By Ross Miewald   /   Jun 9th, 2020

How to Get the Most Out of a Red Team Test

How would real-world attackers break into your network? A red team test is designed to answer this question. At its core, a red team test is an attempt to gain access to your systems through any means. Nothing is off limits—penetration testing of internal and external assets, wireless networks, web applications, physical or remote social engineering, and more. If you want to know how a real attacker could target your network and gain a realistic understanding of your strengths and weaknesses, a red team test can be a highly effective exercise.

How Do You Know If You’re Ready for a Red Team Test?

There is no simple answer. Red team testing is typically appropriate for organizations that have already resolved the “low-hanging fruit” and established a mature cybersecurity program. If you still have common issues such as unpatched systems, weak password policies, or poor phishing training, a red team will simply exploit those, and the test is unlikely to reveal anything a standard penetration test would not. You are paying for the red team’s stealth and creativity, and that is wasted when the front door is open.

Red Team Readiness Checklist

If you’ve completed most of these tasks, you may be ready for a red team test! If not, work on completing more of these tasks before scheduling your test.

Baseline

Make sure you have these areas buttoned up before moving forward with a red team test.

  1. Are you running vulnerability scans, and if so, are the results consistently clean?

If your scans come back clean, with no critical, high or medium-risk findings, you usually have strong baseline security practices in place, such as a solid patching process. Scan both externally (what the Internet sees) and internally with authenticated scans, because a clean external scan says nothing about what an attacker can reach once a phishing email lands. If you are not currently conducting vulnerability scans, start now.


  2. Are you regularly implementing patches and updates for ALL systems?

Unfortunately, it only takes one unpatched computer to bring down the whole environment. For example, in one penetration test, LMG Security’s team found a single server still vulnerable to “Heartbleed” (CVE-2014-0160, which lets an unauthenticated attacker read chunks of memory from a vulnerable TLS service). After dumping memory from that host and analyzing it, we found a set of Administrator-level credentials. Because those same credentials were valid everywhere, we were able to take complete control of over five hundred servers. The other computers had been patched for Heartbleed, but all it took was one vulnerable host to topple the whole infrastructure. Updates and patching are a crucial foundation of your cybersecurity, and “ALL systems” includes appliances, hypervisors and anything your patch management tool does not already know about.


  3. Are you re-using credentials across systems?

Don’t reuse credentials. As the previous example showed, it can be very risky. For a Windows domain, ensure that the local Administrator password is unique on every host, or that those accounts are disabled; Microsoft’s Local Administrator Password Solution (LAPS) handles this by giving each machine its own randomly generated, rotated password. Additionally, if users within your IT team have a normal user account and a separate administrator account, ensure that the two do not share a password. Reuse is especially damaging on Windows because an attacker who recovers the NT hash of a local Administrator from one compromised machine can pass that hash to every other machine where it is valid without ever cracking the password. During penetration tests, when we can obtain one set of local Administrator credentials, more often than not we can use them to access multiple systems within the environment.


  4. Are your policies and procedures in line with best practices?

As a penetration tester I don’t necessarily enjoy diving into the documentation, but if your organization’s password policy hasn’t been updated in 4 years, it’s time to revisit that. It’s 2020 folks, don’t make me write another blog on why the minimum length in your password policy needs to be longer than 8 characters. USE STRONG PASSPHRASES. Current guidance (NIST SP 800-63B) also favors screening new passwords against lists of known-breached passwords over complex composition rules and forced periodic rotation, which mostly produce “Summer2020!” and a sticky note. If you need help integrating best practices into your policies and procedures, consult an advisory and compliance services team.


  5. Are you training your employees on cybersecurity best practices, as well as your internal IT policies and procedures?

Training is key, particularly now that many organizations have implemented remote work (check out our home network security blog for security tips). The weakest part of any organization’s cybersecurity is frequently its staff, and attackers know this. If your staff is not trained to recognize the hallmarks of a phishing email, or does not know how to report a potential threat, an attacker will exploit that gap. According to the 2020 Verizon Data Breach Investigations Report (DBIR), the top two threat actions were phishing and the use of stolen credentials (which were primarily gathered through phishing). Measure the training, too: periodic phishing simulations tell you the click rate and, more importantly, the report rate, and the report rate is what buys your responders time. Training your staff is one of the most important steps you can take to prevent a cybersecurity incident.


  6. Do you have Multi-Factor Authentication in place?

To err is human. Make sure you have multi-factor authentication (MFA) set up wherever possible, and especially on all Internet-facing accounts: VPN, webmail, remote desktop gateways and cloud administration consoles. That way, if one user’s password is stolen or guessed, there is another layer of protection in place. Avoid SMS-based MFA (the kind that texts a code to your phone) if possible; it is exposed to SIM swapping and telephone-network interception, and NIST SP 800-63B classifies it as a restricted authenticator. Prefer an authenticator app or, better, a hardware security key, which also resists phishing of the code itself. Then check for gaps: a legacy protocol that skips MFA entirely (basic authentication to a mail server, for example) is one of the first things a red team will look for.


  7. Is your Antivirus/Endpoint Detection solution effective in stopping and alerting on threats?

Speaking of technical controls, should an attacker bypass other controls within your environment, it may come down to your antivirus or endpoint detection and response (EDR) solution to alert your team to potential threats. One of the benefits of a red team engagement is that it demonstrates whether that solution actually alerts on and mitigates the techniques a real intruder uses, rather than only the samples in a vendor demo. Trying to circumvent these controls will be a main component of any red team test, so ensure that they are deployed on every endpoint and server (not just the easy ones), that they report to a console someone watches, and that noisy alerts have been tuned rather than silenced, in order to get the most value out of your red teaming experience.


  8. Do you have logging in place, and are you retaining logs for an appropriate period of time?

It’s important to have effective logging so that you can identify indicators of attack or compromise, especially if an attacker does gain access to your network. At a minimum, collect authentication events (domain controller and VPN logs), endpoint and EDR telemetry, DNS and web proxy queries, and firewall connection logs, and forward them to a central system that cannot be reached from a compromised host, because clearing local event logs is a routine step for any intruder. Retain them long enough to cover the dwell time of a realistic intrusion, which is often weeks or months. Should an incident occur, these logs can save your team time and effort when a forensics team needs to reconstruct what happened.


Advanced

So you’ve met all the prerequisites above? Awesome! Let’s look at some more advanced steps you can take to secure your environment and get a more fulfilling red team engagement:


  1. Is your security team receiving and reviewing alerts, either directly or with the assistance of a third party?

It is fantastic that you are generating alerts and retaining logs for an extended period. Make sure someone is actually reviewing those alerts regularly, with a defined escalation path, so that you can respond to threats quickly and effectively. A red team engagement is also the best test of this step: if nobody noticed the intrusion, then the detection content, the review process, or both need work, and the report should say which.
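As an added example for both the logging item in the baseline list and the alert-review item above (this is not the post’s own material): two detections a reviewer could run over forwarded Windows Security events, written in Python and driven by a constructed sample of 4624/4625 logon events. The first catches a password spray by pivoting on the source address rather than the account, because each account fails only once and never trips a lockout; the second catches one account fanning out over the network to many hosts in a short window, which is what the reused Administrator credentials from the Heartbleed story would look like in the logs. Hosts, accounts, addresses, field names and thresholds are assumptions chosen for illustration.

```python
"""Two source-pivoted detections over Windows logon events.

4625 = failed logon, 4624 = successful logon, logon type 3 = network logon
(SMB, WMI, PsExec and friends). The events are reduced to the handful of
fields a log shipper would forward.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, EventID, host, account, source IP, logon type).
# Hosts, names and addresses are made up for this example.
SAMPLE_EVENTS = [
    # a password spray: one source, one failed guess per account, 5 accounts in 32 s
    ("2020-06-09T02:00:01", 4625, "DC01", "alice", "10.0.5.23", 3),
    ("2020-06-09T02:00:09", 4625, "DC01", "bob",   "10.0.5.23", 3),
    ("2020-06-09T02:00:17", 4625, "DC01", "carol", "10.0.5.23", 3),
    ("2020-06-09T02:00:25", 4625, "DC01", "dave",  "10.0.5.23", 3),
    ("2020-06-09T02:00:33", 4625, "DC01", "erin",  "10.0.5.23", 3),
    # ...and the guess that worked
    ("2020-06-09T02:00:41", 4624, "DC01", "frank", "10.0.5.23", 3),
    # a reused local Administrator password fanning out across hosts
    ("2020-06-09T02:05:10", 4624, "WS01", "Administrator", "10.0.5.23", 3),
    ("2020-06-09T02:07:52", 4624, "WS02", "Administrator", "10.0.5.23", 3),
    ("2020-06-09T02:11:03", 4624, "WS03", "Administrator", "10.0.5.23", 3),
    ("2020-06-09T02:19:44", 4624, "FS01", "Administrator", "10.0.5.23", 3),
    # benign background: an interactive logon and a single typo followed by success
    ("2020-06-09T02:03:00", 4624, "WS05", "bob",   "-",        2),
    ("2020-06-09T02:04:12", 4625, "DC01", "alice", "10.0.7.5", 3),
    ("2020-06-09T02:04:20", 4624, "DC01", "alice", "10.0.7.5", 3),
]


def load(rows):
    """Turn the raw tuples into dicts with parsed timestamps."""
    keys = ("time", "event_id", "host", "user", "src_ip", "logon_type")
    events = [dict(zip(keys, row)) for row in rows]
    for ev in events:
        ev["time"] = datetime.fromisoformat(ev["time"])
    return events


def fan_out(events, group_by, count, window, threshold):
    """Flag every `group_by` value that touches at least `threshold` distinct
    `count` values inside a sliding `window`. Returns {group: finding}, keeping
    the widest window seen per group. O(n^2) per group, fine for triage input."""
    by_group = defaultdict(list)
    for ev in events:
        by_group[ev[group_by]].append(ev)
    findings = {}
    for group, evs in by_group.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            seen, last = set(), start
            for ev in evs[i:]:
                if ev["time"] - start["time"] > window:
                    break
                seen.add(ev[count])
                last = ev
            best = findings.get(group, {"targets": []})
            if len(seen) >= threshold and len(seen) > len(best["targets"]):
                findings[group] = {"targets": sorted(seen),
                                   "first": start["time"], "last": last["time"]}
    return findings


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """One source IP failing against many distinct accounts in a short window.
    Per-account lockout counters never trip because each account sees only one
    or two failures, so the detection has to pivot on the source instead."""
    failures = [e for e in events if e["event_id"] == 4625]
    return fan_out(failures, "src_ip", "user", window, min_accounts)


def detect_lateral_movement(events, window=timedelta(minutes=30), min_hosts=3):
    """One account logging on over the network to many distinct hosts quickly:
    the signature of a reused local Administrator being passed from host to host."""
    net_logons = [e for e in events if e["event_id"] == 4624 and e["logon_type"] == 3]
    return fan_out(net_logons, "user", "host", window, min_hosts)


if __name__ == "__main__":
    events = load(SAMPLE_EVENTS)
    for ip, f in detect_password_spray(events).items():
        print(f"[spray] {ip} failed against {len(f['targets'])} accounts "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}: {f['targets']}")
    for user, f in detect_lateral_movement(events).items():
        print(f"[lateral] {user} reached {len(f['targets'])} hosts "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}: {f['targets']}")
```

On the sample, the spray detection flags 10.0.5.23 and nothing else (alice’s single typo from 10.0.7.5 stays below the threshold), and the lateral-movement detection flags Administrator reaching four hosts in under fifteen minutes while ignoring frank’s and alice’s single network logons. The thresholds are the tuning knobs a reviewer owns: lower them and the analyst drowns, raise them and a careful red team walks underneath.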


  2. Do you perform regular (continuous, quarterly, or annual) penetration tests, and are the results mundane? (Are you tired of having your consulting firm report on weak or expired SSL/TLS certificates?)

This may mean that your organization has a mature security program in place, and you’re ready for an even deeper dive into your environment. If you haven’t performed a penetration test, start with that, as you will more than likely learn a lot about your environment beyond what simple security scans reveal.

  3. Have you performed a red team test previously, and how much did you learn from it?

If you’ve had red team engagements performed in the past but did not get much helpful feedback, sometimes it helps to switch it up with a purple team exercise (where the red team and your defenders work side by side, replaying each technique until the detection fires) or to get a second vendor’s perspective on your environment.

So, are you ready for a Red Team test?

Red team tests can be extremely valuable, and provide you with realistic, actionable information about how threat actors may target your network. If you found yourself responding “yes” to most of the items in the list above, it may be time to take your cybersecurity program to the next level by engaging in a red team test. Contact LMG Security’s expert red team testers for more information. And if you found that you still have a lot to work on, let us know—we can help you take your cybersecurity program to the next level.



About the Author

Ross Miewald

Ross Miewald is a Senior Security Consultant for LMG Security. Ross graduated from the University of Montana with a bachelor’s degree in Management Information Systems, and a minor in Chinese. Ross works closely with our security testing team performing Internal and External Penetration Tests, Vulnerability Assessments, Web Application Testing, Wireless Assessments, and Social Engineering. Ross currently holds the Nexpose Certified Administrator (NCA), GIAC Web Application Penetration Tester (GWAPT) and GIAC Penetration Tester (GPEN) certifications, and is expected to complete the Offensive Security Certified Professional (OSCP) exam in 2019.