Cybersecurity is an ongoing battle between ethical hackers (white hats) and malicious hackers (black hats). As cyber threats continue to evolve, the demand for specialized services that help companies better prepare for real-world attacks also grows.

Traditional security measures like vulnerability assessments and penetration testing offer valuable insights into a company’s technical security weaknesses. However, they can miss the non-technical weaknesses (people, processes, physical access) that a real attacker would happily exploit, and they say little about whether the organization would notice and respond to a live intrusion. Conventional penetration testing is therefore effective at identifying risks and enabling proactive fixes, but it does not fully prepare an organization to respond to a determined adversary.

TryHackMe Red Team Fundamentals


Vulnerability Assessment and Penetration Tests

Vulnerability Assessments

Vulnerability assessments are the most basic form of security evaluation, primarily aimed at identifying as many vulnerabilities as possible across all systems within a network. To make the scan complete rather than realistic, the environment is usually adjusted in the scanner’s favour, for example by adding the scanning machine’s IP address to the allowlists of firewalls, IPS and EDR so those controls do not block or throttle it. This ensures a thorough review of each host’s security posture and gives a detailed picture of where a company should focus its remediation efforts.

In summary, vulnerability assessments involve scanning individual systems for security flaws, enabling organizations to pinpoint weaknesses and implement prioritized security measures. These assessments are largely automated and can be performed by personnel with minimal technical expertise.

Penetration Tests

Beyond identifying vulnerabilities, it’s crucial to understand how these weaknesses impact the network as a whole. Penetration tests build upon vulnerability assessments by simulating how an attacker could exploit these vulnerabilities to compromise the network. This process involves:

  1. Exploiting Vulnerabilities: Attempting to exploit discovered flaws to determine if existing security controls effectively block exploitation or if a system can be compromised.
  2. Post-Exploitation Actions: Investigating compromised systems to extract sensitive data or use them as a pivot point to access other systems within the network.

Penetration testing starts similarly to vulnerability assessments but goes further by demonstrating how vulnerabilities can be combined to achieve specific attack goals. While still focusing on identifying weaknesses and improving defenses, penetration tests assess how attackers could exploit the network’s interconnected systems.

Advanced Persistent Threats (APTs) and the Limits of Regular Penetration Testing

Standard security assessments like vulnerability scans and penetration tests can identify most technical vulnerabilities but fall short in fully preparing organizations for real-world attacks. Several key differences between penetration tests and actual attacks include:

  1. Penetration Tests Are Noisy: Pentesters typically don’t prioritize stealth, making their actions easily detectable. Real attackers, in contrast, strive to remain hidden.
  2. Non-Technical Attacks Are Often Ignored: Social engineering, phishing, or physical break-ins are usually excluded from traditional penetration testing.
  3. Security Relaxation: For efficiency, some security defenses may be disabled or weakened during testing. This allows pentesters to focus on identifying critical vulnerabilities rather than spending limited time bypassing complex security layers.

Real attackers, especially Advanced Persistent Threats (APTs), don’t operate under ethical guidelines. APTs are highly skilled, often state-sponsored or part of organized crime, and they target critical infrastructure, financial institutions, and government agencies. These groups are termed “persistent” because they can stay hidden within networks for months or even years.

Critical Questions for Companies:

  • Can the organization effectively detect and respond to an APT attack?
  • Would it recognize prolonged network intrusions?
  • How would it handle an attack that began with a phishing email or a zero-day exploit?
  • Do past penetration tests truly prepare the company for these advanced threats?

To address these challenges and provide more realistic attack simulations, Red Team Engagements were introduced.

Red Team Engagements

To address evolving cyber threats, red team engagements were developed to move beyond traditional penetration testing by evaluating how well an organization’s defensive team can detect and respond to real-world cyberattacks. Rather than focusing solely on identifying vulnerabilities for prevention, red team exercises test the effectiveness of detection and response strategies. These exercises are designed to complement—not replace—regular penetration tests.

The term “red teaming” originates from military training, where a designated red team simulates enemy tactics to challenge and assess the defense readiness of the blue team. In cybersecurity, red teams emulate the Tactics, Techniques, and Procedures (TTPs) of real attackers to gauge the blue team’s detection and response capabilities, ultimately improving security defenses.

Structure of a Red Team Engagement

Every red team engagement begins with clearly defined objectives, often called “crown jewels” or “flags,” such as compromising a critical system or exfiltrating sensitive data. The offensive operators form the red cell and the defenders the blue cell; a small white cell of trusted agents (client staff who know about the exercise) sets the rules of engagement, tracks progress and can step in if something goes wrong. Typically, the rest of the blue team is unaware of the exercise so that its response is not biased. The red team uses stealthy and evasive methods to achieve these goals, bypassing security measures such as firewalls, antivirus software, Endpoint Detection and Response (EDR), and Intrusion Prevention Systems (IPS).

Unlike traditional penetration tests, red team operations don’t focus on scanning every system for vulnerabilities. Similar to real attackers, red teams seek the most efficient path to their objectives, avoiding noisy activities that could alert defenders.

The goal isn’t for the red team to “defeat” the blue team but to expose gaps in detection and response. The insights gained allow the blue team to strengthen security controls and refine their reaction to actual threats.

Key Attack Surfaces Explored in Red Team Engagements

  1. Technical Infrastructure:
    • Identifying and exploiting technical vulnerabilities with a strong focus on stealth and evasion.
  2. Social Engineering:
    • Launching phishing campaigns, deceptive phone calls, or exploiting social media to manipulate employees into revealing sensitive information.
  3. Physical Intrusion:
    • Gaining physical access to restricted areas through tactics like lockpicking, RFID cloning, or exploiting weaknesses in access control systems.

Types of Red Team Exercises

  • Full Engagement:
    Simulates the complete attack lifecycle—from the initial breach to achieving the final objective—mirroring a real attacker’s workflow.
  • Assumed Breach:
    Starts with the premise that an attacker has already gained some level of access. For example, the red team may be provided with user credentials or direct access to a workstation inside the network. This allows for testing detection and response beyond the initial intrusion.
  • Tabletop Exercise:
    A discussion-based simulation where the red and blue teams walk through hypothetical attack scenarios to evaluate the organization’s response. This approach is ideal when live simulations are impractical.

Purpose and Benefits

The primary goal of a red team engagement is to help the blue team improve its ability to detect and respond to real threats. These exercises provide valuable insights that help refine security strategies and implement stronger detection mechanisms, ultimately enhancing the organization’s resilience against advanced attacks.

Engagement Structure: Adversary Emulation and Cyber Kill Chains

A fundamental role of the red team is adversary emulation, where they mimic real-world attackers by using similar tools, techniques, and methodologies to assess how well an organization can detect and respond to genuine threats. Though not required for every engagement, adversary emulation is widely adopted to replicate the behavior of actual threat actors within an environment.

To structure and evaluate these engagements, red teams often rely on various cyber kill chains, frameworks designed to map out the stages of a cyberattack. These frameworks help the red team plan attacks and align their Tactics, Techniques, and Procedures (TTPs) with realistic adversary behavior. Similarly, blue teams use these kill chains to analyze and disrupt attacker movements during incidents.

Common Cyber Kill Chains

Several organizations and standards bodies have developed their own versions of cyber kill chains. While they generally follow a similar structure, some provide deeper insights or define attack stages differently. Notable examples include:

  1. Lockheed Martin Cyber Kill Chain
    • Focuses on external or perimeter-based attacks.
    • Lacks detailed coverage of internal lateral movements once a breach occurs.
  2. Unified Kill Chain
    • Expands on the Lockheed Martin model by integrating external and internal attack phases, offering a more comprehensive view of an attack lifecycle.
  3. Varonis Cyber Kill Chain
    • Tailored to insider threats and data-focused attacks, emphasizing data exfiltration and privilege escalation.
  4. Active Directory Attack Cycle
    • Specializes in attacks targeting Active Directory environments, highlighting common exploitation methods within domain networks.
  5. MITRE ATT&CK Framework
    • A globally recognized framework providing detailed documentation of real-world adversary behaviors across various attack stages and platforms.

Lockheed Martin Cyber Kill Chain Breakdown

This model outlines seven stages of a typical cyberattack, focusing on how attackers breach external defenses:

Stage | Purpose | Examples
Reconnaissance | Gather intelligence on the target | Harvesting emails, Open-Source Intelligence (OSINT) research
Weaponization | Develop a deliverable payload by pairing malware with an exploit | Creating malicious Office documents, bundling exploits with backdoors
Delivery | Transmit the weaponized payload to the target | Phishing emails, malicious websites, USB devices
Exploitation | Trigger the exploit to gain system access | Exploiting vulnerabilities (e.g., MS17-010, ZeroLogon)
Installation | Install malware to maintain access | Deploying tools like Mimikatz or Rubeus
Command & Control | Establish communication with the compromised system | Using frameworks like Empire, Cobalt Strike
Actions on Objectives | Execute the final attack goal | Data theft, deploying ransomware (e.g., Conti, LockBit 2.0)

Red Team Use of Cyber Kill Chains

By mapping their attack steps to a kill chain, red teams can:

  • Simulate realistic threat actor behavior.
  • Identify security gaps in each phase of an attack.
  • Provide valuable insights to improve the blue team’s detection and response mechanisms.

The blue team can then analyze this data to enhance their defenses, detect early indicators of attacks, and disrupt adversaries before they reach their objectives.
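The kill chain table above and the gap analysis described in this section can be made concrete with a small triage script. The following is an added example written for these notes, not code from TryHackMe or the room: it maps constructed endpoint and proxy telemetry to Lockheed Martin stages using a handful of hypothetical detection rules, then reports how deep the adversary got and which stages they must have passed through without tripping any rule. Those silent stages are exactly the detection gaps a red team engagement is meant to surface. The rule patterns, hostnames, timestamps and the 203.0.113.10 address are all constructed for illustration.

```python
"""Kill chain triage over constructed endpoint telemetry.

Added example for these notes (not code from TryHackMe or the room): it maps
log events to Lockheed Martin Cyber Kill Chain stages with a few hypothetical
detection rules, then reports how deep the adversary got and which stages they
passed through without tripping any rule.
"""
import re
from dataclasses import dataclass

# Stages in Lockheed Martin order; the position in this list is used both for
# sorting and for finding stages the attacker must have crossed unseen.
STAGES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command & Control", "Actions on Objectives",
]

# Hypothetical detection rules (stage, regex over the event text). They are
# illustrative, not rules from any product; Reconnaissance and Weaponization
# have none because those stages happen outside the defender's telemetry.
RULES = [
    ("Delivery", re.compile(r"outlook\.exe.*\.docm", re.I)),
    ("Exploitation", re.compile(r"winword\.exe.*spawned.*(powershell|cmd)\.exe", re.I)),
    ("Installation", re.compile(r"(mimikatz|rubeus)\.exe|\\Run\\", re.I)),
    ("Command & Control", re.compile(r"beacon|\bPOST\b.*/submit\.php", re.I)),
    ("Actions on Objectives", re.compile(r"7z\.exe.*-p|\.lockbit\b|exfil", re.I)),
]


@dataclass(frozen=True)
class Event:
    ts: str    # ISO-8601 timestamp of the telemetry record
    host: str  # hostname that produced it
    text: str  # normalised event text (process creation, registry write, proxy log)


def classify(text):
    """Return the kill chain stage whose rule matches the text, or None."""
    for stage, rx in RULES:
        if rx.search(text):
            return stage
    return None


def stages_reached(events):
    """Unique stages observed across the events, ordered along the kill chain."""
    seen = {classify(ev.text) for ev in events} - {None}
    return sorted(seen, key=STAGES.index)


def missed_stages(reached):
    """Stages between the first and last observed stage that produced no
    detection: the attacker had to pass through them, so telemetry or rules
    are missing there. `reached` must be in kill chain order."""
    if len(reached) < 2:
        return []
    lo, hi = STAGES.index(reached[0]), STAGES.index(reached[-1])
    return [s for s in STAGES[lo:hi + 1] if s not in reached]


def triage(events):
    """Summarise an engagement's telemetry from the blue team's point of view."""
    ordered = sorted(events, key=lambda ev: ev.ts)
    reached = stages_reached(ordered)
    first = next((ev for ev in ordered if classify(ev.text)), None)
    return {
        "reached": reached,
        "deepest": reached[-1] if reached else None,
        "missed": missed_stages(reached),
        "first_detection": first.ts if first else None,
    }


# Constructed sample telemetry for a noisy run where every stage fired a rule.
# 203.0.113.10 is a documentation address, not a real C2 server.
SAMPLE_EVENTS = [
    Event("2024-03-04T09:12:01Z", "WS01", r"outlook.exe wrote C:\Users\alice\Downloads\invoice.docm"),
    Event("2024-03-04T09:13:40Z", "WS01", r"winword.exe spawned powershell.exe -nop -w hidden -enc SQBFAFgA"),
    Event("2024-03-04T09:13:45Z", "WS01", r"powershell.exe set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("2024-03-04T09:20:02Z", "WS01", r"proxy: POST http://203.0.113.10/submit.php?id=1 from 10.0.0.23"),
    Event("2024-03-04T11:02:10Z", "FS01", r"7z.exe a -pS3cret out.7z D:\Finance"),
]

# The same intrusion run stealthily: the macro and persistence steps were
# replaced with something the rules above do not catch, so only the edges of
# the chain are visible and the middle shows up as a detection gap.
STEALTHY_EVENTS = [SAMPLE_EVENTS[0], SAMPLE_EVENTS[3], SAMPLE_EVENTS[4]]


if __name__ == "__main__":
    for label, evs in (("noisy", SAMPLE_EVENTS), ("stealthy", STEALTHY_EVENTS)):
        report = triage(evs)
        print(f"{label}: deepest={report['deepest']!r} "
              f"first detection at {report['first_detection']} "
              f"undetected stages={report['missed']}")
```

Run as a script, the noisy run reports every stage from Delivery onward and no gaps, while the stealthy run reports Delivery, Command & Control and Actions on Objectives with Exploitation and Installation undetected. That second list is the useful output for the blue team: it names the phases where new telemetry or rules would have caught the red team earlier.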

TryHackMe Red Team Fundamentals | Room Answers

Would vulnerability assessments prepare us to detect a real attacker on our networks? (Yay/Nay)
Nay

During a penetration test, are you concerned about being detected by the client? (Yay/Nay)
Nay

Highly organised groups of skilled attackers are nowadays referred to as …
Advanced Persistent Threats

The goals of a red team engagement will often be referred to as flags or…
crown jewels

During a red team engagement, common methods used by attackers are emulated against the target. Such methods are usually called TTPs. What does TTP stand for?
Tactics, techniques and procedures

The main objective of a red team engagement is to detect as many vulnerabilities in as many hosts as possible (Yay/Nay)
Nay

What cell is responsible for the offensive operations of an engagement?
Red Cell

What cell is the trusted agent considered part of?
White Cell

If an adversary deployed Mimikatz on a target machine, where would they be placed in the Lockheed Martin cyber kill chain?
Installation

What technique’s purpose is to exploit the target’s system to execute code?
Exploitation

Click the “View Site” button and follow the example engagement to get the flag
THM{RED_TEAM_ROCKS}


About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
