Red Team Security Assessment

Meet the Domain Admins you never knew you had.

For organizations that have attained a higher level of infosec program maturity, Red Team Security Assessments can be a powerful enabler of even further gains in defensive capabilities. This is a real-world test of your security controls' ability to prevent a highly skilled adversary from compromising your data. Red Team Testing differs from traditional Penetration Assessments in that it provides longer timelines and often multiple concurrent assessors. This additional time and work capacity allows for more advanced tactics, techniques, and procedures (TTPs) such as evasion, social engineering/physical attacks, and the ability to achieve very specifically defined goals.

Red Teaming Answers Important Questions
  • Can an external attacker compromise my network while completely evading my detection?
  • Is my organization capable of stopping a determined attacker after detection?
  • What's the worst that could happen if some of my employees click something they shouldn't?
  • Would my team detect a threat before exploitation, after exploitation, or not at all?
  • Can an attacker acquire control of my CFO’s email and Active Directory credentials all from the internet?
  • Could an external attacker compromise my most sensitive databases, even without relying on social engineering or physical access?
  • Are my employees' credentials already out there in existing breaches?
  • How would I respond to an adversary who is not as time-limited as a pentester and is willing to attack wherever necessary to meet their goals?
  • Am I ready to withstand attacks from technical, physical, social engineering, or a mixture of many domains?

Penetration Testing vs. Red Teaming

Each characteristic below compares a Penetration Assessment with a Red Team Security Assessment.

Value Prop
  • Penetration Assessment: Identify a wide range of vulnerabilities and demonstrate attacks against exploitable vulnerabilities
  • Red Team Security Assessment: Measures the organization's ability to defend against and respond to skillful attackers

Price
  • Penetration Assessment: Typically less expensive than red teaming
  • Red Team Security Assessment: Can be more expensive than pen tests due to increased timeline, resources, extreme goals, etc.

Maturity Level
  • Penetration Assessment: Should be performed regardless of maturity
  • Red Team Security Assessment: Usually performed by more mature InfoSec organizations; often performed when traditional pen tests cease to yield significant results

Timeline
  • Penetration Assessment: Shorter, typically weeks
  • Red Team Security Assessment: Longer, often one month or more

Resources
  • Penetration Assessment: Often a single assessor
  • Red Team Security Assessment: Frequently involves two or more assessors

Recurrence
  • Penetration Assessment: Usually performed tactically, often once per year or quarter
  • Red Team Security Assessment: Can be performed tactically or continually

Evasion
  • Penetration Assessment: Typically not evasive, in order to meet shorter timelines
  • Red Team Security Assessment: Project timelines allow for evasive techniques to test security controls and staff

Goals
  • Penetration Assessment: Opportunistic: "Let's see what we can come up with in X time"
  • Red Team Security Assessment: Purposeful: a called shot to center-left field, often driven by one or more specific goals, e.g.
      • Get a CXO's email/creds
      • Access X or Y database
      • Steal intellectual property
      • Access the host banking system

Scope
  • Penetration Assessment: Usually involves just the server-side domain
  • Red Team Security Assessment: Often includes multiple domains in addition to server-side, such as client-side, social engineering, phishing, wireless, and physical

Security Controls
  • Penetration Assessment: Assessor often exempt from IPS, anti-recon, etc. to facilitate greater testing coverage/value
  • Red Team Security Assessment: Non-exempt; testers battle with blue team personnel and controls