Standards & Certifications

Pentest_1
RedTeaming_2

Penetration Testing vs. Red Teaming

Similar methods, different objectives and framework conditions

Pentest | How well are your security components positioned?

What do you get?
A penetration test provides you with a comprehensive view of your current IT security within a short timeframe and typically covers all existing assets.
How do we test?

In a pentest, we assess broadly. This includes both technical aspects and physical security, as well as the human factor (social engineering).

So that we can comprehensively assess all areas in a short amount of time, we need information from you that real attackers would have to obtain themselves (e.g., information about the target network and its components).

For example:
You use an externally hosted web server. Unless it has been explicitly excluded in advance, it is part of our penetration test and will be checked for vulnerabilities.

Red Teaming | How does your IT respond to a real attack?

What do you get?
Red teaming helps you discover how your responsible individuals within established processes respond to a real attack.
How do we test?

During Red Teaming, we simulate a real attack as realistically as possible, defining a specific target (objective). We have more time for this process, allowing us to conduct information gathering without your support.

The Red Team is allowed to use any means to achieve the objective that malicious attackers would use. This includes, as in penetration testing, physical access and the human factor (social engineering). If one approach leads to success, no additional methods are tested.

For example:
Defined Objective: Gain access to our ERP system. Your IT uses a potentially vulnerable external web server. However, this server will not be tested by our Red Team unless it contributes to achieving the objective.

Red Teaming assesses the responsiveness of your designated personnel and processes in a real incident scenario: What happens when IT happens?

Do you want to know what our customers think about our collaboration?

What happens in Red Teaming?

What happens in Red Teaming?

A Red Teaming attack scenario always focuses on an "Objective" that the Red Team aims to achieve. For this, the Red Team employs attacks via email, physical access, or other technical means.

Your company deploys its Blue Team against our Red Team, which is responsible for detecting and ideally thwarting our attacks. Therefore, your company's IT team should have the necessary resources and capabilities to focus on security issues and drive them forward. Ideally, your company should have individuals dedicated exclusively to IT security, including roles such as the Blue Team, Security Operations Center (SOC), Computer Emergency Response Team (CERT), Vulnerability Management, and a Security Department.

Red teaming:
A realistic stress test for your IT security mechanisms.

IT security is not new territory in your company:
You have already conducted several security assessments (such as penetration tests) and have successfully addressed their findings both technically and organizationally.

Your Security Operations Center (SOC) is well-established: it continuously collects logs and monitors network traffic for any unwanted activities.

In the last penetration test, your SOC detected every attack

Does your IT security mechanism withstand every penetration test. And, how do they perform against attacks that are planned and executed over an extended period?

PSN_KV_Red_Teaming_3

Through our Red Teaming service, you can...

... subject the entire IT security infrastructure to a realistic stress test over a longer period of time.

This is the only way your company can get an idea of ​​how the network and the SOC will behave in the event of a real attack. Based on this, we can solve any vulnerabilities found with you and your IT security department so that such attacks no longer work in the future or at least trigger an alarm for you.

Red Teaming can show you how your security products, team and processes work together and what improvements can be made here.

Red Teaming: Scenario Examples

A large German jewelry manufacturer wanted us to audit the physical security of its main facility. Despite chip card readers at all entrances, we managed to enter one of the buildings through the official side entrance.

There, a storage room with a printer aroused our interest. First we checked whether this printer was in the domain, which IP address spaces were used and whether access data to other systems could be found in this way. We then found that there was another door in the storage room that gave access to a separate area without a key or chip card.

There were four 19 inch racks with the fire protection alarm system, server, patch panel and switches. We connected the laptop we had brought with us to a port on the switch using a LAN cable and received a DHCP lease. Through quick scans and man-in-the-middle attacks, we made ourselves the local administrator on a few Windows machines, with more to follow. Finally, we found the clear text password for a domain administrator on a server and had achieved our goal.

With one customer, we had agreed on the goal of compromising an administrator's client. But our first attempts didn't lead us any further: Externally, only a website without functionalities and the mail server could be found. Physically we could not gain access to the company. Even after dozens of attempts, spear phishing was unsuccessful: Thanks to sophisticated scenarios, the administrators actually considered our phishing emails to be valid and clicked on many of the links they contained, but the files downloaded in this way were never executed.

Finally, a Twitter post from the company gave us information that we could use: This post introduced a new employee who has been an expert on a specific endpoint protection for over 25 years. We then got hold of this same endpoint protection and developed a file that was not recognized by it. After three more phishing attempts using this file, we finally achieved our goal.

The municipal utilities of a location agreed with us on the goal of compromising their operational technology network (OT network) and maintaining access to the network. While we did not find any physical entry points during a night-time drone flight over the buildings, the company's paper containers were freely accessible on the premises.

Through dumpster diving (searching for useful information in garbage) we came into possession of a delivery note from an IT service provider. That matched our research, according to which the IT of the public utility company was mainly implemented by external service providers.

