perspective, it can be a real challenge for Blue Teams (internal SOC agents, for example) to get enough insight into user actions within the organisation to separate out insider threats from routine operations.

There can be process disparities that end up as windows of opportunity, as vectors get delivered through those gaps. Responding in an effective manner and the amount of time it takes for that to happen are key issues: this involves measuring the time from the initial point of entry to when the incident is detected and how quickly it is responded to by the SOC.
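
The two problems described in this section, the volume of SIEM events and the need to tell a routine user action from a suspicious one, are usually attacked by baselining what each user normally does and surfacing only the deviations. The following Python script is an added illustration written for this article, not code from the author or from Trustwave; the log format and the sample events are constructed, and the three rules (new source country, login outside the user's usual hours, a burst of failures followed by a success) are a minimal example of the kind of tuned detection the text refers to, not a complete detection set.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events in a SIEM-like line format
# (not real data): "<ISO timestamp> <user> <source country> <outcome>".
BASELINE_EVENTS = [
    "2025-03-03T09:02:11 alice SG success",
    "2025-03-03T09:15:40 bob SG success",
    "2025-03-04T08:58:03 alice SG success",
    "2025-03-04T09:20:17 bob SG success",
    "2025-03-05T09:05:55 alice SG success",
    "2025-03-05T18:40:00 bob SG failure",
    "2025-03-05T18:40:20 bob SG success",
]

# Today's events: mostly routine, with two patterns an analyst would want to see.
NEW_EVENTS = [
    "2025-03-06T09:01:30 alice SG success",  # routine
    "2025-03-06T02:14:09 alice RO success",  # new country for alice, outside her usual hours
    "2025-03-06T09:30:00 bob SG failure",
    "2025-03-06T09:30:05 bob SG failure",
    "2025-03-06T09:30:10 bob SG failure",
    "2025-03-06T09:30:14 bob SG failure",
    "2025-03-06T09:30:19 bob SG success",    # burst of failures followed by a success
]


def parse_event(line):
    """Split one log line into a dict with a parsed timestamp."""
    ts, user, country, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "country": country, "outcome": outcome}


def build_baseline(lines):
    """Learn, per user, the countries and hours of day seen on successful logins."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for e in map(parse_event, lines):
        if e["outcome"] == "success":
            baseline[e["user"]]["countries"].add(e["country"])
            baseline[e["user"]]["hours"].add(e["ts"].hour)
    return dict(baseline)


def score_events(baseline, lines, fail_burst=3, window_seconds=60):
    """Return only the events that deviate from the baseline, each with its reasons."""
    flagged = []
    recent_failures = defaultdict(list)  # user -> timestamps of failures not yet resolved
    for e in map(parse_event, lines):
        reasons = []
        profile = baseline.get(e["user"])
        if profile is None:
            reasons.append("unknown_user")
        else:
            if e["country"] not in profile["countries"]:
                reasons.append("new_country")
            if e["ts"].hour not in profile["hours"]:
                reasons.append("off_hours")
        if e["outcome"] == "failure":
            recent_failures[e["user"]].append(e["ts"])
        else:
            # A success preceded by a burst of failures within the window is worth a look.
            cutoff = e["ts"] - timedelta(seconds=window_seconds)
            burst = [t for t in recent_failures[e["user"]] if t >= cutoff]
            if len(burst) >= fail_burst:
                reasons.append("failure_burst_then_success")
            recent_failures[e["user"]].clear()
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for event, reasons in score_events(baseline, NEW_EVENTS):
        print(event["ts"].isoformat(), event["user"], ", ".join(reasons))
```

Of the seven events in the new batch, only two reach an analyst: alice's success from a country and hour she has never used, and bob's success that follows four failures in twenty seconds. The five routine events are still retained for investigation, but they no longer compete for attention, which is the separation of signal from noise the text describes.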

One of the main gaps — and therefore one of the main points of entry for malicious vectors — is login and authentication channels. Externally facing services that lack controls such as two-factor authentication (2FA) mean that if the Red Team can intercept credentials, it can gain a higher level of access to the environment through legitimate connections. And even when 2FA is in place, we can look to compromise those solutions. Red Teams have had success in bypassing such setups - not because the technology is ineffective, but because it is process-driven, and there are opportunities to circumvent or manipulate those processes to reach the requisite level of control.

Our Red Team’s work is driven by a combination of vast proprietary intelligence collected from research and a global network of ten SOCs, and open source intelligence such as the public profile of an organisation. Knowing the organisation’s target markets and third-party partners is very important when assessing what the potential attack vectors might be.

Common vulnerabilities and insider threats

Attackers now incorporate intelligence gathering to build deep knowledge of their targets. They spend time profiling an organisation and the technologies it has in place through public information such as job postings, social media and adverts. Organisations looking to respond to this need to know their perimeters, but also what they are trying to protect and the routes into it.

If your organisation has public-facing services with limited visibility of the traffic that routes to them, that is the first place to start. The exterior, or outer edge, of a network is often very well secured. But once past that first level, the barriers are potentially reduced, depending on factors such as the company resources dedicated to security and its overall security maturity.

This brings into play physical attacks and the insider threat, which we as Red Teams can emulate. If we adopt the ‘assume breach’ mentality, we assume that a device has already been compromised and ask: what does it look like when that device tries to make an outbound connection? Are there controls in place that would prevent this connection in the first place?
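
The two ‘assume breach’ questions above (what a compromised device's outbound connection looks like, and whether a control would have stopped it) can be answered against egress logs. The Python below is an added example written for this article, not code from the author or from Trustwave; the log format, hostnames, the 203.0.113.45 address and the allowlist are all constructed. It applies a default-deny egress policy to each connection and, separately, looks for the regular call-home rhythm of a compromised device, then reports whether the policy would already have blocked that flow.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed egress (proxy) log lines, not real traffic.
# Format: "<ISO timestamp> <source host> <destination> <port> <bytes out>".
EGRESS_LOG = [
    "2025-03-06T09:00:00 ws-17 updates.example-vendor.com 443 1200",
    "2025-03-06T09:00:05 ws-17 203.0.113.45 8443 310",
    "2025-03-06T09:01:05 ws-17 203.0.113.45 8443 305",
    "2025-03-06T09:02:05 ws-17 203.0.113.45 8443 312",
    "2025-03-06T09:03:05 ws-17 203.0.113.45 8443 308",
    "2025-03-06T09:03:40 ws-17 mail.example.com 443 9800",
    "2025-03-06T09:10:12 ws-22 intranet.example.com 443 4400",
    "2025-03-06T09:11:00 ws-22 cdn.example.net 443 20000",
]

# Constructed allowlist of destinations the business has approved.
EGRESS_ALLOWLIST = {"updates.example-vendor.com", "mail.example.com", "intranet.example.com"}


def parse_line(line):
    ts, host, dst, port, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "dst": dst,
            "port": int(port), "bytes": int(nbytes)}


def is_direct_ip(dst):
    """True when the destination is a bare IP rather than a resolved name."""
    try:
        ipaddress.ip_address(dst)
        return True
    except ValueError:
        return False


def policy_decision(event, allowlist, allowed_ports=(443,)):
    """Default-deny egress: only allowlisted names on permitted ports get out."""
    if is_direct_ip(event["dst"]):
        return "deny:direct_ip"
    if event["dst"] not in allowlist:
        return "deny:not_allowlisted"
    if event["port"] not in allowed_ports:
        return "deny:port"
    return "allow"


def find_beacons(events, min_samples=4, max_cv=0.2):
    """Flag flows whose connection intervals are too regular to be a person browsing."""
    flows = defaultdict(list)
    for e in events:
        flows[(e["host"], e["dst"], e["port"])].append(e["ts"])
    beacons = []
    for key, times in flows.items():
        if len(times) < min_samples:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0  # coefficient of variation
        if cv <= max_cv:
            beacons.append({"flow": key, "interval_s": mean, "cv": cv, "samples": len(times)})
    return beacons


def analyse_egress(lines, allowlist):
    """Return the flows the policy would deny and the beacon-like flows, cross-referenced."""
    events = [parse_line(line) for line in lines]
    denied = {}
    for e in events:
        decision = policy_decision(e, allowlist)
        if decision != "allow":
            denied[(e["host"], e["dst"], e["port"])] = decision
    beacons = find_beacons(events)
    for b in beacons:
        b["blocked_by_policy"] = b["flow"] in denied
    return denied, beacons


if __name__ == "__main__":
    denied, beacons = analyse_egress(EGRESS_LOG, EGRESS_ALLOWLIST)
    for flow, why in denied.items():
        print("would deny", flow, why)
    for b in beacons:
        print("beacon", b["flow"], f"every {b['interval_s']:.0f}s", "blocked" if b["blocked_by_policy"] else "NOT blocked")
```

The ws-17 flow to 203.0.113.45 is caught twice: the policy refuses a direct-to-IP connection outright, and the beacon check sees four connections exactly sixty seconds apart. The cdn.example.net entry is also denied, which is the realistic cost of default-deny egress: the allowlist needs maintaining, but a control that exists in the first place is what the second question in the text is asking about.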

Different verticals have specific vulnerabilities. In banking, most attackers are interested in gaining access to critical banking infrastructure, like SWIFT. In the hospitality industry, companies are often custodians of customer data, and attackers often try to track a targeted user’s movements and attempt to attack them via a potentially less secure connection such as hotel WiFi. These types of environments, with a wide variety of users logging in and out, provide pathways for social engineering. It’s the same with social media compromises: attackers sometimes use current public news stories or calendar events to support the legitimacy of a crafted social engineering attack.

It is difficult to solve the problem of the malicious insider completely, because it is the only part of the security posture that you cannot fully control. Security testing is normally delivered in a truncated time window; a determined attacker, without time restrictions, can spread their objectives out over a longer period of time. Role-based access controls and well-thought-out network segmentation can mitigate the risk somewhat, but ultimately, it’s a very difficult problem to solve, particularly if that user is a part of the organisation.

Essential red teaming takeaways

Red Teaming gives an internal security team the ability to test how effectively the organisation detects and responds to attacks. Most companies are intent on stopping the initial point of attack and can easily become ‘perimeter focused’, but in a more modern ‘assume breach’ model, the benefit is a shift in focus towards the proactive protection of data (at rest or in motion) and the impact of a potential data breach. SOC playbooks for response procedures, reporting chains and tuned detection and control capabilities can greatly help.

The most successful organisations realise that they have gaps in some of their security processes, and have a contingency plan for recovery. I’ve yet to meet a company that’s brave enough to flatline their entire Active Directory infrastructure and then restore it from scratch because they have a comprehensive solution that has been thoroughly tested to recover from that type of malicious outcome. However, should an attacker gain ‘Enterprise Level’ rights within an Active Directory infrastructure, recovery becomes considerably more complex.

It boils down to asking yourself: what is going to get your CISO out of bed at night? What is it that you are trying to protect, and do you know where it is in your network? If it is dispersed across a broad landscape, do you have visibility of where that data is, and if or when breaches happen, what is the response that maintains a focus on the perimeter whilst diverting resources and attention to the things you are actually trying to protect?

Speak to us to find out more about red teaming and the various cybersecurity strategies to keep your organisation secure.
