Enhancing Cybersecurity Defenses: Understanding the Red Team Assessment Process
The Red Team Assessment is a crucial process designed to evaluate the effectiveness of your organization’s information security defenses. Through simulated targeted attacks, we aim to provide insights into your system’s vulnerabilities and strengths. Let’s delve into the details of this assessment process and how it can benefit your organization.
Red Team Cyber Security Assessments at a Glance
The Red Team Assessment is designed to evaluate the effectiveness of the Customer’s information security defenses by employing real-world adversarial tactics. To achieve this, the assessment team simulates a targeted attack, attempting to gain unauthorized access to the external perimeter, establish a presence within the internal environment, and carry out specific objectives mutually agreed upon by the Customer and LMNTRIX. Through this process, the Customer can assess the efficacy of their prevention, detection, and response capabilities. Possible objectives might include accessing customer data, compromising internal domain administrator credentials, or demonstrating access to email or critical business systems. To ensure a realistic assessment, the test is executed without any prior information about, or access to, the Customer’s IT environment. LMNTRIX will employ tactics crafted to bypass detection by IT security teams and controls, providing a comprehensive evaluation of the organization’s security posture.
HOW WE CAN HELP
- Assess the effectiveness of your security team in dealing with a cyber attack
- Train your team to strengthen their response to future cyber attacks
- Measure the effort needed to breach your sensitive data or IT infrastructure
- Spot and resolve complex security gaps before an attacker exploits them
- Obtain data-driven risk analysis and improvement guidance
WHAT YOU GET
- A concise executive summary of the Red Team’s assessment, written for executives and senior management.
- A comprehensive report outlining all assessment actions and discovered vulnerabilities.
- Fact-based risk analysis explaining the significance of each vulnerability in your environment, along with methods to confirm them.
- Strategic recommendations aimed at long-term improvement.
The specific methodology used during this testing may be customized during the engagement based on results and findings but will generally follow the steps below:
Step 1 – Identification
The aim here is to pinpoint and evaluate potential targets, both human and technical, that could be vulnerable to attacks from outside sources.
- LMNTRIX utilizes a combination of open-source intelligence (OSINT) collection methods and active scanning tools to locate systems and applications that can be accessed through the Internet. When evaluating which of these are worth further testing, many factors come into play, including exposed ports and services, the technical architecture, each target’s functionality, potential vulnerabilities, ease of exploitation, and the value the target holds for an attacker.
- LMNTRIX might use OSINT to pinpoint potential employees of the customer for targeting through social engineering methods. This involves gathering and analyzing data from publicly available sources like search engines, social media platforms, the customer’s websites, and other online channels. This information is crucial for crafting and executing tailored social engineering attacks aimed at specific individuals.
A master list of the potential targets will be the outcome of the Identification phase. These are the targets that will be evaluated and prioritized for exploitation.
Step 2 – Exploitation
In the Exploitation phase, LMNTRIX will use the insights gathered in the Identification phase to pinpoint promising targets. They’ll then tailor technical and social engineering attacks to these targets and carry them out to infiltrate the customer’s internal networks. This phase might involve various tactics, including:
- Technical Exploitation – Once LMNTRIX identifies vulnerabilities in Internet-facing systems and applications, they may try to exploit these weaknesses to compromise sensitive data or to gain unauthorized access within a network perimeter. Furthermore, they may execute attacks to gather more information about the environment, including discovering additional targets or gathering more information about existing targets. Common attack methods employed during this phase include SQL Injection, uploading and executing web shells, and brute force attacks on login interfaces.
- Social Engineering – LMNTRIX may use phone and email-based techniques to target Customer employees. LMNTRIX selects individuals from the target list based on their job roles, assumed access to critical internal systems, and perceived vulnerability. Then, customized phone and email attacks are crafted for each user, aiming to carry out actions like obtaining login credentials, visiting suspicious websites, or installing malware on the target’s corporate IT device.
The Exploitation phase aims at breaching the perimeter and gaining access to the internal environment. Technical exploitation involves compromising Internet-facing systems and then using that access to target neighboring systems within the environment. Social engineering exploitation, on the other hand, involves either acquiring valid credentials that allow remote access to the environment (for example, through a VPN) or executing malware on the user’s device, either of which allows LMNTRIX to operate within the internal environment with the user’s permissions.
Step 3 – Post-Exploitation
After successfully infiltrating the internal environment, LMNTRIX will try to move laterally across the intranet to achieve the predetermined objectives. In the Post-Exploitation phase, they may engage in the following activities:
- Privilege Escalation – Immediately after LMNTRIX gains access to a system, they may use different methods to raise the privileges of the current user to the highest available level. These privileges enable LMNTRIX to carry out further attack activities, including establishing persistence, deploying additional malware such as keyloggers, and capturing credentials.
- Internal Exploitation – To identify high-value targets within the intranet, LMNTRIX utilizes the same techniques employed during the Identification phase. This involves searching internal data repositories, portals, collaboration forums, and other internal sources that provide access to sensitive data. By leveraging these techniques, LMNTRIX can effectively locate and prioritize valuable targets within the organization’s internal network. Furthermore, LMNTRIX may pinpoint internal systems vulnerable to technical exploits, which can gain deeper access to the environment or acquire additional credentials.
- Credential Harvesting – After gaining entry to internal systems, LMNTRIX might start gathering account credentials for authorized internal users. They’ll particularly concentrate on acquiring privileged domain credentials, as these offer broad access within the environment. Common credential harvesting attacks involve extracting information such as password hashes, Kerberos tickets, and clear-text credentials from local system memory or accessible virtual machine files. Additionally, attackers may identify scripts and configuration files containing hard-coded credentials that grant unauthorized access.
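Hard-coded credentials in scripts and configuration files are among the easiest findings for a red team and the easiest for a defender to remove ahead of an engagement. The scanner below is an added defensive example, not LMNTRIX code or part of the described methodology; the secret-bearing key names, the placeholder patterns and the sample `.env`-style file are constructed assumptions for illustration.

```python
# Added defensive example (not LMNTRIX code): scan scripts and config files for the
# hard-coded passwords, API keys and URL-embedded credentials that red teams harvest.
# Key names, placeholder patterns and the constructed sample file are illustrative
# assumptions, not values from any real engagement.
import re
from typing import List, Tuple

# Key names that normally carry a secret (matched case-insensitively as substrings).
SECRET_KEYS = ("password", "passwd", "pwd", "secret", "api_key", "apikey", "token")
# key=value / key: value / export key=value, as found in .env, INI, YAML or shell files.
ASSIGN_RE = re.compile(
    r"^\s*(?:export\s+)?(?P<key>[A-Za-z_][\w.-]*)\s*[:=]\s*(?P<val>.+?)\s*$"
)
# Credential embedded in a URL: scheme://user:password@host
URL_CRED_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<pw>[^@\s]+)@", re.I)
# Values that are references or placeholders rather than literal secrets.
PLACEHOLDER_RE = re.compile(r"^(?:\$\{?\w+\}?|%\w+%|<[^>]+>|\*+|changeme|__\w+__|)$", re.I)


def _literal(raw: str) -> str:
    """Drop a trailing comment and surrounding quotes from a raw value."""
    return re.split(r"\s+[#;]", raw, maxsplit=1)[0].strip().strip("\"'")


def scan_text(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, key) for every line that appears to hold a literal secret."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("#", ";")):
            continue  # comment line
        url = URL_CRED_RE.search(line)
        if url and not PLACEHOLDER_RE.match(url.group("pw")):
            findings.append((lineno, "url-embedded-credential"))
            continue
        m = ASSIGN_RE.match(line)
        if m and any(k in m.group("key").lower() for k in SECRET_KEYS) \
                and not PLACEHOLDER_RE.match(_literal(m.group("val"))):
            findings.append((lineno, m.group("key")))
    return findings


# Constructed sample .env-style file (not real data) used to exercise the scanner.
SAMPLE = """# deploy settings
DB_HOST=db.internal
DB_PASSWORD=Winter2023!        # literal secret: flagged
API_TOKEN=${API_TOKEN}         # environment reference: ignored
backup_url: https://svc:S3cr3t@backup.internal/dump
admin_pwd = "<set-me>"
"""

if __name__ == "__main__":
    for ln, key in scan_text(SAMPLE):
        print(f"line {ln}: literal secret in {key}")
```

Running it against a repository checkout before the engagement turns the red team’s credential-harvesting step into a finding you have already remediated; environment references and placeholder values are deliberately left unflagged so the output stays actionable.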
In many cyber attacks, the post-exploitation phase is a repetitive process. It includes identifying internal targets, compromising them, and extracting more information and credentials to move laterally within the intranet. As mentioned earlier, the main aim of this phase is to achieve the predetermined attack goals. To meet their goals, LMNTRIX often secures complete administrative access to vital systems like financial application servers, key databases, executive email, and file shares. They may also target internal authentication and authorization systems such as Active Directory, LDAP, and two-factor authentication, as well as the core network infrastructure like RADIUS and TACACS.
Another aim of this assessment is to gauge the information security team’s capability to detect and respond to threats. To do so, LMNTRIX will utilize testing approaches and attack tactics tailored to circumvent or evade the security controls in place. This includes deploying custom malware that may slip past commercial anti-virus software and refraining from scanning or exploitation methods that could raise suspicion among system users or trigger alarms on network sensors and endpoint controls. If the Customer’s information security team discovers the ongoing test, LMNTRIX and Customer project managers will collaborate to determine the most suitable approach for continuing the testing process.
At the project kickoff meeting, Red Team activities will be thoroughly discussed and mutually agreed upon by both LMNTRIX and the Customer. This may include the scope of the engagement, such as whitelisted and blacklisted targets. Moreover, the approval and coordination procedures required prior to exploiting targets, schedules and timeframes, data handling and communications, and the escalation policy will also be established.
In each engagement, your organization’s readiness and responsiveness to cyber attacks are tested by using real-world attacker tactics, techniques, and procedures (TTPs). These engagements follow the phases of the attack lifecycle.
The Final Word
The Red Team Assessment offers a holistic approach to evaluating your organization’s cybersecurity defenses. By partnering with LMNTRIX, you gain valuable insights and actionable recommendations to strengthen your security posture and mitigate potential risks effectively. Let’s embark on this journey together to safeguard your digital assets and infrastructure.