Assumed Breach

Preparation for Internal Attacks

In IT security, we all agree that there is no such thing as 100% protection against cyber attacks. In the Assumed Breach scenario, we therefore assume that a malicious attacker has already gained access to your internal network. One possible starting point is a compromised trusted internal connection (the Trusted Relationship or Valid Accounts techniques); another is the classic internal scenario, in which the attacker starts from an ordinary user account on one of your domain clients.


In the assumed breach scenario, we answer key questions about your IT security: How far can an (internal) attacker get into your network in the post-breach phase? Is it possible for an unauthorised user to access sensitive customer data and extract it via various channels? Are there any vulnerabilities or misconfigurations in Microsoft Active Directory (AD) that could lead to a compromise of your Active Directory? Are your internal defenders aware of unauthorised activity on the network and how quickly do they respond? What is your network and endpoint visibility like?


How I Proceed in the Assumed Breach Scenario
  • 01 Planning | Scoping

    The first step is to work with our clients to define a possible scenario for the assumed breach; an internal scenario is one example. We then define possible targets: this could be the compromise of the CEO's account or endpoint, the compromise of specific user accounts (e.g. system administrators) or the takeover of the Microsoft Active Directory. Ideally, as few employees as possible should be involved (white team), as this gives you a truly realistic and undistorted picture of the actual state of your current IT security and IT defence level.

  • 02 Methodology | Implementation

    Depending on the defined scenario, we may start as an unprivileged user on one of your Windows clients in your domain. We begin with internal discovery to get a first overview of your internal infrastructure: possible vulnerabilities, misconfigurations in Active Directory, and so on. Building on this, we attempt to achieve the defined objective in the post-breach phase. As in a red team operation, we proceed strategically, deliberately and discreetly, the way an APT would.

  • 03 Report | Further Development

    The final report gives your organisation critical insight into the attack vectors and vulnerabilities that led to the compromise or to reaching the objective. It also tells you whether the attack was noticed by your IT team and, if so, which actions were recorded and where, and what visibility you had on the network, at the endpoint, and so on.

Why Assumed Breach at RedOps?

The Assumed Breach scenario follows the same process as the Red Team engagement, except that the initial access phase is omitted. With our expertise in defence evasion, we put your organisation and your defenders to the test.

RedOps takes a holistic and realistic approach. At the end of the day, you get an unbiased picture of the current state of your defenders and your technical IT security.

Responsibility | Research | Quality
  • Responsibility and Integrity

    Anyone who uses Offensive Security Services and deliberately exposes themselves to an ethical hacker attack should do so with a partner they can trust. We keep all information strictly confidential and have 100% integrity in everything we do.

  • Research Orientation

    IT security is not a product, it is a continuous learning process. That's why we invest a lot of time in education and research. We have had the opportunity to present our findings on endpoint security at several IT security conferences.

  • Quality Instead of Quantity

    With Red Team Services, we have turned our passion into our core competency. We do not sell products or licences; we make our living from our expertise in IT security. For us, quality comes before quantity.