Dr. Antje Winkler
Partner | Offensive Security
Red Teaming
Red Teaming
Holistic Attack Simulations
Cyber attacks pose a serious threat to companies, regardless of industry sector and company size. The consequences of a successful attack vary, ranging from the leakage of sensitive corporate and customer data to the disruption of critical business processes, and even to a complete stop of the IT and OT infrastructure.
In order to be well prepared for such emergencies and to sustainably enhance your company’s resilience, we offer cyber attack simulations against your company as part of our red teaming campaigns. During this campaign, established security mechanisms are tested to identify potential areas for improvement. In addition to finding security vulnerabilities in individual systems, we focus particularly on testing the technical and organizational cyber defense measures of your company.
In order to be well prepared for such emergencies and to sustainably enhance your company’s resilience, we offer cyber attack simulations against your company as part of our red teaming campaigns. During this campaign, established security mechanisms are tested to identify potential areas for improvement. In addition to finding security vulnerabilities in individual systems, we focus particularly on testing the technical and organizational cyber defense measures of your company.
Our Offer to You
Every company’s IT environment and security measures are unique. Therefore, attackers need to adapt accordingly, tailoring their cyber attacks to fit each specific organization. The following diagram provides an overview of various kinds of attacks – both from outside and within the company.
We offer various scenarios that reflect these attacker tactics. Each scenario sets the starting point for the campaign and outlines the methods the simulated attacker will use to infiltrate your corporate network:
Assumed Breach
This scenario assumes that an attacker has already gained access to internal IT systems or that an internal perpetrator is misusing their existing access. To simulate this scenario, you provide us with an internal point of access. Based on this, our red team will assess how such an attacker could expand their existing access rights and compromise further systems.
Examples:
- We simulate that an employee's computer in the HR department was compromised through a phishing mail.
- The computer of an employee in the finance department was compromised with a malicious USB stick, subsequently granting the attacker remote access.
Technical Breach
With this approach, we take on the role of an attacker conducting cyber attacks over the internet. Using various information gathering techniques, we identify vulnerabilities in the external perimeter and attempt to exploit them to infiltrate the corporate network.
Examples:
- An outdated test system with known vulnerabilities is exposed on the internet. The attacker attempts to compromise this system.
- Due to a misconfiguration, internal credentials are publicly available on the internet. The attacker leverages these credentials to gain access.
Physical Breach
We act like an attacker who tries to bypass the physical perimeter protection through targeted deception and install a prepared device on the company’s premises. The goal is to overcome on-site security measures and covertly gain access to the company network (e.g., by planting a mini-PC).
Examples:
- Your company has multiple branches connected to the central company network. The attacker attempts to infiltrate the local infrastructure of a branch office and use it to gain access to the corporate network.
- One of your company’s locations has various areas, some of which are public – ranging from the lobby and cafeteria to the offices and production facilities. An attacker tries to exploit access routes for guests, employees and suppliers and gains access to the production facilities.
Red Teaming Approach
The objective of the red teaming campaign is to simulate the impact a cyber attack would have on the customer’s company under real-world conditions. To minimize potential effects on business processes and IT systems, close coordination between all parties involved is of high importance.
Involved Parties
The following parties from both the client and the contractor are involved in the execution of the campaign:
- Blue Team – The blue team acts as the defender, protecting the infrastructure against attacks. This typically involves the target company’s IT department. To ensure the simulation is as realistic as possible, the blue team is generally not informed of the campaign.
- Red Team – The experts of BDO Cyber Security GmbH operate according to the rules of engagement and represent the attackers as the red team.
- White Team – The white team oversees the campaign and maintains regular communication with the red team. It consists of one or two individuals who are knowledgeable about the company's infrastructure. The primary responsibility of the white team is to ensure that any potential disruptions are resolved promptly and with minimal delay.
Red Teaming Campaign Process
The detailed vulnerabilities and pathways through which an attacker can infiltrate the company or advance further within the network are highly dependent on the specific organization. The overall process of the red teaming campaign can be divided into the following stages:
The individual stages are described in detail below:
Reconnaissance
During the reconnaissance phase, information about the target company is gathered. This information is obtained from publicly available sources through Open-Source Intelligence (OSINT) techniques.
The aim is to obtain an overview of the situation and identify possible attack paths, which are essential for subsequent phases of the red teaming campaign.
Persistence in the Corporate Network and Expanding Access (Post-Exploitation)
The post-exploitation phase is the core phase of the campaign and includes several recurring steps:
- Implementing measures to ensure continued access to the compromised system (Persistence)
- Collecting data about the system (Situational Awareness)
- Analyzing the network environment, additional systems, users, or applications from the compromised system (Internal Reconnaissance)
- Elevating permissions by exploiting misconfigurations or vulnerabilities (Privilege Escalation)
- Expanding access to other systems, users, or applications within the network (Lateral Movement)
Demonstrating the Achievement of the Campaign’s Objectives (Objectives)
The achievement of the campaign’s objectives is demonstrated to the White Team through jointly defined actions, such as:
- Creating a user with elevated privileges
- Gaining access to key servers
- Exfiltrating sensitive company information
Methodology and Frameworks
There are many established methodologies and frameworks that guide a red teaming campaign, ensuring that the results are consistent and compliant with regulations such as the Digital Operational Resilience Act (DORA) or NIS-2.
- The MITRE ATT&CK Framework (Adversarial Tactics, Techniques & Common Knowledge) outlines tactics, techniques and procedures based on real-world observations of cyber attacks documented by security experts.
- Threat-Led Penetration Testing is an evolution of the Threat Intelligence-based Ethical Red Teaming (TIBER) framework, which is used for Red Teaming campaigns in the financial and banking sectors and is applied in conjunction with the DORA regulation.
- The Lockheed Martin Cyber Kill Chain details an attacker’s approach through a series of progressive stages, describing the consequences of actions taken during a cyber attack.
Social Engineering
Social engineering focuses on exploiting human factors, aiming to entice employees in their respective roles to disclose sensitive information or to carry out certain actions. Starting from a successful compromise, the objective is to infiltrate the company’s infrastructure.
In addition to email phishing, alternative communication channels such as messaging services or social media are possible.
Example: