
Published: 6/14/2023

CMS Cybersecurity Integration Center (CCIC) Red Team Engagements

by PenTesting Team

CCIC Red Team Engagements help strengthen your system's defenses against real-world threat actors

In today's digital landscape, organizations face an ever-evolving array of cyber threats that can compromise their critical data assets. As technology advances, so do the tactics employed by malicious actors seeking to infiltrate networks, steal sensitive information, and cause damage. To counter these threats, it is crucial for organizations to assess their security posture comprehensively and proactively. This is where the Red Team Engagements come into play.

What are Red Team Engagements?

Red Team Engagements are highly targeted assessments designed to simulate real-world threat scenarios. Unlike traditional penetration tests that focus on identifying vulnerabilities, Red Team Engagements take a more holistic approach. They go beyond simply finding weaknesses in defenses and delve into the realms of defense, detection, and response. By emulating the Tactics, Techniques, and Procedures (TTPs) of actual adversaries, Red Teams challenge an organization's security measures, testing its ability to detect and respond to potential threats.

In essence, while penetration testing focuses on the technological aspects of defense, Red Team Engagements aim to improve the detection capabilities of the defenders themselves, the people responsible for safeguarding the system.

How do Red Team Engagements work?

Red Team Engagements require collaboration between the System team and the CMS Cybersecurity Integration Center (CCIC) team. Business owners and cyber risk advisors work together to define the scope of the engagement, including identifying the system's boundaries, gathering necessary credentials, and scheduling the engagement.

During the engagement, the Red Team assumes the role of a threat actor who has already gained initial access to the system. Over the course of approximately one month, the team executes a series of MITRE ATT&CK TTPs commonly employed by real-world adversaries. They start slowly and subtly, gradually increasing their activity and noise to assess the system's resilience.

Note: Red Team Engagements do not involve social engineering attacks such as phishing or impersonation. Instead, the focus is on testing the system's ability to detect and respond to an advanced and persistent threat.

Benefits of Red Team Engagements

Regularly conducting Red Team Engagements offers several benefits to organizations looking to enhance their security posture:

  1. Strengthened Defenses: By identifying weaknesses and vulnerabilities, Red Team Engagements enable organizations to bolster their defenses proactively. They provide valuable insights into potential entry points and the effectiveness of existing security measures.
  2. Early Detection: Red Team Engagements test the system's ability to detect attacks at an early stage. By simulating real-world threat scenarios, organizations can fine-tune their monitoring and detection capabilities, allowing them to respond swiftly to potential breaches.
  3. Damage Limitation: By uncovering vulnerabilities and weaknesses, organizations can address them promptly, minimizing the potential damage that a real-world attack might cause. Red Team Engagements help organizations stay one step ahead of malicious actors.
  4. Improved Security Stance: Red Team Engagements contribute to an overall improvement in an organization's security stance. By continuously challenging and refining their defenses, organizations can maintain a strong security posture that evolves with emerging threats.

FAQs about Red Team Engagements

To provide further clarity, let's address some frequently asked questions about Red Team Engagements:

Q1: Who should be involved in the Red Team Engagements - and what support is needed from our end?

Unlike traditional penetration tests, Red Team Engagements involve the active participation of upper leadership and system personnel. It is highly encouraged that upper leadership be the point of involvement on the system's end. Keeping the engagement as "low profile" as possible in this way ensures that the Red Team can genuinely test whether the system's defenders detect and respond to its activity, rather than responding to activity they already expect.

Q2: Is there a risk of potential downtime for the system?

The goal of a Red Team Engagement is not to cause any damage to the systems or disrupt their operations. The majority of techniques and tactics employed during the engagement should not cause any downtime for the given system. The focus is on identifying vulnerabilities and weaknesses without affecting the system's availability.

Q3: What documentation is provided at the end of the engagement?

At the conclusion of the Red Team Engagement, the CCIC Penetration Team will produce and deliver the following documents:

  • Red Team Engagement Final Report: This high-level report outlines the overall results of the engagement, providing a summary of key findings and recommendations.
  • Red Team Engagement Full Report: This in-depth documentation outlines the entire engagement, from the scope of the assessment to detailed recommendations for better securing the system/environment. It provides a comprehensive analysis of the findings and includes actionable steps for improvement.
  • Red Team Log: This document outlines the specific actions performed by each tester during the engagement, detailing their activities on a given system at a specific time. The Red Team Log provides system maintainers, developers, and security professionals with all the necessary details to replicate and understand the methodologies used during the engagement.
  • Vulnerability Findings: This documentation highlights specific vulnerabilities discovered during the engagement. It includes steps to reproduce the vulnerabilities and recommendations for their remediation.

Q4: What level of support is needed from our team during the engagement?

Before the engagement starts, the CCIC Penetration Team will work with your team to gather the IP addresses/Hosts that are within the scope. Additionally, they may request a "Low" level user account for the target system(s). Once the engagement is underway, the only additional support that may be needed is if the Red Team is detected and the system initiates the incident response process.

Q5: What happens if vulnerabilities are discovered?

While the primary focus of Red Team Engagements is not on discovering vulnerabilities, if any are discovered, the CCIC Penetration Team will follow the normal process for addressing them. They will work with the system's stakeholders to properly remediate the vulnerabilities. Critical findings must be remediated within 15 calendar days, High findings within 30 calendar days, Moderate findings within 90 calendar days, and Low findings within 365 calendar days before being submitted to the CMS FISMA Controls Tracking System (CFACTS).

Q6: In which environment will the testing occur?

If the monitoring and detection capabilities of a lower environment are the same as the production environment, the Red Team prefers to conduct the test in the lower environment. However, if there are differences, it is recommended to perform the test in the production environment. This allows the Red Team to provide the most accurate and realistic results possible, considering the actual production system.

By conducting Red Team Engagements, you can proactively assess your security defenses, enhance your detection capabilities, and improve your overall security stance. With the collaboration between the System team and the CMS Cybersecurity Integration Center (CCIC) team, a stronger and more resilient cybersecurity posture can be achieved to protect critical data assets from real-world threat actors.

Interested in learning more?

To learn more about Red Team Engagements, penetration testing, and other cybersecurity measures, you're invited to attend the CCIC Final Friday Frequently Asked Questions (CF3) session that takes place once a quarter. If you're interested in attending, send us an e-mail at cmspentestmanagement@cms.hhs.gov and we will be happy to add you to the e-mail invite for the upcoming session. This discussion is designed to answer key questions about the cybersecurity landscape, and specifically the role of CCIC penetration testing, the different types of testing, the process for reporting findings, the role of Red Teaming, and much more.

We highly recommend tuning in to this valuable session to boost your understanding of how to secure your systems effectively. The information provided will empower you to make more informed decisions about your cybersecurity strategy, enhancing your ability to protect your organization from evolving cyber threats.

Availability of this service at CMS

This service is available at the CMS Cybersecurity Integration Center (CCIC). To request a Red Team Engagement, you can contact the CMS CCIC Penetration Team via email at cmspentestmanagement@cms.hhs.gov. The team will guide you through the process, providing you with a PenTest Request form and scheduling a call to gather additional details.

Remember, the strength of your cybersecurity posture relies heavily on being proactive. Regular security assessments like Red Team Engagements are an excellent way to identify potential weaknesses before they can be exploited, enabling you to maintain a robust and effective defense against real-world cyber threats.

About the publisher:

Penetration Testing (PenTesting) helps teams identify potential weaknesses in their system by mimicking real cyber attacks. Our team can help you schedule your PenTest and take action on the results to strengthen your system’s security posture.