External Attack Surface Management for Red Teaming

Attack Surface Management for Red Teaming

Last Updated on 22 February 2024 by Alastair Digby

The modern cyber threat landscape sees an ever-expanding influx of malicious actors using a slew of tactics, techniques, and tools to break into networks.

One approach that has gained popularity in recent years is Red Teaming, a simulated attack exercise that tests an organization’s security posture by emulating the tactics, techniques, and procedures (TTPs) of real-world attackers.

External attack surface management tools have become a key component of Red Team engagements, enabling organizations to gain a comprehensive understanding of their attack surface, identify potential vulnerabilities, and assess the effectiveness of existing security controls.

While the motivation for cyber attacks is often financial in nature, some threat actors want to access confidential data for intelligence-gathering, and others seem to enjoy wreaking havoc for the sake of it.

Organizations attempt to build robust information security programs to help fend off threats and better manage risks to information and systems. But merely studying common attack tactics and putting controls in place doesn’t equate to actually experiencing a real-world threat, which is why red teaming is on the rise.

In this article, we will explore how attack surface management tools are used in Red Team engagements, and why they are essential for organizations seeking to enhance their cybersecurity defenses.

What is red teaming and how does it work?

Red teaming is a cyber security engagement in which ethical hackers emulate real-world tactics, techniques, and procedures (TTPs) to assess an organization’s cyber resilience. These ethical hackers are experts in offensive security, a more proactive approach that tests security postures from an adversary’s perspective in order to actively seek out problems and flaws.

It’s important not to conflate red teaming and penetration testing because even though they sound similar and both fall under the umbrella of ethical hacking, there are crucial differences.

Pen testing attempts to find and exploit as many technical vulnerabilities as possible along with assessing their risk levels. A red team assessment is more focused on getting inside your network by any means possible to achieve a specified objective, such as accessing sensitive data or compromising a critical business application.

The underlying goal of red teaming is to test detection and response capabilities rather than compiling a comprehensive list of exploitable vulnerabilities. In other words, a red team exercise is a thorough test of the people, processes, and technologies used to manage your security risks.

When looking at other types of security testing, a good way to understand the differences is to use two dimensions: breadth of testing and depth.

Here is a brief breakdown:

  • Vulnerability assessments systematically analyze your applications and hardware for a wide range of known vulnerabilities.
  • Penetration testing goes slightly deeper and narrower than vulnerability assessments by exploiting any vulnerabilities found in a system, network boundary, or app in an effort to assist with vulnerability prioritization.
  • A red team engagement is the most in-depth but narrowest of these three testing approaches because it goes deep with a specific objective to test the full gamut of security operations, but only exploits vulnerabilities to the extent that they’re impactful enough to help the red team move further into your environment.

Rather than waiting for a costly real-world breach to learn about weaknesses that vulnerability tests or even pen tests failed to reveal, red teams inform you of these flaws before attackers get to them. Professional ethical hackers working on red team engagements excel at challenging assumptions about your security stance and running through red team scenarios based on “what if?” questions.

Red team testing originated as a military exercise that some sources attribute to the German army in the 19th century while others date the origin as far back as Antiquity. Its use in cybersecurity became popularized during the early to mid-2000s, although early pacesetters such as Huawei used these engagements during the 1990s. Today, some surveys report that the proportion of businesses using red teaming reaches as high as 72 percent.

What are the challenges red teams face?

Being truly authentic

The goal of red teaming exercises is to emulate real-world threat actors as authentically as possible. A major challenge is incorporating the blunders or mistakes that real-world adversaries often make into a red team attack simulation exercise. Malicious threat actors are technically adept, but they aren’t always perfect; they could use an old tool that’s suboptimal for achieving their goals.

The best red teams base their exercises on studying toolkits and tactics used by known cyber gangs in addition to reports available within the cyber intelligence community. This allows for a better reflection of what adversaries “in the wild” often do when hacking into networks. Authenticity is better than perfect stealth even if it means using an outdated tool or process.

Infrastructural complexity

The infrastructural complexity of modern IT environments poses difficulties for red teams attempting to follow the attack kill chain. An increased digital footprint from multi-cloud deployments, SaaS applications, and remote workers makes it hard to account for attack surfaces dynamically changing as assets connect and disconnect from your network. Limited resources and tooling to deal with this infrastructural complexity can ultimately hamper visibility for red teams who need an outsider’s full perspective.

What are red teaming attacks?

Red team attacks use a methodical approach to simulate real-world cyber attacks. Red team assessments typically begin with a planning phase that involves setting objectives and agreeing on the ground rules of the engagement.

After performing reconnaissance and identifying different potential avenues for achieving objectives, the first active attack element begins with gaining access to your environment. Next, the red team establishes and deepens their foothold in your network before finally completing objectives. When the attack exercise is complete, the red team provides you with a comprehensive report documenting weaknesses, attack flow diagrams, and observations that allow you to improve security operations.

Importance of asset discovery and inventory for red teams

Any red team activity improves in effectiveness and efficiency when there is a complete, accurate, updated inventory of all your external IT assets available. This ideally should include any shadow IT assets that employees use outside the knowledge and approval of your IT team.

Part of the reconnaissance phase of real-world cyber attacks is enumeration, which uses tools to extract the machine names, network resources, apps, and services that make up your external attack surface. The problem is that the red team tools typically used to replicate this enumeration don’t scale well enough to encompass the full complexity and ever-changing nature of a modern attack surface.

Solutions that provide dedicated attack surface discovery and inventory capabilities can map out the assets that make up an organization’s systems, networks, and applications. Due to resource and time constraints, it’s not feasible for a traditional red team assessment to build a comprehensive asset discovery and inventory on its own. Whether the goal is to exfiltrate data or get inside a target system, asset discovery and inventory solutions make red teaming activities more accurate and reliable.

How can red teams use external attack surface management?

Working from an accurate map of assets helps red teaming on its own, but when used as part of a wider external attack surface management (EASM) solution, the impact becomes even more profound.

Red team exercises can involve a lot of guesswork as the team performs various scans and searches for footprints and vulnerabilities. With a fully mapped out and monitored list of assets, EASM solutions then present users with continuous vulnerability insights and alerts about risky misconfigurations or changes within an IT environment.

For red teams, this is great news because it saves a ton of time in guesswork and allows them to focus on the most impactful vulnerabilities. There is no real discrepancy between the purpose of red teaming and the use of attack surface monitoring. Red teams (and definitely real-world black-hat hackers) will eventually find out this information.

External attack surface management makes red team activities far more efficient. Instead of constantly running manual scans for open ports, the solution automates visibility and removes low-value manual tasks. Saving time and getting more purposeful results are two compelling ways red teams can benefit from EASM.
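The "alerts about changes" idea above, as an added example (not Informer's code): two constructed inventory snapshots of an external attack surface are diffed, and each new asset, newly exposed port, or changed service becomes a prioritised alert. The host names, the snapshots, and the list of services treated as high risk when internet-facing are all assumptions made for the example.

```python
"""Attack-surface change detection: diff two inventory snapshots and raise alerts."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed list of services that deserve a high-severity alert when internet-exposed.
RISKY_SERVICES = {"rdp", "smb", "telnet", "redis", "mongodb", "ftp"}

# Constructed sample snapshots: host -> {port: service}
SNAPSHOT_T0: Dict[str, Dict[int, str]] = {
    "www.example.com": {443: "https", 80: "http"},
    "mail.example.com": {25: "smtp", 443: "https"},
}
SNAPSHOT_T1: Dict[str, Dict[int, str]] = {
    "www.example.com": {443: "https", 80: "http", 3389: "rdp"},  # RDP newly exposed
    "staging.example.com": {8080: "http", 27017: "mongodb"},      # previously unknown host
    # mail.example.com no longer appears in the scan
}

@dataclass(frozen=True)
class Alert:
    kind: str             # new_asset | removed_asset | new_port | closed_port | service_changed
    host: str
    port: Optional[int]
    detail: str
    severity: str         # high | medium | info

def _severity(service: str) -> str:
    return "high" if service in RISKY_SERVICES else "medium"

def diff_inventory(prev: Dict[str, Dict[int, str]], curr: Dict[str, Dict[int, str]]) -> List[Alert]:
    """Return alerts for everything that changed between two snapshots, highest severity first."""
    alerts: List[Alert] = []
    for host in sorted(set(prev) | set(curr)):
        old, new = prev.get(host), curr.get(host)
        if old is None:  # unknown (possibly shadow IT) host: report all exposed services at once
            sev = "high" if any(s in RISKY_SERVICES for s in new.values()) else "medium"
            alerts.append(Alert("new_asset", host, None, ",".join(f"{p}/{s}" for p, s in sorted(new.items())), sev))
        elif new is None:
            alerts.append(Alert("removed_asset", host, None, "host no longer responds", "info"))
        else:
            for port in sorted(set(old) | set(new)):
                if port not in old:
                    alerts.append(Alert("new_port", host, port, new[port], _severity(new[port])))
                elif port not in new:
                    alerts.append(Alert("closed_port", host, port, old[port], "info"))
                elif old[port] != new[port]:
                    alerts.append(Alert("service_changed", host, port, f"{old[port]} -> {new[port]}", _severity(new[port])))
    return sorted(alerts, key=lambda a: ({"high": 0, "medium": 1, "info": 2}[a.severity], a.host))

if __name__ == "__main__":
    for a in diff_inventory(SNAPSHOT_T0, SNAPSHOT_T1):
        print(f"[{a.severity:6}] {a.kind:16} {a.host}:{a.port or '-'} {a.detail}")
```

Run on a scheduled scan, a diff like this is what turns a one-off inventory into the continuous monitoring the section describes; the red team only has to look at the top of the list.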

Informer’s attack surface management platform

Start improving red team visibility into known and unknown assets to better reflect what adversaries see with Informer’s external attack surface management solution.

The platform discovers and maps your external attack surface in minutes, which enables red teams to get a holistic view and focus on the most impactful ways to achieve the objectives of their engagements. The outcome is a more accurate appraisal of your security operations that reflects fluid and complex modern IT infrastructures, automates menial tasks, and focuses on the most high-risk vulnerabilities.