What is Red Teaming? Methodology and Scope of a Red Team Operation

With cyber attacks on the increase, the security of organisations is now a priority. And to respond effectively to this growing threat, Red Teaming is the strategy of choice.

This proactive approach fits in perfectly with regulatory frameworks such as ISO 27001 and the NIS 2 directive. These standards stress the importance of protecting sensitive data and ensuring rigorous information security management.

In addition, Red Teaming plays a key role in compliance with the DORA regulation, designed to strengthen the resilience of European financial institutions to cyber attacks.

In this article, we detail the methodology and objectives of Red Teaming. We also discuss the principles of the TIBER framework, while exploring the tools and techniques used by a Red Team to carry out an overall assessment of an organisation’s security.

Comprehensive Guide to Red Teaming

What is Red Teaming?

The aim of a Red Team is to assess the overall security of an organisation, through a comprehensive and realistic audit of three essential components: people, processes and technologies.

This approach is based on simulations of sophisticated attacks, reproducing the tactics, techniques and procedures (TTPs) used by cyber attackers.

The scope of a Red Team operation is as follows:

  • Regarding personnel: The Red Team analyses employees’ preparedness and responsiveness to attacks. This includes simulations of social engineering scenarios to measure security awareness (for example, recognising phishing attempts) and the ability of teams to react to security alerts.
  • On processes: Security incident management protocols and methods are thoroughly tested. In particular, the Red Team assesses the organisation’s ability to detect intrusions, respond effectively to alerts and coordinate efforts in the event of an incident.
  • Regarding technologies: The security tools and systems deployed are also tested. This includes the evaluation of exposed assets, intrusion detection systems and malware protection solutions, through realistic simulations of attacks.

This methodology reproduces the potential actions of an attacker in a realistic way. In fact, the primary aim is to identify areas for improvement and optimise the ability of organisations to respond to cyber attacks.

And these attacks are often complex, exploiting various weaknesses and attack vectors.

For example, an attacker may first take advantage of human vulnerabilities to gain initial access. They can then exploit technical vulnerabilities to move laterally through the network and, finally, exploit weaknesses in incident response processes to maximise the impact of their attack.


What are the Differences Between Pentesting and Red Teaming?

Red Teaming and Pentesting differ in their objectives and methodologies.

On the one hand, Pentesting (or penetration testing) consists of identifying and exploiting specific vulnerabilities within a system. It is generally limited to a well-defined perimeter, with the aim of assessing the potential impact of identified vulnerabilities and proposing corrective measures.

Red Teaming, on the other hand, takes a broader, more immersive view. It simulates a real, sophisticated attack to test all of an organisation’s defences. For this reason, it is not limited to a specific perimeter or vulnerabilities; the aim is to assess an organisation’s ability to detect, prevent and respond to cyber attacks.

Nevertheless, it is important to emphasise that Red Teaming and Pentesting are not opposites, but complement each other. Pentesting is particularly well-suited to assessing the security of new applications, functionalities or infrastructures before they are deployed, while Red Teaming is recommended for testing an organisation’s overall maturity.

DORA Regulation and TIBER Framework: Guidelines for Structuring Red Team Assessments

Introduced by the European Union, the DORA (Digital Operational Resilience Act) regulation aims to strengthen the resilience of the financial sector in the face of increasing cyber threats. It establishes a robust regulatory framework to ensure that financial institutions can withstand, respond to and recover quickly from disruptions caused by attacks.

DORA applies to all players in the financial sector, including FinTech startups and scale-ups, with requirements that include:

  • Security incident reporting: organisations must promptly report any major incidents to ensure greater transparency and better crisis management.
  • ICT risk management: DORA requires financial entities to adopt robust practices to identify, assess and mitigate information and communication technology risks.
  • Regular operational resilience testing: institutions must carry out simulations to ensure their ability to cope with cyber attacks, including Red Teaming assessments.
  • Backup and recovery arrangements: guaranteeing business continuity through robust backup systems and effective disaster recovery plans.

Based on the DORA regulation, the European Union has also put forward the TIBER-EU framework for structuring Red Teaming missions, in order to standardise these critical exercises.

TIBER-EU (Threat Intelligence-Based Ethical Red Teaming for the European Union) is a framework developed by the European Central Bank. It aims to define common standards for Red Team operations throughout the European Union.

Stemming from the objectives set by the DORA regulation, this framework offers a structured methodology for Red Teaming missions. It establishes clear rules to guarantee the rigour of the processes, while allowing a degree of flexibility to adapt to the specific features of each organisation.

TIBER-EU has the following objectives:

  • Strengthen the resilience of organisations to cyber attacks, and more specifically that of players in the financial sector.
  • To standardise and structure the conduct of Red Team operations throughout the European Union.
  • Provide guidance on the methodology and scope of Red Team assessments, while offering a degree of flexibility.

The TIBER-EU framework follows a specific methodology. Let’s take a closer look at the tools, the players involved and the different phases of a Red Teaming operation.

The Teams Involved in a Red Teaming Assessment

At Vaadata, we use the principles of the TIBER-EU framework to structure our Red Team operations.

Although we have adopted the broad outlines, we have adapted this methodology to our own use cases in order to meet the specific challenges of our clients.

A well-orchestrated Red Team mission relies on the coordination of several distinct teams, each with a key role to play:

On the client side, the White Team acts as the main intermediary between the client company and the service provider. It provides essential information to the Threat Intelligence Team to develop realistic attack scenarios. It remains in contact with the Red Team throughout the mission to ensure the smooth running of operations, without divulging test details to the Blue Team.

The Blue Team represents the client’s internal security teams. Its role is to detect and respond to the attacks simulated by the Red Team, just as they would during a real cyber attack. To preserve the authenticity of the tests, this team is not informed of the nature, timing or details of the attack scenarios.

On Vaadata’s side, the Threat Intelligence Team is responsible for the test preparation phase. It gathers and analyses information on threats relevant to the client company. Based on this data, it develops attack scenarios tailored to the organisation’s systems, processes and personnel.

Also on Vaadata’s side, the Red Team carries out simulated attacks following scenarios defined by the Threat Intelligence Team. It tests the organisation’s overall security, targeting human, technological and organisational vulnerabilities.

Methodology and Different Phases of a Red Teaming Assessment

Before going into detail about the various phases of a Red Teaming operation, it is essential to stress one key point.

As each Red Team assessment is unique, we adapt our methodology to the specific characteristics of our clients and the key objectives of the mission. This customisation ensures that the attack scenarios faithfully reflect the real threats faced by our clients.

It also ensures that the results are relevant and exploitable, taking into account the specific characteristics of the systems, processes and teams of each of our clients.

The initial phase of a Red Teaming operation mainly involves two teams: the White Team and the Threat Intelligence Team. The mission begins with a pre-launch meeting between Vaadata’s sales team and the client’s representatives.

The aim here is to understand the client’s needs (challenges and context), to set the terms and conditions of the Red Team assessment (dates, duration and scope of the tests) and to exchange the information needed to draw up and sign the Rules of Engagement (ROE).

In the following days, the client must provide the composition of its White Team and any additional information required to ensure smooth communication throughout the operation.

Finally, a kick-off meeting is organised to deepen understanding of the scope and objectives of the Red Team assessment. The aim here is twofold:

  • Enable the White Team to present a detailed view of its infrastructure, including the tools and services used (SaaS, internal tools, etc.), the network architecture, the authentication methods in place, etc.
  • Enable the Threat Intelligence Team to define the precise objectives of the mission, which may include, for example, obtaining the source code of a product developed by the organisation, accessing the emails of members of management, exfiltrating sensitive documents (R&D, strategy, etc.), compromising and escalating to the role of Administrator of an Active Directory domain.

This preparatory phase is crucial to aligning expectations and ensuring that the Red Teaming operation meets the specific needs of the client.

The next phase involves three main actors: the White Team, the Threat Intelligence Team and the Red Team.

Production of the Threat Intelligence Report

The Threat Intelligence Team uses the data collected from the White Team to create a comprehensive report, structured in several sections and including:

  • Identification of critical functions, key systems and sensitive assets likely to be targets for testing.
  • Assessment of potential vulnerabilities detected at this stage through in-depth analysis of the information obtained (e.g. network diagrams, technologies used).
  • Modelling of specific threats to the organisation, taking into account documented groups of attackers (e.g. ransomware or data theft groups), types of attack (targeted phishing, network compromise, etc.).
  • Mapping of TTPs (tactics, techniques and procedures) according to the MITRE ATT&CK framework, with details of the planned stages of the attack, the type of threat involved and its final objectives (e.g. data exfiltration, system compromise).

Presentation of the report and validation of the scenarios

An interim meeting is then organised to:

  • Validate, refine or complete the attack scenarios with additional details to enhance this first report
  • Enable the Threat Intelligence Team to incorporate the necessary adjustments to produce a final version of the report. This will serve as a basis for guiding the Red Team’s actions in the subsequent operational phases.

This phase plays a key role in the success of a Red Teaming operation. It ensures that the attack scenarios are aligned with the realities of the organisation and reflect plausible threats.

The next phase, the execution of the tests, involves the Red Team and the White Team.

Drawing up and validating the Red Team Plan

Before launching the tests, the Red Team prepares a key document called the Red Team Plan. This plan includes:

  • Detailed attack scenarios: Reworking and extending the scenarios from the Threat Intelligence report, with a precise chronology of stages and planned actions.
  • Management of leg ups: Leg ups are predefined solutions for getting around a possible blockage at a given stage. They ensure that tests progress despite specific limitations encountered by the Red Team, such as time constraints, limited resources, etc.

A meeting between the Red Team and the White Team is then held at the start of the tests to validate the plan. This meeting clarifies the roles and responsibilities during the execution phase, ensures that the plan meets the objectives and rules of engagement (ROE), and finalises the timelines and leg ups.

Implementation of attack scenarios

Once the plan is approved, the Red Team launches the tests following the defined scenarios. During this phase, regular communication is maintained to signal key stages and manage any incident requiring intervention.

In addition, each action (success, failure, workaround) is documented to feed into the final report.

Interim report and results of the phase

At the end of the tests, the Red Team produces a first version of the Red Team report. This interim report details the actions taken and their results (success or failure), the access gained (for example, taking control of accounts or access to critical systems) and the objectives achieved (data exfiltration, system compromise, etc.).

This interim report is shared with the White Team for initial validation, before moving on to the next phase of feedback and recommendations.

The final phase of a Red Teaming operation focuses on analysis of the results, collaboration between the teams and recommendations for improving the organisation’s security posture. All the actors (Red Team, Blue Team, White Team) are involved at this stage.

Once the tests have been completed, the Blue Team is informed that a Red Teaming operation has taken place. It is then asked to draw up a Blue Team Report, which summarises the actions or attacks detected during the tests, the defence measures implemented and the incidents blocked or managed.

This document is essential for assessing the effectiveness of existing security mechanisms.

A collaborative work session called Replay Workshop is organised between the Red Team and the Blue Team to:

  • Compare the Red Team Report (offensive actions) and the Blue Team Report (detections and responses).
  • Analyse the discrepancies in order to understand why certain Red Team tactics, techniques and procedures escaped the defence mechanisms.
  • Simulate new defences in order to test protections adapted to each TTP identified.

The Replay Workshop ends when the Red Team’s tactics, techniques and procedures (TTPs) have all been detected or rendered inoperative by the Blue Team.
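The comparison carried out during the Replay Workshop can be made systematic by mapping both reports to ATT&CK technique IDs. The following helper is an added example, not part of the original article or of Vaadata’s tooling: the two report structures and their contents are constructed for illustration, while the technique IDs are real ATT&CK identifiers.

```python
"""Replay Workshop helper: compare a Red Team report with a Blue Team report.

Added example (not from the article). Report formats are constructed; the
ATT&CK IDs are real (T1566.002 Spearphishing Link, T1110.003 Password
Spraying, T1071.001 Web Protocols, T1021.002 SMB/Windows Admin Shares,
T1041 Exfiltration Over C2 Channel).
"""
from collections import defaultdict

# Constructed Red Team report: each executed action mapped to a technique.
RED_TEAM_REPORT = [
    {"step": 1, "technique": "T1566.002", "tactic": "Initial Access",
     "action": "Phishing link to a credential-relaying proxy", "result": "success"},
    {"step": 2, "technique": "T1110.003", "tactic": "Credential Access",
     "action": "Password spraying against the VPN portal", "result": "failure"},
    {"step": 3, "technique": "T1071.001", "tactic": "Command and Control",
     "action": "Implant beaconing over HTTPS", "result": "success"},
    {"step": 4, "technique": "T1021.002", "tactic": "Lateral Movement",
     "action": "Admin share access on the file server", "result": "success"},
    {"step": 5, "technique": "T1041", "tactic": "Exfiltration",
     "action": "R&D documents exfiltrated over the C2 channel", "result": "success"},
]

# Constructed Blue Team report: what was detected and whether it was blocked.
BLUE_TEAM_REPORT = [
    {"technique": "T1110.003", "detected": True, "blocked": True,
     "source": "IdP failed-logon correlation"},
    {"technique": "T1021.002", "detected": True, "blocked": False,
     "source": "EDR alert on remote service creation"},
]


def workshop_status(red, blue):
    """Classify every Red Team technique as 'missed', 'detected' or 'blocked'."""
    blue_by_tech = {entry["technique"]: entry for entry in blue}
    status = {}
    for action in red:
        seen = blue_by_tech.get(action["technique"])
        if seen is None or not seen["detected"]:
            status[action["technique"]] = "missed"
        elif seen["blocked"]:
            status[action["technique"]] = "blocked"
        else:
            status[action["technique"]] = "detected"
    return status


def remaining_work(status):
    """Techniques the Blue Team still has no visibility on. The workshop ends
    when this list is empty (every TTP detected or rendered inoperative)."""
    return sorted(t for t, s in status.items() if s == "missed")


def gaps_by_tactic(red, status):
    """Group missed techniques by tactic, to show where the kill chain went dark."""
    out = defaultdict(list)
    for action in red:
        if status[action["technique"]] == "missed":
            out[action["tactic"]].append(action["technique"])
    return dict(out)
```

Re-running `workshop_status` after each new detection rule added during the workshop gives the Blue Team an objective stopping criterion.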

At the end of the workshop, the Red Team produces a final report providing an overview of the results of the mission. This report details:

  • The initial vulnerabilities identified during the tests, and the improvements made thanks to the interactions with the Blue Team.
  • Concrete recommendations for strengthening defences on critical systems: tools, processes, etc.

This final version of the Red Team Report is presented at the feedback meeting attended by all those who took part in the Red Team.

Purple Teaming: a Collaborative Approach to Strengthening Cyber Resilience

Purple Teaming is a collaborative approach in which the Red Team (offensive teams) and the Blue Team (defensive teams) work together to improve an organisation’s security posture.

It encourages the exchange of information in real time, enabling the teams to work together to refine defences and strengthen detection capabilities.

The main aim of Purple Teaming is to raise the overall level of security by exploiting the Red Team’s tactical insights to adapt defence mechanisms, while helping the Blue Team to better understand the tactics, techniques and procedures (TTPs) used by real attackers.

This model is based on structured exercises, often framed by frameworks such as MITRE ATT&CK, to ensure a precise mapping of the techniques used and the measures to be implemented. The emphasis is on continuous improvement, where each simulated attack results in concrete learning for both teams.

MITRE ATT&CK: a Key Framework for Red Teaming

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a framework used to understand, organise and analyse the behaviour of cyber attackers.

It provides a complete matrix of the tactics and techniques used by attackers at each stage of an attack, from initial access to achieving an objective.

The MITRE ATT&CK matrix is organised into several columns representing the different stages of an attack, such as initial access, execution, persistence and defence evasion, among others. Each column contains several techniques associated with that specific stage of the attack.

Each technique is described in detail, including general descriptions, examples of use by attackers, commonly associated tools and means of detection and prevention.

This granularity enables organisations to better understand the tactics and techniques used by attackers and to strengthen their defences accordingly.

MITRE ATT&CK is used by organisations for a number of use cases, including improving threat detection, security posture assessment, attack simulation (such as Red Teams) and defence planning.

Red Teaming Tools and Techniques

During a Red Team, a number of tools can be used to achieve the defined objectives. These tools include (but are not limited to):

  • Implants (malware): programs designed to execute instructions given by a command and control server (called C2) on an infected machine. These implants can also enable the Red Team to use the infected machine as a bounce point to an internal network. They are usually deployed via a loader to bypass security solutions. To find out more, read our article: Antivirus and EDR bypass techniques.
  • Phishing utilities such as Evilginx, which enable man-in-the-middle attacks that can bypass certain types of MFA (multi-factor authentication).
  • Password spraying tools for testing common password combinations against multiple user accounts. For more information on this type of attack, please refer to our article: Brute force attacks: principles and security best practices.
  • Scanning tools to discover assets exposed on the Internet and known vulnerabilities.
  • Finally, if the Red Team manages to gain access to an organisation’s internal network, there are a number of reconnaissance tools for discovering misconfigurations and vulnerabilities, so that the team can move laterally or escalate its privileges within an Active Directory domain.
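Seen from the Blue Team’s side, the password spraying bullet above corresponds to a distinctive pattern: one source failing against many different accounts with few attempts per account. The detection below is an added example, not code from the article; the log format, thresholds and sample lines are constructed for illustration.

```python
"""Detect password spraying in constructed authentication logs.

Added example (not from the article). Log schema and thresholds are
assumptions; the sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <source_ip> <user> <result>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.7 alice FAIL
2024-03-01T09:00:03 203.0.113.7 bob FAIL
2024-03-01T09:00:05 203.0.113.7 carol FAIL
2024-03-01T09:00:08 203.0.113.7 dave FAIL
2024-03-01T09:00:10 203.0.113.7 erin FAIL
2024-03-01T09:00:12 203.0.113.7 frank SUCCESS
2024-03-01T09:02:00 198.51.100.9 alice FAIL
2024-03-01T09:02:05 198.51.100.9 alice FAIL
2024-03-01T09:02:09 198.51.100.9 alice FAIL
2024-03-01T09:02:14 198.51.100.9 alice SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag sources that fail against >= min_accounts distinct users inside
    `window`. Repeated failures on a single account (classic brute force, as
    for 198.51.100.9 in the sample) are deliberately not matched here."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [(ts, user) for ts, user, r in evs if r == "FAIL"]
        start = 0
        for end in range(len(failures)):  # sliding window over failures
            while failures[end][0] - failures[start][0] > window:
                start += 1
            users = {u for _, u in failures[start:end + 1]}
            if len(users) >= min_accounts:
                # Any success from the same source is a probable compromise.
                hits = sorted({u for _, u, r in evs if r == "SUCCESS"})
                findings[ip] = {"accounts_tried": len(users), "successes": hits}
                break
    return findings
```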

Carry Out a Red Team Operation with Vaadata, a Company Specialised in Offensive Security

Vaadata is a leading offensive security company specialising in Penetration Testing and Red Teaming services. Leveraging our extensive expertise, we assist various organisations in addressing complex cybersecurity challenges across all critical assets, including web platforms, mobile applications, connected devices, network infrastructure, cloud services, and employee awareness.

Vaadata is certified with ISO 27001 (Information Security), ISO 27701 (Privacy Information Management), and holds the CREST accreditation for Penetration Testing. Our commitment to these certifications ensures we deliver security audits that adhere to industry best practices and the highest security standards, providing our clients with top-tier services that protect their information and personal data.


We support over 500 clients ranging from startups to large enterprises across various sectors in Europe and North America. All our services are performed by our in-house team based in Lyon, with security consultants holding certifications that reflect our deep understanding of a wide range of cybersecurity technical challenges and our proficiency in effectively addressing them.

Authors: Amin TRAORÉ – CMO @Vaadata & Arthur LE FAOU – Pentester @Vaadata