Apr 12, 2022

Making the Right Red Team Setup & Tooling Choices

Explore the key technology decisions to be made when setting up the environment and selecting toolsets for your Red Team.

In a recent blog for Help Net Security, SafeBreach’s VP of Product Yotam Ben Ezra explored the concept of cybersecurity Red Teams, including what they do, their goals, and the weaknesses in their methodology. We built on his ideas in a follow-on blog that discussed the high-level steps organizations can use to build a modern Red Team program from the ground up.

In this post, we’ll take a deep dive into the key technology considerations necessary to enable an effective Red Team, including environment setup and tool selection. We’ll also discuss how Red Teams can move toward a more continuous approach by leveraging breach and attack simulation (BAS) tools to automate the majority of the operational steps, including attack TTP and target selection.

Set Up the Environment

Red Team environments should be set up in a simple, safe, and flexible fashion. The goal is to mimic the environment an attacker would face in the presence of a Blue Team, without disrupting live production systems or requiring significant configuration changes in firewalls and other security tools. Above all, the security of sensitive data must be a top priority—any information Red Teams dig up should always be encrypted whenever it is outside an organization’s private data center. 

For this reason, it’s best to install a Command and Control (C2) server on a machine in a private data center or, at a minimum, in a virtual private cloud (VPC). Smart Red Teams vary their footprint by using different cloud hosts, geographic locations and availability zones for data centers, DNS domains and registrars, and domain categories. Each of these choices helps keep multiple attack paths open, so Blue Teams cannot easily identify a single attack path and block its traffic.

Choose the Tools

Red Teams break down their tools and activities into a handful of basic functions that relate to the type of data access they are given at the start of the exercise.

  • White box access: Offers full or partial access to internal code and, in some cases, the ability to scan or control configuration data.
  • Black box access: Offers zero access to Red Teams and is most analogous to attacks from the wild.
  • Gray box access: Offers a mixture of white box and black box access, with Red Teams getting access to certain types of information.

In the more common black box or gray box exercises, the Red Team approaches the exercise with little to no data access or knowledge about the target. In these situations, Red Teams will typically rely on tools for reconnaissance, access, and analysis. Fortunately, there are dozens of free and open source tools; a strong list can be found at SecTools.org. Many of these tools are built into common Linux distributions, as they are also useful to network and system administrators.

Reconnaissance Tools

To build a picture of the components of the target, Red Teams use reconnaissance tools. Below, we’ve included a partial list of tools available for this purpose. While there are other open source tools for most of these capabilities, we have found these to be among the most popular.

  • Nmap is a commonly used network scanner that integrates with many popular security tools and frameworks. Red Teams can use it to identify reachable devices on a target network and learn about their operating system, drivers, hardware, and much more.
  • Shodan functions as a search engine for Internet-connected devices and is particularly useful for finding poorly defended connected systems, like printers, smart monitors, Bluetooth headsets, and more. Such devices are often the easiest path into networks and trusted environments.
  • Slurp is a tool used to scan for insecure AWS cloud storage buckets. With Slurp, Red Teams can scan by domain or keyword, looking for buckets that might hold secret keys or other sensitive information that can be used to access AWS accounts.
  • Dnsrecon finds and identifies domain names and their associated IP addresses on a target network. This is useful for attack targeting and for more sophisticated attacks that leverage weaknesses in DNS redirects or DNS misconfigurations.

Network Access & Analysis Tools

Once reconnaissance efforts have provided a decent picture of the target and its security posture, Red Teams apply various exploit tools to crack passwords or mount social engineering attacks. After a Red Team gains access to protected assets, it then needs to conduct internal analysis of the network and decide how to proceed toward its goal of system compromise, surveillance, or data exfiltration. Below, we’ve identified several popular tools that Red Teams can use as they attempt to exploit and breach systems.

