
Red Team Definition
These definitions have been created and agreed upon by our Advisory Working Group as standardised descriptions.
Comparative definitions
A confused commissioning landscape is driven by a lack of standardised definitions of what red teaming exercises actually involve, as well as a perceived (but not necessarily accurate) belief that red teaming is ‘better’ than pen testing – with the result that a client follows unregulated advice or is budget-driven and isn’t asking for what they actually need.
The Cyber Scheme have created the following standardised definitions, on behalf of and in conjunction with industry, allowing the prospective scope to be more reflective of actual need in contracts.
The following definitions have been created after extensive consultation with The Cyber Scheme and industry partners.
Red Teaming
Red teaming is the practice of mimicking an adversarial approach/attack designed to evade detection and to test the organisation’s defence capabilities (Blue Team / SOC and wider IT department).
By defining an organisation’s likely threat actors*, attack vectors can be created using knowledge of real-world threat actor capabilities, allowing the red team to play out the scenario most likely to be used by an adversary. A Red Team is a live-fire stress test designed to simulate an attacker scenario.
Playing out these scenarios rigorously challenges the commissioning client’s assumptions about its readiness to manage an attack and to enact its defence strategies, security policies and procedures, all of which are tested against a live simulation of an attack.
The client may specify any reporting requirements and any quantitative metrics. The report should include, but not be limited to, an executive summary detailing the commercial implications of any critical findings, and a technical report detailing findings and methodologies, the tactics and techniques deployed, and any tool output specific to successful attack vectors. These should be supported with actionable recommendations.
* Threat actors range from Script Kiddies to Nation State; the tactics, techniques and procedures deployed by each differ in maturity and capability.
Core elements of Red Team methodology
Core attributes of a balanced methodology that is focused on client/customer need:
Define
The requirement, and agree the TASKS that need to be delivered to satisfy that requirement.
Develop
Agree the PLAN for the execution of the agreed TASKS, in line with the agreed risk tolerance, budget and resources.
Manage
The DELIVERY of the PLAN and how identified issues and risks will be managed/mitigated.
Measure
The OUTCOMES, consequences, remediation recommendations and residual risks.
Vulnerability Assessment
VA – The process of finding vulnerabilities on a system, environment, or enterprise by running well-established automated scanning tools, the output of which is the standard vulnerability tool findings report. Usually repeated on a regular basis to identify vulnerabilities for internal remediation teams, it forms the basis of basic security hygiene.
VA+ – Builds upon a VA exercise by requiring the testing team to remove false-positive results.
No exploitation of the findings is conducted. Usually repeated on a regular basis to identify vulnerabilities for internal remediation teams, it is also one of the initial activities in a penetration test.
In both cases the tests are automated with little skilled tester input; such input would come from an internal team or an external consultant.
Penetration Testing
Internal (from within an organisation) and External (from outside an organisation) testing:
The process of finding vulnerabilities or chains of vulnerabilities, misconfigurations and data breach risks through enumeration and then exploitation (or proofs of concept where exploitation is considered unnecessary or too great a risk*), within a scope defined by the commissioning client.
Usually, such tests are performed on a subset or section of infrastructure, a defined target environment, application, API or product. Reasonable proof that the vulnerabilities exist, through tool and manual review, is expected (i.e. removal of false positives**), and remediation advice is expected to be presented.
The client may specify any reporting requirements and any quantitative metrics (e.g. CVSS). It is reasonable for the client to expect an executive summary to support a technical report detailing findings and tool output that proves the existence of the issues discovered by the penetration test; these should be supported with actionable recommendations.
* Where a client scope specifies that no exploitation is to be undertaken, the engagement would be considered a vulnerability assessment.
** Where vulnerability detection consists of running a set of automated tools and interpreting the results, the activity should be considered a vulnerability assessment.