Red Teaming: Targeted Attacks to Test the Security of Your Company

Simulating APT – Improving Resistance

The threat posed by targeted attacks on companies and institutions is forever on the rise. In a targeted attack against your company's network, we simulate an Advanced Persistent Threat (APT) and put your IT security measures to the test. Apart from the name of the company, the red team is given no information whatsoever, i.e. it carries out its attacks from an external perspective in the form of a black box test.

The three most essential aspects of the company's security are assessed:

• System security
• Processes
• Awareness and know-how of employees

A red teaming test can be compared to a firefighting exercise. The red team purposefully lights a fire and you can check that your emergency response is correct and whether you can put the fire out.

Lessons Learned

Red teaming provides different insights for the different departments in a company. The following questions are answered by a red teaming assessment:

• CSIR: Do we recognize targeted attacks and can we defend them?
• Business management: Is it possible for an attacker to take over the company's IT in x days?
• Compliance/revision: Are the necessary processes in place and are they adhered to?
• Training officer: Are further awareness measures necessary?

Project Scope

Red team projects are carried out over several months and usually involve the following project phases:

• Kickoff
• Analysis of publicly accessible data [optional]
• Information gathering [optional]
• Persistence in the company network [optional]
• Social engineering [optional]
• Compromising of systems and services
• Privilege escalation
• Achieving defined objectives
• Willful triggering of protective systems and processes [optional]
• Exfiltration of data [optional]
• Access to the backup [optional]
• Clearing the advanced persistent threat simulation [optional]
• Documentation

If the individual phases do not fit your requirements profile, we will be happy to develop a suitably tailored service offer as part of a joint workshop.

External Actors

The external actor scenario asks the question: "What damage can an attacker do with no knowledge of the company?" Typically, attempts are made not only to penetrate the company network through the internet, but also through other ways, such as physical assessments and social engineering measures. In cases where the red team does not breach the network successfully, it can be useful to define "leg-ups" with the help of the designated contact person. For example, a minicomputer could be inserted into the network by the contact person to enable network access.

 

Project scope

From 40 person days up

Prerequisites for the external actor scenario

Customer evidence of the sovereignty of individual systems identified in the RECON phase

 

Characteristics

• Overview of possible attack vectors
• Little preliminary work necessary, lower minimum quantity of persons involved
• Greater minimum project scope than for the internal actor scenario

Lessons learned

From an external actor scenario, you can expect the following results:

• Attack capabilities from the internet
• Overview of building security
• Security in the internal network
• Gaps in logging
• Response of the blue team

Internal Actors

The internal actor scenario asks the question: "What damage can negligent employees, or even employees with malicious intentions, cause to the company?" Possible examples would be a stolen turned-on device or a device with login details, blackmailing of employees with ATPs or anger with the company.

 

 

 

Project scope

From 20 person days up

Prerequisites for the internal actor scenario

• Valid login details
• Client device [optional]
• VPN access [optional]
• Knowledge of internal structures and processes [optional]

Characteristics

• Reduced minimum project scope than for the external actor scenario
• Faster breaching of sensitive areas and, consequently, faster results
• No conclusion drawn on the first layer of protective measures

Lessons learned

From an internal actor scenario, you can expect the following results:

• Security in the internal network
• Gaps in logging
• Response of the blue team