A red team is a service where some security experts attack an organization as if they were a real advanced attacker, but being careful about not damaging or interrupting the business of the hiring organization. Its objective is to identify the same security vulnerabilities that a real attacker could identify, and exploit them to reach valuable assets.
Sometimes organizations think that the security vulnerabilities identified by internal security teams are not that important. When hiring external red teams, they can see that anyone from outside the company could reach valuable and confidential information by exploiting some of those known or unknown vulnerabilities.
The red team exercise also helps evaluate whether the detective and reactive controls work. A good red team provider will try to identify and exploit these vulnerabilities without generating noise and without alerting the organization's SOC. And even if they are detected, it is an interesting exercise for the SOC to react, and for the attacker to hide and continue with the attack.
Is our supply chain vulnerable? Is having this system exposed to the Internet really a threat, or is it worth keeping it exposed because it makes it easier for collaborators to access? By hiring a good red team you can obtain evidence of whether these are really a problem or not.
A red team is different from a penetration test or pentest. In a red team exercise the scope is much wider, and the objective more flexible. In a pentest the scope is usually very limited to a specific asset or range of assets. In a pentest the main objective is identifying potential vulnerabilities while in a red team it is important to try to exploit them.
It is important that the red team provider is external, because we want them to have no insider information. With insider information, we might think that the reason they were able to breach something was the privileged information they had. This is not usually the case, but by hiring an external red team you reduce the possibility of thinking so.
It is also preferable that the people in the company who have to detect and react to attacks do not know that the red team exercise is going to take place. If possible, only the minimum number of people should know. This way everything will be more realistic. If you know that a red team is being performed you may react differently, for example by investigating more things than usual.
Additionally, hiring a red team is a good way of having a real measure of how well we are doing and of identifying the most important vulnerabilities. Without it, it is easy to have a false sense of security. Are we not being hacked because we are doing well, or because we are not being targeted? Or maybe we are already breached but are not detecting it?
Hiring an external red team, not just a penetration test, is a good way of measuring how well we are doing at security. The objective is not to embarrass anyone but to have a realistic view of our current status and learn what we are doing better and what we are doing worse.