February 14, 2022

It Takes A Hacker — How to Build a Red Team

By: Eric McIntyre

Leaders in cyber defense recognize the importance of red team activities for continually improving the effectiveness of their security programs. Building a red team that is effective, and that provides value to an organization's security posture, requires a significant amount of input and most likely a multi-million-dollar annual commitment. Randori maintains teams across the functions essential to an effective engagement, and brings sophisticated capabilities to bear for our customers through automation alongside human input, so that every company can incorporate a red team experience that will make a difference in the effectiveness of its security program.

Red teams are friendly hackers who are hired to conduct attacks and test their customers' security. For these operations to be successful, it is not enough just to pwn (exploit) customer networks. Customers need to derive value from the experience. For example, a defender can see how far an attacker gets into their network before the activity triggers an alert. Or they can practice the incident response plan that has been sitting on a shelf since it was written. Each time the red team conducts an operation, an opportunity for measurement and improvement is created. Red teams help companies evolve beyond a find-and-fix mentality to a categorical defense mentality. Turning attackers loose in your network can be a worrisome prospect, but the bad guys are already trying every door handle in your infrastructure. Are you sure you will be able to stop them when they find one unlocked?

What Components are Required for Your Red Team?

The trouble is, establishing an effective red team capability requires a lot of input. Most companies are not ready to create a red team from scratch. At a minimum, for an in-house capability in a medium-sized business, you will want at least one full-time employee who can focus on being a red "team" for your company. Because you will be hiring a single FTE, this person will need to be highly skilled to be effective (and usually well compensated: think low to mid six figures). Even if you have that in your budget, red teaming takes significant time and concentration, so depending on your needs a single employee could be spread pretty thin. A major driving factor in the effectiveness of this approach is the size of your attack surface. On the other hand, the more narrowly you scope a red team engagement, the less indicative it is of real-world conditions, where attackers are looking at everything on your network all of the time.

So, suppose a one-person red team is right for your attack surface and you have the budget. There are still only a handful of people available who possess the skills to run that program. Better post that job now if you want to get things going this year. Once you have your team hired, they’ll need to license their tools, set up their own infrastructure, and build their processes internally. They’ll need to establish methods for identifying targets, scoping their engagements, researching vulnerabilities, creating novel attack capabilities, launching attacks, and performing post-exploitation operations on targets.

Enter the Randori Hacker Operations Center

When we think about building an effective red team capability at Randori, we bucket the necessary skills in terms of three primary functions — just as many nation-states do:

Our Research Team is in charge of finding and analyzing vulnerabilities both public and private, developing novel techniques, and then building new tools and capabilities to evade defenses, execute exploits, collect information, or impact the network.

Our Targeting Team employs our intelligence analysts. They identify targets within your network, examine network activity to determine where vulnerable systems exist, and locate data on human assets we can leverage for social engineering.

Our Attack Team operates within the network environment. They approve the activities suggested by our automated system, utilize the tools that the research team produces, and provide additional human-driven activity when automation is insufficiently sophisticated to take the next step in the “kill-chain.”

Bottom Line

By the time most organizations on a security maturity journey have recognized they can benefit from an adversarial offensive capability, they do not immediately have the resources to build one out. The cost of hiring a red team and maintaining an effective program is out of reach, but that does not mean nothing is possible. Randori Attack customers get the benefits of having a red team engaged with their security program without the upfront and recurring expense. If you believe your security program is doing well but want to take the next step on the journey to a world-class operation, Randori can help. We have a team of some of the best hackers on earth, allowing us to deliver a consistent and effective offensive security experience at scale for a fraction of the cost of going it alone.