
Red Teaming

To strengthen your defenders

Regular penetration testing with a clearly defined scope and a solid methodology is important and helps to raise the level of IT security in an organisation. Unlike a traditional penetration test, which focuses mainly on the technical aspects of IT security, a Red Team Assessment (Red Teaming) takes a more comprehensive and sophisticated approach and delivers additional value. Red Teaming simulates a real cyber-attack and tests how the organisation as a whole reacts to it. In other words, Red Teaming assesses not only the technical side of IT security, but also the response and behaviour of the entire organisation.

By simulating real cyber-attacks, Red Teaming answers questions such as: Is the attack noticed by the organisation at all? How well does internal communication between employees work? What visibility do your EDR and SIEM actually provide? Does your Security Operations Centre (SOC) pick up the attack? How quickly do your defenders locate the entry point of the attack? Does the Blue Team succeed in removing the attacker from the internal network?

The methodology of Red Teaming differs fundamentally from that of a penetration test. A clear objective is defined at the outset, e.g. gaining initial access, compromising the CEO's workstation or taking over a specific file server. Communication with the company takes place only between our Red Team and the company's White Team (also called the White Cell). Usually the Blue Team does not know that an attack simulation is planned, because this is the only way for the company to see how its own Blue Team reacts, unprepared, to a real cyber-attack. In other words, you get a completely undistorted picture of how your organisation would react in an emergency. It is important to understand that the term Blue Team does not refer only to your company's technical defence team: it includes everyone in your organisation.

With Red Teaming we also want to show that even established EDR solutions such as CrowdStrike, SentinelOne, Elastic etc. have weaknesses and blind spots that malicious hackers can exploit. At the same time, our primary goal is always to strengthen your Blue Team, for example by showing them exactly how we bypassed the antivirus (AV), endpoint protection platform (EPP) and endpoint detection and response (EDR) solutions deployed internally.

A common misconception (on the part of both service providers and customers) is that Red Teaming is only about operating undetected. That holds true until the agreed objectives have been met. If all agreed objectives have been achieved, e.g. a particular server has been compromised, and the organisation has not reacted in any way (the attack has not been detected, the AV/EPP/EDR has not reacted, etc.), the Red Team must give the Blue Team the opportunity to respond to the still undetected attack. If necessary, the Red Team should deliberately perform a conspicuous action at this point, such as executing a post-exploitation job via fork and run (spawning a sacrificial process and injecting into it), in order to trigger the EDR.

In other words, there is no shame in a Red Team being discovered by the Blue Team. Ideally, though, once all objectives have been achieved, the Red Team controls when and by which action it is discovered. Only then does the organisation get real value from the Red Team assessment.
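As an added illustration (this is not RedOps' code or part of their methodology), the following Python script shows how the questions listed above can be turned into measurable numbers once the engagement is over: it correlates the Red Team's own activity log with the alert and ticket timeline handed over by the White Team, computes time-to-detect per action, lists the actions that never produced an alert (the blind spots), and measures the time from first action to the first human response. The hosts, technique IDs, timestamps and the 24-hour matching window are assumptions constructed for this example and do not come from any real engagement.

```python
"""Added example, not RedOps' own code or tooling: scoring detection and
response after a Red Team engagement.

Input: the Red Team's activity log and the Blue Team's alert/ticket
timeline. Output: time-to-detect per action, the actions that never
produced an alert (visibility gaps), and the time from first action to
containment. All hosts, technique IDs and timestamps are constructed
sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class RedAction:
    ts: datetime
    host: str
    technique: str            # MITRE ATT&CK technique ID
    note: str


@dataclass(frozen=True)
class BlueAlert:
    ts: datetime
    host: str
    source: str               # "EDR", "SIEM" or "SOC" (analyst ticket)
    technique: Optional[str]  # technique the alert maps to; None for a ticket


# Constructed Red Team timeline. The last entry is the deliberately
# conspicuous action performed after the objective was reached.
RED_TIMELINE = [
    RedAction(datetime(2024, 3, 4, 9, 12), "WS-0421", "T1566.001", "phishing attachment opened"),
    RedAction(datetime(2024, 3, 4, 9, 15), "WS-0421", "T1059.001", "PowerShell stager, C2 channel up"),
    RedAction(datetime(2024, 3, 4, 11, 40), "WS-0421", "T1003.001", "LSASS credential access"),
    RedAction(datetime(2024, 3, 5, 14, 2), "FS-01", "T1021.002", "SMB lateral movement to file server"),
    RedAction(datetime(2024, 3, 5, 14, 30), "FS-01", "T1005", "objective: target share read"),
    RedAction(datetime(2024, 3, 6, 10, 0), "WS-0421", "T1055", "fork-and-run injection to trigger EDR"),
]

# Constructed Blue Team timeline: one EDR alert fired on day 1 but nobody
# acted on it; the SOC ticket only appears after the deliberate trigger.
BLUE_TIMELINE = [
    BlueAlert(datetime(2024, 3, 4, 11, 52), "WS-0421", "EDR", "T1003.001"),
    BlueAlert(datetime(2024, 3, 6, 10, 1), "WS-0421", "EDR", "T1055"),
    BlueAlert(datetime(2024, 3, 6, 10, 25), "WS-0421", "SOC", None),
]


def minutes(delta: timedelta) -> int:
    """Whole minutes in a timedelta."""
    return int(delta.total_seconds() // 60)


def detection_report(actions, alerts, window=timedelta(hours=24)):
    """For each red action, find the first alert on the same host that maps to
    the same technique within `window` after the action. `minutes` is None
    when nothing fired for that action."""
    ordered = sorted(alerts, key=lambda a: a.ts)
    report = []
    for act in actions:
        hit = next(
            (a for a in ordered
             if a.host == act.host and a.technique == act.technique
             and act.ts <= a.ts <= act.ts + window),
            None,
        )
        report.append({
            "technique": act.technique,
            "note": act.note,
            "detected_by": None if hit is None else hit.source,
            "minutes": None if hit is None else minutes(hit.ts - act.ts),
        })
    return report


def visibility_gaps(report):
    """Techniques that executed without any matching alert: the blind spots."""
    return [r["technique"] for r in report if r["minutes"] is None]


def time_to_first_alert(actions, alerts):
    """Minutes from the first red action to the first alert of any kind (tooling visibility)."""
    start = min(a.ts for a in actions)
    first = min(a.ts for a in alerts)
    return minutes(first - start)


def time_to_contain(actions, alerts):
    """Minutes from the first red action to the first SOC ticket (human response).
    Returns None if the SOC never reacted during the engagement."""
    start = min(a.ts for a in actions)
    tickets = [a.ts for a in alerts if a.source == "SOC"]
    return None if not tickets else minutes(min(tickets) - start)


if __name__ == "__main__":
    rep = detection_report(RED_TIMELINE, BLUE_TIMELINE)
    for r in rep:
        status = "undetected" if r["minutes"] is None else f"{r['minutes']} min via {r['detected_by']}"
        print(f"{r['technique']:<10} {r['note']:<40} {status}")
    print("visibility gaps:", visibility_gaps(rep))
    print("first alert after", time_to_first_alert(RED_TIMELINE, BLUE_TIMELINE), "min")
    print("containment after", time_to_contain(RED_TIMELINE, BLUE_TIMELINE), "min")
```

With the constructed data, the script separates the two things the page says a Red Team measures: the EDR had visibility of the credential dump within 12 minutes, yet the SOC opened a ticket only after the deliberate fork-and-run trigger on day three, and four of six techniques never produced an alert at all. The matching key (same host, same technique, within the window) is a deliberate simplification; in a real report you would also map alerts that fire on a neighbouring technique or on the C2 channel rather than the endpoint.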


Red Teaming is particularly suitable as a realistic test to simulate a real cyber attack for companies that are already well prepared and have an appropriate level of IT security. Our customers get a first impression of how their own (IT) staff will react and what level of responsiveness and visibility (at the endpoint and in the network) their internal IT defenders currently have.


However, at RedOps, we also believe that red teaming, in an adapted form, can provide added value to inexperienced organisations by giving them an absolutely unbiased picture of their actual state in the event of a malicious cyber-attack. Fear is never a good advisor, but this kind of awareness can often be a door opener for the IT security department at the levels where budget decisions for more IT security are made.

Who Needs a Red Teaming?

Red Teaming is primarily aimed at organisations that already have an advanced level of IT security maturity. This includes regular penetration testing, endpoint and Active Directory hardening, the use of an EDR solution and regular awareness training for staff. Budget is also a key consideration, as a Red Team deployment can take several weeks or even months and is therefore more expensive.

However, at RedOps we believe that Red Teaming, in a modified form, can be of interest to organisations with less experience in IT security. Why is that? The simulation of a real cyber-attack with Red Teaming can help to get a realistic picture of the current security level in the company, which is not possible with a conventional penetration test. Of course, it has to be considered on a case-by-case basis whether this type of test makes sense or whether a penetration test would be more appropriate.

The Red Team approach and the classic penetration test have some similarities, but there are significant differences between the two methods. The following overview compares them point by point.

Overview
  • Red Teaming: simulates real-world cyber-attacks by being strategic, dynamic and as meticulous as possible. Based on current Advanced Persistent Threats (APTs) and the MITRE ATT&CK framework, we put your organisation to the test.
  • Penetration Testing: the focus is clearly on finding as many vulnerabilities as possible within the defined scope and exploiting them in a controlled manner. We also base our penetration tests on the MITRE ATT&CK framework, but the focus is not on remaining as inconspicuous and undetected as possible.

Planning / Procedure
  • Red Teaming: possible attack scenarios are developed on the basis of threat intelligence. The primary goal of the Red Team is to achieve the defined objective. To keep the scenario as realistic as possible, only the most essential people (the White Team) are involved.
  • Penetration Testing: there is a clearly defined scope, and the framework is set by rules of engagement. The IT team is involved in the pentest.

Procedure
  • Red Teaming: we simulate a real cyber-attack and act strategically and as inconspicuously as possible. Detection by technical components such as EDR and SIEM, and by human components such as the Blue Team (SOC), is avoided as far as possible.
  • Penetration Testing: there is no need to operate as quietly and unnoticed as possible. A structured, more static approach with dynamic elements.

Rules
  • Red Teaming: a real attacker is bound by no rules; a Red Team, however, needs rules of engagement that define what we as benign attackers may and may not do.
  • Penetration Testing: the framework conditions are defined by rules of engagement.

Period
  • Red Teaming: several weeks to months. The highly strategic part requires a lot of time and preparation; roughly half of the effort goes into gaining initial access.
  • Penetration Testing: very flexible; the client can book more or fewer person-days as required. It is advisable to match the period to the defined scope.

Methodology
  • Red Teaming: there are many dynamic elements, but also a structured approach. To simulate real cyber-attacks, every step is carefully considered and carried out as quietly as possible (OPSEC). Your technical IT security and your defenders are put to the test.
  • Penetration Testing: stands or falls on the methodology used. It contains many static elements, regularly supplemented by dynamic elements. OPSEC is not a concern: the IT department is informed and the tester does not need to act in silence.

Added value
  • Red Teaming: the attack simulation gives organisations an unbiased picture of how they would react to a real cyber-attack and how well prepared they are. You gain insight into the technical level of your IT security as well as the response times and visibility of your internal defences.
  • Penetration Testing: provides important information about the technical level of your IT security. A pentest is a good introduction to cyber security, and the report can serve as the basis for effective hardening of your IT infrastructure.
How we approach Red Teaming
  • 01 Preparation | Scoping

    Each Red Team engagement begins with a precise definition of the scope and a clear objective. This could be compromising Active Directory, gaining access to the CEO's computer, or reaching specific sensitive customer data. Planning and execution involve as few employees as possible, so that the attack appears authentic and gives a realistic, unbiased picture of your IT security posture and your team's response.

  • 02 Methodology | Implementation

    At the start of each Red Team engagement, comprehensive threat intelligence is gathered, for example from threat intelligence providers, and supplemented with tactical information about the customer. On this basis, two to three realistic attack scenarios are developed and thoroughly prepared, including the spear-phishing campaign, command-and-control infrastructure, malware, etc. needed to gain initial access. If initial access fails on the first attempt, one or two further attempts are made. If initial access fails completely, we move on to an assumed-breach scenario.

    During red teaming we are in constant contact with our client contact (white team) to keep them informed of progress.

  • 03 Report | Further development

    In the final report and a closing presentation, we show you in detail how we proceeded, which scenarios we developed, how we (possibly) gained initial access, which attack surfaces we identified in your organisation and how they can be improved.

    We are not interested in pointing fingers. The aim is to raise your IT team's awareness of information security and to develop their skills so that they are better prepared for, and better able to respond to, real cyber-attacks in the future.

Why Red Teaming with RedOps?

Building on our expertise in OSINT, Windows internals, Active Directory, EDR evasion, etc., we offer you the opportunity to subject your organisation to an in-depth Red Team assessment. We focus not only on the technical side of your IT infrastructure, but also on how your entire organisation would react to a real cyber-attack. We analyse how such an attack would affect your internal processes and how your defenders would react in an emergency. As experts in offensive security, our goal is to help you understand and prepare for real-world cyber-attacks and to continuously improve your overall IT security posture.

  • Responsibility and Integrity

    Anyone who uses offensive security services and deliberately exposes themselves to an ethical hacking attack should do so with a partner they can trust. We treat all information as strictly confidential and act with complete integrity in everything we do.

  • Research Orientation

    IT security is not a product, it is a continuous learning process. That's why we invest a lot of time in education and research. We have had the opportunity to present our findings on endpoint security at several IT security conferences.

  • Quality Instead of Quantity

    With Red Team Services, we have turned our passion into our core competency. We do not sell products or licences, but live from our expertise in IT security. For us, quality comes before quantity.