If the following points apply to your company, our Red Teaming Service is just right for you: IT security is not new territory in your company. You have already conducted several security assessments (e.g. penetration tests) and successfully remediated their findings technically and organizationally together with your team.
Your Security Operations Center (SOC) is in excellent shape: It continuously collects logs and monitors network traffic for unwanted activity. During the last penetration test, your SOC detected a large number of attacks.
In short: Your IT security mechanisms can withstand any pentest! But what about attacks that are planned and executed over a longer period of time?
Our red teaming service enables you to subject your entire IT security infrastructure to a realistic endurance test over a longer period of time. This is the only way your company can get an impression of how your network and your security management (Security Operations Center (SOC), Computer Emergency Response Team (CERT), Blue Team, Vulnerability Management, Security Department) will behave in the event of a real attack. Based on this, we remediate the vulnerabilities found together with you and your IT security department, so that such attacks will not work in the future or will at least trigger an alarm in your company.
Red Teaming can show you how your security products, your team and your processes work together and what improvements can be made.
A large German jewelry manufacturer wanted us to check the physical security of its main site. Despite chip card readers at all entrances, we managed to enter one of the buildings through the official side entrance.
There, a storage room with a printer aroused our interest. First, we checked whether this printer was joined to the domain, which IP address ranges were in use, and whether credentials for other systems could be found along the way. We then discovered that there was another door in the storage room, through which it was possible to enter a separate area without a key or smart card.
There were four 19-inch racks with the fire alarm system, a server, patch panels and switches. We connected the laptop we had brought with us to a switch port via a LAN cable and received a DHCP lease. Through quick scans and man-in-the-middle attacks, we obtained local administrator rights on a few Windows machines, then on more. Finally, we found the clear-text password of a domain administrator on one server and had achieved our goal.
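The entry point in this case was an unregistered laptop that simply received a DHCP lease from the switch it was plugged into. As an added illustration from the defender's side (example code, not from the page and not ProSec's own tooling), the script below parses ISC dhcpd syslog lines and flags every lease whose MAC address is missing from the asset inventory or whose hostname does not match the registered one, marking leases granted outside business hours as well. The log lines, the asset list and the business-hours window are constructed sample values:

```python
"""Flag DHCP leases handed out to devices that are not in the asset inventory.

Added illustration (not from the page or its vendor): a SOC that correlates
DHCPACK events against its asset list sees the moment an unknown device
obtains an address on the network.
"""
import re
from dataclasses import dataclass

# Constructed sample lines in ISC dhcpd syslog format (not from a real network).
SAMPLE_LOG = """\
Mar 14 02:11:05 dhcp01 dhcpd[1432]: DHCPDISCOVER from 00:1a:2b:3c:4d:5e via eth0
Mar 14 02:11:05 dhcp01 dhcpd[1432]: DHCPOFFER on 10.20.30.41 to 00:1a:2b:3c:4d:5e (ws-fin-012) via eth0
Mar 14 02:11:05 dhcp01 dhcpd[1432]: DHCPACK on 10.20.30.41 to 00:1a:2b:3c:4d:5e (ws-fin-012) via eth0
Mar 14 02:13:48 dhcp01 dhcpd[1432]: DHCPDISCOVER from d8:bb:c1:11:22:33 via eth0
Mar 14 02:13:48 dhcp01 dhcpd[1432]: DHCPOFFER on 10.20.30.77 to d8:bb:c1:11:22:33 (t480-personal) via eth0
Mar 14 02:13:49 dhcp01 dhcpd[1432]: DHCPACK on 10.20.30.77 to d8:bb:c1:11:22:33 (t480-personal) via eth0
Mar 14 02:15:02 dhcp01 dhcpd[1432]: DHCPACK on 10.20.30.12 to 00:1a:2b:aa:bb:cc (prn-storage-01) via eth0
Mar 14 02:20:40 dhcp01 dhcpd[1432]: DHCPACK on 10.20.30.12 to 00:1a:2b:aa:bb:cc (t480-personal) via eth0
"""

# Constructed asset inventory: MAC address -> registered hostname.
KNOWN_DEVICES = {
    "00:1a:2b:3c:4d:5e": "ws-fin-012",
    "00:1a:2b:aa:bb:cc": "prn-storage-01",
}

# Only DHCPACK lines matter: they record a lease that was actually granted.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd\[\d+\]: "
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$"
)


@dataclass
class Lease:
    timestamp: str
    ip: str
    mac: str
    hostname: str
    iface: str

    @property
    def hour(self) -> int:
        # Syslog timestamp "Mar 14 02:11:05" -> hour of day.
        return int(self.timestamp.split()[2].split(":")[0])


def parse_acks(log_text: str) -> list[Lease]:
    """Extract granted leases from dhcpd syslog text; other message types are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            leases.append(Lease(m["ts"], m["ip"], m["mac"].lower(), m["host"] or "", m["iface"]))
    return leases


def find_rogue_leases(leases, inventory, business_hours=(7, 19)):
    """Return one alert per lease that does not match the asset inventory.

    A MAC that is unknown to the inventory is the strong signal; a known MAC that
    suddenly presents a different hostname is a weaker one (reimaged device or
    reused address). Off-hours activity is attached as context, not as a reason.
    """
    start, end = business_hours
    alerts = []
    for lease in leases:
        expected = inventory.get(lease.mac)
        if expected is None:
            reason = "MAC not in asset inventory"
        elif expected != lease.hostname:
            reason = f"hostname {lease.hostname!r} does not match inventory {expected!r}"
        else:
            continue  # registered device with the expected name: nothing to report
        alerts.append({
            "timestamp": lease.timestamp,
            "ip": lease.ip,
            "mac": lease.mac,
            "hostname": lease.hostname,
            "iface": lease.iface,
            "reason": reason,
            "off_hours": not (start <= lease.hour < end),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_leases(parse_acks(SAMPLE_LOG), KNOWN_DEVICES):
        flag = " [off-hours]" if alert["off_hours"] else ""
        print(f"{alert['timestamp']} {alert['ip']} {alert['mac']} ({alert['hostname']}): "
              f"{alert['reason']}{flag}")
```

Run against the constructed sample, the script reports the unregistered laptop that obtained 10.20.30.77 at night and a second lease in which the printer's MAC address appears with a different hostname; the legitimate workstation and printer leases produce no alert. In practice the inventory would come from the CMDB or NAC database, and the alerts would be fed to the SIEM rather than printed.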
We had agreed with a customer on the goal of compromising an administrator's client. However, our initial approaches did not lead us any further: Externally, all we could find was a website without functionalities and the mail server. Physically, we were unable to gain access to the company. Spear phishing did not lead to success even after dozens of attempts: Thanks to sophisticated scenarios, the administrators actually thought our phishing emails were valid and clicked on many of the links they contained, but the files downloaded in this way were never executed.
Finally, a Twitter post from the company revealed information we could use: The post featured a new employee who had been an expert in a particular Endpoint Protection for over 25 years. We then obtained this very Endpoint Protection and developed a file that was not recognized by it. After three more phishing attempts with this file, we finally achieved our goal.
A municipal utility company agreed with us on the goal of compromising its Operational Technology (OT) network and maintaining access to it. During a nighttime drone flight over the buildings, we found no physical entry points, but the company's paper waste containers were freely accessible on the premises.
Through dumpster diving (searching the trash for usable information), we came into possession of a delivery note from an IT service provider. This matched our research, according to which the IT of the municipal utility was mainly operated by external service providers.
In the next step, we used this information for vishing (voice phishing, a fraudulent phishing call by phone): We posed as the responsible contact at the IT service provider we had identified and were thus able to find out where the control and management units for the OT were located. It turned out that the entire OT was housed in a separate air-gapped network, so access from the Internet was not possible. We therefore placed an intern in the company through the regular application process. Already during the company tour on the first day of the internship, we were given access to sensitive areas of the OT. There we were able to place network sniffers with LTE connectivity, labeled "IT Please leave it". In this way, we managed to compromise the OT network despite the air gap.
A red teaming attack scenario always focuses on an "objective" to be achieved by the red team. For this purpose, the Red Team uses attacks via mail, physical access or other technical means.
Your company counters our Red Team with its Blue Team, whose job is to detect and, if possible, defend against our attacks. Your company's IT team should therefore be resourced to address and drive security issues. Ideally, your company has people dedicated exclusively to IT security (Blue Team, SOC, CERT, Vulnerability Management, Security Department).
Every security mechanism can be overcome, given enough time!
Example: Your company has a Network Access Control (NAC), which we include in the pentest. If the NAC does not reveal any vulnerabilities within a day, you grant us access to the network so that we can continue testing from there.
Example: You have a NAC that actually prevents us from attacking the network directly. So members of our Red Team try to gain physical access to the building in order to bypass the NAC that way.
Our Red Teaming service gives us much more time than a pentest, so we can simulate more realistic attacks. This puts your SOC to the test in its entirety.
Every company has its own individual requirements and prerequisites for Red Teaming. We accommodate this by defining precisely tailored objectives and framework conditions in a Threat Modeling Workshop in coordination with your company.
In Red Teaming, we leverage two of our greatest strengths, among others: social engineering and experience in testing physical access to your organization.
After all, the best security components are of little use if attackers can easily break into your server room or if people with network access open manipulated mail attachments.
Before the start of the Red Teaming, a kickoff meeting takes place. This serves to identify the group of participants and to determine which information and documents we need from your company. This includes, for example, network plans, architectures, asset lists, domain lists, lists of people and locations.
The Threat Modeling Workshop takes place at the beginning of the Red Teaming and aims to define the framework of our engagement. By this point, we need the documentation from your company mentioned in the kickoff. It is crucial that threat modeling is performed during the workshop for all conceivable approaches of the Red Team, so that the team can act realistically while strictly adhering to the agreed boundaries.
In detail, the following questions will be answered during the Threat Modeling Workshop:
The form of Red Teaming refers, among other things, to the level at which our Red Team should ideally challenge your Blue Team. Here we adapt to the level of experience and skills of your IT department. It is also a question of whether the Red Teaming should be carried out covertly or openly, and whether the Red Team and Blue Team should work together or act completely independently of each other during the engagement.
Threat modeling is performed to define the objective. Among other things, we use the MITRE ATT&CK framework for this. In the Threat Modeling High Level Process, we go through the following steps:
Red Teaming is now carried out according to the results of the Threat Modeling Workshop. There are fixed milestones/status dates that we have agreed on beforehand.
After the Red Teaming you will receive the documented results as well as a summary as preparation for the following workshop.
In a subsequent workshop, your Blue Team has the opportunity to discuss the attacks and the reactions to them during our engagement with our Red Team. The focus here is on learning: Our Red Team can, for example, demonstrate its attacks and kill chains to your Blue Team and show how they can be fended off. In this way, your Blue Team will be better able to put itself in the shoes of potential attackers in the future and apply appropriate defensive measures.
Your company is already well positioned in the area of IT security. You have experience in penetration testing. Your dedicated IT security team (SOC, CERT or similar) has already established security mechanisms and is looking for a real challenge in testing. Then the basic requirements are met.
While a Penetration Test takes about 6-10 days and a maximum of 1-2 months to complete, Red Teaming requires much more time and effort, resulting in an implementation time of 2-6 months, depending on the objective or security level.
At ProSec, the following people are responsible for the successful implementation of Red Teaming at your company:
This depends on the specific objective and the coordinated approach that we agree on together in the scoping workshop. Usually, however, there is regular communication during the implementation. You will receive the prepared overall result at the end.
This depends on the specific objective and the coordinated approach that we agree on together in the Threat Modeling Workshop. In most cases, however, a regulated exchange between defined key persons is necessary or useful. If required, we also deploy a "Purple Team(s)".
This depends on the specific objective and the coordinated approach that we agree on together in the Threat Modeling Workshop. Experience has shown that we are most often successful with "initial access" via humans or physical access.
This is an agenda item of the Threat Modeling Workshop.
This is an agenda item of the Threat Modeling Workshop.