How to get started with red teaming

Dominic Mortimer
Red Team Specialist

Over the last few years of delivering red team engagements, I've had the luxury of working with organisations at every stage: those just starting out with red teaming, all the way up to hardened and heavily monitored networks. In that time I've found that one of the key areas that makes or breaks a successful operation is the scoping, sizing and planning of the engagement. Exploring more threat-led and realistic testing approaches can be daunting. Organisations often dive headfirst into large end-to-end engagements that are cost prohibitive, or that are delivered in the same way as a penetration test, leading to disappointment and wasted resources. This blog aims to explain where to start or, if you're already exploring red team activities, how to get further value from varying approaches. In this short article I will walk through the areas to consider when exploring red teaming assessments and offer some hopefully useful insights.

What makes a red team engagement?

So, to start from the top: what makes a red team engagement different from a penetration test? The short answer: a pen test sets out to give you a comprehensive list of vulnerabilities to fix. A red team sets out to circumvent your defences the way a real attacker would, delivering very valuable insights in the process.

The longer answer is more useful: red teams are threat driven, meaning we use real threat intelligence as an ongoing guide for operations. This doesn't mean we robotically follow a set playbook with no deviation. Rather, we apply the same processes and approaches used by real threats, modifying our techniques based on the target whilst adhering to the threat's operational goals and capabilities. Red team engagements are goal oriented, which keeps the attacking team focused on the areas that matter to the client.

A penetration test, on the other hand, seeks to find, evaluate, exploit and categorise all vulnerabilities in as short a time as possible whilst covering the maximum number of systems. A red team typically follows the path of least resistance to achieve its objectives and prioritises depth over breadth of coverage. Red teaming is designed to take a holistic view of your defences at each layer, and the depth of detail in findings and recommendations should be noticeably greater than in normal penetration testing results.

Context is king. Within a red team engagement, we look to work within the confines of your technical and procedural controls. We do not ask for exceptions to be made or whitelisting actions to be taken unless required by time or financial constraints (we call these fall backs or dechaining events). We provide you with insight into the wins and losses across an attack chain. If your defences excel at repelling initial access but your internal network is more of a chocolate fondant, the red team will highlight this.


Penetration testing is often carried out from highly trusted networks using attacker-controlled devices in highly unlikely configurations, disregarding all the defensive protections an attacker would have to pass to reach that point. With red teaming, very few findings are isolated; instead they form part of a complete attack chain.

Red vs blue

Detection and response matters! A red team is not a red team without a counterpart, be that an external MDR, a dedicated internal security team, or a growing security function. The red team provides an ideal opportunity to evaluate and enhance the protection these services offer. All reports do (or should) contain detailed detection guidance around the techniques and approaches used during the assessment. The red team should highlight detection gaps and provide realistic context on these blind spots. No one can (or ever will) detect everything, so the question is which areas of the attack chain within a scenario deserve focus: the points where the attacking team is at its most vulnerable. An experienced red team will be able to provide this insight.

Maturity, objectives and complexity are the guiding principles I use when designing scenarios and proposals. These differ from the quantity-driven approach often taken in a penetration test, where complete coverage is wanted or samples are taken. With these principles we can provide project delivery estimates and costing that deliver the best value for a client and align outcome expectations early on. Red teams often work with wide scopes and targeted objectives. This wide-to-narrow approach ensures the attacking team has every opportunity to achieve its objectives in the same way a real attacker would, while those objectives keep the engagement on track and stop it drifting off course.

What’s the right kind of test then?

So, with some of the basic differences out of the way, if you're looking to start a journey into red team testing to support your ongoing operations, here are some of the best ways to enhance your current testing approaches:

Assumed Breach

These engagements can be standalone or (pro tip) added into existing penetration testing projects. Assumed breach assessments deliver red team approaches without many of the more costly and complex aspects of a full red team test. By assuming an organisation can and will be breached at some point, the red team can design a scenario that puts the defensive layers of your organisation to the test. If you still want to include stealth or evasion to test a SOC, that can be done. Want to see what happens if someone clicks a phishing link? We can design that scenario and play it out to completion. You get all the findings, context and recommendations of a full red team report without the initial access overheads, a significant reduction in complexity that allows for a lower day count. Simple as that.

Purple Teams

Just want to focus on detection and response? Think your current SOC can handle the worst a ransomware gang can throw at it? Find out with a purple team, in which the red and blue teams work hand in hand to evaluate and enhance an organisation's detection capabilities against numerous TTPs packaged into a threat scenario delivered by the red team. These are great to carry out incrementally and regularly to enhance protections before putting them to the test in a complete end-to-end red team engagement. The size and coverage of a purple team is entirely up to the organisation, but we suggest starting in sections: smaller, regular engagements that each cover a phase of an attacker's playbook and allow time for improvements and tuning between them.

