The endangerment on companies and institutions due to targeted attacks is steadily increasing. With such an attack on your company network, we simulate an Advanced Persistent Threat, thus checking your IT security measures. For this purpose, the red team (the attackers) does not receive any other information than the company name. Therefore, it performs an attack as a black box test from an external viewpoint.

In doing so, three key aspects of corporate security are considered:

• System security
• Processes
• Know-how and raising awareness of the employees

A red teaming test is comparable to a firefighting exercise. The red team sets fire so you can check whether you are able to react appropriately in an emergency and therefore put out the fire.

Red teaming offers various findings for different corporate departments. A red teaming assessment will answer the following questions:

• CSIR: Do we recognize targeted attacks and are we able to repel them?
• Corporate management: Is an attacker able to undertake the company IT within x days?
• Compliance/revision: Are required procedures available and are they being maintained?
• Training instructors: Are further awareness measures required?

Red team projects are carried out for several months and usually run through the following project phases:

• Kick-off workshop
• Digital public footprint
• Information gathering
• Persistence in the corporate network
• Social engineering
• Compromising systems and services
• Privilege escalation
• Actions on objective
• Triggering protective systems and processes
• Rectification of the Advanced Persistent Threat simulation
• Documentation

A red teaming assessment usually also includes social engineering attack vectors. In most cases, these are difficult to implement due to internal guidelines and the corporate structure. For this reason, SySS GmbH offers the possibility of performing a solely technical red teaming assessment.

Often, a few access data can be sufficient for an attacker to invade the corporate network. Apart from technical measures, the employees’ security awareness presents the most efficient protection. In order to evaluate the awareness of your employees and train them accordingly, SySS GmbH offers a custom-fit simulation of a phishing attack for your company, as well as a follow-up analysis. You have the possibility to choose from a range of precast scenarios or propose one yourself.

Exemplary scenarios:

• New Outlook Web Access
• Receiving an encrypted e-mail
• Prize draw
• Checking of employee data

In case it is required, all phishing websites are individually customized to the corporate design of the customer. We offer phishing campaigns on different levels. Mail and website can contain either multiple or no typical distinctive features.

SySS GmbH offers three different phishing campaigns:

• E-mail with hyperlink
• E-mail with hyperlink and website for entering access data
• E-mail with malware attachment

Moreover, we offer targeted training for the used attack vectors. Those can be performed upon request as online training or on-site presentation.

The following results are to be expected from a phishing assessment:

• Statistics of the employees’ current awareness
• Raising of the employees’ awareness
• Processes are being checked

A physical assessment contains the examination of your company site’s physical security. During such a test, SySS GmbH tries to gain access to internal premises by exploiting weaknesses concerning the access control, processes and the employees’ awareness.

Possible goals:

• Server rooms
• Administration offices
• Labs
• Storages

The goal hereby is to use as little social engineering as possible. If necessary, the intensity of the respective attack method will be increased. As is the case with all projects including social engineering, the SySS social engineering ethics guide the procedure (cf. SySS White Paper, p. 84).

The following results are to be expected from a physical assessment:

• Physical security measures are being checked
• Processes are being checked
• Raising of the employees’ awareness