Red Team Assessment
We find the vulnerabilities that help hackers achieve their goal.
How vulnerable is your company? Could your security organization detect a hacker attack at an early stage and successfully defend against it? With our Red Team Assessment, we provide you with information about the damage your company would face in the event of a successful cyber attack.
In preparation for the Red Team Assessment, we work with you to define an overarching attack scenario, for example, the compromise of selected, critical IT systems or the theft of digitally stored business secrets.
Why Red Team Assessments?
- Evaluate the real impact on your infrastructure in the event of a cyber attack.
- Under the EU DORA regulation (applicable from January 2025), financial entities designated by their competent authority must carry out threat-led penetration testing (TLPT), i.e. regular red team exercises, at least every three years.
- Test and train your security organization's ability to detect real cyber attacks at an early stage and initiate appropriate countermeasures.
- Check the effectiveness of your technical security measures to protect against cyber attacks.
Framework parameters of the Red Team Assessment
The framework parameters of the Red Team Assessment determine what the attack simulation can teach you and whether it succeeds, so defining them carefully is essential. Our approach is guided by the MITRE ATT&CK® framework. In particular, the following aspects are taken into account:
Identification of your high value targets
High value targets are the crown jewels of your company. For example, they may be trade secrets such as research results or sensitive information about a new product. However, it is just as possible to define specific IT systems or applications as the target of the attack. This could be, for example, database servers with highly confidential customer data or the entire Active Directory (AD) infrastructure, the compromise of which could mean the complete takeover of the company network.
It is also possible to simulate specific scenarios, for example to find out how long an attacker can move through the network before being detected, or how much damage a ransomware attack could cause.
Definition of the threat perspective
The threat perspective is the starting point of the attack. An attack from the internet by an external hacker is one option; an attack by an insider who knows the environment and already has access to the internal network is just as realistic. A successful phishing attack can also be defined as the starting point: the attacker then controls a workstation in regular use and, depending on the role of its actual user, holds very different authorizations within the corporate network.
Technical security measures
For an attack simulation that is as realistic as possible, we recommend that technical security mechanisms such as web application firewalls (WAF) or intrusion detection/prevention systems (IDS, IPS) remain switched on; only then can the assessment show whether these controls actually detect and block a real attacker.
Involvement of your IT (security) organization
If desired, we can carry out the Red Team Assessment "undercover", i.e. with the knowledge of only a few authorized persons. To give our experts the opportunity to act carefully and covertly, we generally recommend a period of several weeks for the assessment. Within this period the attacker decides when to act, although timing can be coordinated with the contacts on your side who are in the know. We take these and other parameters into account when defining the attacker model.
Dos and don'ts
In general, exclusions from certain test activities can be agreed before the assessment. These can relate to specific technical tests, systems, or system environments, and attack methods such as denial of service or social engineering can be ruled out entirely. It is important, however, that such exclusions do not undermine the mission of the assessment, i.e. that the agreed target remains attainable.
Our methodology at a glance
Kick-off workshop
In preparation for the assessment, we hold a kick-off workshop with your responsible contact persons. During this workshop, the threat perspective, the attacker model, and other framework parameters are defined in consultation with you based on the recommendations of our experts.
Execution
The assessment is conducted according to the framework specified in the kick-off. To simulate an external attack realistically, the Red Team typically receives little or no information about the target in preparation for the assessment. Depending on the defined objective, we recommend a test period of four weeks on average for the execution of the test activities.
Reporting
We document the results of the Red Team Assessment in a written report. It contains a management summary, a detailed description of the exploited vulnerabilities and security gaps, the attack path taken towards the agreed goal, and recommended countermeasures.
Debriefing & presentation of results
The debriefing also takes a holistic view of your company's risk in light of the Red Team Assessment: we address the security measures in place and make recommendations for improving both them and your IT (security) organization. At your request, we present the results in a joint workshop with your defenders, where technical and organizational improvements can be discussed. If required, we can replay the attacks we carried out.
More Insights
DORA Deep Dive: Threat-Led Penetration Testing (TLPT)