Red Teaming

With the significant increase in the number of reported cyber-attacks, organisations of all sizes should conduct red team assessments as part of their cyber security strategy to assess their overall security posture and to help reduce the risk of becoming a victim.

Red Team assessments are a full-scope, multi-layered attack simulation designed to measure how well an organisation's people, networks, applications, and physical security controls can withstand an attack from a sophisticated and determined threat actor.

WHAT IS AT RISK

Impacting Critical Assets

Most organisations depend on business-critical systems to run their day-to-day operations. If a threat actor can take down or impact a business-critical asset, an organisation may begin to lose money by the second or become unable to operate. Testing the resilience of core business systems is a vital first line of defence: it helps prevent an incident from occurring and identifies any weaknesses or flaws.

Intellectual Property

Organisations of all sizes can suffer intellectual property theft, and the prevalence of organisations falling victim to such attacks is increasing yearly. Whether an organisation holds plans for a next-generation product or simply proprietary ideas or processes, it can become an attractive target for threat actors who look to steal R&D material for resale.

Personal Information

Data such as personally identifiable information (PII) can be valuable in bulk, especially if the information contains government-issued identification details such as passport or identity card details. Once PII has been compromised, the regulatory fines and follow-up audit process from regulators or Privacy Commissions can also deal a devastating reputational and financial blow to an organisation.

Reputation Damage

Some incidents may cause limited damage in themselves but may still harm an organisation's reputation. For example, the compromise and defacement of a low-risk website may pose little technical impact but can still be an embarrassment for the organisation. It is worth remembering that some threat actors, such as the hacktivist group Anonymous, use their attacks to spread a message and are motivated solely by causing reputation damage.

PENETRATION TESTING VS RED TEAMING

1) Scope

  • Penetration Testing: The primary objective is to identify as many vulnerabilities as possible within a limited scope.
  • Red Team Assessment: Objective- and goal-based with an open scope, individually designed to demonstrate critical impact to an organisation.

2) Visibility

  • Penetration Testing: Made known to all stakeholders of the business, including Development and IT Operations.
  • Red Team Assessment: The exercise is covert and only the Exercise Working Group is aware it is being conducted.

3) Approach

  • Penetration Testing: Execution aligned to industry-recognised technical methodologies such as OWASP.
  • Red Team Assessment: Execution aligned to mimicking the Tactics, Techniques and Procedures of real-world adversaries.

4) Limitations

  • Penetration Testing: Attack methods such as Social Engineering and Physical Security are out of scope.
  • Red Team Assessment: Social Engineering and Physical Security attacks can be used with the approval of the Exercise Working Group.

OUR METHODOLOGY

1) Planning

The assessment starts with a planning phase in which the scope of the assessment is defined and described. An Exercise Working Group is formed and communication protocols are defined.

2) Attack Preparation

Attack preparation involves the creation of scenarios based on the defined critical assets, key objectives and any available threat model. Attack preparation aims to address the following key points:

  • Define the goals and scope.
  • Define the exercise parameters.
  • Determine the degree of secrecy of the exercise.
  • Select the Exercise Director and Exercise Working Group.
  • Define exercise data handling protocols.
  • Assess the impact to production systems and operations.

3) Attack Execution

The execution phase involves carrying out the attack on the identified critical asset according to the attack plan and scenarios formulated in the previous phase. Attack execution is designed as a feedback loop: information and access are gained and then used to obtain further information and access, with the goal of accomplishing the established objectives. Attack execution consists of the following key steps:

  • Recon.
  • Exploitation.
  • Lateral Movement.
  • Privilege Escalation.
  • Information Gathering.
  • Accomplish Goal or Objective.

4) Exercise Closure

The closure of the exercise involves a wrap-up and debrief session to share information with all relevant stakeholders, followed by delivery of the report. The final report provides an analysis of the organisation's resilience and capabilities. It includes security strengths and a comprehensive analysis of organisational capability, with recommendations for remediation and enhancements.

ASSESSMENT GOALS

Red Team assessments consist of a realistic attack scenario being simulated against an organisation. Our red team uses any non-destructive methods available to accomplish a set of jointly agreed upon objectives and goals while replicating an attacker’s behaviour and techniques.

Engagement goals are agreed upon during the early planning phase of the project and represent a “worst case scenario” that may occur to an organisation. Specific goals and objectives of the assessment may be suggested by the Red Team during planning or from previously identified risks by senior management, board, or executive staff.


Sample Red Team Assessment Goals

  • Use phishing methods to compromise the email account of a senior executive or board member.
  • Gain remote access to the production ATM network.
  • Obtain Domain Administrator permissions on the corporate AD.
  • Bypass physical security controls and gain access to a restricted location or premise.
  • Compromise the corporate cloud environment and gain access to SharePoint.

Vantage Point Security