A Cyber Red Teaming/Advanced Adversary Simulation is the next step in a security program. A goal-based simulated attack leverages any agreed-upon methods needed to achieve the defined goal over an extended period. During the Advanced Adversary Simulation, the team works as an attacker would, evading detection while pursuing the identified goal. A real adversary will take their time to exploit a target, and so will the Cyber Red Team. If the Cyber Red Team is detected or stopped, they regroup and identify a new plan of action until they succeed or an agreed-upon end of engagement is reached.
After objectives are set, testers deploy several “initial access activities” designed to gain a foothold in your network and establish persistent access. Using spear-phishing attacks, an MS Office document, or other code, testers deliver a malicious payload that provides access to the network. Then they wait, maintain persistence, and carefully explore probable attack routes.
Because the testers have the luxury of time, they might choose to add physical tactics to the engagement. A successful USB drop might provide a route with more privileges. Depending on the objective, testers may overtly interact with staff to persuade them into handing over credentials. Testers may also act covertly, attempting to blend in, gain access to restricted areas of the organization, and remain unnoticed. Testers might choose to visit an abandoned office and drop off a network plug-in device. Overt and covert tactical approaches are easily combined to provide a more comprehensive evaluation. Testers closely monitor all attacks, and their ability to gain additional network access is carefully documented. Once the testers have escalated their privileges and can move laterally around the network, they begin to exfiltrate data.
Some organizations that conduct Advanced Adversary Simulation engagements for the first time might invite their security teams to participate actively in the engagement. Testers conduct attacks and work closely with the security team to see whether it can spot each attack, and to review the defensive measures it executed in response. This type of engagement is called purple teaming and offers the opportunity for hands-on training during real-world attack scenarios. Organizations immediately see deficiencies and understand where to assign resources to remediate critical issues quickly.
Other organizations choose to conduct an Advanced Adversary Simulation engagement after a purple team engagement, so that their security teams have had the opportunity to remediate findings and update policies. During this Advanced Adversary Simulation engagement, the security team is not involved; testers verify that the previously identified vulnerabilities have been remediated and also identify and exploit new attack vectors.