Red Team Testing: Mimicking a Real-World Attack

TraceSecurity employees will use a variety of tools, tactics, and manipulation techniques to execute this service. It accomplishes this by linking together multiple services, to be conducted in phases: reconnaissance, remote social engineering, penetration testing, onsite social engineering, and wireless testing. Some of these phases are done remotely, and the others are done onsite. Each phase builds off the last to strengthen the attack. Our ISAs will conduct information gathering and remote social engineering attempts to help them gain knowledge of the company and discover the best ways to access to the organization’s resources and facilities. When they arrive in person, they are armed with this information to perform onsite social engineering and penetration tests at a higher level than during the standalone services.

This greatly differs from our typical service offerings, which end whenever the analyst completes their single task. An advanced attacker will not stop when they find an exploitable attack vector, like we typically do to alert the organization and write a report about it. They will use their expertise to capitalize on the attack vector, attempting to steal information or cause damage to what they are able to access. The Red Team Test aims to make companies aware of this larger and more complex attack method, rather than focusing on each threat individually.

According to IBM, it takes organizations an average of 206 days to identify a data breach. This glaring statistic makes it crucial to fully understand the possible pathways an attacker could take to compromise an organization, and it highlights how methodical and careful attackers are in the real world. The Red Team Test simulates this by building and crafting the test for several weeks, using the same strategies and techniques as real-world attackers. The Red Team Test also casts a much larger net than a typical social engineering engagement. It accomplishes this by targeting multiple points in the organization such as emails, text messages, phone calls, and in-person interactions. This large-scale social engineering testing will provide the organization with a greater understanding of all their employee weak points in one thorough test.

The organization could become compromised at any point during the engagement. It could be early on through a malicious email, or maybe not until the ISA arrives onsite and manages to plug in a USB to a workstation. Rather than make the organization aware of any compromise, the ISAs will attempt to secure and exploit that attack vector(s) during other aspects of the Red Team Test. No matter where the ISA was (or was not) able to exploit a vulnerability, all details will be included in the final report.

One of the most crucial things to understand about the Red Team Test is how all the phases mesh to create a more personalized and effective engagement. For example, in a typical phishing engagement, employees will receive a standardized phishing email like a fake coupon or tax return. In the Red Team Test, the ISAs will conduct information gathering and use their development skills to craft personalized emails with malicious attachments. These emails could reference employees in the organization, their vendors, and other real-world factors to manipulate employees into believing the email is legitimate, opening attachments, and/or clicking links. Before arriving onsite, the ISAs will also conduct vishing engagements over the phone, with attempts to extract more information and set up the false pretense of their onsite visit. By extracting information from employees and giving them fake authorization for appointments, the onsite engagement gains a false sense of credibility and has a higher chance to succeed.

Using information gathered from the other phases, the ISAs perform a variety of penetration tests in attempts to compromise networks and systems. Most standard penetration tests involve whitelisting the cybersecurity provider on the organization’s networks for the most thorough testing. This means that the organization performing the testing knows the target IP addresses in advance. With whitelisting, it can be easier to brush off the revealed threats because these vulnerabilities wouldn’t be accessible without inside knowledge.

During the Red Team Test, the ISAs have no prior knowledge of company IP addresses, having to discover them via network scans, social engineering attempts, and/or rogue device installation. External IP addresses and wireless SSIDs are generally discoverable through network scanning, while internal IP addresses should only be accessible through internal systems. Without advance knowledge of the organization’s IPs and SSIDs, the efforts of the ISA more accurately represent that of a real-world attacker and provide a stronger legitimacy to their findings during testing.

Each phase of the Red Team Test is designed to build upon one another and work in concert to mimic the efforts of a real-world attack. By combining our core testing services, TraceSecurity is now able to provide a wholistic view of your cybersecurity preparedness based on the most real-world testing we offer to date.