For many companies, targeted attacks are a real threat. In a Red Team Assessment, such targeted attacks are simulated by specialized auditors. The focus is on executing realistic attack scenarios against infrastructures with a high level of IT security maturity (e.g. those defended by a company's own Blue Team). The aim of these projects is to evaluate and improve the capability to detect and respond to such attacks.
Objective: Assessment of the ability to detect and react to real attacks by simulating targeted and realistic attack scenarios
Key question: How effective are the existing protective measures in the company, and can attacks be detected or repelled?
Scope: All IT systems and components as well as employees and, where agreed, company buildings / premises
Depending on the perspective and scenario, all local and cloud-based IT infrastructure and components, as well as employees, facilities and service providers, are in scope of the attack attempts. These range from the exploitation of central systems, through the infection of clients with Trojan horses, to social engineering. Attack attempts make use of so-called multistaging, in which several individually exploited vulnerabilities are chained together. This chaining is what leads to the agreed goal being reached (e.g. persistent access to the customer's infrastructure, or access to a central database containing sensitive data / information).
At no point does the Red Team Assessment pose a real threat to your company's assets or your production. Attacks aimed at a predefined target are carried out as inconspicuously as possible so that they remain undetected. This mirrors the approach taken by real attackers: a disruption to business operations would be conspicuous and therefore counterproductive.
When carrying out Red Team Assessments, we are guided, among other things, by the TIBER-EU framework. Usually one of the following threat scenarios and approaches is chosen:
- Advanced Persistent Threat: Attack from an external perspective
- Assumed Breach: Attack from an internal perspective
The Red Teaming Assessment usually includes the following points:
- Definition of goals to be achieved during the attack simulation
- Collection of publicly available information that can be used for an attack (OSINT) or, in an Assumed Breach scenario, of information available internally
- Identification of the relevant IT assets of the company
- Iterative testing of different attack methods and approaches
- Infiltration of the internal company network, or lateral movement into further network ranges, using attacks on reachable systems, phishing, social engineering, etc.
- Escalation of privileges
- Achieving persistence in the target area
- Analysis of the results in cooperation with your IT administration / IT security team (or Blue Team if available)
- Documentation including risk assessment and description of measures
In all Red Team Assessments, every step of the project is documented in detail. This makes it possible, after the project has been completed, to trace which factors led to a successful attack, but also which defense mechanisms (e.g. those of the company's own Blue Team) were already sufficiently implemented.
As a result of the assessment we will provide a detailed report. Depending on the type and scope of the project, the final report will include the following parts:
- Management summary with a description of the results and the security level
- Description of the project approach, scope, schedule and methodology
- Detailed description of identified vulnerabilities in order to understand underlying issues and to enable reconstruction of possible attacks (where necessary with proof-of-concept implementation)
- Detailed description of the iterative exploitation process when using chained vulnerabilities
- Risk assessment of identified vulnerabilities taking into account the IT environment or the application context (risk classification: low, medium, high, critical)
- Description of measures to remedy the vulnerabilities
- If necessary, a description of higher-level strategy, concept and process-related measures or optimization suggestions.
Differences to a Penetration Test
In a penetration test, targeted attacks are carried out within a limited time frame and on a limited scope (e.g. a specific IP address range or a specific threat scenario). In contrast, a Red Team Assessment usually takes place over a longer period of time and aims to test your defense mechanisms. In a penetration test it is usually not important that attacks remain undetected, as they are carried out as transparently as possible for all parties involved; the focus is on performing the penetration test as efficiently as possible.
The focus of red teaming, on the other hand, is on carrying out the most realistic attack scenarios possible, which are particularly geared towards infrastructures with a high degree of IT security maturity. The aim of these projects is to improve the detection and response capabilities for such attack scenarios.