As mentioned, creating safe and secure products for everyone is a top priority for Google’s security teams.
Google presented its actions and initiatives in the key area of cyber security today in Athens at an informative event on “Hacking Google”, highlighting the work of the Red Team, which supports all the company’s efforts to create secure products in a way that, at first glance, seems rather unorthodox: hacking Google’s own systems.
The informative video series “Hacking Google”, which consists of 6 episodes with Greek subtitles and is available online, was also presented.
Daniel Fabian, Senior Staff Manager, Offensive Security & Red Team at Google, was in Athens together with Emanuela Locci, Communication Manager, Google Italy & Greece, and presented the actions in this field.
“We work systematically globally to stay informed about current threats, improve security controls, detect and prevent attacks, and neutralize entire categories of vulnerabilities, developing a new and better security framework.
Our teams are also actively monitoring potential adversaries, ensuring we have all the necessary knowledge and information to be prepared for malicious activities and targeted attacks against Google employees or the people who use our services every day,” said Daniel Fabian, among other things.
The Red Team and how it works
The Red Team, as mentioned, supports all these efforts in a seemingly nonsensical way, namely by hacking Google itself.
“The term “Red Team” originates from the armed forces, which used it to describe activities in which a predetermined team assumed the role of an adversary (Red Team) against the home team, which attempted to adapt to these “hostile” activities of the red team and thus to neutralize it.
Over time these terms have been adopted by the field of information security (InfoSec). Google’s Red Team is a group of “attackers” who simulate a wide range of hostile actions, from states and known Advanced Persistent Threat (APT) groups to hacker activists, individual criminals or even malicious insiders.
Whatever the simulated actions, the Red Team mimics the strategies, motivations, goals, and even the tools the attackers choose, trying to penetrate their minds and the ways they try to harm Google,” states a briefing note that was provided.
The benefits of Red Team exercises
Running these simulations provides value in several ways.
First, it gives Google’s teams tasked with detecting and countering real threats a unique opportunity to identify areas for potential improvement.
It also allows determining whether an attack could have been detected or countered earlier.
As mentioned, in collaboration with security and other subject-matter experts, the collective experience and diverse backgrounds of the Red Team members enable the identification of blind spots that can be turned into opportunities for improvement.
The Red Team started in 2010 as part of the “20% Project” program, an internal initiative in which Google employees are free to work on projects they feel are worth spending time on outside of their day-to-day responsibilities.
The team soon proved its worth, and management recognized its positive impact on Google’s infrastructure and the importance of applying an attacker’s mindset to security problems.
Since then, the Red Team has been an integral part of security engineering activities, simultaneously running multiple exercises and working collaboratively with other teams on multiple continents.
Cooperative rivalry
Although the exercises conducted by the Red Team at Google simulate the actions of an actor that is often hostile and/or disruptive, there is a clear distinction between the simulated threat and the engineers playing that role.
That is, Red Team engineers are Google employees whose main concern is the safety of its people.
There is very close collaboration between the team that simulates the actions of the attackers and the teams that act as defenders, such as the Threat Analysis Group (TAG) and detection/response teams, which can detect suspicious activity and take the appropriate actions.
Since, at any given time, many exercises are performed simultaneously, there is variation between the types of exercises and post-detection response.
One of the main purposes of most exercises is to test the detection process and make it as efficient as possible so that defenders can verify that a signal is associated with a specific exercise. In this way, they avoid using resources that could be used to prevent malicious activities directed against users of the services or the wider infrastructure.
Safety is a priority
Given the sensitive nature of the work the Red Team does, special attention is paid to protocols, and all exercises are overseen by senior engineers.
Ensuring that an exercise is conducted in a safe and responsible manner is as important as any other team goal.
This means that a realistic simulation may be delayed in order to spend more time ensuring that every action is documented, that sensitive data is not accessed unattended, and that applicable laws and regulations are followed.
For the Red Team, accurately simulating the technical capabilities of highly sophisticated threat actors in a safe and responsible manner is a core element of its mission.
For detection-focused exercises, team actions are accessible to defenders at all times to ensure we can quickly rule out malicious action by an external actor.
Although this is not required, the team reports its activities in detail so that any new findings that arise during an exercise can be considered.
Source: Skai
I am Terrance Carlson, author at News Bulletin 247. I mostly cover technology news and I have been working in this field for a long time. I have a lot of experience and I am highly knowledgeable in this area. I am a very reliable source of information and I always make sure to provide accurate news to my readers.