Red Teams

The main event! At Bulletproof we have designed a robust, phase-based delivery approach. We always want to deliver the best results we can within our clients' budgets and timelines. We get it: not everyone has the budget for a full low-and-slow three-month engagement focusing on novel attacks and complete realism. We will, however, do everything we can to manage expectations and deliver what we feel is best for you, even if that is not a red team. We can also deliver what we call "Guided Red Teams". These follow the full end-to-end process of a red team test, starting externally, but have a larger number of clear and direct fall back or dechaining checkpoints. This ensures the engagement continues to move through the phases and delivers results across the attack chain on a more compressed timeline. A few examples of these checkpoints:

  • Falling back to assumed breach after a pre-defined amount of time.
  • If the attacking team is unable to maintain persistent access to the network by a pre-defined time, the engagement moves to a collaborative purple team styled final delivery to assess the ability of the defences to prevent and detect the attack.

These checkpoints would usually also be part of larger, less compressed engagements, but using a stricter timeline with a smaller set of very clear objectives can reduce costs. Again, it's all about managing complexity, maturity and objectives, and to a degree realism, to size an engagement correctly. We are confident in this because of the planning and delivery approaches we have in place, designed from experience delivering complex engagements over the years. A structured approach is always something I would recommend you look for in your providers, whoever they are: not a strict robotic checklist, but a clear understanding of the complexities and expectations of these operations.

OK, where do I start?

The other side of the coin might be that you haven't had any form of testing done but want to explore red teaming. I would always suggest that organisations get the basics done before jumping in for a red team, though the waters are a bit less clear these days with some less reputable security providers selling penetration testing as red teaming and vice versa. Red teaming is an evaluation of the organisation as a whole, and a true sign of maturity is the basics done and done well. So start small: ensure you have a handle on vulnerability management, carry out penetration testing, and align your systems and networks with hardening best practices. From there, detection and prevention should also be considered. With these basics in hand and a good understanding of your security operation, you should look to add red team engagements in tandem with other tests or in isolation. This might mean starting with assumed breach or a tailored end-to-end red team.

Top Tips for getting a good red team

  1. Know what you want

    When looking for a red team engagement, ensure you can go into a discussion with an open mind and a grasp on what's important to your organisation. The clearer the vision you have of what you want out of the engagement, the better the attacking team can design a scenario to fit. Red teaming exists to support, develop, and enhance your security posture, so make sure the projects do just that and support your organisation’s key areas of concern.

  2. Be aware of the strengths and weaknesses of red teaming

    If you want to test a single web application as a red team, you're missing the key advantages of a red team and could probably get better results from a code review and web app penetration test. But if you want to see whether an attacker can gain access to the CI/CD pipeline and underlying code bases that underpin that web service, that sounds like a good goal to me. Just be aware that the more false constraints and assumptions you add to an engagement, the more you limit its value, and you may be better served by other testing approaches or review activities. Like many things in life, no single approach is best for everything.

  3. Find a reputable provider

    The next step is choosing a supplier, as most organisations are not in a position to run their own internal red team. That's where I've made my career as a consultant and red teamer for hire, so here are my views on selecting a provider. I may be biased, but ensure you pick a supplier based on capabilities and track record. Look for an established methodology and an organisation whose outcomes and approaches align with your organisation's goals and expectations. Red teaming is highly complex and continues to get harder: modern EDRs and protection mechanisms present more of a challenge, so picking a provider suited to your organisation's maturity level is important. As I said before, we are here to elevate you, and the best red teams adapt to your organisation, tailoring approaches and operations to deliver results and growing with you over repeat engagements.

  4. ‘Good’ doesn’t have to mean ‘expensive’

    The elephant in the room is, of course, costing. It's a concern for all organisations, and the old adage "you get what you pay for" certainly applies here. There are ways to limit expense whilst maintaining good outcomes that we can apply for cost-conscious customers. At Bulletproof I make sure we always explore every option to deliver engagements within budget expectations. This comes back to both sides being upfront and honest about expectations and working towards an outcome that ultimately benefits the security of the organisation.

I hope this blog has provided a small insight into the different engagement options and approaches possible with red teaming. If you just don’t know if you need it or how to start, don’t be afraid to get in touch. We can have an impartial conversation around engagement options: we don’t want to sell you something that won’t give you value, so we’re always happy to discuss options and suggest relevant testing approaches.


Meet the author

Dominic Mortimer Red Team Specialist

Dominic’s role heading up Bulletproof’s red teaming division means he’s well versed in talking about adversarial security testing. You can find him writing about interesting approaches and insights across all areas of red teaming.
