Red Teaming: Simulate the impact of a cyberattack
Red Teaming: what are we talking about?
Before discussing Red Teaming, it is worth mentioning penetration testing, as well as the evolution of attack methods that leads security teams to reinvent their defense techniques.
When performing a pentest, we search for vulnerabilities within a scope that is often limited. Whether it is a security flaw within an application or a misconfiguration of the Windows domain, the idea is to identify vulnerabilities and provide recommendations on a specific scope to the client, within a controlled time, with significant predictability regarding the auditor's actions.
When we created the Red Teaming offer, about three years ago, it was primarily to address the new security challenges faced by businesses. With the evolution of TTPs (techniques, tools, and procedures), particularly the APT (Advanced Persistent Threat) model, and with cybercriminals becoming more skilled, corporate security teams must adapt and train in incident detection and response over a much wider scope and duration.
The Red Teaming approach is based on the idea that no one is immune to attacks using targeted methods, and that assessments must be conducted using realistic parameters, without introducing a narrow perspective from the outset: minimizing constraints on method, scope, and time. The objective takes precedence; a company's security must also follow an assume-breach logic, according to which the information system is already compromised or inevitably will be.

When setting up a Red Teaming engagement, one begins by identifying the company's most sensitive assets, those whose compromise would have a strong impact on it and which it is therefore imperative to protect (what are called the Trophies). Then, our Red Team tries to reach these through various compromise scenarios, remaining as discreet as possible and striving not to be detected by the client's defense teams (the Blue Team).
The idea here is not to list all the vulnerabilities present within a well-defined scope, as in a penetration test, but rather to assess the Blue Team's incident detection and response capacity, and to train it to react to concrete cyberattacks, spread out over time and mixing physical, social, and logical attacks.
We are convinced that knowing and experiencing the simulated impact of a cyberattack, and then trying to remedy it, is the best training an organization's defense teams can have.
To learn more about our offers, feel free to subscribe to our bi-monthly newsletter.
Can the client define a limit that must not be crossed within the framework of a Red Teaming?
Of course. Just like with a traditional penetration test, this approach can raise concerns regarding compromise scenarios and the sensitive data that could be recovered. Therefore, from the outset, we establish clear guidelines with the client: limits that must not be exceeded.
Four main golden rules are followed to the letter by our Red Team: we cause no disruption to our clients' business beyond what they have previously agreed to, we do not reduce the current level of security, we do not access the personal data of the employees of the company in question, and finally we take no irreversible action. The exercise aims to truly test the incident response process and detection capabilities.
For example, if a trophy involves sensitive data, according to the rules of engagement, it can be securely exfiltrated or simply viewed. If the exfiltration of strategic data is not desired, markers can be placed to illustrate and validate a compromise scenario.
What is the value of Red Teaming for a company's security?
Red Teaming is aimed at mature companies wishing to challenge their defense teams, or needing a change of approach in their evaluation. Our approach draws its strength from the complementarity of our different areas.
Purple Teaming exercises are carried out internally between our defense activities (SOC, CERT) and the Red Team. Each side benefits from the attack, defense, and support expertise of the other teams, in order to continuously improve detection schemes and the effectiveness of intrusion and evasion techniques.
Furthermore, CERT-Intrinsec is able to provide TTPs (Tactics, Tools and Procedures) derived from the observation of real malicious activity, or from intelligence missions aligned with the MITRE matrix, which supply technical information for carrying out attack scenarios.
On the other hand, our Cyber Threat Intelligence cell provides information on specific sensitive data leaks that could impact a Red Teaming client and that could be exploited in a compromise scenario. Finally, thanks to Cyber Threat Intelligence mapping and monitoring, we can quickly retrieve sensitive data concerning the client (login credentials, server URLs, etc.) and leverage specific circumstances throughout the duration of the mission.
Red Teaming Case Studies: Recovering Sensitive Assets from 3 companies via compromise scenarios

If you would like to learn more about our compromise scenarios within a Red Teaming context, please feel free to consult our article, Feedback and Experiences, or you can contact us directly: [email protected]
What Red Team approaches does Intrinsec propose?
Red Teaming is a bespoke service, tailored to the client's specific challenges. We therefore offer different approaches:
The Full Red Team approach: we start with only the client's name and the trophies to be collected.
The Assume Breach approach: the client gives us initial access (access to the premises, execution of a program), then we try to retrieve the trophies via this access.
The Story Line approach: we collect trophies via the client's most feared compromise scenarios (spear phishing, physical intrusion, etc.).
The Serious Game approach: this mode is very interesting and stimulating for training defense teams. It is a playful approach between the Red Team and the client-side operational teams (the Blue Team), with the latter aware of the upcoming exercise. The Blue Team's objective is to detect our intrusion, reconstruct the attack scenario, and return to the initial state. If the Blue Team has difficulty resolving a situation, we provide them with clues (such as IP addresses, IOCs, etc.).
Our goal is not to embarrass the security teams, but rather to position ourselves as a partner and to help them continuously improve their security.
This approach can be gamified in a CTF logic (Capture the Flag: a team game mode), as a time-based competition scored on the successes of each player.
Please feel free to contact our team if you have any questions, or if you need further information at: [email protected]
