Red Team Assessment Services
Test Your Organization’s Detection and Response Capabilities
What is the Difference Between a Penetration Test and Red Team Assessment?
A red team assessment differs from a penetration test in that it measures your incident detection and response capabilities while the red team remains stealthy for the entire engagement. For this assessment, the consultants examine all areas of your organization: physical security controls, web applications, the external network, wireless, and the internal network. While investigating each area, the consultants are not trying to find every vulnerability, as they would on a regular penetration test, but the path of least resistance to your critical assets. Penetration testing is a crucial part of every organization’s security controls, but a red team assessment more accurately gauges how your security controls and detection capabilities hold up against a real-life adversary.
Custom Tailored to Fit Your Organization
Artifice Security collaborates with you to customize the service to reflect the threats your company faces. Our Red Team members simulate real-world adversary behavior and widely used tactics, techniques, and procedures (TTPs), which allows you to measure the effectiveness of your program and the reaction of your team in the event of a breach. The red team assessment shows you possible gaps in your defenses, such as technological and organizational vulnerabilities, while identifying weaknesses in your security monitoring, detection, and response. To accomplish this, Artifice Security utilizes proprietary tools, malware, and cutting-edge tactics, preparing you for real-world security threats.
Red Team Methodology
To achieve this success, we organize ourselves using the following steps:
Define the Scope
- Define which assets (IP addresses, web applications, personnel, or facilities) are out of scope
- Provide a list of red team “flags” to capture during the assessment
- Confirm the dates and times for testing or ranges of dates for testing
- Collaborate with your team on activities that are allowed and not allowed, such as on-site social engineering
- Receive an authorization letter for physical social engineering (the “get out of jail free” card)
Information Gathering / Recon Phase
- Gather IP address information about your external network and hosting providers
- Search for publicly exposed documents such as PDF, DOCX, XLSX, and PowerPoint files that may contain sensitive or customer information without your knowledge
- Search the Internet and dark web for leaked credentials in password breach databases
- Check for domain names similar to yours that could be used for domain spoofing
- Scout each physical location and view wireless setup, if found
Attack Planning Phase
- Enumerate all external IP ranges and subnets
- Analyze misconfigurations in cloud services
- Map out the wireless network to determine its broadcast range, SSIDs, and authentication type
- Create social engineering pretexts
- Capture RFID card data on-site to use for entry
- Enumerate web applications for vulnerabilities
Attack and Exploitation Phase
- Use leaked information to gain privileged access to external network systems
- Attack external systems to pivot to the internal network
- Attack web applications to gain access to data and to pivot into the network
- Compromise cloud infrastructure
- Compromise the wireless network
- Perform on-site social engineering and phishing attacks
- Annotate all attack times and dates for later analysis
Reporting Phase
Reporting begins with an executive summary explaining the vulnerabilities and conveying the overall risk to incident detection and response. In addition to a summary of results, we also provide a list of positive findings observed during testing. Next, the report explains how we determine criticality and risk for each vulnerability and how we rate the severity of each finding, so you can better understand what to prioritize for remediation.
For the red team assessment, we include a detailed attack storyboard with times and dates about each attack chain so you can correlate the data with your security controls.
Further in the report, we break down each vulnerability in technical detail, including a summary of the finding, affected location(s), proofs-of-concept, and remediation steps. Each detailed proof-of-concept has easy-to-follow steps for your team to recreate the process of how we exploited the vulnerability.
In addition to the report, Artifice Security also provides you with a customer-facing report and attestation letter if needed.
- Executive Summary that easily conveys risk
- Vulnerabilities rated by criticality
- Detailed walkthrough showing how we chain together attacks
- Detailed repeatable proofs-of-concept for each vulnerability
- Best practice remediation steps that are customized and realistic based on your current environment
Frequently Asked Questions
What is a Red Team Assessment, and how does that differ from a penetration test?
Red Team assessments differ from penetration tests in that they focus on testing your incident detection and response capabilities. Red Team consultants also move stealthily to mimic real-world attackers. During a Red Team engagement, the goal is not to find every vulnerability in your assets but to mimic a real-world attack and break in using the path of least resistance. For example, a person walking in the side door of your building and walking out with a server in hand could be the easiest path to your data.
For penetration testing, the consultant attempts to find as many vulnerabilities in your network or application as possible during a set period and combines attacks to reach your critical data. This type of engagement is not stealthy and often involves your IT staff, who know that the penetration test is taking place.
In short, a penetration test attempts to find as many vulnerabilities in your organization as possible without concern for being detected, while a Red Team assessment focuses on your incident detection and response capabilities.
Before engaging in a Red Team assessment, how many penetration tests should our company perform?
The first form of a security assessment conducted against a business should never be a Red Team engagement. Because Red Team assessments take longer and cost more, they would be a waste of time and money for any firm that isn’t confident in its present security posture.
Although each firm is different, it is usually advisable to complete two or three penetration tests before embarking on Red Team activities.
Companies with a mature security posture and the belief that they have created strong security defenses are suitable candidates for Red Team testing. The idea would be to put their already formidable defenses to the test.
Is there a way to correlate our incident detection with your Red Team attacks?
Our Red Team consultants annotate the date and time of each attack they conduct. Your blue team can then correlate its own logs and alerts with our operators’ attack log. After the red team engagement, we sit down with your team, review the attack chain, and give you a report showing each attack with its time and date.
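The attack-time annotation in the methodology above and the log correlation described in this answer lend themselves to a small script. The following is an added example, not Artifice Security’s code or report format: it reads a constructed red team timeline and a constructed export of blue team alerts (both invented for illustration, as are the host names and alert sources), matches each attack step to the first alert on the same host within a detection window, and reports which steps went undetected and the mean time to detect.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data: a red team attack timeline as annotated during an
# engagement (time, technique, target host, note). Not real engagement data.
RED_TEAM_LOG = """\
2024-03-12T09:02:00Z,phishing,mail-gw-01,Phishing email to finance staff
2024-03-12T09:41:00Z,credential-use,vpn-01,Login with harvested VPN credentials
2024-03-12T10:15:00Z,lateral-movement,file-srv-02,SMB admin share access from workstation
2024-03-12T13:30:00Z,data-access,db-01,Read customer table via service account
"""

# Constructed sample alerts as a blue team might export them from a SIEM
# (time, alert source, host, rule name).
BLUE_TEAM_ALERTS = """\
2024-03-12T09:05:00Z,email-security,mail-gw-01,Suspicious attachment quarantined
2024-03-12T10:22:00Z,edr,file-srv-02,Admin share access from unusual host
2024-03-12T11:50:00Z,siem,db-01,Failed logins for svc-backup
"""


@dataclass
class Event:
    time: datetime
    kind: str
    host: str
    detail: str


def parse_csv(text: str) -> list[Event]:
    """Parse the simple four-column CSV used by both constructed logs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, host, detail = line.split(",", 3)
        # Timestamps are ISO 8601 with a trailing Z; stored as naive UTC.
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, host, detail))
    return events


@dataclass
class Correlation:
    attack: Event
    alert: Optional[Event]  # first matching alert, or None if undetected

    @property
    def detected(self) -> bool:
        return self.alert is not None

    @property
    def time_to_detect(self) -> Optional[timedelta]:
        return None if self.alert is None else self.alert.time - self.attack.time


def correlate(attacks, alerts, window=timedelta(minutes=60)):
    """Match each attack to the earliest alert on the same host that fired at
    or after the attack and within `window`. Alerts that fired before the
    attack are deliberately excluded: the 11:50 alert on db-01 is not evidence
    that the 13:30 data access was detected."""
    results = []
    for attack in sorted(attacks, key=lambda e: e.time):
        candidates = [a for a in alerts
                      if a.host == attack.host
                      and attack.time <= a.time <= attack.time + window]
        first = min(candidates, key=lambda a: a.time, default=None)
        results.append(Correlation(attack, first))
    return results


def coverage_summary(results):
    """Aggregate detection coverage and mean time to detect (in minutes)."""
    detected = [r for r in results if r.detected]
    ttd = [r.time_to_detect for r in detected]
    return {
        "attacks": len(results),
        "detected": len(detected),
        "undetected_kinds": [r.attack.kind for r in results if not r.detected],
        "mean_ttd_minutes": (sum(t.total_seconds() for t in ttd) / len(ttd) / 60) if ttd else None,
    }


def run():
    results = correlate(parse_csv(RED_TEAM_LOG), parse_csv(BLUE_TEAM_ALERTS))
    return results, coverage_summary(results)


if __name__ == "__main__":
    results, summary = run()
    for r in results:
        status = f"detected after {r.time_to_detect}" if r.detected else "NOT detected"
        print(f"{r.attack.time:%H:%M} {r.attack.kind:<17} {r.attack.host:<12} {status}")
    print(summary)
```

On the constructed data, the phishing and lateral-movement steps are matched to alerts a few minutes later, while the VPN login with harvested credentials and the database read produce no alert in the window, which is exactly the kind of gap an engagement debrief should surface. Matching on host name alone is a simplification; in a real correlation the blue team usually has to reconcile asset aliases (IP, hostname, EDR agent id) and may want a per-technique window, since a phishing email should alert within minutes while a slow data exfiltration might legitimately take longer to surface.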
What are some common red team tactics?
During a red team engagement, we will conduct the following:
- Social engineering via email and phone. Phishing emails become far more convincing with a little research on the target people or organization. This low-hanging fruit is often the first step in an attack chain leading to the goal.
- Exploitation of network services. An attacker can reach previously inaccessible networks or sensitive information by exploiting unpatched or misconfigured network services. An attacker frequently leaves a persistent backdoor to allow future access.
- Exploitation of physical facilities. People have a natural tendency to avoid conflict. As a result, getting into a guarded organization is frequently as simple as following an employee through a door. Once onsite, our consultants can plant a network device to remotely connect or go directly for the flag, such as compromising the server room.
- Application layer exploitation. Web applications are often the first thing an attacker sees when looking at an organization’s perimeter. Exploiting web application vulnerabilities (e.g., XSS, SQLi, CSRF) can give an attacker a foothold from which to execute further attacks.