Sun, Jun 12, 2022

What Is a Red Team Exercise & Why Should You Conduct One?

Ransomware, nation-state attacks, and data breaches are costly, devastating problems that impact both your finances and reputation. To prevent cyberattacks, organizations invest massive amounts of capital into building up cyber defenses, but having products in place isn’t enough. The only way to know if your approach is working is to test your environment against attackers, but inviting criminals to target your business is, for obvious reasons, not an option.

The solution to this dilemma is to hire experts to stage an attack on your systems the same way real threat actors would. We call this practice “red teaming,” and it’s a vital part of any good cybersecurity program.

What Is a Red Team Exercise?

Over the last few years, the term “Red Team” has become a buzzword in the information security community. The varied uses of the term within the industry can be confusing. Some organizations call their internal offensive security teams “Red Teams,” with responsibilities ranging from web application penetration testing to full-blown red-team operations. For the sake of this discussion, we will define a Red Team engagement using a common definition that appears outside of military contexts:

“Red Teaming is a full-scope, goals-based adversarial simulation exercise that covers physical, electronic, and social attacks. This type of testing should not only test electronic attacks by targeting web applications and network infrastructure but should include social and physical attacks that test staff, their adherence to policies, and building security measures in place.”

In a red team exercise, a group of cybersecurity pros plays the role of an attacker to test the effectiveness of your security program. 

What’s the Difference between Red Teaming and Penetration Testing?

Penetration testing focuses on exploiting the vulnerabilities of only one specific system or set of systems. The goal is to test the resiliency of the technology in place. Red team testers play the role of real threat actors, concealing their movements as much as possible and trying to get as far into the target systems as they can.

In a red team scenario, only upper management is aware that the test is being performed, while the majority of the IT team (referred to as the blue team) is completely unaware that what’s happening is a drill and not a real attack. Furthermore, a red team operation extends beyond software and into social engineering, employing phishing methods or even attempts to enter the premises. 

Penetration testing is usually the methodology of choice for evaluating systems, while a red team exercise provides an evaluation of the defenses as a whole, including technical controls, processes, and training.

Which Is Better?

Ideally, you should regularly perform both penetration testing and red teaming exercises. As our blog about red teaming for enterprises explains, pen testing and red teaming are complementary. Frequency and intensity will vary based on what industry you work in and what is happening in the world at large. If your business provides infrastructure services in an area where military activities are taking place, for example, your defensive capabilities would demand more frequent and intensive testing. Organizations with a mature security posture often conduct regular red teaming exercises and engage in continuous penetration testing.

Why Conduct a Red Team Exercise?

Red teaming tests your organization against the top threats facing your particular industry, whether that’s a data breach, a sophisticated ransomware attack, or an attack from nation-state actors. While it’s best to test against different types of attacks, what industry you work in will decide which type of attacks you should prioritize when it’s time to test. A good partner will help you figure out what you should be testing against based on your business.

Red Teaming and Data Breaches

Between 2020 and 2021, the average cost of a data breach in the U.S. rose from $8.64m USD to $9.05m USD, according to IBM’s 2021 Cost of a Data Breach Report.

Red Team exercises can be used to hone detective and protective controls as well as a security staff’s response skills. Your internal security team is the blue team, and is tasked with stopping the red team’s adversary emulation in a simulated attack.

The “Cost of a Data Breach Report 2020” from IBM provides detailed quantitative data showing that businesses that conduct Red Team exercises have reduced costs when a data breach occurs. The following year’s report lays out an updated list of the root causes of data breaches—all of which can be tested for and improved as part of a Red Team engagement—and identifies core test cases covered in a Red Team assessment.

Red Teaming and Ransomware

According to the aforementioned IBM report from 2021, the average total cost of a ransomware attack is $4.62m USD, and that number doesn’t account for the actual ransom that many organizations end up having to pay to keep their business moving. Ransomware is a top threat in part because attacks are continuously becoming more sophisticated and harder to stop. 

Ransomware poses a particularly dangerous threat to industrial organizations that need to meet tight deadlines and play their part in the supply chain to continue doing business. In these cases, it’s difficult to put a price on the damage because much of it can be reputational — other organizations are less likely to work with a company that’s been hit by and proved unprepared for ransomware. Criminals know that manufacturers in particular need to keep their business moving at a steady pace, and this has led to an increase in ransomware attacks against them. Penetration testing is a good tool, but you won’t know for sure if your defenses are good enough without running red teaming exercises.

Red Teaming and Nation-State Actors

The danger of nation-state actors has risen recently, and stands apart from breaches and ransomware because of the intended effect. Ransomware attacks and data breaches are committed to make a profit; ransomware attackers want their ransom money, and data breaches are committed to get user credentials that can be sold or used for other purposes. In the case of nation-state actors, the goal is damage. 

Critical infrastructure is at particular risk from nation-state attacks. In these cases, the attacker’s goal is to disrupt or disable the systems to gain leverage or achieve strategic goals. This is one of the reasons that the U.S. government saw fit to issue a primer on increasing cybersecurity during the conflict in Ukraine.

If your business is a likely target for this group of threat actors, red teaming is a must. Because the attack is a mission rather than a job, nation-state attackers will throw everything they have at a target with the intention of breaking a system rather than exfiltrating data or locking it down to demand a ransom. Red teaming is the only type of testing that provides an accurate picture of an organization’s security in regard to these threats.


Focusing on maturing your prevention, detection, and response controls to protect against the most prevalent adversary tactic is a wise decision. Red team exercises are a core element of improving the security posture of your organization.

What Should a Red Team Exercise Provide?

At a minimum, make sure that the red team’s techniques are modeled after real-life threats to your industry. The purpose of the assessment is to test your ability to prevent, detect, and respond to real-world attacks. And, in the end, you need the assessment to provide tangible data for speaking to executives about your ability to detect and eradicate a particular threat that concerns your business. You should know at which points in the attack chain your detective and preventive controls enable you to identify the threat, how long your team takes to eradicate the threat, and what blind spots need to be addressed going forward.

A well-executed Red Team engagement is about more than just an attack simulation. The report after the assessment should be actionable, and provide data and metrics that are designed to inform executive decision making about future security spend. Along with a complete list of findings and remediation advice, a Red Team report should contain the following metrics:

  • A “heat map” of your organization’s detection and protection maturity, mapped to individual attacker tactics, techniques, and procedures (TTPs)
  • An analysis of which tools your organization uses, which TTPs each tool should catch, and any identified execution or coverage gaps 
  • Mean Time to Detection
  • Mean Time to Remediation
  • The eradication success rate

These metrics can help you decide whether it’s best to buy new products, invest in fine-tuning the products that you already have to improve their performance, or invest in hiring or training for your team.

Am I Ready for Red Team Exercises?

In order to get the most value out of a Red Team exercise, your organization should meet a certain minimum level of maturity. You should have alerting, logging, and monitoring in place—either in-house or through an MSSP. You should have some idea of the TTPs that you should be able to detect in your environment. Vulnerability management and patching programs should also be in place. Full-scope Red Team engagements tend to be longer than traditional penetration testing engagements because of the different domains that are targeted, so budget may also be an important factor.

Let’s expand on this topic by using a boxing analogy. A Red Team exercise is intended to be a sort of sparring exercise between the Blue Team and the Red Team, whereas a live incident would be more like an actual fight. The purpose of sparring (Red Teams) is to practice and drill for the real event, to do so repeatedly and develop “muscle memory” so that dealing with a real threat becomes second nature. That said, when a novice walks into a gym and says they’d like to learn how to box, they don’t get thrown in the ring to spar with a champ on the first day. It’s important that they learn the basics first: conditioning and knowing how to punch, block, and move. A mastery of the basics is required to be successful in the ring, and Red Teaming is no different.

What Can I Do if I Don’t Think I’m Ready Yet?

A Red Team exercise is simply one type of adversarial simulation exercise, and it certainly isn’t the only thing you can do to improve your organization’s security posture. Any phase of a Red Team exercise can be broken out and conducted on its own. 

Collaborative adversarial simulation exercises (sometimes referred to as Purple Team exercises) can fill many of these gaps. These exercises can be as simple as agreeing on a set of TTPs to be tested and having a team execute attack scenarios around each TTP as a unit test. 

In these instances, Red Teams often work alongside Blue Teams and explain each attack, how it works, and what the implications are before execution. Notes about whether the Blue Team has detected or prevented the scenarios can be turned into a heat-map that outlines the organization’s detection and protection maturity, mapped to a standard framework such as MITRE ATT&CK, to give a quick visual representation of the current state of the program. 

These tests are highly repeatable, can be executed quickly, and can provide immediate feedback to improve an organization’s detection and protection posture. 
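As an added illustration (not part of the original article), the sketch below turns purple-team notes into the heat map described above and into the report metrics listed earlier. The result rows are constructed sample data, and the metric definitions (time to detect measured from execution, time to remediate measured from detection, eradication rate as remediated over detected) are assumptions, since the article does not define them.

```python
from statistics import mean

# Constructed purple-team results, one row per executed test case.
# Times are minutes from exercise start; None = never happened.
# (ATT&CK technique, executed, prevented, detected, remediated)
RESULTS = [
    ("T1566 Phishing",                            0, False,   12,   72),
    ("T1059 Command and Scripting Interpreter",  30, True,  None, None),
    ("T1003 OS Credential Dumping",              60, False,  150,  210),
    ("T1021 Remote Services",                   120, False, None, None),
    ("T1003 OS Credential Dumping",             300, False,  318, None),
    ("T1059 Command and Scripting Interpreter", 330, False, None, None),
    ("T1486 Data Encrypted for Impact",         360, True,  None, None),
]

SEVERITY = {"prevented": 0, "detected": 1, "missed": 2}  # higher = worse

def outcome(row):
    """Classify a single test case from the Blue Team's notes."""
    _, _, prevented, detected, _ = row
    if prevented:
        return "prevented"
    return "detected" if detected is not None else "missed"

def heat_map(results):
    """Worst outcome per technique: one missed run makes the cell a gap."""
    cells = {}
    for row in results:
        ttp, state = row[0], outcome(row)
        if ttp not in cells or SEVERITY[state] > SEVERITY[cells[ttp]]:
            cells[ttp] = state
    return cells

def metrics(results):
    """MTTD, MTTR (minutes) and eradication rate over detected cases."""
    detected = [r for r in results if outcome(r) == "detected"]
    remediated = [r for r in detected if r[4] is not None]
    return {
        "mttd_min": mean(r[3] - r[1] for r in detected) if detected else None,
        "mttr_min": mean(r[4] - r[3] for r in remediated) if remediated else None,
        "eradication_rate": len(remediated) / len(detected) if detected else None,
    }

if __name__ == "__main__":
    for ttp, state in heat_map(RESULTS).items():
        print(f"{state:<9} {ttp}")
    print(metrics(RESULTS))
```

Taking the worst outcome per technique keeps a single blocked run from hiding a later run of the same TTP that went unnoticed.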

Similarly, if you have concerns about having a team attempt to break into your facilities, you can scope a physical assessment that instead consists of a walk-through and evaluation of the physical security controls and policies that are in place. 

If your intention is to baseline your exposure to help focus future efforts, an external and/or internal network penetration test will give you an asset inventory and actionable steps that will immediately decrease your areas of highest risk.

The key is that you should never feel forced to choose a full-scope Red Team engagement just because it maps neatly to a specific offering from your vendor. Your vendors should adapt and work with you to provide value to your organization that fits with both your current security program’s maturity and your budget.

How to Select a Red Team Partner

Once you’ve decided that red teaming services are the right choice for your business, the next step is finding a partner to carry out the project. In order to keep your team unaware and ensure that the results you get reflect a realistic image of your ability to respond to an attack scenario, it’s best to bring in an experienced partner. 

When selecting a vendor for your red team program, look for a provider with specific experience and knowledge of your industry. Also be sure that your vendor is investing in R&D to support their red teaming practice. 

A strong R&D department is often an indicator of a good red teaming partner. Because red teaming revolves around real-world scenarios, it can only be effective if the people who are testing your systems are simulating TTPs that are relevant to the current landscape. Attackers are constantly evolving, and a red team needs to keep up. Conducting a red team exercise using an out-of-date methodology can be dangerous because you run the risk of thinking that your critical assets are protected when they are not.

This is why Kroll maintains a dedicated Red Team R&D group — to ensure we are always testing using the latest tools and techniques. We also have direct access to their cyber intelligence and incident response data to inform our red teaming practice.

If you’re ready to take the next step, contact us to speak to one of our advisors about how our Red Team Services can help you improve your ability to defend against, and respond to, attacks that put your operations, data, and reputation at risk.
