Red teaming

Does your organisation have the capabilities to detect and stop real-life threat actors from compromising your network? Having mnemonic conduct a Red Team assessment will let you find out.

Modern threat actors are constantly developing new methods of attacking and compromising organisations. Red Team exercises are performed specifically with this in mind, with the end goal of simulating a real-life attack to assess the detection and response capabilities of an organisation as a whole. This approach targets not only vulnerabilities and misconfigurations found in technical solutions, but also the people and processes that govern them.

To achieve this, the exercise is made as realistic as possible by having few scope limitations and a wide timeframe, so that the Red Team operators have the potential to go undetected by the defenders, or Blue Team. Further, only a handful of people in the organisation, known as the White Team, will have knowledge of the exercise. The White Team stays in close dialogue with the Red Team, so that the learnings from the exercise are maximised and the organisation's daily operations are not impacted.

Every mnemonic Red Team exercise is different and tailored to the client's organisation and its underlying critical infrastructure.

The methodology of a mnemonic Red Team engagement is outlined by the following six phases:

  • Initial reconnaissance
  • Initial compromise
  • Establishing persistence*
  • Internal reconnaissance*
  • Lateral movement and privilege escalation*
  • Compromise pre-defined targets and exfiltration of information

* Occurs continuously, in parallel with the other phases

In the event that the Red Team's operations go undetected and the operators are able to exfiltrate the pre-defined target information without being noticed by the Blue Team, the operators can purposely increase the "noise" and set off alarms in order to invoke the organisation's incident response routines.
At the end of the engagement, the client is given a detailed report describing the observations made during each stage of the exercise, while also outlining the complete attack chain and how to break it.

Throughout the engagement, mnemonic maintains detailed logs of the actions performed, with the goal of making the whole exercise repeatable in case of a re-test or a workshop with the client's Blue Team. Such a workshop may also be expanded into a "Purple Team" exercise, where the Red Team works in close collaboration with the Blue Team to give a real-time demonstration of the attacks, with the goal of learning how to detect, prevent and respond to attacks, and of developing the client's monitoring capabilities.

How a Red Team engagement differs from a regular penetration test

  • Wider scope, evaluating the organisation’s security posture and resilience
  • Aims for realism and demonstration of impact, rather than quality assurance and verification
  • Tests the organisation's ability to detect and respond to attacks
  • May allow the organisation to practice incident response procedures and capabilities
  • Relies more heavily on custom tools developed at mnemonic

A Red Team assessment is a supplement to, rather than a substitute for, regular penetration testing. Organisations that request Red Team assignments usually have penetration tests performed regularly on both internal and external infrastructure, as well as more in-depth security tests of the specific software systems they run.

An alternative to a Red Team engagement is a Threat Intelligence-based Ethical Red-teaming (TIBER) assessment, which increases the realism further by building more heavily on threat intelligence and adversary simulation.

Need more information? Contact:

Manager Risk Services

Andreas Furuseth