In the next step, we used this information for vishing (voice phishing, fraudulent phishing phone call): We pretended to be the person responsible for the IT service provider we found and were thus able to find out where the control and control units for the OT were . It turned out that the entire OT was located on a separate air-gap network - so access from the Internet was not possible. That's why we smuggled an intern into the company – quite regularly via applications. During the management of the company on the first day of the internship, we were given access to sensitive areas of OT. We were able to place network sniffers with an LTE connection there – labeling them with the label “Please leave IT where it is”. This is how we managed to compromise the OT network despite the air gap.

Red Teaming by ProSec

How ProSec differs with Red Teaming

PSN_KV_Red_Teaming_5

Every company has individual requirements and conditions when it comes to Red Teaming.

We do justice to this by defining tailor-made objectives and framework conditions in coordination with your company in a threat modeling workshop.

In Red Teaming, we use two of our greatest strengths: Social engineering and experience testing physical access to your business.

The best security components are of little use if attackers can easily penetrate your server room or if people with network access open manipulated email attachments.

Benefits of ProSec Red Teaming

Threat Modeling Workshop

We begin by establishing a personalized objective and the guidelines for our Red Teaming efforts at your company.

purple team

A collaboration between Red and Blue Team, where your team gains insights into our methods and can use our knowledge to expand your security management

Technical workshop

In this workshop, we work together on the results of our red teaming and support your team in approaches to further optimizing your IT security

How our Red Teaming process works

Onboarding/Kickoff

Ahead of the Red Teaming exercise, we conduct a kickoff meeting to identify the participants and ascertain the information and documents needed from your organization. This could encompass network diagrams, architectural details, asset inventories, domain listings, personnel records, and site locations.

Threat Modeling Workshop

The Threat Modeling Workshop takes place at the beginning of the Red Teaming process and is intended to establish the parameters for our engagement. At this stage, we need the documentation mentioned during the kickoff meeting from your organization. The critical aspect of the workshop is to conduct threat modeling for all potential approaches by the Red Team, enabling the team to act realistically while strictly adhering to discussed boundaries.

Questions

The following questions will be answered in detail during the threat modeling workshop:

  • In what form should the Red Teaming take place?
  • How is the goal defined for the Red Team?
  • Who are the responsible contact persons in your company, what reporting chains are there?
  • What communication channels are there?
  • What is the period/duration of the Red Teaming, what are the individual phases?

Individual adaptation

The form of Red Teaming refers, among other things, to the level at which our Red Team should ideally attack your Blue Team. We adapt to the level of experience and skills of your IT department. There is also the question of whether the red teaming should be carried out covertly or openly and whether the red team and blue team should work together or act completely independently of each other during the mission.

set a goal

Threat modeling (modeling of threats) is carried out to define the objective. Among other things, we use the MITER (ATT&CK) framework. In the Threat Modeling High Level Process we go through the following steps:

  1. Identify and categorize primary and secondary assets
  2. Identify and categorize external and internal threats/threat groups
  3. Assign threats/threat groups to assets

Execution

The red teaming is now carried out according to the results of the threat modeling workshop. There are fixed milestones/status dates that we have agreed on beforehand.

Documentation

During the entire Red Teaming assignment, we document our approach and our results transparently and completely.

Handover of Results

After completing the red teaming, you will receive the documented results and a summary from us as preparation for the subsequent workshop.

Technical workshop

In a subsequent workshop, your Blue Team has the opportunity to engage with our Red Team to discuss the attacks and responses during our operation. The main focus here is on learning: our Red Team can, for example, demonstrate their attacks/kill chains to your Blue Team and show how they can be thwarted. This way, your Blue Team can better understand potential attackers and implement appropriate defense measures in the future.

FAQ-Frequently Asked Questions

Your company is already well positioned in the field of IT security. Experience in penetration testing is available. Your dedicated IT security team (SOC, CERT or comparable) has already established security mechanisms and is looking for a real challenge in the verification. Then the basic requirements are met.

While a penetration test takes about 6-10 days and lasts a maximum of 1-2 months, red teaming involves significantly more effort, which, depending on the objective or security level, can take 2- 6 months results.

At ProSec, the following people are responsible for the successful implementation of Red Teaming at your company:

  • IT Security Consultant
  • Senior Penetration Tester (Red Team Operator)
  • penetration tester
  • IT project manager

This depends on the specific objective and the coordinated approach, which we agree on together in the scoping workshop. Normally, however, regulated communication takes place during the implementation. You will receive the processed overall result at the end.

This depends on the specific objective and the coordinated approach, which we agree on together in the threat modeling workshop. In most cases, however, a regulated exchange between defined key persons is necessary or useful. If necessary, we also use a "Purple Team(ers)".

This depends on the specific objective and the coordinated approach, which we agree on together in the threat modeling workshop. Experience has shown that we most often succeed in “initial access” via human or physical access.

This is an agenda item for the Threat Modeling Workshop.