exercise? The common understanding is that a red team exercise is a
pen-test on steroids, but what does that mean?
While both programs are performed by ethical hackers, whether
they are in-house residents or contracted externally, the
difference runs deeper.
In a nutshell, a pen-test is performed to discover exploitable
vulnerabilities and misconfigurations that a real attacker could
use. Pen-tests primarily test the effectiveness of security controls
and of employee security awareness.
The purpose of a red team exercise, in addition to discovering
exploitable vulnerabilities, is to exercise the operational
effectiveness of the security team, the blue team. A red team
exercise challenges the blue team’s capabilities and supporting
technology to detect, respond, and recover from a breach. The
objective is to improve their incident management and response
procedures.
The challenge with pen-testing and red team exercises is that
they are resource intensive. A pen-test can run for 1 to 3 weeks
and a red team exercise for 4 to 8 weeks, and both are typically
performed annually, if at all.
Today’s cyber environment is one of rapid and constant change.
It is driven by evolving threats and adversarial tactics and
techniques, and by the accelerated rate of change in IT and
adaptations to the security stack. This has created a need for
frequent security testing and demand for automated and continuous
security validation or breach and attack simulation (BAS).
These solutions discover and help remediate exploitable
vulnerabilities and misconfigurations, and they can be performed
safely in the production environment. They enable security teams to
measure and improve the operational effectiveness of their security
controls more frequently than pen-testing. But can they be used in
a red team exercise?
There are two approaches to consider. The first, red team
automation, has the obvious advantage of increasing the operational
efficiency of a red team. It lets them automate repetitive and
investigative actions, identify exploitable weaknesses and
vulnerabilities, and quickly gives them a good picture of what they
are up against.
In principle, this is not far from what BAS provides today by
supporting a broad set of attack simulations and a rich library of
atomic executions mapped to the MITRE ATT&CK framework. BAS tools
even let red teams craft their own executions. Red team automation
can support red team activities, but its value is limited, and most
red teams already have homegrown tools built for the same purpose.
A newer approach, red team simulation, takes these capabilities a
step further. It enables a red team to create complex attack
scenarios that execute across the full kill chain, in effect
creating custom APT-style attack flows. Instead of executing a bank
of independent commands to find a weakness, it performs a
multi-path, sequenced flow of executions.
The primary advantage of this approach is that it incorporates
logic into the flow. As the simulation progresses, each execution
can use the findings of previous executions as well as external
data sources and tools. When an execution depends on a tool that is
not present on the target machine, the simulation stages that tool
on the machine before running it.
For example, a sample flow could have Mimikatz supply harvested
credentials to a PsExec-based lateral movement technique, and drop
PsExec to disk on the target machine if it is missing. A red team
simulation can include all the stages of an attack, from initial
access to impact, and even reconnaissance performed in the
pre-attack stage.
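To make that flow logic concrete, here is an added example (not Cymulate's code and not part of the original article) of a toy scenario runner in Python. Each step carries an assumed MITRE ATT&CK technique ID, consumes artifacts produced by earlier steps, has a tool dependency that is staged on the target only when absent, and branches to an alternate path when it fails. The Host model, the step names, and the credential strings are all constructed in memory for the example; nothing here touches a real machine or runs real Mimikatz or PsExec.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


# Constructed in-memory model of a target host (example data only).
@dataclass
class Host:
    name: str
    tools: Set[str] = field(default_factory=set)   # binaries already on disk
    lsass_readable: bool = True                     # can LSASS memory be read?
    unattend_creds: Optional[str] = None            # plaintext creds in unattend.xml
    admin_creds: Optional[str] = None               # what a successful dump yields


# One node of the scenario graph. ATT&CK IDs are an assumed mapping.
@dataclass
class Step:
    name: str
    technique: str
    run: Callable[[Host, dict], dict]              # returns artifacts, {} on failure
    needs_tool: Optional[str] = None               # must exist on target before run
    requires: List[str] = field(default_factory=list)  # artifacts from earlier steps
    on_success: Optional[str] = None               # next step name
    on_fail: Optional[str] = None                  # alternate branch on failure


def dump_lsass(host: Host, art: dict) -> dict:
    """Simulated T1003.001: succeeds only if LSASS is readable."""
    ok = host.lsass_readable and host.admin_creds
    return {"creds": host.admin_creds} if ok else {}


def read_unattend(host: Host, art: dict) -> dict:
    """Simulated T1552.001 fallback: credentials left in unattend.xml."""
    return {"creds": host.unattend_creds} if host.unattend_creds else {}


def psexec_lateral(host: Host, art: dict) -> dict:
    """Simulated T1021.002: uses the credential harvested upstream."""
    return {"session": f"{art['creds']}@{host.name}"}


def run_scenario(steps: Dict[str, Step], start: str, host: Host) -> List[str]:
    """Walk the scenario graph; resolve dependencies and branch on results."""
    log: List[str] = []
    artifacts: dict = {}
    current: Optional[str] = start
    while current:
        step = steps[current]
        missing = [k for k in step.requires if k not in artifacts]
        if missing:                               # prerequisite never produced
            log.append(f"{step.name}: blocked, missing {missing}")
            break
        if step.needs_tool and step.needs_tool not in host.tools:
            host.tools.add(step.needs_tool)       # drop to disk only when absent
            log.append(f"T1105 stage {step.needs_tool} on {host.name}")
        result = step.run(host, artifacts)
        if result:
            artifacts.update(result)              # findings feed later steps
            log.append(f"{step.technique} {step.name}: ok")
            current = step.on_success
        else:
            log.append(f"{step.technique} {step.name}: failed")
            current = step.on_fail                # take the alternate path
    return log


# Mimikatz -> (fallback: unattend.xml) -> PsExec, as a small multi-path flow.
SCENARIO: Dict[str, Step] = {
    "dump_creds": Step("dump_creds", "T1003.001", dump_lsass,
                       needs_tool="mimikatz", on_success="lateral",
                       on_fail="unattend"),
    "unattend": Step("unattend", "T1552.001", read_unattend,
                     on_success="lateral"),
    "lateral": Step("lateral", "T1021.002", psexec_lateral,
                    needs_tool="psexec", requires=["creds"]),
}

if __name__ == "__main__":
    ws01 = Host("ws01", tools={"mimikatz"}, admin_creds="DOM\\admin:Hunter2")
    for line in run_scenario(SCENARIO, "dump_creds", ws01):
        print(line)
```

Running the block stand-alone prints the happy path: the LSASS dump succeeds, PsExec is staged because it is absent, and lateral movement proceeds with the harvested credential. A host whose LSASS cannot be read takes the unattend.xml branch instead, and starting at the lateral step with no credential artifact is reported as blocked rather than silently run.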
The benefits of red team simulation extend beyond operational
efficiency for both in-house red teams and companies that provide
red team services. Scenarios can be replayed to validate lessons
learned from previous exercises. Red teams that operate in global
companies can cover more geographies.
Even with red team simulation, the human factor remains key in
assessing the result of an exercise and providing guidance to
improve incident management and response procedures, but simulation
makes red team exercises accessible to a larger market where cost is
a limiting factor.
For more information, visit www.cymulate.com[1] and register for
a Free Trial[2].
References
[1] www.cymulate.com (cymulate.com)
[2] Free Trial (cymulate.com)
Source: http://feedproxy.google.com/~r/TheHackersNews/~3/Q02nZBUR0JA/red-team-penetration-test.html
