20.01.2025

Red Teaming: Hacking – Ethically!

Hackers are actually a company’s worst nightmare – and yet more and more companies are hiring them to identify vulnerabilities in their IT systems through targeted attacks. “Red Teams” play a special role in this. In this interview, experienced security expert Nico Leidecker from NVISO explains the advantages of ethical hacking and the aspects to watch out for.

Mr Leidecker, what exactly is “Red Teaming” and how does it differ from other forms of ethical hacking?

Red Teaming is a specialised form of ethical hacking in which a team of security experts (the “Red Team”) is tasked with simulating realistic attack scenarios on a company. These simulations are designed to uncover vulnerabilities in the IT infrastructure, processes, but also the employees and physical security of the company that could potentially be exploited by malicious actors. Red Teams use tactics, techniques and procedures (TTPs) based on known real threat actors to test a company’s defence mechanisms.

The main distinction between Red Teaming and other forms of ethical hacking, such as penetration testing, lies in the scope and approach. While penetration tests typically focus on identifying and exploiting technical vulnerabilities in specific systems, Red Teaming includes physical and social attack methods, such as social engineering or physical infiltration. The objective is to test the response of the entire security apparatus of a company, including the human and organisational components.

Another difference is the goal of the exercise. Red Teaming aims to assess and improve an organisation’s overall security posture by testing its ability to respond to complex, multi-layered attacks. In contrast, penetration tests are often geared towards identifying and remediating technical vulnerabilities without considering the context of a specific attacker. Through this comprehensive approach, Red Teaming provides valuable insights into how well a company is prepared to defend against advanced and targeted attacks.

Why is Red Teaming becoming more important in today’s cloud-based IT environment?

Red Teaming is becoming increasingly important in today’s cloud-based IT environment because it enables companies to test their security measures against advanced and realistic threat scenarios. With the ongoing migration of IT infrastructure to the cloud, companies face new security and data protection challenges. Cloud environments are often dynamic and complex, making it more difficult to identify and address all potential vulnerabilities.

In addition, Red Teaming helps companies to continuously improve their security strategies. The insights gained from the simulations allow companies to close existing security gaps and enhance their ability to respond to real threats. In an era where cyberattacks are becoming increasingly sophisticated and the threat landscape is constantly changing, Red Teaming offers a proactive approach to strengthening security in cloud-based IT environments.

Could you provide concrete examples of how Red Teaming has uncovered critical security vulnerabilities in cloud infrastructures?

In past Red Team exercises, we identified several critical vulnerabilities. One notable example involved a hybrid cloud environment in which users were managed via an on-premises Active Directory. Through targeted internal phishing attacks, we were able to obtain the access credentials of an employee with administrator rights in the cloud in a very short time. The lack of two-factor authentication (2FA) when logging into the cloud environment was crucial in the next step. This short chain of attacks ultimately led to the complete compromise of the cloud infrastructure without the attack being detected. If 2FA had been implemented, this attack vector would not have been successful. We would have had to take significantly more risks, which might have led to detection. This example highlights how important even seemingly minor security measures can be in protecting the integrity of an entire IT infrastructure.

Technical security is one thing, but what role does social engineering play in simulated hacking attacks?

Social engineering is a central aspect of real and simulated cyberattacks, as it specifically exploits human vulnerabilities in the security architecture. While technical security measures provide important barriers against unauthorised access, humans often remain the most vulnerable element. Social engineering employs techniques that use psychological manipulation to trick individuals into disclosing sensitive information or performing security-critical actions.

A common example of social engineering is classic phishing, in which attackers use convincingly crafted emails to lure users into clicking on malicious links or disclosing sensitive data.

Another variant is “vishing,” or voice phishing, in which attackers use phone calls to steal information. Techniques such as caller ID spoofing are used to make calls appear legitimate. Combined with deepfake technology, which uses artificial intelligence to create convincingly realistic voices, it is becoming increasingly difficult to detect such attacks. While phishing via email is often part of awareness training and employees are sensitised accordingly, people are less familiar with vishing attacks.

Hiring hackers is mostly associated with large corporations or critical infrastructure operators. How can SMEs benefit from this and why should they consider this step?

SMEs are increasingly the target of cyberattacks, often due to having fewer resources available for IT security than large corporations. Attack simulations also play an important role here. When planning a simulation of this kind, we consider the specific needs and resources of the company. This means that we can also carry out realistic attack scenarios for SMEs, such as simulating a ransomware attack. Simulations like this help SMEs to evaluate the effectiveness of their existing security measures and implement targeted improvements. Furthermore, they raise employee security awareness and better prepare the company for potential cyberattacks.

How does one become an “ethical hacker”? What skills are required and are there standardised training programmes?

In addition to formal training in information security, practical skills are particularly important. Ethical hackers need to familiarise themselves with various hacking tools and techniques in order to effectively identify and exploit system vulnerabilities. Certifications such as Offensive Security Certified Professional (OSCP) or Certified Red Team Operator (CRTO) offer structured learning paths and are widely recognised qualifications that validate the knowledge and basic skills of an ethical hacker. Equally, the mindset should not be neglected. I am convinced that a good ethical hacker has a strong interest in continuous learning and adaptation and that they want to understand the cause of the vulnerabilities found and experiment with them. This fosters ongoing personal and professional development.

Thank you for the interview, Mr Leidecker!