Think like an Attacker

In 2023, companies and organizations are coping with more sophisticated and more widespread cyber threats with a dwindling pool of competent security staff.  The technologies they use to bring services and applications online are perpetually changing, while their operations and development teams remain under constant pressure to ship new or updated features and services faster than ever before.  Taken together, these factors create an even riskier, more vulnerable security environment.  Oye, it never ends.

To stay ahead of attackers, businesses need to view their applications and infrastructure from an attacker's perspective.  They need to think outside the box to find the gaps and vulnerabilities in their applications and defenses that could allow the bad guys to penetrate the organization, much as a police detective learns to think like a burglar.  IT needs to pressure-test its security infrastructure by employing red, blue and purple teaming, penetration testing services, and bug bounty programs.  Each methodology has distinct benefits, and all play a role in helping organizations expose attackers and strengthen their security posture.[1]

Red, Blue and Purple Teams: A Security Strategy Built on Competition

Red, blue and purple teams exist to learn by challenging an organization's defenses.  Red teams adopt the attacker's mindset: thinking like a criminal, they infiltrate an organization by any means available to establish a foothold in the infrastructure and reach sensitive information.  At the same time, blue teams, the defenders, try to detect and respond to the anomalous activity the red team generates.

When red and blue teams work closely and in coordination rather than in opposition, it is called purple teaming.  The once competitive "game" becomes a collaborative one.  Together, their goal is to maximize cyber capabilities through continuous feedback and knowledge transfer.  The red team finds a weakness, exploits it, and reports every step to the blue team.  The blue team either confirms that it detected and mitigated the intrusion or works with the red team to improve detection and adapt defenses so the same path cannot be used again.

Understanding Red Teaming vs. Penetration Testing

Penetration testing is another strategy organizations can use to spot security weaknesses in computer systems, networks or web applications.  Red team exercises and pen tests share the same objective: uncovering flaws in an organization's security posture to increase its resistance to attack.  There are, however, important differences between the two methodologies.

To begin, red teams focus primarily on processes, deep penetration, and lateral movement inside an organization.  Pen tests, on the other hand, emphasize technology: they uncover and report flaws and vulnerabilities in specific applications and configurations, and typically stop at demonstrating that a flaw is exploitable rather than using it to establish a persistent foothold or move inside the organization.

Compared to pen tests, red teaming is generally more involved.  Red teams assess software, hardware and human vulnerabilities, and they uncover systemic weaknesses that could expose corporate secrets or sensitive data, including weaknesses in personnel and processes.  Because red teams handle sensitive information, some organizations prefer to keep them on the payroll rather than outsource them.  Pen testing, in contrast, is usually outsourced and can be performed periodically, often with the help of automated services.  Penetration testers discover and report flaws but do not chain them into a sustained intrusion against internal systems or sensitive data.

Red teams and penetration testers also take different approaches to gaining access to an organization's network.  Red teams may use pen-testing tools for initial access, but they do not stop there: they perform OSINT, craft spear-phishing messages, and stage USB drops.  Once they have a shell, red teams escalate privileges and move laterally across the network, going as deep as possible to locate and exfiltrate sensitive information.  This demonstrates how much of the network a real adversary could impact, without actually using the access and data to extort the organization.

When assessing an organization, pen tests are typically much noisier than red team operations, running brute-force cracking and fuzzing tools against the network and applications, full-spectrum scans, and so on.  Red team operations are meant to be covert: undetected, unblocked and unknown to the blue team.  Unlike red teams, pen testers may be given privileged access to improve the depth of their tests and face less resistance.  During a penetration test, the SOC is aware of the activity and disregards the alerts the probes trigger.
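The noisy-versus-covert distinction above is exactly what a blue team's detection thresholds encode, and tuning those thresholds is the concrete output of a purple team exercise.  As an added illustration that is not part of the original article or Red Sky Alliance's material, the following Python sketch runs a simple sliding-window failed-login detector over constructed sshd-style log lines: a pen-test-style brute-force burst trips the default threshold immediately, while a slow red-team-style attempt with the same total number of failures stays under it until the defender widens the window.  The log lines, IP addresses, thresholds and function names are all constructed assumptions for this example.

```python
"""Sliding-window failed-login detector over constructed sshd-style logs.

Added example: shows why a noisy brute-force burst is trivially detected
while a low-and-slow attempt at the same volume is not, until the
detection window is retuned.  All data and thresholds are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches lines such as:
#   2023-05-01T10:00:00 sshd[4242]: Failed password for admin from 203.0.113.10 port 40000
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, source_ip, username) for every failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["user"]


def detect_bursts(log_text, threshold=5, window_seconds=60):
    """Return [(source_ip, first_ts_in_window, count)] alerts.

    An alert fires the first time a single source accumulates `threshold`
    or more failures inside any sliding window of `window_seconds`.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # source_ip -> timestamps still inside the window
    alerts, alerted = [], set()
    for ts, src, _user in sorted(parse_failures(log_text)):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that aged out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerts.append((src, q[0], len(q)))
            alerted.add(src)
    return alerts


def _lines(src, times, user="admin"):
    """Build constructed sshd-style failure lines for one source."""
    return "\n".join(
        f"{t.isoformat()} sshd[4242]: Failed password for {user} from {src} port {40000 + i}"
        for i, t in enumerate(times)
    )


BASE = datetime(2023, 5, 1, 10, 0, 0)
# Constructed: noisy pen-test style burst, 8 failures in 8 seconds from one source.
NOISY_LOG = _lines("203.0.113.10", [BASE + timedelta(seconds=i) for i in range(8)])
# Constructed: covert red-team style, the same 8 failures spread 45 minutes apart.
COVERT_LOG = _lines("198.51.100.7", [BASE + timedelta(minutes=45 * i) for i in range(8)])

if __name__ == "__main__":
    print("noisy, 60 s window :", detect_bursts(NOISY_LOG))
    print("covert, 60 s window:", detect_bursts(COVERT_LOG))
    # The purple-team outcome: the blue team widens the window so the slow attempt is caught too.
    print("covert, 6 h window :", detect_bursts(COVERT_LOG, window_seconds=6 * 3600))
```

The default 60-second window catches the burst on its fifth failure and never fires on the covert log, whose events are each outside the window by the time the next one arrives.  Widening the window to six hours, at the cost of more alert review, is the kind of adjustment a blue team makes after the red team walks it through an undetected path.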

Crowdsourcing Security with Bug Bounties

To further test their security posture and their applications, organizations can also start a bug bounty program.  This crowdsourcing initiative incentivizes and rewards individuals outside the organization, typically professional bug hunters and white hats, for testing and uncovering vulnerabilities in the organization's publicly exposed applications and services.  When a bug hunter discovers and responsibly discloses a vulnerability, the organization compensates them financially according to the severity of the reported issue.

Because bug bounty programs invite third parties to search for security vulnerabilities across an organization, they come with risks.  For example, a bug hunter and the organization do not always agree on the payout amount, and a hunter might publish the findings before a fix can be deployed, damaging the organization's reputation.  The best way to start a bug bounty program is to work with experienced platforms that know how to manage the dialogue between white hats and organizations.

A Necessity

For organizations to gain real visibility into how well they are protected against malicious actors, they must learn to "think and act" like them.  That is why simulating real-life attacks as closely as possible is becoming so important.

In today's threat landscape, methodologies like red, blue and purple teaming, as well as pen testing and bug bounty programs, are no longer a nicety.  IT teams need these kinds of cyber security capabilities to improve their organization's security posture.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or      

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings  
