
Penetration Testing

Technical Analysis Through Penetration Testing

What are the vulnerabilities in your IT systems and how can they be exploited in an attack? Are there any misconfigurations in individual systems or services that could be exploited by an attacker? Are there any misconfigurations in the Active Directory (AD) that could lead to a takeover of the AD? Are there unpatched or (non-segmented) systems running outdated operating systems? Are there externally accessible vulnerable systems that can be used for initial access? I can provide you with answers to these questions and more in the context of a penetration test (pentest for short), in which I simulate the attack techniques of a real hacker attack in order to check targeted areas of your perimeter and/or your internal IT infrastructure for vulnerabilities.


Pentests are first and foremost a technical security check of your systems, which forms the basis of an effective hardening process. It is not a matter of acting quietly and unnoticed; usually your internal IT defenders, i.e. the Blue Team or your system administrators, are privy to the pentest. In penetration testing, my focus is clearly on finding as many vulnerabilities as possible in the time available, or as many vulnerabilities as an average technically skilled malicious hacker would find in the same time.


With RedOps I represent the concept that penetration testing is a very important aspect of a holistic security concept, but at the same time it is only one piece of the offensive IT security puzzle. It is not enough to identify technical vulnerabilities in the IT infrastructure, it is also necessary to regularly sensitise and train the defenders of the IT infrastructure (e.g. through a Red Team approach or Red Teaming).

Who Needs Penetration Testing?

Penetration tests are an important tool for increasing the level of IT security in organisations. They often provide a good entry point into the process of increasing IT security. By focusing on technical analysis, penetration tests usually form the basis for implementing targeted hardening measures.

The requirements for a penetration test vary from client to client. In an initial meeting I will try to establish the ACTUAL state of your current IT security. Based on this, we will work together to identify your needs and objectives, and I will provide you with a tailored proposal.

External Penetration Tests

In an external penetration test, I focus on your company's publicly accessible systems (perimeter). I look for possible vulnerabilities that would allow me to take over a system or use it to gain initial access to your internal network. For example, are there externally accessible systems with known vulnerabilities or outdated software?

The added value of an external penetration test lies in the assessment of the ACTUAL state of the IT security level of your externally accessible systems. The pentest report provides the basis for hardening your perimeter.

Internal Penetration Tests

In an internal penetration test, I do not look at externally accessible systems, but focus on the current state of your internal systems or internal IT infrastructure. Depending on the customer's requirements, I can focus on testing individual systems (e.g. clients/golden image), a defined area (scope) or on testing hardening measures that have already been implemented.

A common application for internal pentests is the assessment of the current state of Microsoft Active Directory, where I can identify vulnerabilities or misconfigurations that could lead to a compromise or takeover of your Active Directory. The pentest report forms the basis for hardening your internal IT infrastructure.

Subcategories of the Procedures

Each pentest must be adapted to the objectives and context of the organisation. This leads to different approaches. One important difference is the amount of information given to the tester.

  • Black Box Testing

    In black box testing, the penetration tester assumes the role of an average hacker with no inside knowledge of the target system or area.

    The main differences from a real attack are that the tester does not have to act in secret, the IT team is made privy to the test, and the focus is on technical analysis of the perimeter and, depending on the tester's success, the client's internal IT infrastructure once the perimeter has been successfully penetrated.

  • Grey Box Testing

    In a grey box penetration test, only a few pieces of information are passed to the tester. This is usually the credentials. Grey box testing is useful for understanding the level of access a privileged user could gain and the potential damage they could cause. Grey box testing balances depth and efficiency and can be used to simulate either an internal threat or an attack from outside the network.

  • White Box Testing

    The tester receives as much information as possible from the client in advance, such as the scope of the systems to be tested. Compared to other methods, the booked time can be fully used for testing the internal IT infrastructure. The biggest challenge with the white box pentest is to efficiently process the amount of data in the booked time, interpret it correctly, identify vulnerabilities in individual systems/services and misconfigurations in the Microsoft Active Directory and exploit them in a controlled manner.

How We Approach Penetration Testing

  • 01 Preparation | Scoping

    The first step is to work with you to understand what your objectives are, what value you want to add, and what systems or areas need to be tested. Based on this, we define the objective, the penetration testing methodology, the scope and the time required for the test. For example, if you are interested in finding as many vulnerabilities or misconfigurations in your Active Directory as possible, I would recommend an internal white box penetration test.

