Note: This blog is the final chapter of our five-part How to Build A Red Team series. If you’re new, please check out the previous blogs in this series: Chapter 1, Chapter 2, Chapter 3, Chapter 4.
As we’ve discussed in previous posts, a skilled red team is the most realistic way to validate your defenses, as it most closely resembles what actual threat actors are doing. But choosing to build a red team is a significant investment and commitment.
In this final chapter, we’re going to look at why many organizations choose to partner with Randori when building out a red team capability.
How Randori Can Help
The fact is that attackers are innovating faster than defenders can keep up. They are leveraging new tools and automation all the time. To get ahead, defenders need their red teams to be able to innovate at the same pace. For an organization just starting out, getting a red team spun up and effective takes time; for those with existing red teams, there are often far more projects than they can take on.
Given limited budget and staff, many internal red teams are not able to invest the time and effort needed to truly emulate their adversaries. As a result, they rely upon commercial tooling, such as Metasploit, and publicly available information to conduct their attacks, often focusing on short-term projects rather than long-term engagements.
By deploying our red team continuously across our global customer base, Randori empowers organizations – with or without red teams – to benefit from our latest innovations. By spreading our findings across our customers, we’re able to hire specialized talent and make investments that most internal red teams can’t support. This allows us to conduct deeper reconnaissance, develop a broader set of tools, and invest the time and resources needed to create our own capabilities. In turn, we can give security teams a deeper understanding of their security program and a more authentic experience, mirroring not only the techniques but also the organizational structure of today’s adversaries.
In times of crisis like Log4j or the recent F5 vulnerability, having the ability to innovate and respond quickly can be the difference between proactively mitigating risk and responding to an incident.
Designed to work with or without an existing in-house red team, Randori Attack provides organizations a continuous, authentic, and proactive way to test their defenses. Backed by some of the world’s leading offensive security experts, our Hacker Operations Center provides our customers with access to one of the world’s most well-resourced red teams at a fraction of the cost of building it themselves – allowing anyone to keep up with attackers.
Why Continuous Testing Matters: Log4j
Log4j snuck up on the infosec community. Most companies were unprepared for a vulnerability that was so ubiquitous, powerful and easy to exploit. On the evening of Friday, December 10th, 2021, Randori researchers inside our Hacker Operations Center noticed a Chinese researcher sounding an alarm about a new vulnerability, with a warning that it would be an impactful one.
Our Research & Development team dove into action to validate this claim. We quickly confirmed that the vulnerability was as bad as it was purported to be. Within around 4 hours, our R&D team had weaponized the bug and had a working exploit against one of the impacted applications: VMware Horizon.
Upon verification, our CTO immediately called the CTO of VMware, pulling him out of a restaurant on a Friday night with the urgent warning that their software was critically exposed to this new vulnerability. We were able to notify him before anyone else was aware.
Meanwhile, our Hacker Operations Center (HOC) got to work updating our risk scores, identifying potential targets, notifying exposed customers and getting the exploit into our platform so we could begin validating customers’ exposure.
8 hours after initial exposure (at around 2 am on Saturday morning), the HOC was able to exploit a second application: JAMF. At this time, Log4j was still awaiting a CVSS score.
Because of the investments we’ve made to automate the targeting, delivery and execution of attacks, we were able to begin testing customers’ resiliency to Log4j at scale — before the vuln had even gained steam in the press. In fact, one of our customers was able to confirm that their outbound firewall was able to stop the exploit before real attackers started hitting their system and before their bosses began asking the next morning.
By the time the broader infosec community noticed, we’d already published our findings, our customers knew their exposure and we’d already been using this vulnerability to help customers understand their risk for hours.
Final Thoughts
Cybercriminals are anything but predictable. However, analyzing common attack chains makes mimicking them possible. Malicious attacks often use a combination of off-the-shelf tools, borrowed or stolen code, and bespoke tools and exploits.
Authentic red teams should be equipped to accurately emulate real-world threats. Open-source tools are a great starting point, but to truly imitate sophisticated actors, red teams must also leverage commercial tools and have the resources and expertise to develop their own when needed.
We’ve designed Randori Attack to provide organizations a continuous, authentic, and proactive way to test their defenses. Our platform is designed to work with or without an existing in-house red team. Backed by some of the world’s leading offensive security experts, our Hacker Operations Center provides our customers with access to one of the world’s most well-resourced red teams at a fraction of the cost of building it themselves.