Full spectrum testing, using a targeted, opportunistic approach.
Red Teaming engagements are focused on practically testing your organizations’ defensive and detective capabilities against determined adversaries. Are your teams ready to execute their runbooks? Can your SIEM/SOAR platform or EDR implementation detect malicious actors? Does your telemetry need tuning? These are the questions that Red Team assessments can help answer.
Our Focus
Organizations that have a mature information security program and want to really test their capabilities engage in realistic, clandestine, non-attributable Red Teaming.
Full Scope
Red Team Engagements are commonly misconstrued as traditional penetration testing. Some of the facets of Red Team Engagements are similar to penetration testing: an adversarial perspective is employed in an attempt to gain unauthorized access to systems and data. However, Red Teaming involves a more focused, goal oriented effort. This type of testing is meant for organizations with a very mature security posture, that have undergone numerous assessments. These organizations desire to test incident response teams and processes, and see how their security controls can withstand a focused persistent threat.
Red Teaming is also meant to be fully evasive, and clandestine. Rotas emphasizes a non-attributable approach to testing. This type of assessment does not provide a holistic view of an organization’s overall security posture; it is meant to show what a focused adversary could accomplish with near-real world assessment conditions. Threat actor tactics, techniques and procedures are implemented in an attempt to execute a covert assessment, and simulate a determined adversary. In the event that the Red Team activity is identified, the assessment can transition to a collaborative event, wherein active attacks are coordinated with security personnel in real-time. This can provide valuable intelligence, and allow security teams to better tune their detective controls, in real-time.
The full-spectrum nature of Red Team Engagements typically includes a wide scope for the assessment. Technical, logical, personnel, and physical attack surfaces are commonly in-scope, affording the Red Team Assessor a myriad of avenues of attack.
Assumed Compromise
The engagement begins with the assumption that the attacker (Rotas) has already successfully breached a certain level of the organization’s defenses. This type of engagement typically bypasses the initial phases of an attack, such as reconnaissance and initial exploitation, and starts from a point where the attacker has already gained some level of access or control within the organization’s network.
This type of testing focuses on how well an organization can detect and respond to an attacker once they have already been breached by an adversary. This includes identifying and responding to lateral movements within the network, escalation of privileges, data exfiltration, and other advanced stages of a cyber attack.
This testing allows an organization to assess its incident response capabilities in a more controlled and realistic environment. This includes testing how quickly and effectively the security team can identify and neutralize a threat, as well as recover from a breach.
Clandestine External Engagement
The Red Team simulates the tactics, techniques, and procedures of covert external attackers. The primary objectives of this type of engagement are to assess an organization’s external defenses, detect vulnerabilities that could be exploited by real-world adversaries, and evaluate the effectiveness of the organization’s detection and response mechanisms. These engagements are longer than traditional external penetration testing activities, because to achieve stealth, the Red Team must execute activities slowly and carefully. Also, significant effort is put into intelligence and reconnaissance activities so that the detective capabilities the organization has in-place can attempt to be avoided or bypassed.
These engagements are blended and usually involve social engineering activity that is highly targeted, with the goal to garner credentials or achieve a remote command and control “beach head” in an organization’s network.
An important aspect of this engagement type is ensuring that the activities of the Red Team cannot be easily traced back to them. This involves using tactics and tools that obfuscate the origin of the attack and mimic the modus operandi of potential real-world attackers.
Threat Emulation
Rotas selects known threat actors, such as advanced persistent threat (APT) groups or high-profile cybercriminal organizations, and emulates their behavior. Threat intelligence feeds and other cyber threat intelligence sources are leveraged to determine the groups that represent the most likely threat to the specific organizations undergoing the emulation campaign. This involves thorough research and understanding of the selected adversary’s history, objectives, and methods.
Rotas replicates the specific TTPs used by these adversaries. This includes the types of malware or command and control channels they use, their methods of gaining initial access, their lateral movement strategies within a network, and how they exfiltrate data or achieve their objectives.
This approach allows an organization to assess their defenses against the types of attacks they are most likely to face, based on their industry, geographical location, or other factors that might attract specific adversaries.
WHY ROTAS?
We use an adversary’s perspective to simulate cyber attacks on systems to uncover vulnerabilities.
- Expertly apply adversarial perspective
- Our hacker consultants have an average of 10+ years experience
- Specialists in crafted, artisanal network packets
- Cross-industry expertise; we’ve seen things and hacked those things
- Focused on showcasing attacker techniques and methods to mitigate