Red Team Guide - Chapter 1: Overview of Red Teaming and Red Teams

Chapter 1: Overview of Red Teaming and Red Teams

Contributors: Tony Kelly (@infosectdk). Translator: BugMan

What is a red team, and where does it come from?

The origins of red teaming are military. It was recognised that, in order to defend better, you need to attack your own defensive system to find its weak points, and then improve the defense. This evolved into the "war game", in which the defenders (friendly forces) are marked in blue and the enemy in red. Red teaming is generally regarded as a useful tool for assessing an organization's security posture; the red team therefore plays the role of the aggressor, the "bad guy". Bad guys do not follow the rules, but the ability to simulate them in a controlled manner helps defenders discover how they respond to and stop attacks, and how to strengthen and improve their defenses. Despite the "offensive" label, the red team is, first and foremost, a defender within the field of information security: it enables an organization to learn, to improve, and to defend better against hostile intruders. Offense is the secret of defense; defense is the planning of an attack. Therefore, in order to defend better, you need to know how to attack and how to stop an attack.

Red teaming is what most people call penetration testing. In information security, red teaming or penetration testing is considered offensive security testing of an organization. Many organizations employ defenders (a blue team) but only test for compliance purposes, perhaps once a year. This way of thinking can leave the organization vulnerable to attack. In order to challenge and assess their posture, organizations can conduct their own tests through a dedicated internal red team function, or buy in outside experts and deploy them according to their expertise.


So, what is the difference between the blue team and the red team?

Red Team

    Defenders act on threats in an essentially reactive manner: they wait for something to happen. The red team, by contrast, is proactive; it simulates a real attacker and attempts to breach the defenses undetected. Its role is to highlight gaps in the defenses and to improve

Blue Team

    For example, a blue team may use vulnerability scanning and testing to find and review patch management. Depending on the organization, a vulnerability may be treated as hypothetical ("hey, if we don't patch this, this bad thing might happen") and not taken seriously. The red team also uses this method in an assessment, but goes a step further: it demonstrates how a discovered vulnerability can be exploited, actually exploits it, and provides evidence of success. Combined with a report detailing the vulnerability, its risk score and likelihood, and the evidence of exploitation, this carries much more weight and helps get the finding acted upon.

There are two ways to employ a red team:

External independent testing

Internal test team

    First, let's look at how an external red team operates. An external, independent pen-testing team can be engaged in a range of capacities according to the client's requirements, which include but are not limited to:

Physical

    Testing physical access to buildings, including access to staff areas and infrastructure: heating/utilities, data centers.

Social engineering / simulated attacks

    Evading security controls, social engineering, phishing attacks, fake (rogue) network infrastructure

Firewalls

    Firewall bypass, router testing/configuration, DNS, proxy servers, footprinting, exploits and intrusion

Web applications

    Both on-premises and cloud

Wireless

    Unauthorized (rogue) access points, default passwords, encryption protocols

Application testing

    Databases, both on-premises and cloud

Operating system build standards

IoT

Secure server builds

Mobile

External pen testers may work in "white box" or "grey box" mode, or conduct a fully simulated attack, which means operating in "black box" mode: in that case they are given minimal information and must rely on their own skills and knowledge to infiltrate the organization as an external attacker would.

Internal test team

    An internal team will use all of the above methods, and more, to achieve its goals. For compliance exercises it may need to follow an engagement scope that tests specific things. For example, it may attempt to escalate privileges to obtain domain administrator rights, test workstation/server builds, check [patching](https://www.peerlyst.com/tags/patching), crack passwords and review firewall rules. The internal team may sit with the blue team and work closely with it, or may operate within its own department (for example, audit) under an independent remit so that it can report honestly. In that capacity it can test existing defenses, audit and review logs, evaluate published vulnerabilities, and test and assess the risks and threats to the organization's infrastructure.

An internal team has an extra advantage in that it already knows the organization's infrastructure, whereas independent testers may or may not, depending on the scope of the engagement. In some cases there may be war games: red versus blue. These can take different forms depending on the scope and objectives of the exercise.

Red may play an external attacker, tasked with a black-box deployment (minimal information) and given a specific objective: penetrate the company and exfiltrate data. Such an exercise simulates, as closely as possible, a real attack from a real threat actor. You do need to consider the value obtained from the exercise. For example, if the red team uses social engineering and other methods to penetrate the site, its value to the blue team in assessing their network defenses is lost if the red team is rumbled by a member of the defense team at stage zero: the element of surprise is gone, and the value of the red team exercise is lost if the exercise has to end early. It really depends on the organization's business. A defense contractor handling high-value data and IP might take its physical security very seriously, but testing that as a separate exercise then lets you pose the "what if" question, with a hypothetical attacker deployed on site in a different way. These deployments can take two directions: either the blue team knows about the intruders and what their targets are, so that it can monitor and try to stop them, or the blue team does not know about the exercise at all. The latter provides a real test of what a malicious insider threat can do, and a good scenario for exercising incident response. If the blue team beats the red team it can be proud, but either way these are important lessons, and practice. In security terms, we have to stop the bad guys 100% of the time, while the bad guys only need to succeed once. The pressure is therefore on blue to detect successfully, and red plays a key role in helping blue improve its processes and its detection.


Source: www.cnblogs.com/8gman/p/12346564.html