Red Teaming

What happens when IT happens?

Standards & Certifications


Penetration testing vs. red teaming

Similar methods, different objectives and framework conditions

Pentest | How well are your security components set up?

What are you getting?
A pentest provides you with a comprehensive picture of the current status of your IT security within a short time frame and usually includes all existing assets.
How do we test?

In a pentest, we examine the breadth. This includes technical aspects as well as physical security and the human factor (social engineering).

So that we can comprehensively check all areas in a short time, we receive information from you that real attackers would have to work out (e.g. on the target network and its components).

Example:
You use an externally hosted web server. Unless it has been explicitly excluded in advance, it is part of our pentest and is checked for vulnerabilities.

Red Teaming | How does your IT react to a real attack?

What are you getting?
Red Teaming lets you find out how the responsible people, within the established processes, react to a real attack.
How do we test?

In red teaming, we simulate a real attack as realistically as possible, with a specific goal (objective) set in advance. We have more time for this, so the information can also be obtained without your support.

The Red Team may use any means to achieve the objective that malicious attackers would use. This includes (as with pentesting) physical access and the human factor (social engineering). If one path leads to success, no additional paths are tested.

Example:
Fixed objective: gain access to your ERP system. Your IT uses a potentially vulnerable external web server. However, our Red Team does not check it if doing so would not contribute to achieving the objective.

Red teaming shows how responsive your responsible people and processes are in an emergency: What happens when IT happens?

Which test is right for your company?

What happens in Red Teaming?

A red teaming attack scenario always focuses on an "objective" to be achieved by the red team. To do this, the Red Team uses attacks via email, physical access or other technical options.

Your company's Blue Team faces our Red Team and should detect and repel our attacks as far as possible. Your company's IT team therefore needs the resources to address security issues and drive them forward. Ideally, your company has people who deal exclusively with IT security (Blue Team, SOC, CERT, Vulnerability Management, Security Department).

Red teaming:
Realistic endurance test for your IT security mechanisms

IT security is not new territory in your company:
You have already carried out several security assessments (e.g. penetration tests) and successfully corrected their findings technically and organizationally.

Your Security Operations Center (SOC) is excellently positioned: it continuously collects logs and monitors network traffic for unwanted activity.

In the last penetration test, your SOC detected every attack.

Do your IT security mechanisms withstand every pentest? But what about attacks that are planned and carried out over a longer period of time?


Through our Red Teaming service, you can...

... subject the entire IT security infrastructure to a realistic endurance test over a longer period of time.

This is the only way your company can get an idea of how the network and the SOC will behave in the event of a real attack. Based on this, we resolve any vulnerabilities found together with you and your IT security department, so that such attacks no longer work in the future or at least trigger an alarm for you.

Red Teaming can show you how your security products, team and processes work together and what improvements can be made here.

Red Teaming: Scenario Examples

A large German jewelry manufacturer wanted us to audit the physical security of its main facility. Despite chip card readers at all entrances, we managed to enter one of the buildings through the official side entrance.

There, a storage room with a printer aroused our interest. First we checked whether this printer was in the domain, which IP address spaces were used and whether access data to other systems could be found in this way. We then found that there was another door in the storage room that gave access to a separate area without a key or chip card.

There were four 19-inch racks with the fire alarm system, a server, a patch panel and switches. We connected the laptop we had brought with us to a port on the switch using a LAN cable and received a DHCP lease. Through quick scans and man-in-the-middle attacks, we made ourselves local administrator on a few Windows machines, with more to follow. Finally, we found the clear-text password of a domain administrator on a server and had achieved our goal.

With one customer, we had agreed on the goal of compromising an administrator's client. But our first attempts did not get us any further: externally, only a website without functionality and the mail server could be found. Physically, we could not gain access to the company. Even after dozens of attempts, spear phishing was unsuccessful: thanks to sophisticated scenarios, the administrators actually considered our phishing emails valid and clicked on many of the links they contained, but the files downloaded this way were never executed.

Finally, a Twitter post from the company gave us information we could use: the post introduced a new employee who had been an expert on a specific endpoint protection product for over 25 years. We then obtained this same endpoint protection and developed a file that it did not recognize. After three more phishing attempts using this file, we finally achieved our goal.

The municipal utilities of a town agreed with us on the goal of compromising their operational technology network (OT network) and maintaining access to it. While we did not find any physical entry points during a night-time drone flight over the buildings, the company's paper waste containers were freely accessible on the premises.

Through dumpster diving (searching garbage for useful information) we came into possession of a delivery note from an IT service provider. That matched our research, according to which the IT of the public utility company was mainly run by external service providers.

In the next step, we used this information for vishing (voice phishing, a fraudulent phone call): we pretended to be the contact person of the IT service provider we had found and were thus able to find out where the control units for the OT were located. It turned out that the entire OT was located on a separate, air-gapped network, so access from the Internet was not possible. That is why we smuggled an intern into the company, quite regularly via a job application. During the company tour on the first day of the internship, we were given access to sensitive OT areas. There we were able to place network sniffers with an LTE connection, labelling them "Please leave IT where it is". This is how we managed to compromise the OT network despite the air gap.
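The defender's side of the first and third scenarios (an unknown laptop obtaining a DHCP lease in the server room, an LTE sniffer appearing on the OT network), as an added example that is not ProSec's code: a check that compares DHCPACK events with the asset inventory and escalates any unknown device on a sensitive segment. The ISC dhcpd-style log lines, MAC addresses, subnets and inventory are constructed for the example.

```python
import ipaddress
import re

# Constructed ISC dhcpd-style log lines for the example (hosts and addresses are hypothetical).
DHCP_LOG = """\
Mar 12 02:14:07 dhcp1 dhcpd: DHCPACK on 10.20.5.41 to 3c:52:82:aa:01:10 (erp-db01) via eth0
Mar 12 02:14:21 dhcp1 dhcpd: DHCPACK on 10.20.5.77 to 00:1c:42:de:ad:01 (LAPTOP-7K2Q) via eth0
Mar 12 02:15:03 dhcp1 dhcpd: DHCPDISCOVER from 00:1c:42:de:ad:01 via eth0
Mar 12 02:16:40 dhcp1 dhcpd: DHCPACK on 10.50.1.12 to 00:50:c2:11:22:33 via eth1
Mar 12 02:17:02 dhcp1 dhcpd: DHCPACK on 10.30.0.9 to b8:27:eb:55:66:77 (print-02) via eth2
Mar 12 02:18:15 dhcp1 dhcpd: DHCPACK on 10.30.0.50 to 00:0c:29:44:55:66 (guest-pc) via eth2
"""

# Constructed asset inventory: every MAC that is allowed to obtain a lease, keyed to its asset name.
INVENTORY = {
    "3c:52:82:aa:01:10": "erp-db01",
    "b8:27:eb:55:66:77": "print-02",
}

# Segments where an unplanned device is always an incident: server-room VLAN and OT network (constructed).
SENSITIVE_NETS = [ipaddress.ip_network("10.20.5.0/24"), ipaddress.ip_network("10.50.1.0/24")]

# Only DHCPACK lines matter: they record an address that was actually handed out.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


def unknown_leases(log, inventory, sensitive_nets):
    """Return one alert per DHCPACK whose MAC is not in the inventory."""
    alerts = []
    for line in log.splitlines():
        m = LEASE_RE.search(line)
        if not m or m["mac"].lower() in inventory:
            continue
        ip = ipaddress.ip_address(m["ip"])
        in_sensitive = any(ip in net for net in sensitive_nets)
        alerts.append({
            "mac": m["mac"].lower(),
            "ip": str(ip),
            "host": m["host"] or "",      # a missing hostname is itself a hint (sniffer, headless box)
            "iface": m["iface"],
            "severity": "critical" if in_sensitive else "warning",
        })
    return alerts


if __name__ == "__main__":
    for a in unknown_leases(DHCP_LOG, INVENTORY, SENSITIVE_NETS):
        print(f"[{a['severity'].upper()}] unknown device {a['mac']} got {a['ip']} "
              f"(hostname '{a['host']}') via {a['iface']}")
```

A device that never requests a lease (static address, passive sniffer) will not appear here, so this check complements rather than replaces switch-port security and 802.1X.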

Red Teaming by ProSec

How ProSec differs with Red Teaming


Every company has very individual requirements and framework conditions for red teaming.

We do justice to this by defining tailor-made objectives and framework conditions in coordination with your company in a threat modeling workshop.

In red teaming, we use two of our greatest strengths: social engineering and experience in testing physical access to your business.

The best security components are of little use if attackers can easily penetrate your server room or if people with network access open manipulated email attachments.

Benefits of ProSec Red Teaming

Threat Modeling Workshop

At the beginning we develop a tailor-made objective and the framework conditions for our red teaming at your company

Purple Team

A collaboration between Red and Blue Team, where your team gains insights into our methods and can use our knowledge to expand your security management

Technical workshop

In this workshop, we work together on the results of our red teaming and support your team in approaches to further optimizing your IT security

How our Red Teaming process works

Onboarding/Kickoff

Before the start of the Red Teaming, there will be a kickoff meeting. It serves to determine the group of participants and which information and documents we need from your company. These include, for example, network plans, architectures, asset lists, domain lists, and lists of people and locations.

Threat Modeling Workshop

The Threat Modeling Workshop marks the beginning of Red Teaming and aims to define the framework for our deployment. At this point, we must have the documentation from your company mentioned in the kickoff. It is crucial that threat modeling for all conceivable procedures of the red team is carried out during the workshop so that the team can act realistically and at the same time strictly adhere to the agreed limits.

Questions

The following questions will be answered in detail during the threat modeling workshop:

  • In what form should the Red Teaming take place?
  • How is the goal defined for the Red Team?
  • Who are the responsible contact persons in your company, what reporting chains are there?
  • What communication channels are there?
  • What is the period/duration of the Red Teaming, what are the individual phases?

Individual adaptation

The form of Red Teaming refers, among other things, to the level at which our Red Team should ideally attack your Blue Team. We adapt to the level of experience and skills of your IT department. There is also the question of whether the red teaming should be carried out covertly or openly and whether the red team and blue team should work together or act completely independently of each other during the mission.

Set a goal

Threat modeling is carried out to define the objective. Among other things, we use the MITRE ATT&CK framework. In the threat modeling high-level process we go through the following steps:

  1. Identify and categorize primary and secondary assets
  2. Identify and categorize external and internal threats/threat groups
  3. Assign threats/threat groups to assets

Implementation

The red teaming is now carried out according to the results of the threat modeling workshop, with fixed milestones and status meetings that we have agreed on beforehand.

Documentation

During the entire Red Teaming assignment, we document our approach and our results transparently and completely.

Handover of results

After completing the red teaming, you will receive the documented results and a summary from us as preparation for the subsequent workshop.

Technical workshop

In a subsequent workshop, your Blue Team has the opportunity to talk to our Red Team about the attacks and reactions during our mission. The focus here is on learning: our Red Team can, for example, demonstrate its attacks and kill chains to your Blue Team and show how they can be repelled. In this way, your Blue Team can put itself in the position of potential attackers even better in the future and apply appropriate countermeasures.

FAQ: Frequently Asked Questions

Your company is already well positioned in the field of IT security. Experience with penetration testing is available. Your dedicated IT security team (SOC, CERT or comparable) has already established security mechanisms and is looking for a real challenge to verify them. Then the basic requirements are met.

While a penetration test takes about 6-10 days of effort and spans a maximum of 1-2 months, red teaming involves significantly more effort and, depending on the objective or security level, can take 2-6 months.

At ProSec, the following people are responsible for the successful implementation of Red Teaming at your company:

  • IT Security Consultant
  • Senior Penetration Tester (Red Team Operator)
  • Penetration Tester
  • IT project manager

This depends on the specific objective and the coordinated approach, which we agree on together in the scoping workshop. Normally, however, regulated communication takes place during the implementation. You will receive the processed overall result at the end.

This depends on the specific objective and the coordinated approach, which we agree on together in the threat modeling workshop. In most cases, however, a regulated exchange between defined key persons is necessary or useful. If necessary, we also use "Purple Teamers".

This depends on the specific objective and the coordinated approach, which we agree on together in the threat modeling workshop. Experience has shown that we most often succeed in "initial access" via human or physical access.

This is an agenda item for the Threat Modeling Workshop.