  • 02 Methodology | Implementation

    After the official kickoff, I start to execute the penetration test. For example, in an internal white box penetration test, I first gather information about possible vulnerabilities and misconfigurations (internal discovery) in systems/services, Active Directory, etc. of the pre-defined scope. I try to find as many vulnerabilities and misconfigurations as possible within the agreed time and exploit them in a controlled manner. During the pentest I will always act responsibly and will be in regular contact with you to coordinate sensitive steps or to inform you about critical findings.

  • 03 Report | Further Development

    At the end of the day, you receive a technical report with the results of the penetration test. This technically detailed report is usually the basis for initiating the process of hardening the infrastructure and subsequent re-testing. You will also receive a management summary to present to your senior management. In a joint final presentation, we discuss the results of the penetration test and take a closer look at your current strengths and weaknesses.

Penetration Test vs. Red Team Approach

The Red Team approach and the classic penetration test have some similarities, but there are significant differences between the two.

  • Overview

    Penetration Test: In a penetration test, the focus is clearly on finding as many vulnerabilities as possible within a scope defined with the client and exploiting them in a controlled manner. In a penetration test I also follow the Mitre ATT&CK framework closely, but the focus is not on being as inconspicuous and undetected as possible.

    Red Team Approach: With the Red Team Approach, I simulate real cyber attacks for small and medium-sized enterprises (SMEs), acting strategically, dynamically and as quietly as possible. Based on current Advanced Persistent Threats (APTs) and the Mitre ATT&CK framework, I put your organisation to the test.

  • Planning / Procedure

    Penetration Test: On the one hand, there is a clearly defined scope; on the other hand, the framework is defined by rules of engagement. The IT team is involved in the pentest.

    Red Team Approach: Basically, there are no rules and no scope. The primary objective is for the Red Team to achieve the defined goal. For a scenario that is as realistic as possible, only the most necessary people (White Team) should be involved.

  • Procedure

    Penetration Test: There is no need to act as quietly and unnoticed as possible. The approach is structured and rather static, supplemented by dynamic elements.

    Red Team Approach: I simulate a real cyber attack and act strategically and as inconspicuously as possible. Detections by technical components such as EDR and SIEM as well as by human components such as the Blue Team (SOC) should be avoided as far as possible.

  • Rules

    Penetration Test: The framework conditions are defined by means of "Rules of Engagement".

    Red Team Approach: In principle, there are no rules, but it still makes sense to use "rules of engagement" to define what I can and cannot do as an attacker.

  • Period

    Penetration Test: The period is very flexible; the client can book more or less man-days as required. It is recommended to adapt the period to the defined scope.

    Red Team Approach: The Red Team Approach can take several weeks, or a Red Team Engagement up to several months. The large strategic component requires a lot of time, with about 50% of it going to the initial access.

  • Methodology

    Penetration Test: Penetration testing stands and falls with the methodology used. Penetration testing contains many static elements that are regularly supplemented by dynamic elements. It is not about OPSEC, i.e. the IT department is informed and there is no need for the tester to act in silence.

    Red Team Approach: Red Teaming or the Red Team Approach thrives on many dynamic elements, yet there is also a structured procedure here. For the simulation of real, advanced cyber attacks, every step is well considered and carried out as silently as possible (OPSEC). Your technical IT security and your defenders are put to the test.

  • Added Value

    Penetration Test: The penetration test provides you with important information about the technical level of your IT security. A pentest offers companies a good introduction to the topic of cyber security. The pentest report can be used as a basis for initiating effective hardening of your IT infrastructure.

    Red Team Approach: At the end of the day, the attack simulation gives companies an undistorted picture of how they react to a real cyber attack or how well they are prepared. On the one hand, you gain important insights into the technical level of your IT security and, on the other, into the reaction times and visibility of your internal defenders.

Why Penetration Tests at RedOps?

With my company RedOps, I also try to do a bit of education in the area of offensive security. In practice, it is not uncommon for companies to be misadvised and, due to a lack of communication, end up with something completely different from what they needed or expected. It is vital to consider the business context, objectives and desired value of a penetration test. A good penetration test stands and falls with the (right) methodology.

In a first meeting I would be happy to take the time to discuss your current situation and to agree on the type of pentest that will provide the most value for you.

  • Responsibility and Integrity

    Anyone who uses offensive security services and deliberately exposes themselves to an ethical hacking attack should do so with a partner they can absolutely trust. I keep all information strictly confidential and act with 100% integrity in everything I do.

  • Research Orientation

    IT security is not a product, but a constant learning process. That's why I invest a lot of time in further education and research. I have already been able to present my results in the area of endpoint security at several international IT security conferences.

  • Quality Instead of Quantity

    With Offensive Security, I have made my passion my core competence. I don't sell products or licences, but live purely from my expertise in the field of IT security. For me, quality clearly comes before quantity.