Penetration Testing - RedOps

Technical Analysis Through Penetration Testing

What are the vulnerabilities in your IT systems and how can they be exploited in the event of an attack? Are there any misconfigurations in individual systems or services that could be exploited by an attacker? Are there any misconfigurations in the Active Directory (AD) that could lead to a takeover of the AD? Are there unpatched or (non-segmented) systems running outdated operating systems? Are there externally accessible vulnerable systems that can be used for initial access? We provide answers to these questions and more as part of a penetration test (pentest for short), in which we simulate the attack techniques of a real hacker attack to check specific areas of your perimeter and/or internal IT infrastructure for vulnerabilities.

Pentesting is first and foremost a technical security check of your systems, which forms the basis of an effective hardening process. It is not a matter of acting quietly and unnoticed, as your internal IT defenders - the Blue Team or your system administrators - are usually involved in the pentest. In penetration testing, my focus is clearly on finding as many vulnerabilities as possible in the time available, or as many vulnerabilities as an average technically skilled, malicious hacker would find in the same amount of time.

At RedOps, we believe that penetration testing is a very important aspect of a holistic security approach. However, we also believe that in addition to penetration testing and the identification of technical vulnerabilities in the IT infrastructure, it is also necessary to put organisations to the test on a regular basis through Red Team Engagement or Assumed Breach.

Who Needs Penetration Testing?

Penetration testing is an important tool for increasing the level of IT security in an organisation. They often provide a good introduction to the process of increasing IT security. By focusing on technical analysis, penetration tests usually form the basis for the implementation of targeted hardening measures.

The requirements for a penetration test vary from client to client. In an initial discussion, we try to determine the current state of your IT security. Based on this, we will work with you to identify your needs and objectives, and prepare a tailored proposal.

External Penetration Tests

Internal Penetration Tests

In an external penetration test, we focus on your organisation's publicly accessible systems (perimeter). We look for potential vulnerabilities that would allow us to take over a system or use it to gain initial access to your internal network (initial access). For example, are there externally accessible systems with known vulnerabilities or outdated software?

The added value of an external penetration test is to determine the current state of the IT security level of your externally accessible systems. The pentest report provides the basis for hardening your perimeter.

In an internal penetration test, we do not look at externally accessible systems, but focus on the current state of your internal systems or internal IT infrastructure. Depending on the customer's requirements, we can focus on testing individual systems (e.g. clients/golden image), a defined area (scope) or a targeted review of hardening measures that have already been implemented.

A common application for internal pentests is to determine the current state of Microsoft Active Directory, where we identify vulnerabilities or misconfigurations that could lead to your Active Directory being compromised or hijacked. The pentest report forms the basis for hardening your internal IT infrastructure.

Subcategories of the Procedures

Each pentest must be adapted to the objectives and context of the organisation. This leads to different approaches. One important difference is the amount of information given to the tester.

Black Box Testing

In black box testing, the penetration tester assumes the role of an average hacker with no inside knowledge of the target system or area.

The main differences are that the tester does not have to act in secret, the IT team is made privy to the test, and the focus is on technical analysis of the perimeter and, depending on the tester's success, the client's internal IT infrastructure once the perimeter has been successfully penetrated.
Grey Box Testing

In a grey box penetration test, only a few pieces of information are passed to the tester. This is usually the credentials. Grey box testing is useful for understanding the level of access a privileged user could gain and the potential damage they could cause. Grey box testing balances depth and efficiency and can be used to simulate either an internal threat or an attack from outside the network.
White Box Testing

The tester receives as much information as possible from the client in advance, such as the scope of the systems to be tested. Compared to other methods, the booked time can be fully used for testing the internal IT infrastructure. The biggest challenge with the Whitebox Pentest is to efficiently process the amount of data in the booked time, interpret it correctly, identify vulnerabilities in individual systems/services and misconfigurations in the Microsoft Active Directory and exploit them in a controlled manner.

