Our Red Team methodology
A Red Team exercise aims to simulate a motivated outside attacker pursuing one or more specific objectives: theft of strategic data, extortion, looting, espionage, denial of service, damage to the brand image, etc. Unlike a traditional penetration test, which is generally restricted to a specific application in a specific context, the scope of a Red Team exercise is usually much wider.
Goals
- Collect public information on both employees and the technologies in use.
- Identify the least secure exposed services, the scenarios most likely to trap users, and the most vulnerable buildings.
- Gain entry to the internal network through several attack paths.
- Move silently within the network, without being detected by the SOC or a dedicated defensive team (Blue Team).
- Test the segmentation and robustness of the target organization's information system.
- Compromise the trophies chosen by the sponsor.
Throughout the engagement (from a few weeks to a few months, depending on the target organization and the objectives set), regular progress meetings are held with the sponsor to report on the state of the exercise.
Scouting
The Red Team exercise begins with a phase of collecting publicly available information:
- The names of subsidiaries and brands
- The countries where the offices are located
- Public address ranges exposed on the Internet
- The names of employees and their roles
- Email addresses and phone numbers
- Names of suppliers and customers
- The names of the projects related to the trophies
- Any information useful for phishing scenarios
From all the information collected, the Red Team builds the attack scenarios that have the highest probability of success.
Attack on perimeter defenses
The Red Team then attempts to establish initial access to the internal network through different methods:
- Exploitation of a software vulnerability in services exposed on the Internet
- Brute-forcing of authentication
- Compromise of workstations through social engineering
- Phishing by email, USB key or Wi-Fi
- Planting a rogue network device during a physical intrusion into a building
Propagation in the internal network
Once access to the internal network is established, we set up persistent pivoting mechanisms to spread within the network. We then locate the systems hosting the trophies and the access mechanisms that protect them. The Red Team then progresses discreetly using different techniques:
- Harvesting of credentials
- Privilege escalation
- Lateral movement
- Compromise of the Active Directory (AD) forest
- Takeover of Linux servers
- Pivoting from administration bastion hosts
Acquiring trophies
The trophies are defined before the engagement and can be of different kinds; here are some examples:
- Takeover of a workstation with a real-time view of its screen
- Takeover of an AD domain
- Takeover of a business server
- Sending an email to the sponsor in the name of the CEO
- Access to a strategic and confidential management file
- Transfer of a symbolic one euro
Results
At the end of the engagement we write a report detailing our actions, the means used to achieve the objectives and the set of measures needed to protect the organization. Depending on the organizational architecture of the target, this report can be split into several documents, one for each entity or business unit (BU) concerned by the exercise. Before removing our persistent access, our teams ensure that all traces of the intrusion have been erased, restoring the information system to its state before the exercise.