What is a Red Team? Cipher analyses it from within

Roberto Lopez, Head of Offensive Security Services of the company in Europe, answers the 6Ws of these services, which simulate spontaneous and real attacks on a company to test, detect and improve its cybersecurity systems.

What is a Red Team Services (RTS) team and how does it work? From Cipher, the Cybersecurity business unit of Prosegur, we explain the keys to these teams, which are essential for checking and repairing possible cybersecurity breaches in a company. A Red Team simulates a real attacker, without prior knowledge of the other areas of the company, to thoroughly test it to the limit.

However, before carrying out this simulation, the RTS must complete a series of previous processes. One of the main objectives is to assess the company's security. The first step is to identify access points to the company's network: all companies, large or small, have a large exposure to the Internet.

An increase in exposure increases the number of vulnerabilities. This is how hackers can find a way to gain access: through emails with malicious software (malware); by accessing Wi-Fi networks... there are many possible access points. That's why Red Teams try to put themselves on the other side. They simulate the control of the company's resources in order to show and evidence a series of failures; they verify all the controls; and they monitor the company's security to know if it is working.

The big difference between a Red Team and a real attacker is time. That's where a sponsored attacker has an advantage: he can extend the process by one, two, three weeks or even months.



The RTS provide many benefits to a company. Evaluating the procedures and protocols of security systems is critical, and with RTS, risks can be measured in real time. What's more, the RTS alert the Blue Team: the “reverse” of these teams and the ones that are in charge of activating the company's defence mechanisms. By doing so, the Red Team forces the analyst to manage the alerts as if they were real.

For an RTS to work, one of the main keys is that it is made up of a multidisciplinary team, with experts in different areas and that all of the work is always carried out as a team.



Prior intelligence analysis is fundamental. A wide range of aspects such as the number of employees or the design that the company has in the cloud are some of the parameters to be considered. However, this analysis will always be determined by the duration of the project.

After this first phase, the recognition and mapping of the attack surface begins. For example, by analysing what assets the company may have in the cloud, what type of cloud provider it uses (such as Amazon Web Services or Google), or the applications it uses and whether they are up to date or not. This in-depth picture allows better detection of what are known as attack vectors: small breaches to steal the company's data. Once the target has been set, the next phase is identifying the exploitation and consolidation of a main attack vector.

After the previous analysis, there are several ways to access, for example, gain access via webmail or VPN, in order to find out how well the company's cybersecurity is implemented. If the security systems can detect this intrusion, it is essential to install the so-called backdoors in order to have a way out in case this failure is blocked.

As intruders in the company's systems, the next step of an RTS team is to identify and take control of administrator accounts. The goal is to have privileged access to the infrastructure. It is at this point that the cyber-exercise begins.

Once all this has been completed, training on prevention of this type of attack is provided. One of the most popular training exercises is the internal attack simulation, which standardizes the real intrusion techniques, tactics and procedures used by ransomware (data theft).



A good offence is the best defence and, therefore, it is vitally important to lay down the first foundation stones of a cybersecurity strategy. In addition, it is important to have the support of a SOC (Security Operation Centre) and to carry out audits to keep these vulnerabilities under control.

Prevention is, therefore, essential. Launching regular awareness campaigns among employees and, above all, checking whether they are effective. Protection also stands out as a premise: understanding the different levels of protection, working on possible failures and whether they are basic, advanced or the result of human error. In short, to determine which are more complex and which are simpler.

The company has to make sure that the detection team is working efficiently, and if alerts or security incidents take place. Once an alert is detected, an analysis of the incident is conducted to determine whether it is malicious, what it has done, what equipment it has "stolen". With all this information, the analysis and the equipment of the company are matched up. That’s when the company will be ready to counterattack.