Beyond vulnerability scanning: Enhancing attack surface management for more proactive security

May 5, 2022

How to Arm Your Red Team — Chapter Four

By: Keegan Henckel-Miller

Share on facebook
Share on twitter
Share on linkedin

When it comes to protecting your organization from cyber threats, a well armed attacker is typically your worst nightmare. But if you work for a company looking to add a red team, they can be your best friend.

A skilled red team is the most realistic way to validate your defenses, as it most closely resembles what actual threat actors are doing. In authentically and safely replicating real world threats, your blue team can more accurately assess their effectiveness and make better improvements.

How well resourced your red team needs to be depends on a number of factors including the maturity of your blue team, and the size and complexity of your organization’s attack surface. Broadly speaking, red teams tend to fall in to three tiers depending on their capabilities:

  • Tier 1. This is an entry level red team. These red teams use publicly available exploits, capabilities, and tools and are usually limited in human resources, employing only a few people in service of cyber defense. The tools used are generally free, open-source, or low cost and rely on the skill of the red team for proper execution. 
  • Tier 2. This is a professional red team. Red teams in this tier also use publicly available tools but support them with more substantial resources and expertise. This may include things like licenses, hardware, quality assurance, or a lab environment to maximize effectiveness. They also likely invest in commercial red team tools, like Cobalt Strike, Scythe, and BloodHound, which come with significant cost — usually tens of thousands per user, per year. 
  • Tier 3. This is an elite red team. The most well-resourced teams also use publicly and commercially available tools. The key differentiator is that they develop their own. Creating custom and exclusive capabilities requires significant skill, budget, and internal resources. These teams utilize reverse engineering, stand up complex lab environments, and have the capacity to add persistence and lateral movement once they’re on your network. Teams armed at this level are relatively large and their costs generally exceed hundreds of thousands of dollars per year in human resources alone. 


Key Capabilities Any Red Team Needs

Regardless of their budget, red teams operate in a goal-based methodology utilizing anything it takes to achieve the goal whether phishing, exploiting, abusing misconfigurations, guessing passwords, etc. The greater your red team’s resources, the more pernicious and lifelike they can be. Defenders need red teams to be able to simulate real-world cyber attacks and techniques. This has to happen across the entire cyber attack lifecycle with red teams stress-testing your internal network, not just your perimeter. This is what separates red teams from penetration testing. 

Your red team’s size and capabilities will vary based on your resources, the maturity of your blue team, and your business objectives. However, the core function of a red team is universal. 

No matter your level of sophistication, every red team needs tools that enable them to perform these four functions:

1. Reconnaissance 

Hacking into any organization starts with surveying the lay of the land. Both red teams and real cyber criminals use reconnaissance of your attack surface to identify critical organizational, personnel, and technical points of vulnerability. The more information red teamers acquire at this stage, the higher their chances of successfully infiltrating a target network down the line. 

There are two types of reconnaissance (or recon), passive and active, which each involve  different tools:

Passive Reconnaissance

Passive recon is when red teamers collect information without directly interacting with a target. Through passive recon, red teams can figure out details like the identity of personnel, email addresses, domain names, and DNS records.

This step usually involves using public resources like whois, data brokers, DNS, search engine dorks, etc. 

Active Reconnaissance 

Active recon is when red teams interact with their target to gain more information about it, and is conducted with tools that send requests to the target system, like Nmap.

Although active recon can yield more useful information, there’s also the risk that it will alert defenders, foiling attacks before they happen. 

For this reason, many red teams use customized recon tools that are stealthier and more effective than commercially available equivalents. For example, details leaked during the 2020 FireEye hack revealed that in addition to publicly available tools, the company also used specially made recon tools such as “GetDomainPasswordPolicy” to get an Active Directory domain’s password policy and “GPOHunt” to claim Group Policy configurations. 

Through active recon, red teams can find out information like what services their target is running, the OS of a machine, and what ports are open and closed. 

Randori Recon was designed to provide red and blue teams with a continuous, authentic, and proactive solution for automating this task. We don’t simply scan for targets; we layer on the attacker’s perspective to present a real-world “target temptation” score. 

2. Initial compromise 

Once a target is identified and understood, red teams attempt to gain initial access to a target environment. There are a variety of means available for a red team to succeed in initial compromise, and they are highly dependent on their sophistication and resources.

Here is an example of  how different tiers of red teams might conduct a phishing campaign: 

  • Tier 1: Smaller red teams might use open-source kits and tools like King Phisher or GoPhish to set up phishing emails and harvest credentials. 
  • Tier 2: Professional red teams may create custom phishing kits by combining the best features from several different tools (this is what cybercriminals did in 2020 when they developed the attack infrastructure known as “TodayZoo”). 
  • Tier 3 Elite red teams that want to further increase the success of their attacks will  replicate advanced persistent threats. This includes drafting targeted emails for specific users, setting up copycat domains, or taking over a subdomain to harvest credentials. They will design emails to specifically bypass email filtering tools uncovered during the reconnaissance stage and may even pair phishing with an exploit embedded in the message. 


Similarly, when it comes to exploiting vulnerabilities, less advanced red teams will rely on public exploits available in tools like Metasploit or Github. The best red teams will weaponize N-days, extend or augment public techniques to evade detection, or even develop custom zero-day exploits. 

3. Persistence

After a red team gains access to a system, they need to maintain network access even if the target environment shifts. Whether through changed credentials, restarts, or other interruptions, it is crucial that the team do so without setting off alerts.

Although publicly available tools allow attackers to maintain connection with target network, they are more likely to be detected by defensive tools such as AVs or endpoint detection than modified or custom tools. Modifying open-source tools to imitate advanced cybercriminals will result in a far more authentic assessment.

Earlier in 2022, we saw an example of why this is important when security experts spotted real-life attackers using a modified version of Ligolo, a reverse tunneling tool, for persistence. The threat actors got rid of the use of command-line parameters and added a number of execution checks to bypass the need to run multiple instances. These changes allowed attackers to establish a more secure connection with target networks and minimized the risk of being noticed by defenders. 

4. Moving Laterally

After a red team gains access to a system, they move laterally to other systems behind the perimeter.

While this capability can be achieved through simplistic network protocols, predictable approaches like this make it easier for blue teams to detect malicious communications. In real life, attackers often use a combination of off-the-shelf products and fully customized solutions. Red teams need to be able to do the same. 

Final Thoughts

Cybercriminals are anything but predictable. However, analyzing common attack chains makes mimicking them possible. Malicious attacks often use a combination of off-the-shelf tools, borrowed or stolen code, and bespoke tools and exploits.

Authentic red teams should be equipped to accurately emulate  real-world threats. Open source tools are a great starting point, but to truly imitate sophisticated actors red teams also must leverage commercial tools and have the resources and expertise to develop their own when needed.

We’ve designed Randori Attack to provide organizations a continuous, authentic, and proactive way to test their defenses. Our platform is designed to work with or without an existing in-house red team. Backed by some of the world’s leading offensive security experts, our Hacker Operations Center provides our customers with access to one of the world’s most well resourced red teams at a fraction of the cost of building it themselves.

Click here to get started with the Randori Attack Platform

Gain an Attacker's Perspective

Uncover your true attack surface with the only ASM platform built by attackers. Stay one step ahead of cyber-criminals, hacktivists and nation-state attackers, by seeing your perimeter as they see it.