May 16, 2022

Putting the team in red team

Written by Jason Lang and Justin Elze
Red Team Adversarial Attack Simulation Security Testing & Analysis

One of the more common questions we receive during a red team scoping call or RFP Q&A call is, how many dedicated consultants will be involved in the assessment? There is no “correct” answer to this question, and ultimately, the answer as to how red team engagements are staffed comes down to how the consultancy prefers to structure its engagements and workflow. I generally ask the following question back to the client:

Given the goals of the engagement, do you think it would make more sense to have two consultants for three weeks or one consultant for six weeks?

Historically, utilizing multiple consultants is rooted in penetration testing, where the ultimate goal is to provide thorough, coverage-based testing, and splitting in-scope hosts across multiple consultants can accomplish more in a shorter period. It is therefore understandable to conclude that reducing the number of calendar days is what will produce the desired results. If you buy a 12-week red team, then surely you could get the same results in four calendar weeks with three consultants as you could in 12 consecutive weeks with one consultant, right?

At TrustedSec, you will find our consultants to be fierce guardians of the engagement’s value. We want you to get every single dollar’s worth from your investment in our services. When it comes to a red team engagement, you are paying for the curiosity, skill, and determination of a real attacker. TrustedSec’s goal on red team engagements is more than just identifying potential vulnerabilities and exploiting them to show impact. Our clients want to include the evaluation of their detection and prevention controls, as well as their internal Incident Response procedures.

Our clients want these additional services because they know that, being a top-tier defender, you must do more than just apply the latest patches and configure the proper settings. You must also catch the threat before it becomes a breach.

So, how does this apply to the amount of consecutive days spent on an engagement? The shorter the engagement a consultant has to act as a predator, the louder they become. Have you ever read a data breach report that contained something like the following: “the attacker was resident in the network for six weeks”?

Artificially reducing testing time produces results only applicable FOR that time period.

Or, to put it another way, if a blue team can detect a red team engagement that was scheduled for a five-day period, then all they’ve shown themselves is that they can ONLY detect threats that act within that time frame.

To really simulate active attackers, it takes time—time to learn your network inside and out, what applications are used, and who everyone is (their role, habits, and flaws). Ultimately, it takes time to blend in, in order to find the flaws that go unnoticed during a typical penetration test. Ultimately, time is your best friend in achieving all this while evading detections.

There are always exceptions, of course—for instance, large companies on 2-month or longer engagements with immensely sprawling internal or external attack surfaces. Even in those cases, certain phases of the engagement might benefit from additional resources, but not the entire assessment.

So, if it’s just one consultant, where’s the “team”?

Well, when we use terms like “dedicated consultant,” what we really mean is a dedicated consultant who interfaces with you, the client. At TrustedSec, we do not and will not simply farm out engagement communications to an account executive or engagement coordinator while the person doing the technical work just lurks in the shadows. Every engagement is assigned an engagement lead, who is the technical consultant doing all the hands-on-keyboard testing work while also acting as the client’s primary interface with TrustedSec. The engagement lead has an entire catalog of teams to work with, from project management to advanced research, allowing us to achieve the engagement’s objectives.

Targeted Operations Team – Our entire team of senior-level operators collaborates daily, discussing the engagement progress, controls encountered (and their evasions xD), and sharing internal research or exchanging ideas around the latest cyber threat intelligence report. The team draws from each consultant's unique experience and perspective to deliver the highest quality results possible in the time allotted.

TrustedSec Research Unit – As the defensive space continues to quickly improve, we move towards a model of a dedicated research team that can provide long-term development and research, as well as ride side by side on all red team engagements. It is a common occurrence that an engagement objective roadblock is encountered, only to have a workaround program delivered the following day by the TrustedSec Research Unit. They also provide private training to various entities, helping them with cutting-edge tradecraft for whatever may come.

Application Security Team – TrustedSec has a dedicated application security team that performs web, mobile, and thin/thick client assessments, but can also be used on red teams when necessary. A common situation is encountering a public-facing web application that isn't tied to Active Directory or the primary IDP provider. We can either sign up for or use previous breach information to access a low-privilege, user-level account. Often, these legacy sites are scanned externally by the company or third parties but never from an authenticated standpoint. Numerous times, the Application Security Team has been able to help quickly convert an identified web application flaw into a working RCE for the Targeted Operations team.

Physical Security – They are good. Very good. If you ever meet them, you’ll walk away smiling, because you just had a great conversation with a genuinely nice and caring individual. You may want to take a peek into your server room, though—just sayin’…

Other Teams and SMEs across the company – TrustedSec consultants' broad backgrounds across other teams allow us to pull from experiences on-demand during red teams. If it's cloud-specific, network-specific, or any other area, it’s highly likely that we have a consultant with the background needed to help give you a great experience.

At TrustedSec, we genuinely want you to have the best and most valuable red team experience possible. That’s not just some marketing slogan—those are true words. This model has performed exceedingly well in providing the best client value over the years, while at the same time, we are constantly looking to refine and update our approach and methodology.