Red Teaming as a Culture: Beyond Just VAPT
By Gladson, Threat Analyst
“VAPT shows you what’s broken Red Teaming shows you how you’ll be breached.”
That’s what one client confidently shared with us just weeks later, our Red Team simulated a targeted phishing campaign, gained domain admin privileges, and exfiltrated simulated customer data while never triggering a single alert. With a realistic attack simulation, their “bulletproof” defenses underperformed, and we found vulnerabilities that a pentest would never have discovered. Sadly, this scenario is not unique. This reality is occurring across the board, in every industry from financial services to healthcare, at organizations that are learning the hard wayjust because you pass a Vulnerability Assessment and Penetration Test (VAPT), does not mean you’re protected from sophisticated threat actors.
Don’t get me wrong VAPT is a critical foundational component of any security program — these assessments are effective in identifying significant technical vulnerabilities such as the following system misconfigurations, missing security patches, and known Common Vulnerabilities and Exposures (CVEs). A VAPT provides a formal, predefined and systematic way to find security gaps that could be exploited to compromise the organization.
That said, VAPT will only get you so far in protecting your organization from today’s threats. There are significant limitations in doing a point in time VAPT, with limited scope, that follows a checklist and methodology through a controlled testing space, and that doesn’t risk the age old adversarial human element — which is often the weakest link in the security chain.
Real cybercriminals do not follow penetration testing methodologies. They do not confine themselves to limited time slots, nor do they consider their attack vectors to be limited to their original scope. Cybercriminals explore many different angles, through technical vulnerabilities and human psychology, and they can be persistent in ways that normal penetration testing cannot replicate.
Red Teaming embodies a radical change in security testing philosophy. Red Teams don’t just highlight vulnerabilities; they provide insight into your organization into what an Advanced Persistent Threat (APT) group would do when targeting your organization. Specifically, Red Teams will give you an excellent idea of your real security posture by simulating what type of access and privileges a real threat actor can obtain given an opportunity to attack your organization to its fullest potential.
Comprehensive Red Teaming engagements often adopt multiple attack vectors that imitate real-world attacks. For example, phishing campaigns and social engineering attacks identify employee awareness and human co-dependence within the organization. Testing of custom malware evasion tactics (often seen only in the wild), as well as evaluation of command and control (C2) infrastructure, to test capabilities to detect C2 operations with your organization’s standard network monitoring.
Their job, however, is not done after initial compromise. Red Teams pay great attention to lateral movement – what a threat actor (in this case representative of a nation state adversary) will do once initial access is gained. Can the threat actor maintain a method of access and/or establish persistence once they have gained access? Red Teams focus on evaluating the organization’s tools used to detect malicious file activity, to include evading EDR, endpoint and client-side defenses, as well as Antivirus and Office 365 protocols. Most importantly, they also assess the effectiveness of your Security Operations Center’s (SOC) ability to monitor and identify adversary methodologies, through threat detection with real-time information available to respond and investigate sophisticated threats.
Consider a recent engagement with a midsized financial technology company that has invested heavily in cybersecurity. They maintained an impressive security posture on paper: annual VAPT assessments with clean reports, enterprise grade EDR deployment across all endpoints, multifactor authentication on critical systems, and a state-of-the-art Security Information and Event Management (SIEM) platform with 24/7 monitoring.
Their confidence was understandable but misplaced. Our Red Team engagement began with a carefully crafted phishing email disguised as a routine invoice from a trusted vendor. The email contained a weaponized document that deployed a Cobalt Strike beacon a legitimate penetration testing tool that’s also favored by sophisticated threat actors.
The attack progressed using “Living off the Land” techniques, leveraging legitimate Windows utilities and PowerShell commands that appear benign to most security tools. Within six days, our team had escalated privileges to domain administrator level and began exfiltrating decoy personally identifiable information (PII) from their customer database.
Throughout this entire process, not a single security alert was generated. The SIEM logged the activities but categorized them as normal business operations. The EDR solution, despite its reputation and cost, failed to identify the malicious behavior patterns. Most shocking to the organization’s leadership was the realization that their incident response procedures were never activated because the breach was never detected.
This exercise not only identified technical deficiencies, it revealed serious deficiencies in their ability to detect and respond to incidents which no conventional penetration test could have revealed. The boardroom discussion that followed resulted in a complete rethink of their approach to security monitoring and significant investment in threat hunting capabilities.
In many respects VAPT and Red Teaming are not in competition with one another but are indeed complimentary experiences. An analogy is to look at a VAPT as working through an exercise of checking unlocked doors or open windows. The tasks accomplished in Red Teaming are much more complicated than asking the question “what happens if the attacker picks the lock, uses another entry way or convinces someone else to let he/she into the building?.” This combination of actions opens up the entire security landscape for examination. While VAPT can discover technical security weaknesses for the organization to remediate, Red Teaming can establish contingencies should an advanced attacker circumvent those technical controls. Both methods can prepare an organization for the totality of modern cyber threats.
The combination also provides context for security investments. You just paid for the most robust endpoint protection or detection system money can buy. If a Red Team is able to circumvent that functionality using basic social engineering techniques, the organization will know where to focus security awareness training.
Red Teaming isn’t appropriate for every organization at every stage of security maturity. Organizations should consider Red Team exercises when they’ve developed a mature security posture but lack real-world validation of their defenses. If you’ve invested significantly in security tools and want to validate their return on investment, Red Teaming provides that crucial proof of concept.
Organizations with established Security Operations Centers or incident response teams particularly benefit from Red Team exercises. These simulations provide invaluable training opportunities for security staff and help identify gaps in detection and response procedures before real attackers exploit them. Companies that want to prepare for Advanced Persistent Threat style attacks rather than just opportunistic malware find Red Teaming essential for developing appropriate defensive strategies.
Regulatory requirements often drive the need for Red Teaming as well. Industries subject to strict compliance frameworks increasingly recognize that meeting regulatory checkboxes doesn’t guarantee protection against sophisticated threats. Red Teaming helps bridge the gap between compliance and actual security effectiveness.
The cybersecurity industry has constructed a potentially dangerous misconception that compliance is security. Organizations that have been breached in recent years have always compliant with relevant regulations and industry standards. They conducted their required security assessments, maintained their documentation, and checked all regulatory boxes but fell victim to sophisticated attacks.
This disconnect exists because compliance frameworks are often inconsistent with the evolving threat landscape, describing a baseline of security controls effective against historically relevant threat vectors, but irrelevant against an attacker’s evolving techniques. Compliance audit assessments will always lead to the previous state of compliance. Compliance audits will verify that security control exists but will not verify the extent to which the security control is effective against a determined adversary.
Red Teaming fundamentally breaks down compliance by determining the effectiveness of a security program rather than the level to which compliance exists. Red team exercises provide actual answers to the questions that often make executives lose sleep at night: “Are we actually secure, or do we just look secure on paper?”
Organizations taking the step to implement Red Teaming gain several strategic advantages, beyond immediate improvements to security. From a board-level perspective, Red Teaming provides visibility into actual security risks, which permits leadership to make strategic investment and operational prioritization based on informed assumptions related to risk and security investment. Organizations may build greater confidence in their security function by demonstrating security measures under pressure or defining exactly where security measures require improvements.
You may also like to know about this: Do you know the dark side of your vehicle stickers?