Best practice #1: Perform routine assessments
A red team assessment can include more than just penetration testing: it can also include social engineering exercises, physical penetration tests, and threat modeling. Tactics, techniques, and procedures (TTPs) that emulate real-world cyber attacks are critical red teaming elements. Routine assessments help keep the company prepared and can expose new vulnerabilities in the software being used or in the employees who access the data. Of course, these routines should always include a follow-up on the results, but it is important to keep the initial assessment under wraps from the majority of the organization (except perhaps the security team, which should be decided ahead of time when negotiating the scope of the assessment) to ensure an authentic picture of the existing security posture.

runZero delivers network visibility that can expose links between assets, helping you determine the severity of risk based on the results. For example, if someone with access to customer data succumbs to a phishing attack, you can identify the systems in the network an attacker could have reached through that account. runZero also offers vulnerability integrations, which enrich your asset inventory with your vulnerability scan results. With a centralized view of your assets and their vulnerability results, you can identify high-risk assets and assess the risk to your network. This adds value to the security assessment results and may be a great way to encourage more thorough security training throughout the company.

Best practice #2: Record everything
runZero offers more accurate asset information so you can track and identify the assets connected to your network. This makes those security comparisons easier, as well as the overall identification of which assets are accessible. As your red team conducts security assessments and penetration tests, the team should be recording everything, from the methods used to the assets that were accessed. This allows your team to routinely repeat the process, either to validate remediation or mitigation efforts or to look for new weaknesses. Clear documentation allows for better analysis, as similar assets can be easily compared for the same security risks. Knowing which assets can be compromised is critical for identifying many other issues and risks on your network. Users can be identified, making it easier to track:

- Remote access services
- Software versions with unique vulnerabilities
- Individual assets that are linked to sensitive data
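The two practices above (correlating vulnerability results with the asset inventory to find high-risk assets and the blast radius of a phished user, and tracking remote access services, software versions and sensitive-data links across recorded assets) come down to joining a few records by asset id. The script below is an added illustration written for this post, not runZero code and not its export format or API. The inventory, vulnerability findings and user-to-asset access map are all constructed sample data, and the vulnerability ids are placeholders rather than real CVEs; the field names and the scoring weights are assumptions.

```python
"""Triage a recorded asset inventory against scan results (hypothetical example)."""

# Constructed inventory. The fields mirror what a discovery scan typically
# records (OS, open services, software versions, SSH banner); values are made up.
ASSETS = [
    {"id": "a1", "host": "fileserv01", "os": "Windows Server 2019",
     "services": {445: "smb", 3389: "rdp"}, "software": {"openssl": "1.1.1k"},
     "sensitive_data": True},
    {"id": "a2", "host": "bastion01", "os": "Ubuntu 22.04",
     "services": {22: "ssh"}, "ssh_version": "OpenSSH_8.9",
     "software": {"openssl": "3.0.2"}, "sensitive_data": False},
    {"id": "a3", "host": "crm-db01", "os": "RHEL 8",
     "services": {5432: "postgresql"}, "software": {"postgresql": "13.4"},
     "sensitive_data": True},
    {"id": "a4", "host": "kiosk02", "os": "Windows 10",
     "services": {5900: "vnc"}, "software": {}, "sensitive_data": False},
]

# Constructed vulnerability-scan findings keyed by asset id (placeholder ids, not real CVEs).
VULN_RESULTS = {
    "a1": [{"id": "VULN-PLACEHOLDER-1", "severity": "critical"}],
    "a3": [{"id": "VULN-PLACEHOLDER-2", "severity": "high"},
           {"id": "VULN-PLACEHOLDER-3", "severity": "low"}],
}

# Constructed access map: which asset ids each user account can reach.
USER_ACCESS = {"jdoe": ["a1", "a3"], "helpdesk": ["a4"]}

# Assumed classification of service names and severity weights.
REMOTE_ACCESS_SERVICES = {"ssh", "rdp", "vnc", "telnet"}
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


def enrich_inventory(assets, vulns):
    """Join scan findings onto each asset record; inputs are left untouched."""
    return [dict(asset, vulns=vulns.get(asset["id"], [])) for asset in assets]


def remote_access_services(asset):
    """Names of exposed remote access services on one asset (list item 1)."""
    return sorted(name for name in asset["services"].values()
                  if name in REMOTE_ACCESS_SERVICES)


def risk_score(asset):
    """Weighted finding severity, bumped for remote access, doubled for sensitive data."""
    score = sum(SEVERITY_WEIGHT.get(v["severity"], 0) for v in asset.get("vulns", []))
    if remote_access_services(asset):
        score += 3
    if asset.get("sensitive_data"):
        score *= 2
    return score


def high_risk_assets(enriched, threshold=10):
    """Hostnames at or above the threshold, highest risk first."""
    ranked = sorted(enriched, key=risk_score, reverse=True)
    return [a["host"] for a in ranked if risk_score(a) >= threshold]


def assets_running(enriched, package, version):
    """Every asset recorded with a specific software version (list item 2)."""
    return [a["host"] for a in enriched if a["software"].get(package) == version]


def blast_radius(user, enriched, user_access):
    """Assets reachable if `user` is phished, and which of them hold sensitive data (list item 3)."""
    reachable = [a for a in enriched if a["id"] in user_access.get(user, [])]
    return {"hosts": [a["host"] for a in reachable],
            "sensitive": [a["host"] for a in reachable if a["sensitive_data"]]}


if __name__ == "__main__":
    inventory = enrich_inventory(ASSETS, VULN_RESULTS)
    print("high-risk:", high_risk_assets(inventory))
    print("openssl 1.1.1k on:", assets_running(inventory, "openssl", "1.1.1k"))
    print("if jdoe is phished:", blast_radius("jdoe", inventory, USER_ACCESS))
```

Because the inventory is recorded with stable asset ids, the same three queries can be re-run after remediation and diffed against the earlier report, which is the repeatability the "record everything" practice is after.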
Best practice #3: Choose the best tools
One of the first things that red teams focus on is reconnaissance. During this initial phase, it is critical to gather as much information as possible about target networks and systems. Discovery usually entails enumerating domains owned by the organization and scanning internal networks to collect information about the devices connected to them. Red teams generally perform both passive and active reconnaissance, leveraging a myriad of tools to support their efforts. With runZero, you can scan public-facing and internal assets to gather details about them, such as their OS, open services, installed software, and SSH versions. Once the red team has enough information about the target systems, they can use this data to find misconfigurations, identify potential vulnerabilities, and better plan their attack methods.

As part of regular penetration tests, the red team is responsible for finding creative ways to exploit vulnerabilities. This means being aware of current system and application vulnerabilities and looking for new vulnerabilities in company software using novel methods to extract data. While this data is ultimately taken back with the intent of strengthening security against such exploitation, the practice of thinking like an attacker is valuable to red team work. Red team exploitation exercises are meant to bring weaknesses in data and network security to light and can result in preventative measures. Exploitation requires choosing the right tools. For the exercise to be as authentic as possible, the tools used often need to balance effectiveness with being undisruptive. Red team methods should work safely with fragile systems, with the goal of not raising any alarms or disrupting workflow.

Stay tuned for more
This is the first post in the runZero cyber security awareness month blog series. In this post, we covered the best practices of routine assessments and detailed recording. We also went over the importance of vulnerability exploitation and how runZero can be applied to help in your red team endeavors.

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.
About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network, without credentials. As a security researcher and penetration tester, he often employed benign ways to obtain information leaks and pieced them together to build device profiles. Eventually, this work led him to apply that research and the discovery techniques developed for security and penetration testing to create runZero.