An expert ethical hacker reveals how he goes about carrying out a red team exercise
Published: 29 Dec 2022
Hacking can be a dirty word. It evokes images of a person sitting in the dark with a black hoodie on, hunched over a keyboard, in front of multiple screens, attacking an innocent business, or individuals, online. It automatically generates thoughts of terrible ransomware attacks and cyber criminal gangs with names such as Evil Corp.
But cyber criminals have a foe – ethical hackers. We hack companies to show them their weaknesses so they can fix them before they are breached.
Companies are aware that cyber attacks are increasing by 50% year on year. With organisational spending on cyber security at an all-time high, firms are spending significant amounts on their security infrastructure. I’m often asked: How can we know that our cyber security is working effectively?
My advice to companies is simple – invest in a red teaming test.
Red teaming is the practice of simulating a multi-layered cyber attack that tests the effectiveness of every aspect of an organisation’s security. Rather than running the risk of financial and reputational damage after being hit by a ransomware attack, hire ethical hackers to simulate an attack to unearth vulnerabilities, so that they can be addressed before it’s too late.
Rob Shapland, Falanx Cyber
Cyber attacks – like when Revolut was breached in September 2022, revealing 50,000 customers’ sensitive data – might have been prevented with a red teaming test that would have pinpointed the threat social engineering posed to the team.
For a company to be put through its paces, it needs to be tested through active and proactive attacks of both its virtual and physical systems, using the same tactics, techniques and procedures as cyber criminal groups are using right now. My team typically carries out a red teaming mission in five steps:
- We always begin with open source intelligence gathering (OSINT). As with the first stage of any operation, we begin an attack by investigating a company and its employees, gathering inadvertently revealed information. This comes from a variety of sources, with a focus on the company’s and its staff’s social media pages. We use this to plan our attacks, both cyber and physical.
- We then identify internet-facing systems that may have been insecurely configured or have login pages we can access using stolen credentials, as potential access points to break into an organisation.
- This is typically supported by email phishing and telephone vishing attacks – two hacking techniques, together known as social engineering. By phone, we call employees to try to have them divulge sensitive login information. Then we send phishing emails using personal information gathered during OSINT to trick employees into revealing sensitive information, like their username and password, or to open an attachment that would let us into their computer.
- Last, but certainly not least, is the physical intrusion of their premises. It may surprise you to hear that cyber attacks can happen in person. This is my specialty. To simulate this, we use various tricks and disguises to access the organisation’s offices to compromise its network, plant keylogger devices, or steal valuable information right from under the business’s nose. At Falanx Cyber’s office, we have a wardrobe full of costumes, from an everyday plumber’s outfit to a postman’s uniform, that we wear as a disguise to test whether a company’s security will let unauthorised people into the building.
- All these steps combine to allow us to breach the perimeter and access the organisation’s internal network. When we find a successful route in, we will then attempt to escalate our privileges to gain access to sensitive data that a cyber criminal would target. The process culminates in a strategic report, detailing identified weaknesses, and recommendations for making an organisation’s defences more robust.
Red teaming exercises provide a comprehensive look at just about any tactic, vulnerability, or entry point cyber criminals might use to breach your systems. Without one, companies will never know how secure their systems are.
With almost 90% of hacks due to human error, it’s important to test your employees’ cyber defence abilities. And unlike a simulated penetration test, staff are unaware that a red teaming mission is underway against them – almost like a mystery shopper. It truly is the best way to improve overall security, with the bonus of reinvigorating your staff’s commitment to cyber security by putting them through their paces.
This may be unsettling to hear, but the only real way you can determine the effectiveness of your security is by getting hacked. Red teaming tests employ both virtual and physical methods to probe for weakness, exactly as a cyber criminal would. Knowledge is power. Find out what your weaknesses are so you can put in place the defensive and offensive protections to mitigate them.