A red team is a group that helps organizations to improve themselves by providing opposition to the point of view of the organization that they are helping. They are often effective in helping organizations overcome cultural bias and broaden their problem solving capabilities.

When applied to intelligence work, red-teaming is sometimes called alternative analysis.

When used in a computer security context, a red team is a group of white-hat hackers that attack an organization's digital infrastructure as an attacker would in order to test the organization's defenses (often known as "penetration testing"). Red teams are focused on penetration testing of different systems and their levels of security programs. They are there to detect, prevent and eliminate vulnerabilities.

A red team imitates real-world attacks that can hit a company or an organization, and they perform all the necessary steps that attackers would use. By assuming the role of an attacker, they show organizations what could be backdoors or exploitable vulnerabilities that pose a threat to their cybersecurity.

A common practice is to hire someone outside the organization for red teaming — someone equipped with the knowledge to exploit security vulnerabilities, but unaware of the defenses built into the organization’s infrastructure.

The techniques a red team uses vary from standard phishing attempts aimed at employees and social engineering to impersonating employees with the goal of obtaining admin access. To be truly effective, red teams need to know all the tactics, techniques and procedures an attacker would use.

Benefits include challenges to preconceived notions and clarifying the problem state that planners are attempting to mitigate. More accurate understanding can be developed of how sensitive information is externalized and of exploitable patterns and instances of bias.

As mentioned earlier, the types of penetration tests carried out by the Red Team are highly dependent upon the security needs of the client. For example, the entire IT and network infrastructure might be evaluated, or just certain parts of them. Once this has been decided upon, then the specific functionalities of what will be tested is then critically examined. Software applications (such as those that are Web-based) could become targets, the physical infrastructure could get hit, or even a combination of both.

But whatever is pentested in the end, there is a common methodology that the Red Team follows:

1. The Scope: This part defines the entire goals and objectives during the penetration testing exercise, such as:

   • Coming up with the goals or the “flags” that are to be met or captured

   • The compilation of the “Rules of Engagement” — this defines the kinds of cyberattacks that are allowed to be carried out

   • Determine any exceptions that will not be targeted on the attack surface

   • Confirm the actual timetable for executing the penetration testing exercises in conjunction with the client.

   • Obtain a “Letter of Authorization” from the client which grants explicit permission to conduct cyberattacks on their lines of defense and the assets that reside within them

2. Reconnaissance and Intelligence Gathering: This phase involves collecting information and data about the targets that are going to be hit by the Red Team. Examples of this include the following:

   • The network IP address range that has been assigned to the business or the corporation, as well as determining any open network ports and related services

   • The API endpoints related to any mobile or wireless devices

   • Gathering both the work-related and personal information/data of each employee in the organization. This typically includes email addresses, social media profiles, phone numbers, employee ID numbers and so on

   • Any employee credentials that have been previously targeted by a cyberattack, if any

   • Locating any embedded systems that reside in the IT and network infrastructure.

3. Planning and Mapping the Cyberattacks: At this stage, the types of cyberattacks that will be launched by the Red Team are mapped out, as well as how they will be executed. Some of the factors that are taken into consideration here:

   • Determining any subdomains that are hidden from public access

   • Any misconfigurations in the cloud-based infrastructure used by the client

   • Ascertaining any weak forms of authentication

   • Making note of any vulnerabilities and weaknesses that are known to exist in any network- or Web-based applications

   • Determining how to further exploit these known weaknesses and vulnerabilities

   • Creating any phone call scripts that are to be used in a social engineering attack (assuming that they are telephony-based)

4. Launching the Cyberattacks: At this point, the cyberattacks that have been mapped out are now launched towards their intended targets. Examples of this are:

   • Hitting and further exploiting those targets with known weaknesses and vulnerabilities

   • Impacting any testing or sandboxing environments that are used for developing software applications

   • Accessing any and/or all hardware that resides in the IT and network infrastructure. This includes workstations, all forms of mobile and wireless devices, servers, any network security tools (such as firewalls, routers, network intrusion devices and so on

   • Attacking any client-side applications (primarily those that are Web-based)

5. Documentation and Reporting: This is considered to be the last phase of the methodology cycle, and it primarily consists of creating a final, documented reported to be given to the client at the end of the penetration testing exercise(s). It consists of the following components:

   • The types and kinds of cyberattacks that were launched, and their impacts

   • The discovery of any unknown security weaknesses and vulnerabilities

   • The degree of exploitation of the above by a real-world cyberattacker

   • The corrective actions that are to be taken to remediate all known and unknown (but were later discovered) security gaps and holes

   • The consequences that could occur from not taking action or implementing the recommended solutions