Perform a targeted offensive simulation leveraging the latest in offensive tooling and tradecraft to assess resilience to a real-world cyber attack. 

 Overview of Red Team Attack Simulation

Red Team Attack Simulation (referred to as ‘Red Team’) exercises are designed to evaluate an organisation’s susceptibility to cyber-attack. A Red Team exercise spans the entirety of an end-to-end attack from the perspective of an external cyber attacker. It holistically assesses all areas of the organisation, across people, process and technology, to determine how these factors can be abused and exploited by a malicious actor to achieve a set of relevant attack objectives.

A Red Team exercise replicates the tactics, techniques and procedures (TTPs) used by advanced threat actors, performing a covert simulation exercise designed to assess the target organisation’s susceptibility to an authentic and realistic targeted attack. A Red Team exercise is:

  • Objective-focused. Designed to prove or disprove whether an attacker can perform specific actions associated with risk events the business aims to guard against
  • Threat-led. Designed to use the tactics, techniques and procedures (TTPs) of the advanced threat actors most likely to target the client organisation
  • Adversarial and covert. Typically a black-box, covert assessment conducted from the perspective of an external attacker without privileged information about the target
  • Authentic and realistic. Designed to expose the organisation to the pressures of a real-world cyber-attack to offer an opportunity to practice and assess how they would fare in a genuine attack scenario.

JUMPSEC aims to access systems and data that real-world attackers are likely to target, with realistic attacker goals relative to the organisation’s threat profile. JUMPSEC utilise TTPs relevant to the organisation’s threat profile and business context, simulating the attack scenarios which would be most damaging to the organisation if performed by a real-world attacker.

Organisations are likely to be targeted by different threat actors with a host of motivations depending on the nature of the business. Therefore, JUMPSEC can simulate end-to-end attacks with a range of goals including:

  • Access and exfiltrate sensitive customer data, with a view to exploiting the information for financial gain (e.g. through theft of credit card information), extorting the organisation under threat of GDPR sanctions, or undermining the organisation’s integrity in the eyes of its customers.
  • Perform a malicious action for criminal gain, such as fraudulently making a payment.
  • Steal sensitive intellectual property or proprietary information that may threaten the organisation’s market competitiveness.
  • Tamper with business-critical systems to impair the organisation’s ability to operate through disruption or destruction.


Undertaking a Red Team exercise enables an organisation to understand its cyber risk exposure by attempting to simulate chains of attacker actions which, if executed in a real-world setting, would have a critical impact upon the business.

Red Team exercises allow you to evaluate your susceptibility to cyber-attack. They provide organisations with the answer to the following questions:

  • If we were cyber-attacked, what could an attacker achieve, and what might the business impact be?
  • Are our current security controls effective in preventing and detecting malicious activity on our network?
  • Is our cyber risk assessment accurate and are the controls we have put in place effective in mitigating risk to the business?

Organisations with a solid security baseline who have implemented robust security controls and are confident in the efficacy of their detection capability (in terms of both tooling and personnel capability) are able to maximise the opportunity provided by Red Teaming, using it as an opportunity to stress-test and exercise their security team.

Red Teaming typically takes the path of least resistance: the shortest route from the point of breach to the end goal. Red Team exercises are designed to answer the question “can an attacker cause harm?”, as opposed to “how can I stop an attacker from causing harm?”. This means that a Red Team exercise on its own is unlikely to test an organisation’s broader defensive controls and capabilities beyond those lying on the attack path, which limits the learning and improvement opportunities for organisations that have not yet established a security baseline.

For this reason, Red Team exercises are especially well-suited to organisations who have already invested in developing their cyber security controls and capabilities. Organisations who lack an established security baseline should consider alternative approaches which are less focused on realism, and more attuned to identifying and driving capability improvements, before engaging in a hyper-realistic simulation such as a Red Team.

A JUMPSEC Red Team Attack Simulation will allow you to:

  • Stress-test your cyber resilience and effectiveness against advanced offensive capabilities used by real-world attackers
  • Validate the returns on your security investment to-date by assessing the effectiveness of your cyber controls and capabilities to combat an authentic and realistic cyber-attack.
  • Realise your risk exposure by assessing and understanding the likelihood of a successful attack.
  • Demonstrate the value of security investment by communicating cyber risk in clear business terms. A JUMPSEC Red Team will highlight the actual business impact of a cyber attacker achieving technical goals.
  • Enhance the cyber-readiness of your organisation by exercising your people, tuning your tooling, and optimising your processes in preparation for a genuine attack.
  • Identify areas for future capability development to inform your development roadmap and guide future cyber security investment.

