Red Teaming

Your partner for comprehensive attack simulations to strengthen your cyber resilience.

Would you like to put the effectiveness of your defense systems to the test?

Do you need a comprehensive evaluation of your security mechanisms under realistic circumstances?

Our expertise is at your disposal.

Holistic Attack Simulations

Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), and incident response processes are essential defense mechanisms that must work effectively in the event of a cyber attack. In order to be well prepared for potential incidents and to sustainably enhance your company’s resilience, we offer comprehensive cyber attack simulations under real-world conditions as part of our Red Teaming campaigns. These simulations assess your existing security mechanisms to uncover potential for improvement. Besides examining vulnerabilities in individual systems, evaluating your company's overall cyber defense measures is a key part of the campaign.

Our Offer for You

Every company’s IT environment and security measures are unique. Therefore, attackers need to adapt accordingly, tailoring their cyber attacks to fit each specific organization. Potential attacks might include targeted phishing attempts to obtain a user’s login credentials or exploiting vulnerabilities in publicly accessible services. Once an attacker gains initial access, they will further explore and traverse the company's network.

We offer various scenarios that reflect real-world attacker tactics. Each scenario sets the starting point for the campaign and outlines the methods the simulated attacker will use to infiltrate your corporate network:

Assumed Breach

This scenario assumes that an attacker has already gained access to internal IT systems or that an internal perpetrator is misusing their existing access. To simulate this scenario, you provide us with an internal point of access. Based on this, our Red Team will assess how such an attacker could expand their access rights and compromise further systems.

Examples:

  • We simulate that an employee's computer in the HR department was compromised through a phishing mail.
  • The computer of an employee in the finance department was compromised with a malicious USB stick, granting the attacker remote access.

Physical Breach

We act as an attacker who tries to bypass the physical perimeter protection through targeted deception and install a prepared device on the company’s premises. The goal is to overcome on-site security measures and covertly gain access to the company network (e.g., by planting a mini-PC).

Examples:

  • Your company has multiple branches connected to the central company network. The attacker attempts to infiltrate the local infrastructure of a branch office and use it to gain access to the corporate network.
  • One of your company’s locations has various areas, some of which are public – ranging from the lobby and cafeteria to the offices and production facilities. An attacker tries to exploit access routes for guests, employees and suppliers and gains access to the production facilities.

Technical Breach

With this approach, we take on the role of an attacker conducting cyber attacks over the internet. Using various information gathering techniques, we identify vulnerabilities in the external perimeter and attempt to exploit them to infiltrate the corporate network.

Examples:

  • An outdated test system with known vulnerabilities is exposed on the internet. The attacker attempts to compromise this system.
  • Due to a misconfiguration, internal credentials are publicly available on the internet. The attacker leverages these credentials to gain access.

Social Engineering

Social engineering focuses on exploiting human factors, aiming to entice employees in their respective roles to disclose sensitive information or to carry out certain actions. Starting from a successful compromise, the objective is to infiltrate the company’s infrastructure.

In addition to email phishing, alternative communication channels such as messaging services or social media can also be used.

Examples:

  • Relevant targets are identified through LinkedIn. Combined with a login page exposed on the internet, a tailored spear-phishing campaign is designed to obtain login credentials.
  • An attacker poses as someone who has a trusted relationship with the victim and invents a scenario to persuade the victim to hand over sensitive information.

Red Teaming Assessment Process

Before commencing the campaign, we will analyze relevant threat scenarios in a joint kick-off meeting, define appropriate scenarios, and determine the attack targets. This information is then documented in the Rules of Engagement, which the campaign is based on.

The attack simulation in a Red Teaming campaign unfolds through nine, partly iterative, stages:

In a Red Teaming campaign, the following roles are defined:

  • The Blue Team acts as the defender, protecting the infrastructure against attacks. This typically involves your company's IT department. To ensure the simulation is as realistic as possible, the Blue Team is generally not informed about the campaign.
  • Our experts operate according to the Rules of Engagement and represent the attackers as the Red Team.
  • The White Team oversees the campaign and maintains regular communication with the Red Team. It consists of one or two individuals who are knowledgeable about the company's infrastructure. The primary responsibility of the White Team is to ensure that any potential disruptions are resolved promptly and with minimal delay.

The phases of the Red Teaming campaign are defined as follows:

Reconnaissance

During the reconnaissance phase, information about the company is gathered. This information is obtained from publicly available sources through Open-Source Intelligence (OSINT) techniques.

The aim is to obtain a picture of the situation and identify possible attack paths, which are essential for subsequent phases of the Red Teaming campaign.

Initial Access

Initial network access is obtained through the entry point agreed in advance. The following entry points may be used:

Persistence in the Corporate Network and Expanding Access (Post-Exploitation)

The post-exploitation phase is the core phase of the campaign and includes several recurring steps:

  • Implementing measures to ensure continued access to the compromised system (Persistence)
  • Collecting data about the system (Situational Awareness)
  • Analyzing the network environment, additional systems, users or applications from the compromised system (Internal Reconnaissance)
  • Elevating permissions by exploiting misconfigurations or vulnerabilities (Privilege Escalation)
  • Expanding access to other systems, users or applications within the network (Lateral Movement)

Demonstrating the Achievement of the Campaign’s Objectives (Objectives)

The achievement of the campaign’s objectives is demonstrated to the White Team through jointly defined actions, such as:

  • Creating a user with elevated privileges
  • Gaining access to key servers
  • Exfiltrating sensitive company information

Reporting

Upon completion of the attack simulation, a report is provided, which includes the following:

  • Management summary including an overview of the initial situation, objectives of the Red Teaming campaign and a summary of the campaign's progress
  • A comprehensive documentation of the actions taken and findings discovered during the campaign
  • Detailed description of the identified vulnerabilities, including their impact and recommendations for remediation

Debriefing

In the final debriefing, the identified vulnerabilities and recommended actions are discussed with the Blue Team and responsible IT personnel. Any outstanding questions are addressed.

Even after the Red Teaming campaign concludes, we remain your point of contact and are available to answer any questions you may have.

Methodology and Frameworks

There are many established methodologies and frameworks that guide a Red Teaming campaign, ensuring that the results are consistent and compliant with regulations such as the Digital Operational Resilience Act (DORA) or NIS-2.

  • The MITRE ATT&CK Framework (Adversarial Tactics, Techniques & Common Knowledge) outlines tactics, techniques and procedures based on real-world observations of cyber attacks documented by security experts.
  • The Lockheed Martin Cyber Kill Chain details an attacker’s approach through a series of progressive stages, describing the consequences of actions taken during a cyber attack.
  • Threat-Led Penetration Testing is an evolution of the Threat Intelligence-based Ethical Red Teaming (TIBER) framework, which is used for Red Teaming campaigns in the financial and banking sectors and is applied in conjunction with the DORA regulation.