RED TEAM ATTACK SIMULATION
Perform a targeted offensive simulation leveraging the latest in offensive tooling and tradecraft to assess resilience to a real-world cyber attack.
WHAT IS A RED TEAM ATTACK SIMULATION?
Red Team Attack Simulation (referred to as 'Red Team') exercises are designed to evaluate an organisation's susceptibility to cyber attack. A Red Team exercise spans the entirety of an end-to-end attack from the perspective of an external cyber attacker. It holistically assesses all areas of the organisation, across people, process and technology, to determine how these factors can be abused and exploited by a malicious actor to achieve a set of relevant attack objectives.
A Red Team exercise replicates the tactics, techniques and procedures (TTPs) used by advanced threat actors, performing a covert simulation exercise designed to assess the target organisation's susceptibility to an authentic and realistic targeted attack. A Red Team exercise is:
- Designed to prove or disprove whether an attacker can perform specific actions associated with risk events the business aims to guard against
- Designed to use the tactics, techniques and procedures used by advanced threat actors which are likely to target the client organisation
- Adversarial and covert
Typically a black-box, covert assessment conducted from the perspective of an external attacker without privileged information about the target
- Authentic and realistic
Designed to expose the organisation to the pressures of a real-world cyber-attack to offer an opportunity to practice and assess how they would fare in a genuine attack scenario
JUMPSEC aims to access systems and data that real-world attackers are likely to target, with realistic attacker goals relative to the organisation’s threat profile. JUMPSEC utilise TTPs relevant to the organisation’s threat profile and business context, simulating the attack scenarios which would be most damaging to the organisation if performed by a real-world attacker.
Organisations are likely to be targeted by different threat actors with a host of motivations depending on the nature of the business. Therefore, JUMPSEC can simulate end-to-end attacks with a range of goals including:
- Access and exfiltrate sensitive customer data, with a view to exploiting the information for financial gain (e.g. through theft of credit card information), extorting the organisation under threat of GDPR sanctions, or undermining the integrity of the organisation in the eyes of its customers.
- Perform a malicious action for criminal gain, such as fraudulently making a payment.
- Steal sensitive intellectual property or proprietary information that may threaten the organisation’s market competitiveness.
- Tamper with business-critical systems to impair the organisation’s ability to operate through disruption or destruction.
WHY SHOULD YOU UNDERTAKE A RED TEAM ATTACK SIMULATION?
Undertaking a Red Team exercise enables an organisation to understand its cyber risk exposure by attempting to simulate chains of attacker actions which, if executed in a real-world setting, would have a critical impact upon the business.
Red Team exercises allow you to evaluate your susceptibility to cyber attack. They provide organisations with the answer to the following questions:
- If we were cyber-attacked, what could an attacker achieve, and what might the business impact be?
- Are our current security controls effective in preventing and detecting malicious activity on our network?
- Is our cyber risk assessment accurate and are the controls we have put in place effective in mitigating risk to the business?
Organisations with a solid security baseline that have implemented robust security controls and are confident in the efficacy of their detection capability (in terms of both tooling and personnel) are best placed to maximise the opportunity provided by Red Teaming, using it to stress-test and exercise their security team.
Red Teaming typically takes the path of least resistance; the shortest route from the point of breach to the end-goal. Red Team exercises are designed to answer the question of “can the attacker cause harm”, as opposed to “how can I stop an attacker from causing harm”. This means that, beyond the actions and techniques utilised to achieve the specific objective, the organisation’s broader defensive controls and capabilities are unlikely to be tested, resulting in limited learning and improvement opportunities.
For this reason, Red Team exercises are especially well-suited to organisations that have invested in developing their cyber security controls and capabilities. Organisations that lack an established security baseline should consider alternative approaches which are less focused on realism and more attuned to identifying and driving capability improvements, before engaging in a hyper-realistic simulation such as a Red Team.
WHAT OUTCOMES WILL A JUMPSEC RED TEAM ATTACK SIMULATION PROVIDE?
- Validate the returns on your security investment to-date
By assessing the effectiveness of your cyber controls and capabilities in combating an authentic and realistic cyber attack.
- Understanding of your risk exposure and impact
Assess your susceptibility and the likelihood and business impact of a successful attack, to inform understanding of your risk exposure and control effectiveness.
- Demonstrate the value of security investment
By communicating cyber risk in clear business terms, highlighting the actual business impact of a cyber attacker achieving technical goals.
