Red Team Q&A
Q: Who is on the team, and how long does the testing covered by a red-team engagement take?
A: We usually allow 2-3 months for the activity, which also includes a comprehensive reconnaissance effort. Our professional team has been running Red-Team exercises since 2015, operating globally in Europe, the US, APAC and South America.
Q: How do we know that you can perform a good-quality red-team engagement?
A: 3 things:
We can provide you with references, our clients like our work.
Our team and capabilities, see komodo's research relevant to red team.
Read our founder Boaz Shunami on Forbes on how a Red-Team can provide ROI on your security spending (based on over 150 full red-team engagements).
Q: How does coordination take place between the Red-Team and our organization's SOC and security operations (also referred to as the Blue Team)?
A: You will need to assign a mediator between the Red-Team and the Blue Team; we call it the Purple Team. The Purple Team is responsible for aligning the efforts of the Red-Team with the findings of the Blue-Team. For example, if the Blue-Team identifies a breach, the Purple-Team is responsible for telling it whether the activity is the Red-Team or an external attacker.
An interview with Boaz Shunami explaining this (see minute 3:18 for the purple team section):
Q: Can we see an example red-team / cyber war games report? We would like to see your technical capabilities and penetration levels.
A: We will be sharing an example report and can show in a Zoom session some cool videos of Red-Team that we recorded and also explain more about our methodology, techniques, capabilities, the expectations to set and the process in general.
Q: Can we get a budget assessment for your services (to compare with our capabilities)?
A: This is a team effort, comprising 4-5 people, each with a specific technical set of capabilities. The activity is divided into several steps: reconnaissance, attack, privilege escalation, lateral movement and exploitation of trophies. Additionally, there is back-office management of the process and alignment of the teams with the organization. A rough estimate for a red-team engagement is Euro 30K-50K per zone.
Q: We are looking for an active attacking / pen-testing activity to regularly penetrate our systems and look for potential breaches and the weakest points in them, by performing continuous penetration testing using different tactics and techniques. Is this something that you can provide?
A: Sure, this is our External Red-Team offering.
Q: When we focus on white/grey box testing, we would give access to our systems and would create the necessary user accounts (regular users and admins) as the starting point. The target would be to elevate privileges from one administrative tier to another, compromise critical assets and escape to the "C&C" on the Internet.
A: Sure, this is our Internal Red-Team, see next question for example scenarios and here.
Q: We will need to cover the following scope, including, but not limited to (to be reviewed together with the Red Team):
Ability to cross the boundaries (tiers, zones, AD domains, etc.)
Privilege escalation to domain administrator
Escape to Internet
Lateral movement to the external and supply chain environments
Compromise critical business services and data storages
Compromise critical technical services (Deployment, Monitoring, etc.)
A: Internal Red-Team: all these scenarios are covered.
Q: The only constraint is that our production services should not be affected, so in most cases the attack should be stopped with evidence that the lateral movement could break the service or leak the data.
A: Our team is used to working in production environments; this is understood.
Q: Do you have sets of rules and restrictions that you follow?
A: Sure, see our rules of engagement here.
Q: Can we provide you with a prioritized list of targets?
A: A prioritized list of targets is very good. We call them trophies and define them in different tiers, from low-level marketing sites to complete takeover of critical systems in the higher tiers.