Red Teaming

Our Methodology

Our Approach at a Glance

Kick-off Workshop

In preparation for the assessment, we hold a kick-off workshop with your responsible contact persons. During this workshop, the threat perspective, the attacker model, and other framework parameters are defined in consultation with you based on the recommendations of our experts.

Execution

The assessment is conducted according to the framework specified in the kick-off. To simulate an external attack realistically, the Red Team typically receives little or no information in preparation for the assessment. Furthermore, we recommend a test period of four weeks on average for the execution of the test activities, depending on the defined objective.

Reporting

We report on the results of the Red Team Assessment in writing in the form of a results report. This includes a management summary and a detailed description of exploited vulnerabilities and security gaps as well as the detailed procedure and recommended measures for achieving the agreed goal.

Debriefing & Presentation of Results

In addition, a holistic view of your company's risk is taken with regard to the Red Team Assessment, in which we address the implemented security measures and make recommendations for improving them as well as your IT (security) organization. At your request, we present the results of the assessment in a joint workshop with the defenders from your side, where suggestions for improvements of a technical and organizational nature can also be discussed. If required, we can demonstrate the conducted attacks again.

Framework parameters of the Red Team Assessment

Defining the framework parameters of the Red Team Assessment is of central importance for the subsequent gain of knowledge and success of the attack simulation. In general, we are guided by the renowned MITRE ATT&CK® Framework. In particular, the following aspects are taken into account:

Identification of your high value targets

High value targets are the crown jewels of your company. For example, they may be trade secrets such as research results or sensitive information about a new product. It is just as possible to define specific IT systems or applications as the target of the attack, for example database servers holding highly confidential customer data or the entire Active Directory (AD) infrastructure, whose compromise could mean the complete takeover of the company network.
Furthermore, specific scenarios can be simulated, for example to find out how long an attacker can move through the network before being detected, or what damage an attacker could cause with a ransomware attack.

Definition of the threat perspective

We define this as the starting point of the attack. An attack from the internet by an external hacker is often just as conceivable as one by an insider with knowledge of the environment and access to the company's internal network. Likewise, a successful phishing attack can be defined as the starting point. In this case, for example, the attacker has control over a workstation in regular operation and, depending on the role and function of the actual user, quite different authorizations within the corporate network.

Technical security measures

For an attack simulation that is as realistic as possible, we recommend that (technical) security mechanisms, such as web application firewalls (WAF) or intrusion detection/prevention systems (IDS, IPS), are not switched off.

Involvement of your IT (security) organization

If desired, we can carry out the Red Team Assessment "undercover", i.e. with the knowledge of only a few authorized persons. In order to give our experts the opportunity to act carefully and covertly, we generally recommend a period of several weeks for the assessment. It is up to the attacker to decide when to carry out the test activities within this period, but the timing can be coordinated with the contacts on your side who have been briefed on the process. We take these and other parameters into account when defining the attacker model.

Dos and don'ts

In general, exclusions from certain test activities can be agreed in advance of the assessment. This can relate to certain technical tests or specific systems or system environments. Furthermore, certain attack methods such as denial of service or social engineering methods can be excluded. It is particularly important here that the mission of the assessment, i.e., the attainability of the target, is not impaired.
