The Latest in FedRAMP Compliance: Breaking Down Red Teaming for Enhanced Security
For companies that sell to the U.S. government, FedRAMP is the gift that keeps on giving. Rightfully so, since FedRAMP plays a pivotal role in ensuring the security of cloud services utilized by federal agencies. Recently, FedRAMP introduced a significant update: the inclusion of red teaming exercises as a mandatory requirement.
This article provides an overview of red teaming and the phases that happen during a red teaming exercise, outlines the key differences between pen testing and red teaming, and offers some guidance for companies seeking to comply with the new red teaming requirements.
Understanding the FedRAMP Red Teaming Requirement
Before we begin, here is the specific requirement:
Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: [Assignment: organization-defined red team exercises]. CA-08 (02)
NIST Discussion from the FedRAMP controls:
Red team exercises extend the objectives of penetration testing by examining the security and privacy posture of organizations and the capability to implement effective cyber defenses. Red team exercises simulate attempts by adversaries to compromise mission and business functions and provide a comprehensive assessment of the security and privacy posture of systems and organizations. Such attempts may include technology-based attacks and social engineering-based attacks. Technology-based attacks include interactions with hardware, software, or firmware components and/or mission and business processes. Social engineering-based attacks include interactions via email, telephone, shoulder surfing, or personal conversations. Red team exercises are most effective when conducted by penetration testing agents and teams with knowledge of and experience with current adversarial tactics, techniques, procedures, and tools. While penetration testing may be primarily laboratory-based testing, organizations can use red team exercises to provide more comprehensive assessments that reflect real-world conditions. The results from red team exercises can be used by organizations to improve security and privacy awareness and training and to assess control effectiveness.
Simply stated, the red teaming requirement outlined by FedRAMP involves emulating potential adversaries' attack capabilities to comprehensively assess an organization’s security posture.
Unlike traditional penetration testing, which focuses on identifying vulnerabilities, red teaming exercises simulate real-world cyber-attacks, encompassing both technology-based and social engineering tactics. The primary objective is to test an organization’s detection, defense, and response capabilities by leveraging current tactics, techniques, and procedures (TTPs) observed in the wild.
Breakdown of Red Teaming Phases:
- Phase I – Objective Setting: Understand the business context and scope of the engagement. Define objectives and scope, aligning red team success with these objectives. Decide on the initial approach, either through external breach or assumed breach.
It's important to clarify that while the initial phase of a red team engagement might resemble a penetration test, there are key distinctions between the two. A penetration test typically focuses on identifying and exploiting vulnerabilities within a specific domain (logical, physical, or social) and is usually even more limited within that domain. In contrast, a red team engagement focuses on a broader, more comprehensive approach. These engagements should simulate realistic attack scenarios that a potential adversary or threat actor might employ against your organization and are usually not limited to the tested domain if there is relevance to the attack path.
- Phase II – Reconnaissance and Threat Modeling: Research the target extensively, gathering information such as IP ranges, domain names, and employee details. Identify potential threats and assess associated risks. Use frameworks like MITRE ATT&CK to model threat actor tactics, techniques, and procedures (TTPs).
- Phase III – Initial Access: Exploit vulnerabilities and data to gain initial access, utilizing techniques like social engineering, physical attacks, or exploiting external attack surfaces.
- Phase IV – Establish Persistence: Once initial access is gained, take actions to maintain access, such as setting up backdoors, creating new accounts, and utilizing Command and Control (C2) frameworks.
- Phase V – Escalation/Lateral Movement: Escalate privileges and move laterally within the organization, using defense evasion techniques. Exploit further vulnerabilities, crack passwords, access credential stores, or employ social engineering techniques.
- Phase VI – Data Exfiltration: Discover, collect, and exfiltrate target data as per the defined objectives.
- Phase VII – Reporting and Debrief: Present a comprehensive report of findings, including an executive summary, detailed findings, control successes and failures, and recommendations for improvement.
From setting objectives and conducting thorough reconnaissance to executing simulated cyber-attacks and delivering comprehensive reports, partnering with a cybersecurity firm enhances an organization's ability to assess and improve its security posture.
Red Teaming and Penetration Testing: How Are They Different?
A lot of companies are confused about the difference between red teaming and penetration testing. Red teaming and penetration testing share a common goal, which is to identify security weaknesses. The main difference between them lies in the approach and the objectives.
Penetration testing primarily focuses on vulnerability identification and exploitation within a defined timeframe. In contrast, red team exercises aim to identify systemic weaknesses across an organization, providing a framework for continuous improvement in areas such as policies, procedures, and vulnerabilities rather than merely focusing on the vulnerability aspect.
If you'd like to learn more, check out this article Dahvid Schloss, Director of Offensive Security, wrote last year, Cyber Definition Problems: Red Teaming vs. Penetration Testing.
Three Considerations for the FedRAMP Red Teaming Requirement
Since this new FedRAMP requirement doesn’t require the red team engagement to be conducted by an approved third-party vendor, you will likely see an influx of organizations claiming that they can fulfill this requirement. While many of them probably can, if you are going to conduct a red team assessment it is best to look out for a few key aspects to ensure you aren’t getting a pen test disguised as a red team.
Will the engagement be threat intelligence-backed?
This is the first and most important item you should look for. The organization you hire for a red team assessment should conduct threat intelligence through open and closed sources so they can realistically state which threat actors and attack types are most relevant to your organization based on size and industry. From that, they should be able to put forth a few example threat actors and emulate their tactics, techniques, and procedures so you can see how well you defend against that threat. A red team should be realistic, and you shouldn’t be getting tested by “APT <insert company name>”.
Does the organization deploy its own attack infrastructure?
Threat actors typically employ covert infrastructure to host their C2 and phishing platforms, many times in cloud platforms like AWS, Azure, or GCP. This is important because red team engagements are, at their core, no-knowledge tests (also called black-box tests).
One of the core components of these types of tests is not only to see if there are ways to gain access but also to assess if your blue team staff or vendors are able to detect the intrusion. If the traffic never leaves your environment, it's not realistic, is it? You aren’t doing yourself any favors by skipping this step in an engagement.
Does the team have deep adversarial emulation experience?
The last big thing to look out for is team experience. Red teaming is a unique type of assessment and requires a deep understanding of adversarial emulation. While we would love to see more red team operators out there, we understand the market can be small and hard to break into because it takes a high degree of skill. This can’t be boiled down to individual certificates but more to the individual's experience conducting said assessment.
When assessing vendors, be sure to ask what their experience is in your industry around these types of assessments. Make sure you trust the individuals who are going to assess your organization since, if done right, you may not even know they are in your network.
The Bottom Line on the FedRAMP Red Teaming Requirement
The cybersecurity threat landscape is constantly evolving. Regardless of who companies are selling to, red team exercises are an effective tactic to test the technical, human, and physical elements of an organization.
FedRAMP is not a straightforward journey, so it is important to seek guidance from experts who have this specific knowledge and experience. If you’re looking for a trusted advisor in this area, don’t hesitate to reach out to our team of experts at Echelon.
Further Reading:
If you liked this topic, explore related content:
Cyber Definition Problems: Red Teaming vs. Pen Testing
Resources:
https://www.fedramp.gov/assets/resources/documents/CSP_Penetration_Test_Guidance_public_comment.pdf