  • Ncat is a general-purpose tool for reading, writing, redirecting, and encrypting data across a network. It can perform a wide variety of security testing and administration tasks, including acting as a simple TCP/UDP/SCTP/SSL client and server to interact with web servers, telnet servers, mail servers, and other TCP/IP network services and the clients that use them. It can also act as a connection broker, a network gateway, and a proxy/redirect service to push traffic to other ports or hosts. Ncat is also useful for reconnaissance and is published by the same security expert who created Nmap.
  • Wireshark, built by a team at Sysdig, is a widely used network protocol analyzer that provides packet-level insight into what’s happening on a network. Wireshark lets you capture live traffic or analyze recorded traffic with a huge array of filters. It can parse all commonly used communications protocols and reads the capture file formats of many common network monitoring and security tools. Wireshark provides deep inspection of hundreds of protocols, with more being added all the time.
  • Aircrack-ng is a suite of tools with everything you need to analyze and crack Wi-Fi networks. It covers monitoring (packet capture and export to analysis tools), attacking (replay attacks, fake access points, packet injection), testing (checking Wi-Fi cards and drivers), and cracking for multiple security protocols, including WEP, WPA, and WPA2. A popular alternative is Airgeddon.
  • Hashcat is a password hash cracker with GPU support, allowing it to brute-force any eight-character Windows password (the default minimum length) in a couple of hours. For Macs and Linux machines, John the Ripper is a viable alternative, supporting hundreds of hash and cipher types.
  • Dradis is a reporting and collaboration tool used by information security teams to save time and ensure everyone is on the same page. The free community version has 19 integrations with widely used security tools, visual dashboards with charts and progress reports, one-click report generation, and easy online access.

Leverage Breach & Attack Simulation

Breach and attack simulation (BAS) has emerged in the past few years as a viable solution to augment Red Team exercises and, in some cases, replace some Red Team tools by automating adversarial simulation. BAS allows security teams to rapidly test their applications and infrastructure for security gaps and weaknesses against a wide range of exploits used by attackers, including the newest and most relevant threats.

BAS augments both penetration testing and Red Team exercises by providing a systematic method to validate which security controls are working and which attacks will not be blocked by defenses. Because BAS tools are automated and run in a sandboxed environment segmented from actual production assets, they can run continuously and cover far more of the attack surface. This continuous capability is crucial in emulating modern attack patterns and providing the type of continuous feedback required to fight security drift. The broad coverage enabled by BAS allows Red Teams to provide metric-driven assessments of security posture, based on business-centric risks. 

BAS tools can also export results into Red Team tools for attack coordination. Red Teams can use BAS to run precise targeted attacks, eliminating much of the required reconnaissance grunt work and freeing them to be more creative in their approaches. And, if the BAS tool continuously adds new vulnerabilities from leading databases and frequently upgrades attack playbooks and TTPs—like the SafeBreach BAS platform—Red Teams gain the benefit of using the latest security vulnerabilities as part of exercises. This, in turn, increases the security metabolism of organizations and reduces security drift by upping the frequency of security control testing and reconfiguration. In some cases BAS can even replace Red Team tools, reducing overhead, while increasing coverage without adding headcount or headaches. 

The Future & Continuous Red Teaming

Because attackers are continuously probing and attacking, cybersecurity never rests. This is truer today than ever, with the number of newly reported vulnerabilities having hit record levels in each of the past four years. Red Team exercises are a valuable way to combat these threats: they stress-test your security posture with simulated attacks that use a diverse array of TTPs and attack surfaces, confirming that existing controls and processes work and identifying areas for improvement.

Just as software development has moved toward continuous integration and continuous delivery (CI/CD) to support more frequent, reliable, and automated code changes, we believe Red Teaming will begin to transition away from specific, bounded exercises toward a continuous approach that tests security posture on an ongoing and reliable basis.

To do this, Red Teams will have to change the way they operate, the tools they use, and the mindset with which they plan their approach. To keep up with code velocity and rapid iterations, Red Teaming must become an “always-on” capability, rather than a special exercise requiring months of planning and execution. While this may sound challenging, a BAS platform can provide the tool Red Teams need to enable continuous simulations of a wide variety of TTPs and playbooks of known attacks customized to the needs and risks of an organization. 

Interested to see if the SafeBreach BAS platform can help your Red Team? Connect with a SafeBreach cybersecurity expert to discuss your use case or schedule a personalized demo today.
