Penetration Testing: The Red Team Way

by MS-Luddite

What is Penetration Testing?

Penetration testing is a method of evaluating the security of a computer or network by simulating an attack by an intruder.

In most cases, the tests are performed by outside consultants; however, the company IT department or security group may also perform the tests.  The general format of the test is to enumerate all operating systems and services running on the target network and then to attempt to exploit any known or discovered weaknesses in those systems.

Enter the "Red Team"

While traditional penetration testing methods are extremely valuable and very effective, there is another approach that provides a far more realistic evaluation of an organization's overall security posture.

Red Team penetration testing, or "Red Teaming" as it is commonly called, is an entirely different way of testing network security.

Instead of working the test by moving down a check list of predetermined items or running an application that systematically searches for vulnerabilities to exploit, the "Red Team" executes the attack in a manner consistent with the actions of real intruders.

The term "Red Team" comes to us from the United States military.  In military exercises, the good guys are always the Blue Team and the bad guys are always the Red Team.  The Red Team attempts to attack the resources of the Blue Team in an environment similar to a game of capture the flag.  This system was devised to provide military personnel with live training exercises that are as close to real combat situations as possible.

Red Teaming Structure

When the Red Team begins the penetration test, they begin as a real intruder would begin an attack.

In most cases, no one at the target is informed of the time of an impending attack.  Any tools or attack methods used will be executed on the live network or computer systems being tested.  Few or no preparations are made to spare these systems from the negative effects of the attacks being conducted.

For example, suppose the Red Team has learned that the target network is running a Microsoft Exchange Server and that their research shows that this particular version of Exchange is vulnerable to a common form of attack called a buffer overflow.

A successful overflow corrupts the memory adjacent to the overrun buffer and lets the attacker hijack the server's execution path, running arbitrary code or commands with the privileges of the Exchange service; a failed or miscalibrated attempt usually just crashes that service.  The attempt will be made without regard for possible damage to the server in question.  The only decision will be when to attempt the exploit, such as after hours, over the weekend, or on a holiday.
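To make the mechanism behind that hypothetical concrete, here is an added example that is not from the original article and is not tied to Exchange or any real product: a toy login handler for an imaginary network service copies a caller-supplied username into a fixed 16-byte buffer without checking its length, so a 20-byte packet spills into the privilege flag stored directly after it.  The struct layout, the field names, the function names and the packet bytes are all constructed for this demonstration; the hardened handler beside it shows the bounds check that closes the hole.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy "session record" for a hypothetical service (constructed for this
 * example; it is not the data layout of Exchange or any real server).
 * The 16-byte username sits directly in front of a privilege flag. */
struct session {
    char     user[16];
    uint32_t is_admin;   /* 0 = ordinary user, nonzero = administrator */
};

/* The attack packet below assumes the flag starts at byte 16. */
_Static_assert(offsetof(struct session, is_admin) == 16,
               "layout assumed by attack_pkt");

/* Vulnerable handler: copies the caller-supplied username into the fixed
 * buffer without checking it against sizeof s.user.  Bytes past 16 land
 * on is_admin, so an attacker-controlled packet flips the flag without
 * authenticating.  Returns the resulting flag value. */
uint32_t handle_login_vulnerable(const uint8_t *pkt, size_t len)
{
    struct session s;
    memset(&s, 0, sizeof s);
    /* Clamped to the whole struct only so this demo stays deterministic;
     * a real stack overflow keeps writing past the struct into saved
     * registers and the return address, and a bad attempt crashes. */
    if (len > sizeof s)
        len = sizeof s;
    memcpy(&s, pkt, len);            /* BUG: length never checked against s.user */
    return s.is_admin;
}

/* Hardened handler: rejects oversized input before copying, so the
 * privilege flag can never be reached.  Returns -1 on rejection,
 * otherwise the (untouched) flag value. */
int handle_login_fixed(const uint8_t *pkt, size_t len)
{
    struct session s;
    memset(&s, 0, sizeof s);
    if (len > sizeof s.user - 1)     /* leave room for the NUL terminator */
        return -1;
    memcpy(s.user, pkt, len);
    s.user[len] = '\0';
    return (int)s.is_admin;
}

/* Constructed attack packet: 16 bytes of filler to fill `user`, then four
 * bytes that land exactly on is_admin (nonzero on either endianness). */
static const uint8_t attack_pkt[20] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0x01, 0x00, 0x00, 0x00
};

int main(void)
{
    const uint8_t benign[] = "alice";

    printf("benign  -> vulnerable handler: is_admin=%u\n",
           handle_login_vulnerable(benign, 5));
    printf("20-byte -> vulnerable handler: is_admin=%u\n",
           handle_login_vulnerable(attack_pkt, sizeof attack_pkt));
    printf("20-byte -> fixed handler: %d (rejected)\n",
           handle_login_fixed(attack_pkt, sizeof attack_pkt));
    return 0;
}
```

Compile with a C11 compiler (the layout check uses _Static_assert) and run it.  The vulnerable handler deliberately stops its write at the end of the struct so the demonstration is repeatable; that is exactly the restraint a real overflow lacks, which is why an exploit fired blind against a live server is as likely to take it down as to take it over.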

By freeing the minds of the team to behave as real attackers would, Red Teaming creates a much more realistic environment in which to evaluate the security of the target network or system.

Legal and Other Concerns

It should be mentioned that there are often some predetermined boundaries when using the Red Team approach to penetration testing.

The boundaries will be unique to the particular test and depend on many factors, possibly including the target environment, management concerns, and industry regulations.

For example, the financial services industry is federally regulated.  It is conceivable in the previous example of a vulnerable Microsoft Exchange Server that laws would be broken if the Red Team were to actively exploit the live server.

It is also possible that senior management would exercise their right to limit certain aspects of the tests in order to protect the company from negative exposure.

For instance, if the decision has already been made to replace a piece of equipment known to be insecure, then that device might be deliberately excluded from the test in favor of later testing of the new device.  The organizers of the test may also choose to simply mark certain systems or networks as off limits for any reason they deem appropriate.

Another option is to have the Red Team discover all attack possibilities from the outside with no previous knowledge of the target and then to test those possibilities in a lab environment.  While this is not as realistic as an active attack on live systems, there are many times when this approach is more appropriate for the business.  Only discussion between management, Red Team members, and legal counsel can decide which approach is appropriate for a given test.  It is of paramount importance that both management and the Red Team have a clearly defined scope of work on paper and signed before a test begins, to prevent any misunderstandings that could draw both sides into legal trouble.

Hackers and Crackers

The word hacker has come to imply a shady individual sitting at a computer in the middle of the night, drinking caffeine with abandon and having no goal beyond the destruction of networks.

The origins of the word "hacker" actually predate the Internet, and many hacking groups have nothing at all to do with computers.

However, years of media coverage of computer intrusions have conflated the terms hacker and criminal, and so the word has stuck.  Some people think that Red Teaming is hacking and that those who use this approach are criminals themselves.

There is a small degree of truth to this statement; many penetration testers choose their career in order to hack without the fear of legal repercussions.  It is also true that many of the best penetration testers are former hackers themselves.

However, it is obvious that the benefits of the Red Team approach far outweigh these misguided concerns.  In my work as a security consultant, I have personally witnessed a Red Team test conducted shortly after an internal audit by the company IT department. Several new systems had been installed by outside security professionals.

The contractors had taken great care to secure the systems, and the internal IT department was diligent while reviewing the work.

However, the Red Team still found several points of entry into the network that had been missed by the traditional penetration tests.  How can this be explained?

There are three answers to this question: first, no matter who secures a system, there is always something missed that could lead to a compromise; second, even if you hire an expert to secure a system, they usually don't maintain the system after the initial setup, which can lead to misconfiguration or newly discovered weaknesses after the time of install; and, finally, I guess I am a bit biased, but I am a true believer in what I call the "Hack Factor."

I define this factor as that certain something inside a hacker that simply drives them until a solution to a problem is found.  Simply stated, if I were going to hire someone to test my network security, I would hire a hacker.  I believe that there is a terrible shortage of hackers in professional security companies.

Conclusions

It is clear that the Red Team approach is a valuable tool available to penetration testers and to anyone else responsible for network security.

The out-of-the-box thinking that it promotes can often be what makes the difference in discovering a problem before an attacker does.  When conducting any test, always remember that there is no such thing as total security for any system.

Security is a process, not a solution.  We must therefore always continue thinking about every possible attack vector that may be available to an intruder.

The one thing that you can be assured of is that your enemies are doing the same.
