A red team is typically independent of the company (target) and hired to covertly test its defences. The team consists of skilled ethical hackers whose objective is to identify and safely exploit vulnerabilities in the target's cybersecurity or physical perimeters.

The exercise is highly realistic because it mimics sophisticated real-world threats. A red team deploys bleeding-edge hacking tools and techniques designed to infiltrate systems and premises. This can extend to writing its own malware and devising new methodologies, just as malicious hackers do.

Traditional penetration testing deploys loud (typically detectable) techniques - e.g. vulnerability scanners such as Nessus - to identify gaps in security. In contrast, a red team is stealthy and will do everything it can to avoid detection.

Some organisations will be confident their systems are hard to penetrate because they have a variety of robust security measures in place. But a red team need only find the weakest link to break their perimeters wide open. This could include spear-phishing (socially engineering) employees, or replicating the target's external services in a lab to find zero-day exploits.

In a red team engagement, anything goes. If this means arriving at the company's offices disguised as a delivery driver asking to "quickly pop into the post room" so be it. As they pass through, they'll discreetly insert a USB drive into a PC. Mission accomplished.

The red team’s objectives and duties

  • Compromising the target's security by extracting information, infiltrating its systems or breaching its physical perimeters.
  • Avoiding detection by the blue team. Many attacks occur over a fleeting period of time, making it extremely tricky for the blue team to neutralise the threat before the 'damage' is done.
  • Exploiting bugs and weaknesses in the target's infrastructure. This highlights gaps in the organisation's technical security that require fixing, thus improving its security posture.
  • Initiating hostile activity - including sophisticated penetration testing - giving a reliable assessment of the blue team's defensive capabilities.
  • Initial reconnaissance - open source intelligence (OSINT) for collecting information on the target.
  • Deploying command-and-control servers (C&C or C2) to establish communication with the target's network.
  • Using decoys to throw the blue team off the scent.
  • Applying social engineering and phishing techniques to manipulate employees into revealing information or taking actions that compromise their machines.
  • Physical and digital penetration testing - typically done in a vacuum.