Red Teaming is the use of any available means to replicate a targeted attack on a client, including deployment of bespoke Trojan and physical testing – without the knowledge of most personnel at the client organisation. This type of simulated attack enables a company to gauge the effectiveness of their defences against such complex, sophisticated attacks, which are becoming ever more frequent.
Context is one of only a very small number of security consultancy providers able to run this sort of exercise, which is usually based on several operational phases. These vary, as they are tailored to suit a client’s individual circumstances, but may consist of one or more of the following:
Identification of individuals to target within the client organisation, through the use of publicly available data, such as that found on social networking sites. The target organisation will also usually provide a standard build laptop, so simulating the theft or compromise of a similar device.
Making Context’s Trojan bespoke to the Client Environment
Context have developed a bespoke Trojan that behaves in a similar fashion to malicious malware, written from the ground up by Context and under our full control. This malware infects users’ machines providing Context with full remote control from our offices. The Trojan is customised for each engagement ensuring it will not be detected by the organisation's anti-virus and security products.
Delivery of the Trojan
Delivery methods include email attachments that exploit zero day vulnerabilities and fake websites to which the client’s staff are lured, either through targeting of specific individuals (spear phishing), through more general phishing, or via malicious links within social networking or mobile messages. Social engineering techniques and USB devices loaded with malware sent to or planted near employees may also play a role.
We also often carry out a physical penetration test, aiming to gain unauthorised physical access to a client site to deploy an unauthorised device on the organisation’s network.
We would also carry out penetration testing, including a wireless site survey and external infrastructure penetration testing, to circumvent network access controls.
The attack phase may be divided into separate ‘waves’, each lasting a few days and each succeeded by another that exploits information derived from earlier attacks. Waves may also be launched concurrently. The whole attack phase may last for four to eight weeks.
Using the control gained during the waves of attacks Context will attack internal systems. Generally a client will provide certain key systems and critical information which Context will then aim to gain access to. This information is egressed out of the system as evidence of the access obtained.
Context will also ‘clean’ our client’s systems at the completion of the exercise, uninstalling the Trojan from any infected laptops online, to prove we can access target information then pull out of the organisation’s networks leaving no trace of our activities.
A comprehensive high level report details all activities undertaken, an assessment of the susceptibility levels identified and advice on mitigating vulnerabilities identified.
Red Team exercises do not constitute a full security audit. But they can provide valuable insights into clients’ security strategies. They also highlight the value of a service such as Context’s Targeted Attack Detection Service (TADS) as a defence against targeted attacks. Context’s experience in conducting Red Team exercises and helping clients to evaluate and act upon the results is second to none.