How We Approach Penetration Testing

Preparation | Scoping

The first step is to work with you to define your objectives, the value you want to add and the systems or areas to be tested. Based on this, we define the objective, the penetration testing methodology, the scope and the time required for the test. For example, if you are interested in finding as many vulnerabilities or misconfigurations in your Active Directory as possible, I will recommend an internal white-box penetration test.
Methodology | Implementation

After the official kick-off, we begin to execute the penetration test. For example, in an internal whitebox penetration test, we first gather information about possible vulnerabilities and misconfigurations (internal discovery) in systems/services, Active Directory, etc. of the pre-defined scope. We try to find as many vulnerabilities and misconfigurations as possible within the agreed time and exploit them in a controlled manner. Throughout the pentest, we act responsibly and are in regular dialogue with you to coordinate sensitive steps or inform you of critical findings.
Report | Further development

At the end of the day, they receive a technical report containing the results of the penetration test. This technically detailed report is usually the basis for starting the process of hardening the infrastructure and subsequent retesting. You will also receive a management summary to present to your senior management. In a joint final presentation, we discuss the results of the penetration test and take a closer look at your current strengths and weaknesses.

Penetration Testing

In a penetration test, the focus is clearly on finding as many vulnerabilities as possible within the defined scope and exploiting them in a controlled manner. We also base our penetration tests on the Mitre ATT&CK framework, but the focus is not on being as inconspicuous and undetected as possible.

On the one hand, there is a clearly defined scope, and on the other hand, the framework is defined by rules of engagement. The IT team is involved in the pentest.

There is no need to operate as quietly and unnoticed as possible. A structured, more static approach with dynamic elements.

The framework conditions are defined by means of "Rules of Engagement".

The period is very flexible; the client can book more or less man-days as required. It is advisable to adapt the period to the defined scope.

Penetration testing stands or falls on the methodology used. Penetration testing contains many static elements, which are regularly supplemented by dynamic elements. It is not about OPSEC, i.e. the IT department is informed and there is no need for the tester to act in silence.

A penetration test provides you with important information about the technical level of your IT security. A pentest offers companies a good introduction to the topic of cyber security. The pentest report can be used as the basis for initiating effective hardening of your IT infrastructure.

Red Teaming

Red Teaming simulates real-world cyber-attacks by being strategic, dynamic and as meticulous as possible. Based on current Advanced Persistent Threats (ATPs) and the Mitre Attack Framework, we put your organisation to the test.

Possible attack scenarios are developed based on threat intelligence. The primary goal of the red team is to achieve the defined objective. To make the scenario as realistic as possible, only the most essential people (white team) should be involved.

We simulate a real cyber attack and act strategically and as inconspicuously as possible. Detection by technical components such as EDR and SIEM and human components such as the Blue Team (SOC) should be avoided as much as possible.

In principle, there are no rules, but it still makes sense to use "rules of engagement" to define what we as benign attackers may and may not do.

Red teaming takes several weeks to months. The highly strategic part requires a lot of time and preparation, about 50% for the initial access.

There are many dynamic elements to red teaming, but there is also a structured approach. To simulate real cyber attacks, every step is carefully considered and carried out as quietly as possible (OPSEC). Your technical IT security and your defenders are put to the test.

At the end of the day, the attack simulation gives organisations an unbiased picture of how they would react to a real cyber attack and how well prepared they are. You will gain important insights into the technical level of your IT security, as well as the response times and visibility of your internal defences.

A Red Team Assessment and a classic penetration test have some similarities, but there are significant differences between the two procedures.

Overview

Planning / Procedure

Procedure

Rules

Period

Methodology

Added value

Why Penetration Tests at RedOps?

At RedOps, we also place great emphasis on offensive security education. In practice, it is not uncommon for companies to get the wrong advice and end up with something completely different from what they need or expect due to a lack of communication. When pentesting, it is crucial to consider the context, the objectives and the desired value to the business. A good penetration test stands and falls with the (right) methodology.

In an initial consultation, we will take the time to discuss your current situation and clarify which type of pentest will give you the most value.

Anyone who uses Offensive Security Services and deliberately exposes themselves to an ethical hacker attack should do so with a partner they can trust. We keep all information strictly confidential and have 100% integrity in everything we do.
IT security is not a product, it is a continuous learning process. That's why we invest a lot of time in education and research. We have had the opportunity to present our findings on endpoint security at several IT security conferences.
With Red Team Services, we have turned our passion into our core competency. We do not sell products or licences, but live from our expertise in IT security. For us, quality comes before quantity.

Making sense of IT:Security