The specific methodology used during this testing may be customized during the engagement based on results and findings, but will generally follow the following steps:

1. Identification – The goal of this step is to identify, assess, and catalog both human and technical targets that would be most susceptible to compromise by an external adversary.
   1. LMNTRIX may leverage both open source intelligence collection techniques (OSINT) and active scanning tools to locate Internet-accessible systems and applications. Each potential target may be evaluated for further testing based on multiple factors, including exposed ports and services, technical architecture, functionality, potential vulnerabilities, ease of compromise, and value to an attacker.
   2. LMNTRIX may also leverage OSINT to identify potential Customer employees for targeting using social engineering techniques. This process entails collection and analysis of data derived from publicly accessible sources such as search engines, social media, Customer websites, and other online resources that provide the information necessary to create and execute targeted social engineering attacks against specific individuals.

The outcome of Identification phase is a master list of potential targets that will be evaluated and prioritized for exploitation.

2. Exploitation – During Exploitation phase, LMNTRIX will leverage the analysis conducted during the Identification phase to select high-potential targets, customize technical and social engineering attacks designed specifically for those targets, and execute the attacks in order to gain access to internal Customer networks. The Exploitation phase may include any of the following:
   1. Technical Exploitation – Upon identification of vulnerabilities in Internet-facing systems and applications, LMNTRIX may attempt to exploit those vulnerabilities to compromise sensitive data or gain a foothold within the perimeter. Additionally, LMNTRIX may execute attacks against systems with the goal of gaining further insight into the environment to identify additional targets or gain additional targeting information. Types of attacks typically used during this activity include SQL Injection, upload and execution of web shells, and brute force attacks against login interfaces.
   2. Social Engineering – LMNTRIX may also target Customer employees using both phone and email-based techniques. Individuals may be selected from the target list based on job function, presumed access to important internal systems, and perceived susceptibility. LMNTRIX will tailor the phone and email based attacks to each user in attempt to perform various potentially harmful actions, including revealing login credentials, visiting unknown websites, or executing malware on the target’s corporate IT asset.

The ultimate goal of Exploitation phase is to breach the perimeter and access internal systems. Technical exploitation is often accomplished by compromising Internet-facing systems and leveraging that access to attack adjacent systems within the environment. Social engineering exploitation is often achieved by obtaining valid credentials that can be leveraged to access the environment via remote access solutions (e.g., VPNs) or via execution of malware on the user’s machine that allows LMNTRIX to operate within the internal environment under the context of the user.

3. Post-Exploitation – Upon gaining access to the internal environment, LMNTRIX will attempt to move laterally throughout the intranet and ultimately accomplish the defined objectives. The Post-Exploitation phase may involve the following:
   1. Privileged Escalation – Upon gaining access to a system, LMNTRIX may leverage various attacks to escalate the privileges of the current user to the highest levels. This escalated privilege allows LMNTRIX to perform a variety of malicious activities, including establishing persistence, installing additional malware (e.g., key loggers), and capturing credentials.
   2. Internal Exploitation – By leveraging the same techniques used during Identification phase, LMNTRIX may search for internal data repositories, portals, collaboration forums, and other internal sources that provide access to sensitive data and assist in locating high-value targets within the intranet. Additionally, LMNTRIX may identify internal systems that can be compromised via technical exploits in order to gain further access to the environment or capture additional credentials.
   3. Credential Harvesting – Once access to internal systems has been obtained, LMNTRIX may begin collecting account credentials for valid internal users. Specific focus will be given to identifying and extracting privileged domain credentials, as these provide extensive access to the environment. Typical credential harvesting attacks include dumping hashes, Kerberos tickets, and clear text credentials from local system memory or accessible virtual machine files and identifying accessible scripts and configuration files with hard-coded credentials.

In most attacks, post-exploitation is an iterative process that involves multiple cycles of identifying internal targets, compromising those targets, and extracting additional information and credentials for further lateral movement within the intranet. As noted above, the ultimate goal of this phase is to accomplish the predefined attack objectives. In order to accomplish the objectives, LMNTRIX often obtains full administrative access to critical systems (e.g., financial application servers, key databases, executive email and file shares), the internal authentication and authorization systems (e.g., Active Directory, LDAP, two-factor authentication), or the core network infrastructure (e.g., RADIUS, TACACS).

A secondary objective of this assessment is to measure the detection and response capabilities of the information security team. Therefore, LMNTRIX will use testing and attack techniques that are designed to bypass or evade security controls. LMNTRIX will leverage custom malware that may not be detected by commercial anti-virus products, and avoid using any scanning or exploitation techniques that are likely to be observed by system users or detected by network sensors and endpoint controls. In the event that Customer information security team detects the test in progress, the LMNTRIX and Customer project managers will select an appropriate course of action for the continuation of testing.

Red Team activities will be discussed and agreed upon by both LMNTRIX and the Customer during the project kickoff meeting. This agreement may include the specific scope of the engagement (e.g., whitelisted targets, blacklisted targets), coordination and approval necessary prior to exploitation of targets, schedules and timeframes, data handling and communications plan, and escalation policy.

Red Team Cyber Security Assessments at a Glance

WE HELP YOU:

• Test your security team’s effectiveness in dealing with a cyber attack
• Train your team to better respond to future cyber attacks
• Determine the level of effort required to compromise your sensitive data or IT infrastructure
• Identify and mitigate complex security vulnerabilities before an attacker exploits them
• Receive fact-based risk analysis and recommendations for improvement

WHAT YOU GET:

• A high-level executive summary of the Red Team Assessment, catering towards executives and senior-level management
• A detailed report describing actions taken during the assessment and a report of all found vulnerabilities
• Fact-based risk analysis detailing the relevance of each vulnerability with respect to your environment, and techniques to validate said vulnerabilities
• Strategic recommendations for long-term improvement