- Enhance the cyber-readiness of your organisation
By exercising your people, tuning your tooling, and optimising your processes in preparation for a genuine attack.
- Identify areas for future capability development
Where broader improvements are required, to inform your development roadmap and guide future cyber security investment.
- Stress-test your cyber resilience effectiveness
By measuring the effectiveness of your cyber defences against advanced offensive capabilities used by real-world attackers.
Often, the potential business impact of vulnerabilities identified in the course of penetration testing will be conditional or hypothetical, requiring additional chained activities for the exploit to lead to a genuine business impact. Unlike Penetration Testing, Red Team exercises are far wider in scope, simulating an end-to-end attack across the network as opposed to assessing the security of individual or smaller groups of assets.
Further, Red Team exercises do not focus on technical vulnerabilities alone, but look to abuse legitimate functionality and business processes in order to perform malicious actions with an associated business impact. During a Red Team, the attacker is not constrained to a narrow scope, and has the freedom to interact with a broad range of assets in order to progress an attack towards a high-impact technical goal.
While the goal of a penetration test is to uncover vulnerabilities and configuration issues for remediation, the goal of a Red Team exercise is to assess and demonstrate whether the business can be harmed through a cyber attack.
Red Team exercises are conducted using a phased delivery approach:
- Reconnaissance – Perform reconnaissance activities to obtain information on the target organisation and aid in the preparation of targeted campaign scenarios. Open Source Intelligence (OSINT) gathering techniques are used to profile the organisation while avoiding attribution and remaining undetected. This phase could include target user profiling, external attack surface mapping, and identifying exposed vulnerable interfaces.
- Staging – Based on the information gathered, develop staging platforms, supporting infrastructure and campaign scenarios. The platforms will be used to execute agreed upon scenarios.
- Exploitation – Using the tactics, techniques and procedures (TTPs) of advanced threat actors, gain access to the target organisation through systematic and controlled exploitation (e.g. spear phishing, targeted USB drops, physical access). This activity is performed in line with the project engagement scoping to manage risk.
- Control and Movement – After a successful compromise, the access obtained is used to move from foothold systems to further vulnerable or high-value systems. The access obtained can be reused to identify, enumerate and access target systems. New and emerging techniques are used to avoid detection and to test an organisation's ability to respond to emerging threats.
- Actions On Target – After achieving the necessary level of access, pursue the goals of the engagement by acquiring access on the previously agreed target systems, information or data. This phase is performed based on the agreed scope and risk appetite and approved by the target organisation.
- Persistence and Egress – Maintain access in the environment throughout the extended timeline of a simulated attack. Persist when necessary and exfiltrate data if appropriate for the engagement goals.
Attackers are sophisticated and use many techniques to infiltrate target environments and compromise target systems. The threat landscape is continuously changing as new exploits emerge, new tooling is created, and tradecraft evolves. The TTPs used by JUMPSEC are continually developed to emulate sophisticated threat actors and stay up-to-date with the latest threats.
JUMPSEC leverages its proprietary threat intelligence platform alongside lessons learned from delivering offensive and defensive security services. JUMPSEC routinely defends clients from advanced cyber attacks as part of its managed security services, monitoring client environments for malicious activity and continuously hunting for signs of compromise, deploying incident responders to contain and neutralise threats where required. This exposure to how attackers operate is fed into offensive security services, enabling JUMPSEC to simulate TTPs consistent with those observed in the wild.
JUMPSEC utilise the latest tools and technology when delivering Red Team exercises. We often write bespoke scripts and tooling to craft malware designed to specifically target the organisation's systems and processes, emulating the behaviours of a persistent, skilled and motivated attacker in reacting to the target environment and adapting to overcome any controls in place.
JUMPSEC craft bespoke attack scenarios informed by the target organisation’s threat profile and business context. Example attack scenarios can include:
- Conducting an external spear phishing campaign to gain access to critical systems or sensitive data.
- Compromising physical hardware to gain direct access to internal systems and physical devices.
- Simulating an insider threat by adopting the position of a disgruntled employee trying to abuse legitimate access to sabotage internal systems or deface external ones.
- Assessing the risk posed by ransomware attacks by evaluating the effectiveness of security controls in preventing and detecting known ransomware types.
