USE CASE: Security Red Teams
Cybersecurity Red Teams play the role of attacker/adversary in cybersecurity wargames. They play the bad guys to help sharpen the skills and toolset of the good guys (the Blue Team). Some companies will maintain an in-house Red Team, and some will contract that role out to consultants. In order to simulate attacks on the friendly target company, the red team has to maintain much of the same attack infrastructure as threat actors. This includes:
- A Command and Control (C2) environment that serves as the home base for the attackers' key systems.
- A group of distributed attack systems scattered in different networks, acting at the point of attack against the adversary while communicating back to the Command and Control networks.
- A set of reconnaissance programs and penetration tools to perform their function.
- Tradecraft that helps them gather information to discover weaknesses in the target’s defenses while allowing them to remain undetected.
Unlike true attackers, Red Teams have the additional difficulty of remaining a fresh challenge while attacking the same company over and over again. The defensive blue teams can learn the patterns of the Red Teams and develop an unfair advantage if the attack approaches remain the same.
Challenges to Current Practices
Today, most Red Team practitioners build their toolset in company-owned and registered cloud environments and use VPN connections to spoof their real network location while performing their network scans. Due to time and resource constraints, they often must reuse the same attack vectors. Internet service providers will often detect the activity on these nodes as an active threat and blacklist their traffic. This often forces Red Teams to use internal trusted networks or dedicated infrastructure to simulate attacks, presenting recognizable patterns to their Blue Team adversaries.
How Conceal.io Helps Red Teams
Conceal offers several benefits to the activities of a red team.
- Location Aware Scanning – Some networks and sites act differently depending on where they think a connection is originating. You may need to test a site from different egress regions to see how it really works. Red teams can use the Conceal Privacy Fabric to quickly change the egress location of the system running scanning and discovery tools to test for differences in the target network's response.
- Rotate Network Infrastructure – Most public VPN sites or personal sandbox environments used for red team hacking will eventually get tagged and marked as risky by ISPs and threat intelligence services. The ability to change egress nodes combined with the regular rotation of network nodes on the Conceal Privacy Fabric allows the red team to change the vector of attack with no additional investment in infrastructure.
- Securing C2 Environment – Keeping C2 environments safe and free from discovery and counter-penetration by blue teams is important so that they aren’t constantly having to be rebuilt. Keeping your C2 environments behind the Conceal network helps protect this critical infrastructure. In the case of a true discovery of the C2 environment’s obfuscated network location, the Red Team can drop that Conceal network egress tunnel and create a new one.