Red teaming is an offensive method of cybersecurity testing. A realistic attack simulation tests the cyber resilience of an organization against an advanced attacker. As with other offensive methods, it uses the hacker mindset to look at an organization's security. We call the ethical hackers who run the simulation the red team. We collectively refer to the various teams that are responsible for security within the organization to be tested as the blue team. A select number of individuals from the organization to be tested are involved for coordination and coordination, who together form the white team. 

A red teaming serves two primary purposes. First, it is a measurement of the organization's current resilience level. How mature is the organization in the field of cyber security and does this meet expectations? This is an important starting point for determining a broader cyber security strategy. Second, a red teaming is an opportunity for the blue team to learn from their opponents. Which holes can the red team identify that were unknown to the blue team and which techniques are used that remain under the radar of the blue team.  

A penetration test efficiently helps to close as many specific gaps as possible. The technique thus tests measures that fall within the Protect function of the NIST framework. A red teaming is aimed at verifying whether the total set of security measures in place offers sufficient protection against a real attacker. This tests the Identify, Protect, Detect and Response functions from the NIST framework. 

More information

A red teaming has three core properties that distinguish it from a penetration test. The individual properties can also be applied within a penetration test, creating a hybrid form. However, a true red teaming has at least the following three properties: 

1. The test is carried out organization-wide. This means that all IT systems of an organization can be attacked. In addition, red teaming is not limited to attacks on technology alone, but people and processes can also be targeted. 
2. The test is performed in secret. Only members of the red team and a select few individuals from the tested organization, such as the CISO, are aware of the exercise. 
3. The test is scenario-oriented. It is a simulation of a real attacker with an underlying motive, an objective and associated method. An example could be an attacker with the motive of financial gain, the aim of receiving a ransom and the method of holding IT systems hostage with ransomware. 

Organization-wide execution of the test ensures that the results of a red teaming are influenced as little as possible by scope limitations that a real attacker is not aware of either. This is required to determine to what extent the organization has identified the correct parts that need to be protected.

The secret execution of red teaming is required to realistically test the organization's detection and response measures. After all, when the blue team is aware of the fact that red teaming is being carried out, they may proceed in a different way than when this is not the case.  

The scenario-oriented approach is required to realistically test the detection and response measures. Despite the fact that several routes are possible to reach a certain end goal within an organization, a real attacker will only try to find one route. To test whether an organization can detect and stop such an attack, the red team must proceed in a similar way. If the red team were to look for additional routes, this would result in more detectable actions than necessary, so that the detection capabilities would no longer be realistically tested. 

Threat Intelligence Based Ethical Red-teaming Netherlands (TIBER-NL) is a program of De Nederlandsche Bank (DNB) to increase the cyber resilience of the financial sector in the Netherlands. With regard to the social function that financial institutions, such as banks and insurers fulfill, a cyber attack on such an institution can have a major social impact. For that reason, periodic performance of a TIBER test is mandatory for specific financial institutions. TIBER tests are performed using the TIBER framework. Although this framework has been developed for the financial sector, it can also be applied to other sectors. Following the success of the TIBER-NL framework in the Netherlands, the European Central Bank (ECB) has introduced a comparable framework together with the central banks of 12 EU countries: TIBER-EU. Various central banks also have their own variant of the framework. For example, the central bank of Germany uses the TIBER-DE framework. Within The S-Unit, the TIBER-NL framework is used as a starting point for performing red teaming tests.

The S-Unit offers red teaming services based on modules. This makes it possible to tailor red teaming to the wishes and information needs of our customers. The modules are based on the TIBER-NL framework and are divided into four phases: preparation, targeted threat intelligence, red team test and closure. The preparation serves to coordinate the project and collect the correct information from the organization. The targeted threat intelligence phase aims to collect information to create relevant attack scenarios. During the red team test phase, the prepared scenarios are actually implemented. During the closing phase, knowledge transfer takes place to increase the educational value. 

More information