JUMPSEC can simulate a range of breach activities to gain an initial foothold on the target network. This includes:
- Compromise of an external-facing web application or infrastructure components to pivot to adjacent internal systems
- Spear-phishing of a specific sub-set of users with requisite levels of user account privilege to progress the attack
- Infiltrating a physical facility to bypass digital controls by gaining direct access to physical devices and/or remotely interfacing with the internal network
- Utilising a watering hole attack to acquire user credentials or infect their devices with malware by directing users to a malicious site controlled by JUMPSEC
Attacks which would incur unacceptable disruption to business operations or destruction of systems will not be simulated. Attacks such as DDoS can instead be table-topped to safely ascertain the risk without the attendant risks of a live exercise.
Attacks can also originate from the point of a compromised machine or ‘sacrificial system’ to represent the risk of insider threat.
No. With enough time and resources a skilled attacker is likely to gain access to the network through one or more of the methods described elsewhere. However, within the constraints of a simulated exercise, it may not be possible to achieve one or more of the staged goals during the exercise - for example, achieving a foothold on the network.
At this point, JUMPSEC recommends that the attack is de-chained to allow the remainder of the attack stages to play out, while recognising that the organisation's controls were suitably robust that the activity could not be successfully simulated under test conditions. This does not mean that an attacker in the wild without the constraints of a simulation exercise would also be unable to complete the action.
De-chaining a stage of the attack means that the sequence is artificially progressed. For example, the tester may be granted access to a sacrificial system to represent an end-user who was successfully phished, resulting in malware running on their machine.
De-chaining allows the organisation to gain maximum value from the exercise by enabling all defensive layers to be assessed, and more comprehensive and insightful improvement recommendations to be made.
Tests can be performed in either a black, grey or white box manner:
- Black box approaches represent a typical Red Team; these are designed to be authentic and covert, and rely on the attacker using only information gathered during reconnaissance to progress the attack. While the most realistic, this approach is likely to have the widest scope and require the greatest delivery effort, as more in-depth reconnaissance will have to be performed (both external and internal) to plan and execute an attack.
- Grey box approaches may involve the attacker being granted privileged information to guide the attack toward specific assets or goals, and reduce the amount of time dedicated to reconnaissance.
- White box approaches involve the simulation of malicious activities in full view of the organisation’s Blue Team. This type of exercise can also be described as a Purple Team approach, whereby the goal of the exercise is to simulate a broad range of attacker TTPs to test and improve detection capability, as opposed to validating whether an attacker is able to achieve a specific goal.
For organisations looking to reduce costs, exercises can be conducted from an assumed breach perspective, with the exercise beginning from a sacrificial system. This approach assumes that a skilled attacker will be able to gain a foothold on the network and enables more scrutiny to be applied to assessing internal preventive and detective controls. This is likely to result in a more streamlined and cost-efficient test, for example omitting the need for the creation of phishing campaigns and malware, and for reconnaissance of the environment.
- Red Team – Offensive security consultants delivering the attack simulation.
- Blue Team – The security team defending the network.
- White Team – A selection of trusted personnel responsible for performing project governance and risk management.
- A Red Team exercise is designed to identify whether an attacker can compromise critical business processes (and the digital assets which support them) using attacker TTPs relevant to the organisation’s threat profile. It is designed to prove or disprove that an attacker can achieve goals which would result in critical business impact.
- A Purple Team exercise is designed to generate capability improvements in the security team’s ability to detect malicious activity. It assesses the organisation’s logging and detection activities to identify areas of deficiency across people, process and technology.
- A Gold Team exercise is designed to rehearse an organisation’s business continuity and disaster recovery plans for a high-risk cyber attack scenario. It simulates business-wide communications and decision making in a tabletop setting to assess the preparedness of the organisation to respond to, and mitigate the impact of, a cyber breach.
JUMPSEC's Red Team is CREST STAR (Simulated Targeted Attack and Response) accredited, giving you the assurance that our Red Teaming Service maintains the highest standards.
After the test is concluded, a written report will be produced, detailing the scenarios simulated, the attacker goals which JUMPSEC was able to achieve, and the effectiveness of security controls encountered at each stage of the assessment. JUMPSEC will provide sufficient information to enable the TTPs to be replicated by the Blue Team as part of any internal wash-up activities.
If required, JUMPSEC can facilitate a replay workshop with the Blue Team to walk through the attack activities performed during the test and investigate the root cause of any detection failures uncovered.
JUMPSEC can also deliver a presentation to senior stakeholders communicating the findings and associated risks in clear business terms.