Red Team Audit

A Red Team audit simulates a real attack in order to assess the overall security posture of the information system and the awareness of the employees. The objective is to demonstrate the potential consequences of an attack and to measure how quickly the defense teams detect and respond to it.

It differs from a penetration test in that it is not limited to listing vulnerabilities within a delimited perimeter.

  • It targets an entire ecosystem: the information system and the employees.
  • Its scope of execution is far less restricted, as in a real-life attack.

A Red Team audit can be seen as a combination of attack scenarios and objectives to accomplish. They are jointly defined by AlgoSecure and the customer, according to the business sector and the identified risks. A few examples:

  • Remote intrusion: identifying and exploiting every publicly reachable resource, such as websites, messaging interfaces...
  • User phishing: phishing emails, malicious USB drives dropped along routes the employees take...
  • Non-destructive physical intrusion into the customer's offices in order to connect a device to the internal network.


Only a few of the customer's employees are informed of the audit, and it is generally carried out over a relatively long period, typically a few months, so the customer cannot predict when the different scenarios will be executed. Security is therefore challenged under real-life conditions.

Some methods used by the AlgoSecure Red Team

We stress the importance of making the perimeter as large as possible: in a real-life situation an attacker has no limits, and a Red Team audit exists precisely to replicate a real attack without the damage it would cause. That said, we always respect the perimeter defined with you, and use all or part of the methods described below, within the time constraints you set.

The reconnaissance phase is considerably larger than in a regular audit: we map not only the computing resources and the information system, but also the employees we could later compromise during the audit.

To do so, we conduct several operations with the following goals:

  • identifying the company's employees from the organization chart published on its website
  • identifying the company's employees from information posted on social networks
  • identifying employees with extensive permissions and access to the information system, such as administrators or IT support staff
  • identifying employees with weaker computer and security skills, such as assistants or business managers
  • identifying the technologies in use from job offers posted on the internet
  • and of course, identifying publicly exposed services: webmail, VPN access, extranet, firewall or server administration interfaces...
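As an added illustration of how the findings of this phase are consolidated (example code written for this page, not AlgoSecure's own tooling), the script below takes constructed org-chart entries, infers the company's mailbox naming convention from a single address found elsewhere, derives a candidate address for every employee, and ranks them by role: privileged IT staff first, then roles likely to be less security-aware. All names, titles and the example.com address are constructed; the role keyword lists are assumptions to be tuned per engagement.

```python
# Added example (not AlgoSecure's tooling): turn recon findings into a ranked target list.
# Every name, title and address below is constructed for the example.
from __future__ import annotations

import unicodedata
from dataclasses import dataclass

# Constructed org-chart entries, as they might be scraped from a fictitious "Our team" page.
ORG_CHART = [
    ("Alice Martin", "Executive Assistant to the CEO"),
    ("Bob Durand", "Systems Administrator"),
    ("Claire Petit", "Sales Manager"),
    ("Émilie Lefèvre", "IT Support Technician"),
    ("François Moreau", "Chief Executive Officer"),
    ("Hugo Bernard", "Accountant"),
]

# One address found elsewhere (constructed), e.g. in PDF metadata or a mailing-list
# archive. A single sample is enough to reveal the naming convention.
KNOWN_ADDRESS = "c.petit@example.com"

# Role keywords (assumed, tune per engagement), matched case-insensitively against titles.
HIGH_PRIVILEGE = ("administrator", "sysadmin", "it support", "helpdesk", "devops", "security")
LOW_AWARENESS = ("assistant", "secretary", "reception", "sales", "chief executive")

# Candidate mailbox conventions, keyed by a human-readable label.
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "f.last": lambda f, l: f"{f[0]}.{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first": lambda f, l: f,
}

PRIORITY = {"high-privilege": 0, "low-awareness": 1, "standard": 2}


def slug(part: str) -> str:
    """Lower-case an ASCII-folded name part: 'Lefèvre' -> 'lefevre'."""
    folded = unicodedata.normalize("NFKD", part)
    return "".join(c for c in folded if c.isascii() and c.isalpha()).lower()


def split_name(full_name: str) -> tuple[str, str]:
    """Return (first, last) slugs; multi-word last names are joined ('De Souza' -> 'desouza')."""
    parts = full_name.split()
    return slug(parts[0]), slug("".join(parts[1:]))


def infer_format(known_address: str, org_chart) -> tuple[str | None, str]:
    """Find which convention maps some org-chart name onto the known address."""
    local, domain = known_address.lower().split("@", 1)
    for label, fmt in FORMATS.items():
        for full_name, _title in org_chart:
            first, last = split_name(full_name)
            if fmt(first, last) == local:
                return label, domain
    return None, domain


def classify(title: str) -> str:
    """Bucket a job title; privileged roles win over low-awareness ones when both match."""
    t = title.lower()
    if any(k in t for k in HIGH_PRIVILEGE):
        return "high-privilege"
    if any(k in t for k in LOW_AWARENESS):
        return "low-awareness"
    return "standard"


@dataclass
class Target:
    name: str
    title: str
    email: str
    category: str


def build_targets(org_chart, known_address: str) -> list[Target]:
    """Derive a candidate address per employee and sort by category, then name."""
    label, domain = infer_format(known_address, org_chart)
    if label is None:
        raise ValueError("no naming convention matches the known address")
    fmt = FORMATS[label]
    targets = [
        Target(name, title, f"{fmt(*split_name(name))}@{domain}", classify(title))
        for name, title in org_chart
    ]
    return sorted(targets, key=lambda t: (PRIORITY[t.category], t.name))


if __name__ == "__main__":
    for t in build_targets(ORG_CHART, KNOWN_ADDRESS):
        print(f"{t.category:15} {t.email:25} {t.name} ({t.title})")
```

Run as-is, it prints the two IT roles first with addresses such as b.durand@example.com. The derived addresses are only candidates: before any phishing wave they are validated against the target's mail system, a step deliberately left out here because it touches the customer's infrastructure.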

This is one of the main differences between a regular audit and a Red Team audit: we do not only exploit software vulnerabilities, we also take advantage of the employees' lack of awareness. Using the information gathered during the reconnaissance phase, we try to penetrate your information system through its employees.

A few examples of the methods used:

  • Sending phishing emails crafted to target one or more employees
  • Calling employees while claiming to be a technical support agent
  • Dropping malicious USB drives near the offices
  • Leaving flyers at the reception desk offering discounts at local shops or restaurants

The physical intrusion stage can have several objectives. On one hand, we test the visitor reception process and check whether restricted areas can be reached by taking advantage of the employees' lack of awareness. On the other hand, we try to plant a device on the internal network that gives us remote access, so that the next stage can start without anyone having to remain physically on site.

There are several ways to achieve this:

  • intrusion through secondary entrances such as service doors, garages...
  • intrusion through improperly closed windows
  • intrusion by mingling with a group of legitimate employees
  • intrusion through the main entrance under a pretext such as a delivery or an urgent need...

If we manage to connect a device to your network and obtain remote access, this stage amounts to an internal network (LAN) security audit.
