Red Team Assessment in Corporate Situations

Every company is an attractive target for skilled attackers – including yours. Whether it’s customer, payment, communication or health data, manufacturing plans, research and development results, formulas, utility networks such as water and electricity, or simply your money, every company has assets that are worth stealing or sabotaging. The numbers confirm this: 44% of all German companies have been the victim of an espionage attack in the last three years [source: www.reuters.com], although the number of unreported cases is probably much higher. This is where Red Teaming comes in!

A Red Team Assessment provides a realistic analysis of how vulnerable your company really is to actions by professional groups that have targeted your company. NSIDE identifies strategies and ways that hackers can target, infiltrate, and steal your most sensitive data and sabotage your most critical systems. Our analysis lets you identify these efficient and effective pathways for intruders, close them down, and thus systematically improve your security. A Red Teaming Assessment allows you to fully test the security of your organization as a whole.

Red Team Exercises (also known as Red Team Assessments or Red Team Engagements) are full-scale attack simulations or ‘Adversary Simulations’. In them, an experienced team (the Red Team) assumes the attacker position and subjects a target organization to a practical test in the form of a hacker attack using all the latest attack techniques. Since the attacks simulated are usually well-prepared, targeted attacks executed over a longer period of time – what are known as Advanced Persistent Threats or APTs – they are sometimes also referred to as APT simulations.

At the same time, this tests your defensive capabilities: Does your security team detect the hallmarks of a serious attack? If so, how quickly? Or can attackers penetrate your systems, infiltrating and accessing your most sensitive trade secrets without you noticing?

For this, NSIDE, which has specialized in Red Teaming Assessments since its inception, employs the same techniques as real cyberattacks: social engineering, physical incursions, malware engineered for the specific application or developed from scratch, lateral movement techniques to spread between internal systems, bypassing techniques to get around firewalls and virus scanners, persistence and stealth techniques known from APTs, and many more.

Since Red Team Assessments are designed to simulate attacks as realistically as possible, they are based on the phases of attacks classically seen in cyberattacks. These phases are also called the ‘cyber kill chain’.


Phases of Red Team Assessment

Information is gathered purely passively – in other words, without direct interaction with systems or employees of the company being assessed – using a wide variety of techniques: Open Source Intelligence (OSINT), Web Intelligence (WEBINT), Social Media Intelligence (SOCMINT), and many more. This creates the most complete map possible of the company’s attack surface and all of its assets (systems, personnel, subsidiaries, business relationships, geography, and more).

The previously created attack surface map is examined for vulnerabilities that invaders can use to penetrate an organization, e.g. using network scans, manual identification of vulnerabilities and other techniques.

Findings from the previous phases, where information about the target company was gathered, are used to prepare attacks. This includes purely technical attacks (hacking), social engineering attacks, spear phishing and phishing, and may also include physical intrusions, creation of customized malware, setting up infrastructure for execution etc.

The prepared attacks are carried out to gain access to the internal corporate network. It can be breached in a number of ways: digital intrusion via the network, physical intrusion, or intrusion by exploiting human vulnerabilities using social engineering.

Once NSIDE analysts have penetrated the target network, they usually have not yet reached the target directly: they still have to reach the correct target systems. Our analysts achieve this by moving from system to system (Lateral Movement) and increasing their privileges in the target network (Privilege Escalation). This requires a variety of different hacking techniques. To avoid having to penetrate again, what are known as ‘persistences’ (i.e. permanent backdoors) are set up.

As a final phase, once they have the necessary rights on the right systems, the (simulated) hackers can access the most valuable resources of the company (Critical Assets) or destroy or manipulate the most important and sensitive systems and business processes (Critical Functions). A Red Team Assessment does not take the final, destructive step, but instead merely provides evidence that – and how – it could have been done.

At the end of the actual Red Team exercise, a report is prepared: How did the audited organization respond? What actions were taken by the Red Team? Where were weaknesses uncovered and how can they be addressed? How can the chances of attack success be reduced in the future? How can preventive measures be used to better detect attacks or stop them from the outset? The Red Team consults with the customer and discusses all these points to enable maximum security improvement and risk reduction.

How do Red Teaming and Penetration Testing differ?

The test object of a Red Team Assessment is always an organization or organizational unit, whereas the test object of penetration testing is a technical development or environment. Red Team Assessments are also usually goal and statement driven: How can an intruder get to my ‘most valuable assets’ (Critical Assets) or compromise sensitive systems and business units (Critical Functions)? How good is my organization’s Cyber Resilience and Posture? In other words, how well can my team and its tools detect, block, and contain such attacks? What do my processes look like?
Pentests, on the other hand, are focused on detecting technical vulnerabilities. They try to disclose them as fully as possible, while Red Team Assessments act like aggressors and focus only on those vulnerabilities that would allow the intruder to reach his target – but across the areas of technology, people and processes/organization.

The following table illustrates the differences between penetration testing and red teaming:

| | RED TEAM EXERCISE | PENETRATION TEST |
|---|---|---|
| Test object | Organization or organizational unit | Technical systems, applications, environments, infrastructures |
| Dimensions | Holistic: technical, human, organizational | Technical |
| Perspective focus | Strategic and tactical, in part also technical and operational | Technical-operational, in part strategic and tactical |
| Test objective | To answer the question: “Can aggressors gain access to my ‘most valuable resources’ (Critical Assets) or gain control of my most important systems or business processes (Critical Functions)?” If so, how? What are my detection measures and countermeasures? | To detect as many technical vulnerabilities as possible |
| Statements and questions | How secure is my organization as a whole? What gateways do I have that help attackers gain Critical Assets and Critical Functions? How good are my response processes? How well can I proactively block attacks? How well can I detect and respond to attacks? | How secure is the test object and what vulnerabilities exist? |
| Knowledge gain | What are my organization’s key technical, human, and organizational/process vulnerabilities? How well is my defense set up? What are the risks to my business as a whole? | What are my organization’s key technical, human, organizational/process vulnerabilities? How well is my defense set up? What are the risks to my business as a whole? What are the risks to the test object, the data stored on it, and their users? What exactly are the security vulnerabilities and how can I fix them? |
| Completeness | Key vulnerabilities of the organization in the area of technology, processes/organization, and people | As complete as possible, uncovering as many technical vulnerabilities in the test object as possible |
| Recommendations and results | Eliminate blind spots in detection, address vulnerabilities in the three dimensions (technical/process/organizational/human), strengthen response to attacks against the organization, improve proactive and preventive measures for corporate security, strengthen general defenses against attacks (cyber resilience and posture), improve processes, provide direction for security strategy, risk assessment | Securing the test object against hacker attacks and technical risks, recommendations and guidance on how to fix the vulnerabilities |
| Attacker model | Professional human aggressors with malicious intent against my own organization | Any attacker |
| Insiders on client side | Only one or two key people, no one else | Project and system managers, no special restrictions |

Frequently asked questions

Red Team Assessments are useful when:

  • You want to examine the shielding of an organization or organizational unit against attacks
  • You want to check if and how hackers can access the most sensitive systems, data and business processes (Critical Assets & Critical Functions)
  • You want to assess the security risk situation for your company
  • You want to holistically review your enterprise security (team and security products/solutions) instead of waiting for a real emergency, i.e. a real attack
  • You want to gain insights to prioritize and align your corporate security strategy
  • You want to subject your own organization and all its security measures to a practical test with as realistic conditions as possible.
  • You want to examine not only technical protection, but also human security (vulnerability to social engineering, (spear) phishing, other human error) and organizational processes holistically.

“Red Team Penetration tests” do not actually exist, even though this term is used from time to time. The differences between Red Team Assessments (or Red Team Engagements) and Penetration Tests are explained in the table above.

MITRE ATT&CK is a compendium of attack techniques used in cyber attacks. ATT&CK stands for ‘Adversarial Tactics, Techniques & Common Knowledge.’ TTPs are ‘Tactics, Techniques and Procedures’ and mean the individual steps, hacking techniques or methods used by attackers. A Red Team uses a variety of TTPs, many (but not all) of which are captured in MITRE ATT&CK. Specific TTPs can also be integrated into the Red Team Engagement at the customer’s request if the customer wishes to validate its defenses against specific attack techniques or methods.
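The detection questions raised earlier (does the security team notice the attack, and how quickly?) and the report phase (where are the blind spots, what should be fixed first?) come down to a simple reconciliation: line up what the Red Team actually did, tagged with ATT&CK technique IDs, against what the SOC alerted on, and see what went unnoticed. The script below is an added illustration of that reconciliation; it is not NSIDE’s code or any part of their methodology. The activity log and alert log are constructed sample data; the ATT&CK technique IDs are real technique identifiers as I know them, but their assignment to the kill-chain phases, the 72-hour matching window, and the rule that an alert raised before an action cannot count as having detected it are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data, not from a real engagement: the Red Team's own
# activity log (what was done, when, which ATT&CK technique it maps to) and
# the customer SOC's alert log for the same period. Technique IDs are MITRE
# ATT&CK IDs as I know them; their mapping to phases is an assumption.


@dataclass(frozen=True)
class Action:
    when: datetime
    phase: str        # kill-chain phase, as named in the assessment report
    technique: str    # MITRE ATT&CK technique ID
    description: str


@dataclass(frozen=True)
class Alert:
    when: datetime
    technique: str    # technique the detection rule is tagged with
    source: str       # which sensor or process raised it


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


RED_TEAM_ACTIONS = [
    Action(ts("2024-03-04T09:00:00"), "Reconnaissance", "T1589", "OSINT on staff names and roles"),
    Action(ts("2024-03-05T10:30:00"), "Reconnaissance", "T1595", "scan of external address range"),
    Action(ts("2024-03-06T08:15:00"), "Initial Access", "T1566", "spear-phishing mail to one employee"),
    Action(ts("2024-03-06T08:40:00"), "Lateral Movement", "T1021", "remote-service logon to file server"),
    Action(ts("2024-03-06T09:10:00"), "Privilege Escalation", "T1003", "credential dump on file server"),
    Action(ts("2024-03-06T09:30:00"), "Persistence", "T1547", "autostart entry on workstation"),
    Action(ts("2024-03-06T11:00:00"), "Actions on Objectives", "T1041", "proof of access: dummy file sent over C2"),
]

SOC_ALERTS = [
    Alert(ts("2024-03-05T10:45:00"), "T1595", "perimeter IDS"),
    Alert(ts("2024-03-06T08:00:00"), "T1021", "unrelated admin activity"),  # precedes the action
    Alert(ts("2024-03-06T10:25:00"), "T1003", "EDR"),
    Alert(ts("2024-03-07T14:00:00"), "T1547", "weekly autorun audit"),
]


def match_detections(actions, alerts, window=timedelta(hours=72)):
    """Pair every Red Team action with the first SOC alert for the same
    technique that fired after it and within the window (assumed 72 h).
    An alert that precedes the action cannot have been caused by it and
    is ignored, so it does not inflate the detection rate."""
    rows = []
    for action in actions:
        hits = sorted(
            (al for al in alerts
             if al.technique == action.technique
             and action.when <= al.when <= action.when + window),
            key=lambda al: al.when,
        )
        ttd = (hits[0].when - action.when).total_seconds() / 60 if hits else None
        rows.append({
            "technique": action.technique,
            "phase": action.phase,
            "description": action.description,
            "ttd_minutes": ttd,                      # None means not detected
            "source": hits[0].source if hits else None,
        })
    return rows


def assess(actions, alerts, window=timedelta(hours=72)):
    """Summarise per-phase detection coverage, the undetected techniques
    (the blind spots a report should call out) and the mean time-to-detect
    over the actions that were detected at all."""
    rows = match_detections(actions, alerts, window)
    coverage = {}
    for row in rows:
        seen, total = coverage.get(row["phase"], (0, 0))
        coverage[row["phase"]] = (seen + (row["ttd_minutes"] is not None), total + 1)
    ttds = [row["ttd_minutes"] for row in rows if row["ttd_minutes"] is not None]
    return {
        "rows": rows,
        "phase_coverage": coverage,
        "gaps": [row["technique"] for row in rows if row["ttd_minutes"] is None],
        "mean_ttd_minutes": sum(ttds) / len(ttds) if ttds else None,
    }


if __name__ == "__main__":
    result = assess(RED_TEAM_ACTIONS, SOC_ALERTS)
    for phase, (seen, total) in result["phase_coverage"].items():
        print(f"{phase:<22} detected {seen}/{total}")
    for row in result["rows"]:
        status = (f"detected after {row['ttd_minutes']:.0f} min by {row['source']}"
                  if row["ttd_minutes"] is not None else "NOT DETECTED")
        print(f"  {row['technique']} {row['description']}: {status}")
    print("blind spots:", ", ".join(result["gaps"]))
    print("mean time-to-detect (min):", result["mean_ttd_minutes"])
```

On the constructed data the whole Initial Access and Lateral Movement stretch goes unnoticed while the persistence mechanism is only caught by a weekly audit more than a day later, which is exactly the kind of finding the report phase turns into a prioritised recommendation: a high mean time-to-detect matters less than the phases with zero coverage. In a real engagement the two logs come from the Red Team’s operator notes and the SOC’s ticketing or SIEM export, and the technique tags on alerts are whatever the customer’s detection rules already carry.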

The Cyber Kill Chain is a chain of steps that are often (but not always) followed in professional hacking attacks against organizations. Not every attack always proceeds in the same way and includes all phases. Different security organizations also have slightly modified ‘Kill Chain’ models that reflect their particular experience and approach.

Red teaming exercises are not very standardized because attackers are also creative. However, individual techniques can be aligned with MITRE ATT&CK. In the financial and banking environment, there is a preferred approach that has been captured in the TIBER standard, where TIBER stands for ‘Threat Intelligence-based Ethical Red Teaming’. The standard exists both as a European model (TIBER-EU) and as a German adaptation (TIBER-DE).

OFFENSIVE CYBER SECURITY

Contact us to uncover and close your security gaps.