Red Teaming: when assumptions aren’t enough
Modern Fortune 500 software companies operate with millions of servers, tens of thousands of employees, and limitless connectivity. These companies invest heavily in standards and regulatory compliance, vulnerability scanning, application security, and other security defenses to help harden their massive footprints and improve their ability to respond to cyberattacks. However, validating these security investments requires more than just assumptions, especially in a world where cybercrime incidents continue to rise, and the cost to companies has skyrocketed.
Red teams play a critical role in eliminating assumptions related to a company’s readiness to disrupt cyberattacks. While traditional “blue teams” focus on strengthening their defense strategy and responding to incidents, red teams take an offensive approach to identifying potential weaknesses and breaking through the company’s cyber defenses. By performing exercises that mimic the tactics of real-world adversaries, red teams act as a company’s practice squad — like those employed by sports teams — helping the organization be better prepared to detect and mitigate the impact of actual incidents.
Over the past several years, the Adobe Security red team has matured from humble origins to a robust and comprehensive team equipped with an in-house-developed “red team toolkit” tailored specifically to Adobe’s environment, systems, and products. This evolution has turned the Adobe Security red team into one of the company’s best adversaries.
Adobe Security’s Red Team capabilities
Since its inception, the Adobe Security red team’s value has been felt across the company. By performing active testing using customized toolkits, we effectively evaluate Adobe’s preparedness to defend against various real-world adversaries.
Let’s go into more detail about the Adobe Security red team’s capabilities:
Emulating Adversaries
Adversaries and their actions are tracked across the globe to better understand their motivations and possible future actions. Mitre ATT&CK is a global knowledge base that tracks adversary tactics and techniques based on real-world occurrences. Using Mitre ATT&CK, companies can gather cataloged and recorded threat intelligence to determine whether their industry could be targeted by a particular adversary group.
The Adobe Security red team leverages this information to conduct adversary emulation operations, using the actual techniques employed by adversaries known to target our industry. By applying real-world techniques, we engage with the security blue team to assess and enhance our ability to detect and respond to specific, known adversary groups and their evolving methodologies.
Simulating Adversary Attacks
Another important capability of red teaming is anticipating and getting ahead of adversary attacks before they may occur. The Adobe Security red team uses adversary simulation techniques to explore theoretical paths that could potentially lead to the compromise of a service.
During adversary simulation, our red team explores hypothetical scenarios for what an attacker could do to, for example, escalate privileges, move laterally between systems, and ultimately cause harm to Adobe’s services. Through these exercises, we gain a more in-depth understanding of the service and analyze a myriad of possible attack vectors.
After the exercise, the red team shares our findings with key internal stakeholder teams, enabling them to address the identified issues by implementing controls that would have prevented the red team from being successful with our attack vector.
Customizing our Toolkit
Performing adversary emulation and adversary simulation operations requires a customized red team toolkit that lets us run exercises resembling those of advanced attackers. Our arsenal of tools includes:
- Custom exploits through which we exploit systems and gain initial access for further attacks;
- C2 (Command and Control) software that uses specialized agents and servers to communicate with compromised machines; and
- Post-exploitation modules that target Adobe services and execute after a system is compromised to advance our attack exercise.
The Adobe Security red team began developing our toolkit from day one, and we continue to improve and build upon it daily to better emulate the growing number of increasingly complex adversarial attacks.
Improving Blue Team capabilities
One of the most significant ways our red team provides value is by empowering our blue teams to enhance their detection and response capabilities. We do this through two types of activities:
- Red Team Exercises: Conducting simulated attacks as friendly “adversaries” without prior notification to the blue team enables real-time feedback and insights in a low-stakes context for the blue team to digest and build upon.
- Purple Team Exercises: In collaborative engagements between the red and blue teams, called “purple team” exercises, the red team creates a “signal” by simulating attack actions to the blue team, which then verifies that it has sufficient logs to detect our actions. This partnership helps Adobe Security to develop new and more effective threat detection methods.
Using these two exercises, we help Adobe continuously improve its security posture by aiding our blue teams to become more robust and effective when responding to real-world scenarios.
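The purple team loop described above (red team produces a “signal”, blue team verifies its logs can detect it) and the ATT&CK mapping described under “Emulating Adversaries” can be checked concretely. The following is an added example and not Adobe’s red team toolkit or any code from the original post. It replays constructed sshd-style log lines through three simple detection rules, each tagged with the MITRE ATT&CK technique it is meant to cover, and then reports which of the techniques the red team says it simulated actually produced a detection. The log lines, hostnames, thresholds, and the list of simulated techniques are all constructed for the demonstration; the last entry (`T1003`) is included deliberately with no matching log source so that the report shows a coverage gap, which is exactly the outcome a purple team exercise is designed to surface.

```python
"""Purple-team coverage check (added example, not Adobe's code).

Replays constructed auth logs through detection rules keyed by MITRE ATT&CK
technique id and reports which simulated techniques produced a signal.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines standing in for the red team's "signal".
SAMPLE_LOGS = """\
2024-05-01T10:00:01 host-a sshd[101]: Failed password for svc-backup from 10.0.5.9 port 5100 ssh2
2024-05-01T10:00:02 host-a sshd[102]: Failed password for svc-backup from 10.0.5.9 port 5101 ssh2
2024-05-01T10:00:03 host-a sshd[103]: Failed password for svc-backup from 10.0.5.9 port 5102 ssh2
2024-05-01T10:00:04 host-a sshd[104]: Failed password for svc-backup from 10.0.5.9 port 5103 ssh2
2024-05-01T10:00:05 host-a sshd[105]: Failed password for svc-backup from 10.0.5.9 port 5104 ssh2
2024-05-01T10:00:09 host-a sshd[106]: Accepted password for svc-backup from 10.0.5.9 port 5105 ssh2
2024-05-01T10:05:00 host-b sshd[201]: Accepted publickey for svc-backup from 10.0.1.20 port 6000 ssh2
2024-05-01T11:00:00 host-c sshd[301]: Accepted publickey for alice from 10.0.1.50 port 7000 ssh2
"""

# Techniques the red team reports having simulated (constructed list).
SIMULATED = {
    "T1110": "Brute Force",
    "T1078": "Valid Accounts",
    "T1021.004": "Remote Services: SSH",
    "T1003": "OS Credential Dumping",  # no log source in the sample -> expected gap
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def detect(events, fail_threshold=5, fail_window=timedelta(minutes=1),
           lateral_window=timedelta(minutes=10)):
    """Run the detection rules and return {technique_id: [finding, ...]}."""
    hits = defaultdict(list)
    fails = defaultdict(list)   # (src, user) -> failure timestamps inside fail_window
    brute_forced = set()        # (src, user) pairs that crossed the threshold
    last_accept = {}            # user -> (host, ts) of most recent successful login
    for e in events:
        key = (e["src"], e["user"])
        if e["result"] == "Failed":
            # T1110: N or more failures for one (source, user) inside the window.
            fails[key] = [t for t in fails[key] if e["ts"] - t <= fail_window] + [e["ts"]]
            if len(fails[key]) >= fail_threshold and key not in brute_forced:
                brute_forced.add(key)
                hits["T1110"].append(f"{fail_threshold}+ failed logins for {e['user']} "
                                     f"from {e['src']} on {e['host']}")
            continue
        # T1078: a successful login from a (source, user) pair that was brute forced.
        if key in brute_forced:
            hits["T1078"].append(f"success for {e['user']} from {e['src']} after brute force")
        # T1021.004: the same account lands on a second host shortly after the first.
        prev = last_accept.get(e["user"])
        if prev and prev[0] != e["host"] and e["ts"] - prev[1] <= lateral_window:
            hits["T1021.004"].append(f"{e['user']} logged in to {prev[0]} then {e['host']} "
                                     f"within {lateral_window}")
        last_accept[e["user"]] = (e["host"], e["ts"])
    return dict(hits)


def coverage(simulated, hits):
    """Map each simulated technique id to True (detected) or False (gap)."""
    return {tid: tid in hits for tid in simulated}


def run_exercise():
    hits = detect(parse(SAMPLE_LOGS))
    return coverage(SIMULATED, hits), hits


if __name__ == "__main__":
    cov, hits = run_exercise()
    for tid, seen in cov.items():
        print(f"{tid:10} {SIMULATED[tid]:24} {'detected' if seen else 'GAP'}")
        for finding in hits.get(tid, []):
            print("    ", finding)
```

Running the module prints one line per simulated technique with the findings beneath it; `T1003` shows as a gap because nothing in the sample log would ever carry that signal, which tells the blue team a log source or rule is missing before a real adversary finds the same blind spot. Thresholds are parameters so the exercise can also check that a rule is not tuned so loosely that benign activity (the `alice` login here) trips it.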
Providing security recommendations
Another way our red team helps improve Adobe’s security posture overall is by providing security recommendations to product teams. During our red team exercises, we set goals and create objectives based on the most significant impact an adversary could achieve if they successfully compromise a service.
After completing our objectives, we offer our detailed analysis, lessons learned and go-forward recommendations to product teams on how to harden their services against real threat actors who would seek to perform a similar attack pattern. We also provide a detailed analysis of our actions for further review. By sharing this information, our red team is able to empower product teams with specific guidance around how to better defend their services against potential attacks of a similar nature.
What’s next?
Our investments in proactively understanding, anticipating, and getting ahead of our adversaries have helped Adobe focus its security resources and remediation activities where they are most impactful. Looking ahead, the Adobe Security red team plans to scale and advance our operations to support Adobe’s efforts to continuously improve our ability to thwart real-world adversaries from reaching their malicious objectives.
Currently, we’re exploring the implementation of AI and automation into our workflows to scale our team’s capabilities and reach across the company. As we grow and evolve as a team, we continue to drive the culture forward at Adobe Security, emphasizing that assumptions alone are not enough to secure modern enterprise companies. It’s crucial to remove these assumptions by testing for weaknesses wherever possible and, ideally, well before real-world attackers have a chance to exploit them.