After the test is concluded, a written report will be produced, detailing the scenarios simulated, the attacker goals which JUMPSEC was able to achieve, and the effectiveness of security controls encountered at each stage of the assessment. JUMPSEC will also provide sufficient information to enable TTPs to be replicated by the Blue Team as part of any internal wash-up activities.

JUMPSEC can facilitate a replay workshop with the Blue Team to walk through the attack activities performed during the test and investigate the root cause of any detection failures uncovered. If required, JUMPSEC can also deliver a presentation to senior stakeholders communicating the findings and associated risks in clear business terms.


What our clients have to say

“Whether we’re developing our security strategies, assuring our development lifecycle processes or continually improving our SOC activities, having industry leader JUMPSEC by our side as our security partner gives us the confidence to move forward in an increasingly challenging environment.”
“They don’t just give you something out of a box; they’re quite willing to work with you to provide you with a solution that meets your needs.”
“JUMPSEC consistently provides high quality and reliable support, demonstrating expert knowledge in their field and composure in challenging situations, which gives us full confidence that they are the right security partner for the job!”


FAQs about Red Teaming

Often, the potential business impact of vulnerabilities identified during penetration testing will be conditional or hypothetical, requiring additional chained activities for the exploit to lead to a genuine business impact. Unlike penetration testing, red team exercises are far wider in scope, simulating an end-to-end attack across the network as opposed to assessing the security of individual or smaller groups of assets.

Additionally, red team exercises do not focus on technical vulnerabilities alone, as they look to abuse legitimate functionality and business processes in order to perform malicious actions with an associated business impact. During a red team exercise, the attacker is not constrained to a narrow scope, and has the freedom to interact with a broad range of assets in order to progress an attack towards a high-impact technical goal.

While the goal of a penetration test is to uncover vulnerabilities and configuration issues for remediation, the goal of a Red Team exercise is to assess and demonstrate whether the business can be harmed through a cyber-attack.

Red Team exercises are conducted using a phased delivery approach:

  • Reconnaissance – Performing reconnaissance activities to obtain information on the target organisation and aid in the preparation of targeted campaign scenarios. Open Source Intelligence (OSINT) gathering techniques are used to profile the organisation while avoiding attribution and remaining undetected. This phase can include target user profiling, external attack surface mapping, and identifying exposed vulnerable interfaces.
  • Staging – Based on the information gathered, staging platforms, supporting infrastructure and campaign scenarios are developed. These platforms are then used to execute the agreed scenarios.
  • Exploitation – Using the tactics, techniques and procedures (TTPs) of advanced threat actors, access is gained to the target organisation through systematic and controlled exploitation (e.g. spear phishing, targeted USB drops, physical access). This activity is performed in line with the project engagement scoping to manage risk.
  • Control and Movement – After a successful compromise, the access obtained is used to move from foothold systems to further vulnerable or high-value systems. The access obtained is reused to identify, enumerate and access target systems. New and emerging techniques are used to avoid detection and to test the organisation’s ability to respond to emerging threats.
  • Actions on Target – After achieving the necessary level of access, the engagement’s goals are pursued by acquiring access to previously agreed target systems, information or data. This phase is performed within the agreed scope and risk appetite, as approved by the target organisation.
  • Persistence and Egress – Maintaining access in the environment throughout the extended timeline of a simulated attack, persisting where necessary and exfiltrating data where appropriate to the engagement goals.

Attackers are sophisticated and use many techniques to infiltrate target environments and compromise target systems. The threat landscape is continuously changing as new exploits emerge, new tooling is created, and tradecraft evolves. The tactics, techniques and procedures (TTPs) used by JUMPSEC are continually developed to emulate sophisticated threat actors and stay up to date with the latest threats.

JUMPSEC leverages its proprietary threat intelligence platform alongside vital first-hand experience delivering offensive and defensive security services. JUMPSEC routinely defends clients from advanced cyber-attacks as part of its managed security services, monitoring client environments for malicious activity and continuously hunting for signs of compromise; deploying incident responders to contain and neutralise threats where required. This exposure to how attackers operate is fed into offensive security services, enabling JUMPSEC to simulate TTPs consistent with those observed in the wild.

JUMPSEC utilise the latest tools and technology when delivering Red Team exercises. We often write bespoke scripts and tooling to craft malware designed to specifically target the organisation’s systems and processes, emulating the behaviours of a persistent, skilled and motivated attacker in reacting to the target environment and adapting to overcome any controls in place.

