
About the Author:
Jason Thompson (CISSP, CISA, CRISC) – Senior Director, Offensive Security, ISA Cybersecurity
Jason is a highly experienced and passionate Information Technology (IT) professional with over 20 years of experience in the field, 18 of those focused on IT security. Jason has proven skills in security assessments, risk management, security advisory, research, security architecture, network and application security, as well as industry and government security standards. Some of Jason’s most recent engagements have improved the security posture for high-profile customers in the healthcare, municipal/provincial government, media, financial, and retail sectors. He prides himself on offering effective, practical cyber solutions and helping customers conduct business safely in the global information landscape.

Lately, we have seen a growing interest from customers eager to explore Red Team exercises. While this enthusiasm for strengthening cybersecurity is encouraging, I always recommend validating that a strong security posture is in place before looking at a Red Team engagement. The true value of a Red Team exercise lies in its ability to assess your organization’s readiness to detect, defend against, and respond to sophisticated, real-world attacks. Since Red Teaming is the most advanced form of cyber testing, it’s important to first establish a solid security foundation to ensure you gain the maximum value and benefit from this investment.
Today I’d like to share a few considerations before pursuing a Red Team engagement (or its Purple variant). Following this structured approach will ensure your team is well prepared to get the most out of the time and effort of arranging and responding to this type of advanced testing exercise.

What is a Red Team Engagement?
The term “Red Team” originated from military exercises in which a designated group simulates the actions of the enemy during training or war games to test the defensive team’s response and resilience to attack. Use of Red Teams has grown over time to prepare responses to terrorism and other threats to national security. It is also now used by many government entities – sometimes in the form of tabletop exercises – to test their response capability based on intelligence gathered on the behaviour of identified potential threats.
In cybersecurity, a Red Team plays a similar role: it is a team of individuals with a variety of technical skills, tasked with simulating a defined cyber threat to an organization. They conduct operations that mirror those of real-world adversaries, employing methods like social engineering (including phishing), network and application-level intrusion, and simulated malware deployment to test how well an organization’s defenses hold up against sophisticated, stealthy attacks. A Red Team exercise is designed to uncover hidden vulnerabilities across people, process, and technology to provide detailed insights and actionable recommendations to strengthen the organization’s overall security posture before actual attackers can exploit any weaknesses.
The key goal of a Red Team exercise is to improve the defensive capability of the Blue Team (i.e., the defensive team responsible for detecting and responding to cyber threats). As a result, the type of results and reports coming from a Red Team operation will be quite different from other types of engagements such as penetration tests. While penetration tests report on identified, exploitable issues, a Red Team will also identify detection gaps, exploitation paths, which attack vectors worked and which ones didn’t, and so forth.

What a Red Team Engagement isn’t
A Red Team exercise can often be interpreted as a more “advanced” penetration test; however, the two engagements are quite different in purpose and in scope.
Penetration tests typically focus on finding exploitable vulnerabilities in specific systems or applications. For example, the objective may be to breach an Active Directory environment, exfiltrate business data, compromise a login, gain access to underlying support infrastructure, etc. In contrast, Red Team exercises simulate realistic, multi-layered attacks – over the course of several days, weeks, or even months – to evaluate how well the organization can detect, defend against, and respond to sophisticated threats.

What do I need to do to prepare for a Red Team Engagement?
There are several steps that you should address before a Red Team engagement to get the most value out of the exercise. Getting prepared in advance ensures that the exercise will provide meaningful insights that drive real improvement, rather than highlighting issues that could have been found and fixed earlier. By addressing basic security issues ahead of time, the red team can focus on advanced tactics, uncovering deeper vulnerabilities and testing your detection and response capabilities.
1. Baseline Security Programs and Controls
Ensure that your fundamental security controls are in place: things like current patch levels, strong password policies, multi-factor authentication, robust endpoint protection, and comprehensive event logging and monitoring. It’s essential to have a strong defensive Blue Team in place first, in order to maximize the value of a Red Team engagement later on.

2. Vulnerability Assessments
Conducting a vulnerability assessment before a Red Team exercise is an important step. This process provides a thorough scan of your networks and systems, helping you proactively identify and address areas where your defenses can be improved. By remediating any significant vulnerabilities in advance, you ensure that your Red Team engagement focuses on uncovering advanced threats and testing your organization’s true resilience, rather than highlighting basic issues that are more easily identified and remediated.

3. Penetration Testing
Conducting a penetration test before a Red Team exercise is critical for maximizing the value of the engagement. Penetration tests (or “pen tests”) systematically identify and help you remediate known vulnerabilities, ensuring your foundational defenses are strong before exposing your organization to the more advanced, covert tactics of a Red Team’s real-world attack scenarios.

4. Patching and Remediation
Once you’ve completed a vulnerability assessment and appropriate penetration testing, be sure to address those areas of concern with the latest patches and any appropriate configuration adjustments. Address high-priority vulnerabilities first, and implement security controls and monitoring to put yourself in the most favorable defensive position for handling a threat.

5. Vulnerability Management
It’s also important to have a robust vulnerability management program in place before advancing to a Red Team exercise. A vulnerability management program ensures that identified weaknesses are not only addressed promptly, but are also continuously monitored and remediated as new threats emerge, maintaining a stable and secure environment. It should include ongoing scheduled vulnerability scans to confirm there are no critical, high-risk issues; periodic penetration tests (both internal and external) to identify exposures; and a patch management program to address any findings. Only consider a Red Team engagement if test results are consistently clean and show limited findings.
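The “consistently clean” condition above can be written down as an explicit readiness gate over your scan history, so that the decision to commission a Red Team is made against data rather than a feeling. The following is an added illustration, not code from the author or ISA Cybersecurity: it assumes a simple in-memory representation of scan results, assumes remediation SLAs of 7/30/90/180 days by severity, and requires the three most recent scans to carry no critical or high findings. The scan history it evaluates is constructed sample data, not output from any real scanner.

```python
from dataclasses import dataclass
from datetime import date, timedelta

SEVERITIES = ("critical", "high", "medium", "low")
# Assumed remediation SLAs in days, measured from when a finding was first seen.
DEFAULT_SLA = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: str
    first_seen: date  # date the finding was first reported


@dataclass(frozen=True)
class Scan:
    run_on: date
    findings: tuple  # Finding instances still open when the scan ran


def readiness_gate(scans, consecutive_clean=3, sla=DEFAULT_SLA, max_open=10):
    """Return (ready, reasons); ready is True only when every check passes."""
    reasons = []
    ordered = sorted(scans, key=lambda s: s.run_on)
    for s in ordered:
        for f in s.findings:
            if f.severity not in SEVERITIES:
                raise ValueError(f"unknown severity {f.severity!r} on {f.host}")
    if len(ordered) < consecutive_clean:
        reasons.append(f"only {len(ordered)} scan(s) on record, need {consecutive_clean}")
        return False, reasons
    # Check 1: no critical/high findings in the most recent N scans.
    for s in ordered[-consecutive_clean:]:
        serious = [f for f in s.findings if f.severity in ("critical", "high")]
        if serious:
            reasons.append(f"scan {s.run_on}: {len(serious)} critical/high finding(s) open")
    # Check 2: nothing still open in the latest scan has exceeded its remediation SLA.
    latest = ordered[-1]
    for f in latest.findings:
        age = (latest.run_on - f.first_seen).days
        if age > sla[f.severity]:
            reasons.append(
                f"{f.severity} '{f.title}' on {f.host} open {age} days (SLA {sla[f.severity]})"
            )
    # Check 3: the open-finding count is small enough that a Red Team would add signal.
    if len(latest.findings) > max_open:
        reasons.append(f"{len(latest.findings)} findings open in latest scan, limit {max_open}")
    return not reasons, reasons


def sample_history(clean):
    """Constructed four-scan monthly history; clean=True models a mature program."""
    d = date(2024, 1, 15)
    crit = Finding("web01", "Unpatched web server", "critical", d - timedelta(days=3))
    high = Finding("db01", "Default credentials", "high", d - timedelta(days=3))
    stale_med = Finding("fs01", "Weak TLS configuration", "medium", d - timedelta(days=20))
    fresh_med = Finding("mail01", "Missing security header", "medium", d + timedelta(days=20))
    if clean:
        # Serious issues were fixed after the first scan; one medium is open within SLA.
        open_sets = [(crit, high), (fresh_med,), (fresh_med,), (fresh_med,)]
    else:
        # A high survived into a second scan and a medium has been open well past 90 days.
        open_sets = [(crit, high, stale_med), (high, stale_med), (stale_med,), (stale_med, fresh_med)]
    return [Scan(d + timedelta(days=30 * i), fs) for i, fs in enumerate(open_sets)]


if __name__ == "__main__":
    for label in (True, False):
        ready, reasons = readiness_gate(sample_history(label))
        print("ready" if ready else "not ready", reasons)
```

The gate reports every failed check rather than stopping at the first, because each reason maps to a different program weakness: a recurring high finding points at patching, a stale medium at remediation tracking, and a large open count at scan coverage or triage. Tighten `consecutive_clean` and the SLAs to match your own program’s commitments; the values here are placeholders.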

6. Security Awareness Program
Having a solid cybersecurity awareness program in place before conducting a Red Team exercise is essential for several reasons. First, awareness training equips employees to recognize and respond to social engineering tactics, such as phishing, which are commonly used in Red Team scenarios. Second, it ensures that staff are familiar with reporting procedures, enabling faster detection and escalation of simulated attacks during the exercise. Third, a well-trained workforce reduces the likelihood that basic human errors will undermine your security posture, allowing the Red Team to focus on testing more advanced threats and understanding your organization’s true resilience.

Now You’re Ready!
Now you’re set to get the most out of your Red Team exercise. By establishing the right conditions for a thorough and meaningful test, you’ve ensured that your organization is ready to face a realistic simulation of an advanced threat. You can feel confident knowing that any vulnerabilities uncovered by Red Team experts will be exposed through sophisticated, cutting-edge attack techniques – not just the routine threats that your standard security measures can handle.
“Purple Team” Exercises – an Alternative to a Red Team Engagement
A purple team exercise – combining the efforts of a Red team and a Blue team in a coordinated operation – can be considered as an alternative to a Red Team engagement alone. Purple team exercises facilitate collaboration between the Blue and Red teams; most importantly, these simulated attacks test your monitoring, detection, and response capabilities. In these engagements, a Red Team will coordinate exercises with the Blue Team instead of conducting simulated attacks unannounced. This is an excellent way to prepare a Blue Team to respond to an incident, as there is real-time communication and sharing of knowledge.

Risks of Premature Red Team Exercises
You might wonder why it’s valuable to identify vulnerabilities yourself, when a Red Team exercise can reveal them for you. I believe there are several important reasons to take a more proactive approach, as an unprepared engagement carries real risks:
- Overwhelming your security analysts: If faced with an unexpected attack in the form of a Red team exercise, your unprepared IT analysts may become overwhelmed, leading to decreased morale and potential burnout.
- Wasted resources: Without proper preparation, a Red team exercise may not yield actionable insights. If dozens of deficiencies are found, or it’s too easy for ethical hackers to breach your systems, they aren’t going to give you useful information on what should be prioritized, wasting time and money.
- Missed learning opportunities: Without a solid foundation, your team may fail to recognize or learn from the sophisticated attack techniques delivered by an experienced Red team service.

I think Red team exercises are one of the most powerful ways of testing your organization – and your team – on their ability to detect and respond to a cyber attack. It’s always better to hear about issues from a friend than an enemy! But Red team exercises shouldn’t be a starting point: they’re best left to a later stage of your cybersecurity maturity journey. A staged approach not only optimizes resource allocation, but also provides clearer insights into your organization’s true resilience and incident response under pressure. Do yourself a favour, and make sure you set up the best conditions for success when you get your test done.
I’d love to hear your thoughts on Red team exercises – your challenges and your successes. Contact me at ISA Cybersecurity anytime to discuss.