If security is about building a higher fence, then expanding your security testing beyond the physical perimeter, the network infrastructure, or policy review helps ensure the fence stays high enough that attackers cannot climb over it. Advanced Adversary Simulation is a next-level engagement designed to examine whether an organization's security tool suite is properly installed, monitored, and maintained. This engagement goes beyond the typical network pen test: it evaluates an entire internal security team's capabilities in real time as testers identify and exploit vulnerabilities across multiple attack vectors.
Through a series of simulated cyber-attacks, testers observe what steps teams take to pinpoint, isolate, and defuse each attack. Advanced Adversary Simulation tests are methodical and calculated, and they are designed to take more time than a typical engagement so that the attacks remain realistic. Testers continually evaluate routes and choose the path a would-be attacker is most likely to take. To remain undetected, they move slowly and deliberately to complete their objectives and gradually expand their foothold.
At the end of the engagement, the Advanced Adversary Simulation team will have spent weeks thinking like an attacker and amassing a large body of data. Results collected during these simulations are compiled into actionable reports that reveal your organization's susceptibility to such elevated cyber-attacks and their potential impact. RedTeam's comprehensive reports show clearly what was found and how it was found, and they provide detailed, proven recommendations for remediation. Reports are typically supported with evidence in the form of photos and video or, in the case of networks, screen captures. Advanced Adversary Simulation engagements provide highly valuable information about your defensive capabilities and your employees' security practices. This crucial information is carefully collected to help improve your overall security posture.
After objectives are set, testers deploy several "initial access activities" designed to gain a foothold in your network and establish persistent access. Using spear-phishing attacks, an MS Office document, or other code, testers deliver a malicious payload that provides access to the network. Then they wait, maintain persistence, and thoughtfully explore probable attack routes.
Because the testers have the luxury of time, they might choose to add physical tactics to the engagement. A successful USB drop might provide a route with more privileges. Depending on the objective, testers may overtly interact with staff to persuade them to hand over credentials. Testers may also act covertly, attempting to blend in, gain access to restricted areas of the organization, and remain unnoticed. They might, for example, visit an abandoned office and drop off a network plug-in. Overt and covert tactical approaches are easily intertwined to provide a more comprehensive evaluation. Testers closely monitor all attacks, and their ability to gain additional network access is carefully documented. Once the testers can escalate their privileges and move laterally around the network, they begin to exfiltrate data.
Some organizations conducting an Advanced Adversary Simulation engagement for the first time choose to have their security teams participate actively. Testers conduct attacks and work closely with the team to see whether it can spot each attack, and to identify the defensive measures it executed. This type of engagement is called purple-teaming, and it offers hands-on training against real-world attack scenarios. Organizations immediately see their deficiencies and understand where to assign resources so that critical issues are remediated quickly.
Other organizations choose to conduct an Advanced Adversary Simulation engagement after a purple team engagement, once their security teams have had the opportunity to remediate findings and update policies. In this Advanced Adversary Simulation engagement the security team is not involved, and testers both verify that previously reported vulnerabilities have been remediated and identify and exploit new attack vectors.
Advanced Adversary Simulation engagements are designed for organizations that already have a developed security program and are looking for a way to test the controls they have in place comprehensively and quantifiably. If you are considering this type of engagement, one or more of the following should be true for your organization:
We have an information security program in place.
We perform penetration testing every year.
We must meet regulatory compliance requirements.
We conduct routine social engineering exercises (phishing or vishing).
We want to expand our security testing capabilities.
To learn how Advanced Adversary Simulation can improve your organization's overall security posture, give us a call at (612) 234-7848 or schedule a free consultation with one of our information security professionals.