JUMPSEC create bespoke attack scenarios, informed by your organisation’s threat profile and business context. Example attack scenarios can include:

  • Conducting an external spear phishing campaign to gain access to critical systems or sensitive data.
  • Compromising physical hardware to gain direct access to internal systems and physical devices.
  • Simulating insider threats by adopting the position of a disgruntled employee trying to abuse legitimate access to sabotage internal systems or deface external ones.
  • Assessing the risk posed by ransomware attacks by evaluating the effectiveness of security controls in preventing and detecting known ransomware types.

JUMPSEC can simulate a range of breach activities to gain an initial foothold on the target network. This includes:

  • Compromise of external-facing web applications or infrastructure components to pivot to adjacent internal systems
  • Spear-phishing of a specific sub-set of users with requisite levels of user account privilege to progress the attack
  • Infiltrating a physical facility to bypass digital controls by gaining direct access to physical devices and/or remotely interfacing with the internal network 
  • Orchestrating attacks from the position of a compromised machine or ‘sacrificial system’ to represent the risk of insider threat
  • Utilising a watering hole attack to acquire user credentials or infect their devices with malware by directing users to a malicious site controlled by JUMPSEC.

Attacks which would incur unacceptable disruption to business operations or destruction of systems will not be simulated. Attacks such as DDoS can instead be table-topped to safely ascertain the risk without the attendant risks of a live exercise.

No. With enough time and resources a skilled attacker is likely to gain access to the network through one or more of the methods described elsewhere. However, within the constraints of a simulated exercise, it may not be possible to achieve one or more of the staged goals during the exercise – for example, achieving a foothold on the network.

At this point, JUMPSEC recommends that the attack is de-chained to allow the remainder of the attack stages to play out, while recognising that the organisation’s controls were suitably robust to prevent the activity’s successful simulation under test conditions. This does not mean that an attacker in the wild without the constraints of a simulation exercise would also be unable to complete the action.

De-chaining a stage of the attack means that the sequence is artificially progressed. For example, granting the tester access to a sacrificial system to represent an end-user that was successfully phished, resulting in malware running on their machine.

De-chaining therefore allows the organisation to gain maximum value from the exercise by enabling all defensive layers to be assessed, and more comprehensive and insightful improvement recommendations to be made.

Tests can be performed in either a black, grey or white box manner:

  • Black box approaches represent a typical Red Team; these are designed to be authentic and covert, and rely on the attacker using only information gathered during reconnaissance to progress the attack. While the most realistic, this approach is likely to have the widest scope and require the greatest delivery effort, as more in-depth reconnaissance will have to be performed (both external and internal) to plan and execute an attack.
  • Grey box approaches may involve the attacker being granted privileged information to guide the attack toward specific assets or goals, and reduce the amount of time dedicated to reconnaissance.
  • White box approaches involve the simulation of malicious activities in full view of the organisation’s Blue Team. This type of exercise can also be described as a Purple Team approach, whereby the goal of the exercise is to simulate a broad range of attacker TTPs to test and improve detection capability, as opposed to validating whether an attacker is able to achieve a specific goal.

For organisations looking to reduce costs, exercises can be conducted from an assumed breach perspective, with the exercise beginning from a sacrificial system. This approach assumes that a skilled attacker will be able to gain a foothold on the network and enables more scrutiny to be applied to assessing internal preventive and detective controls. This is likely to result in a more streamlined and cost-efficient test, for example omitting the need to create phishing campaigns and malware, and to perform reconnaissance of the environment.

The teams involved in a Red Team exercise are:

  • Red Team – Offensive security consultants delivering the attack simulation.
  • Blue Team – The security team defending the network.
  • White Team – A selection of trusted personnel responsible for performing project governance and risk management.

A Red Team exercise is designed to identify whether an attacker can compromise critical business processes (and the digital assets which support them) using attacker TTPs relevant to the organisation’s threat profile. It is designed to prove or disprove that an attacker can achieve goals which would result in critical business impact.

A Purple Team exercise is designed to generate capability improvements in the security team’s ability to detect malicious activity. It assesses the organisation’s logging and detection activities to identify areas of deficiency across people, process and technology.

A Gold Team exercise is designed to rehearse an organisation’s business continuity and disaster recovery plans for a high-risk cyber attack scenario. It simulates business-wide communications and decision making in a tabletop setting to assess the preparedness of the organisation to respond to, and mitigate the impact of, a cyber breach.

JUMPSEC’s Red Team is CREST STAR (Simulated Targeted Attack and Response) accredited, giving you the assurance that our Red Teaming Service maintains the highest standards.