Red Teaming

During red teaming, a team of specialists simulates all phases of an attack on an organization. The goal of the test is to emulate a real attack as faithfully as possible in a controlled manner. This tests the organization's overall defense capabilities, including its ability to detect and respond to an ongoing attack.

Benefits

Red teaming reveals not only technical vulnerabilities but also shortcomings in processes and incident response. This approach allows organizations to better understand how they can defend against real threats and provides valuable information for improving their security strategies and procedures.

Just as backups cannot be considered functional without restoration tests, a painstakingly developed cyber defense system should not be verified for the first time during a real incident. The techniques used are real, but unlike actual attackers, the red team communicates openly and respects agreed-upon limitations, because its goal is to provide you with the most useful insights for improving your security. A key part of the tests is collaboration with defenders (the blue team) as part of purple team activities, where successful and unsuccessful attacker actions are shared and detection mechanisms are fine-tuned.

Red teaming is always tailored to a specific organization. When creating scenarios, we consider the organization's current maturity level, its ability to accept the risk of impact on production systems, and any other limiting requirements. However, it is always a comprehensive test suitable for mature organizations. It works best for environments where traditional penetration tests, including insider threat tests, have already been conducted.

Testing Process

The testing is based on the MITRE ATT&CK framework, supplemented by individualized knowledge about the client and the red team's expertise. Scenarios, particularly the entry point and objectives (flags), are defined before the test. The techniques performed are chosen based on these scenarios.

The following tests, among others, are performed under these conditions:

  • If the test begins outside the perimeter, actions are taken to gain initial access: reconnaissance, resource development (exploit development, infrastructure building), attacks on internet-facing systems, social engineering, physical security tests, etc.

  • On every system where the attacker has gained only limited rights, an attempt is made to escalate privileges.

  • The credential access tactic is used to obtain secrets from compromised systems, allowing for lateral movement within the network. Valuable data can be exfiltrated from the systems.

  • Ways of maintaining persistence and command and control capabilities are tested.

All findings, along with proposed recommendations, are presented in the final report.

Other Types of Tests

A Penetration Test – Insider Threat also simulates an attacker within the internal network, but it focuses on systematically identifying and exploiting weaknesses, rather than simulating a full attack. Initial access is assumed in that test, and it does not include tactics like maintaining persistence, evading detection mechanisms, or remote control of compromised systems. These factors significantly reduce the time required for the test.

In addition to the tests described above, we also provide our clients with many other types of penetration tests. For a full list, see Penetration Testing – Overview.

Final Report

The results of the penetration test are documented in a final report, which contains details of the testing process, a description and classification of all the vulnerabilities found, and recommendations for mitigating the risks. We deliver the report securely in MS Word and PDF formats. The results can also be presented in a management presentation or a technical workshop.

Red teaming is also sometimes called Adversary Simulation.
