Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

How to Improve Red Team Effectiveness using Obfuscation

Setting up an obfuscated network in the cloud gives a red team the flexibility to test security against different cloud vendors

Setting up an obfuscated network in the cloud gives a red team the flexibility to test security against different cloud vendors

In the cybersecurity field, red teams are unsung heroes. These are the “ethical hackers” or white hats that test an organization’s defenses by staging controlled attacks that simulate a real-life breach. This kind of penetration testing can yield invaluable information to help the defensive “blue teams” build defenses to protect the system before an attack happens. 

For red teams to do their work, they need to operate in the most realistic way possible, the better to spot the vulnerabilities that could put your network’s security in danger. Yet, at the same time, the testing procedure needs to protect the system so the pen testing itself doesn’t end up accidentally crippling operations. This is where obfuscation comes in. 

What is Obfuscation 

At its most basic, obfuscation is camouflage, making things look like something else. In cybersecurity, it’s making data and code look unlike themselves. 

Attackers use obfuscation to conceal their tracks and data that is being exfiltrated. Defenders can use it too; to protect intellectual property or hide IP addresses or network identities that could expose the system to attack. Obfuscation using VPNs, browser plug-ins and virtual desktops is an effective way to reduce attack surface, making it harder for bad guys to target networks and slowing down their lateral moves. 

For red teams, using an obfuscated network for testing offers the advantage of hiding who is performing the attack and where it is originating, for a more real-life context. It lets the red team blend in with the normal network traffic while performing reconnaissance and test attacks in a more realistic manner. 

How it helps red teams 

As cybercriminals keep developing ever more sophisticated attack tactics, techniques and procedures (TTPs), it’s important for red teams to keep pace in their simulations. A thorough red-team exercise can last weeks or even months—just as attackers can operate undetected in your network before they are found or assert their demands. Obfuscation allows pen testing to appear as benign activity, much like a criminal would want their own lateral moves to appear, to give defenders a real-time exercise and a wide range of observations from inside the network. 

By using Software-Defined Networking (SDN) to build a virtual network, the red team can shift traffic dynamically across multiple network providers, making it nearly impossible to track their location, identity or user information. Redirectors can mask the control and command (C2) infrastructure of the red team by routing traffic between the system being tested and the team’s main server housing the infrastructure orchestrating the attack. That way, if the blue team spots malicious traffic and is able to identify and block the IP address, the red team can just deploy another redirector and continue its work. 

Dumb-pipe redirectors are just what they sound like: a server in the middle of the flow, meant to hide the C2 server. They’re easy to set up, but have no control over the incoming traffic. On the other hand, filtration, or smart redirection, lets the red team drop incoming packets before they reach the C2 server or reroute them to another, legitimate website. 

Along with redirection, beaconing is another valuable tool for red teams. Attackers use beacons to exfiltrate data or to communicate with a C2 server to get instructions on which commands to execute. For red teams, beaconing serves a similar purpose; the beacon lets the team get progress reports while reducing the risk of the attack in progress being detected by the blue team. The beacons can be configured to report back on intervals of minutes, hours or even days, depending on the expected duration of the attack. They can also be configured to delete when a machine reboots,  which makes them harder to detect by the blue team. 

Setting up an obfuscated network in the cloud also gives a red team the flexibility to test security against different cloud vendors. With companies now operating in multicloud environments, defenders need to see how attackers can exploit different cloud provider security controls. 

Obfuscation can be a useful tool for red teams, just as it works for attackers. As cybercriminals continue to evolve their tactics, adopting their tools for the use of red teams is only fair play. With red teams running more realistic pen testing, blue teams’ defenses can only get better. 

RelatedRandori Arms Red Teams With New Automated Attack Platform

Written By

Gordon Lawson is CEO of Conceal, a company that uses Zero Trust isolation technology to defend against sophisticated cyber threats, malware and ransomware at the edge. Previously, he served as president at RangeForce Inc. Gordon has nearly two decades of experience in the security sector with a focus on SaaS optimization and global enterprise business development from global companies including Reversing Labs, Cofense (formerly PhishMe) and Pictometry. As a naval officer, Gordon conducted operational deployments to the Arabian Gulf and Horn of Africa, as well as assignments with the Defense Intelligence Agency, US Marine Corps, and Special Operations Command. He is a graduate of the US Naval Academy and holds an MBA from George Washington University.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...