Adversary Simulation (Red Team Assessment)

Service Context

A red team exercise is the logical next step for organisations with a mature security program that demands greater assurance. A red team exercise will holistically assess an organisation’s ability to detect and respond to a wide range of attacks, giving confidence that they are secure in the real world.

Key Benefits

Comprehensive Assessment: A red team exercise goes beyond conventional security testing, holistically evaluating the organisation’s ability to detect and respond to real-world attacks. This comprehensive assessment evaluates people, processes and technology to identify issues that cannot be detected by penetration testing alone.
Actionable Insights and Improved Defences: A Red team exercise enhances real-world security by providing actionable insights to improve defences. Cyber Alchemy’s detailed and digestible reports reduce the time and effort requires to fix issues, providing a strategy to build an organisation’s resiliency.
Maximise Security Investments: Organisations invest heavily in security systems and the personnel that use them to ensure that they remain secure. A red team assessment measures security investments and provides actionable steps to optimise and improve them, enhancing and fortifying your security program’s effectiveness to achieve a higher return on investment.

Why Cyber Alchemy?

Unrivalled Expertise: Our cyber specialists come from a broad range of professional backgrounds and have extensive adversary emulation and penetration testing experience. Having team members coming from incident response and software development backgrounds allows the team to think around problems or develop new tools to solve the issue, being able to mimic even the most motivated adversary

Customised Approach: We understand that every organisation is unique. Our Red Team Assessment service is tailored to your specific needs, industry regulations, and risk profile. We develop a value-oriented approach, incorporating custom attack scenarios that mimic the threats most relevant to your business, ensuring targeted and effective testing.

Comprehensive Security Testing: Our Red Team Assessments cover a wide range of security aspects, including network infrastructure, web applications, wireless networks, social engineering, and physical security. We leave no stone unturned in assessing your overall security posture.

Collaboration and Knowledge Transfer: We believe in fostering collaboration throughout the assessment process. Our Red Team works closely with your internal security team, sharing knowledge, best practices, and recommendations after the enagement. This empowers your team to understand the attack vectors better and strengthen your defences.

Actionable Recommendations: Our Red Team Assessment doesn’t stop at identifying vulnerabilities. We provide you with actionable recommendations and practical remediation strategies to help you prioritise and address the identified weaknesses. Our focus is on helping you improve your security posture over the months that follow the assessment.

Why do I need a Red Team Assessment?

Most organisations are only as strong as their weakest link. Red team exercises allow organisations to test the effectiveness of their network security and identify weaknesses and vulnerabilities in their existing policies, processes, technologies and personnel. Cyber Alchemy frequently works with organisations that have invested thousands in security tooling to keep them protected but often lack the required parallel investments in people and processes to maximise the value of these investments.

The outputs from a red team exercise give organisations actionable data to evolve their security strategy based on the organisation’s unique weaknesses and vulnerabilities. They help identify and fix all identified security weaknesses and processes. Post-exercise reporting is important to document the how, what, and where and to improve processes and business defences for the future. Through this process, it is also possible to improve response time should a real-world attack occur.

Our Approach

Cyber Alchemy builds every red team engagement bespoke. Every engagement has different objectives and needs to assess different capabilities. Cyber Alchemy maps all of its Red Team exercises to the MITRE ATT&CK framework, which is a knowledge base of adversary tactics and techniques based on real-world observations. This approach has several benefits:

More effective engagement planning, execution, and reporting.
Provides an easy-to-track register of capabilities, exposures and the testing conducted.
Bridges gaps across different parts of an organisation, and it can be re-used by non-technical teams with easy-to-understand visual representations and reporting.
Ensures engagements are centred around real-world scenarios.

Project Plan

We will work with you to determine your objectives for the exercise and the rules of engagement, including any operational rules.
Before testing, Cyber Alchemy will develop a project plan defining the rules of engagement and a high-level plan with attached timescales. Should the organisation require a deeper understanding of the specifics of our plan, we can share this as part of a more collaborative approach. Typically, however, the fine details of planned attacks are not shared with the target organisation as this closer mimics an adversary.

Taking an intelligence-led approach, the red team will gather information from public sources related to your organisation. By emulating real-world adversaries, we analyse your digital footprint, identify potential attack vectors, and probe for any vulnerabilities that could compromise your security.

Once actionable intelligence has been gathered, we embark on an orchestrated series of simulated attacks to deliver the objectives defined in the scoping stage. Our seasoned red team professionals employ custom tools and cutting-edge methodologies to simulate real-world threats against your defences. We exploit identified vulnerabilities, escalate privileges, and rigorously test the resilience of your security controls. Through controlled and ethical hacking practices, we expose any weaknesses that malicious actors could exploit.

Throughout the engagement, we record which systems and tools are used or accounts created to achieve access. Where authorised changes to systems have been made, these will be reverted to the same state as if the engagement never happened, guaranteeing a seamless transition back to normality

Our Red Team Exercise report will provide a detailed and digestible view of the critical, high-, medium- and low-priority risks and appropriate prioritised recommendations for your organisation. A matrix based on MITRE ATT&CK is also provided, giving a clear visual interpretation of what attacks were performed and where gaps were found. These outputs can be expanded into a defined security strategy as part of a further engagement with Cyber Alchemy, helping the organisation maximise the value of further security investments.

For organisations requiring in-depth and continuing remediation, every engagement has the opportunity to use our Full Stop Remediation™ service. Bespoke training delivered by our expert trainers covers the issues discovered in your systems and gives your system administration team the skills to ensure the same issues don’t creep back into your infrastructure. Full details of our reporting and Full Stop Remediation™ can be found below.

The report contains the scope, technical approach, executive summaries, dynamic risk visualisations, prioritised vulnerabilities based on likelihood vs impact, and bespoke mitigation advice for each finding. Each report has three distinct and dedicated board, management, and technical personnel sections. Report clarity ensures understanding and enables informed decisions. The report is aligned with MITRE ATT&CK, providing a standardised and comprehensive structure to describe the adversary techniques, tactics, and procedures employed during simulated attacks, enabling clear communication of the findings and facilitating effective remediation actions by the blue team. Every Cyber Alchemy report will include the following:

Background: An overview of the assessment’s general purpose, scope, methodology, and timing.
Management Summary: A detailed but digestible summary of the results, such as key critical findings requiring immediate attention, system or recurring issues, and other general findings. This could also include strategic recommendations, offering long-term remediation actions to ensure ongoing risk reduction.
Technical Details: Comprehensive vulnerability results, including a description of the vulnerability observed, the impact, evidence of where the vulnerability was observed, step-by-step demonstrations of exploits performed which give teams the ability to internally verify the issues, and detailed remediation recommendations which give developers the steps to address every reported issue.
Methodology: A detailed recap of what was tested, the methodologies used, and the related historical information required for audiences such as auditors to understand the specifics of the test approach.
Attack Surface Analysis: Additional content and guidance, such as recommended post-assessment activities that provide added value to the audience of the report.

After every engagement, we offer a focused meeting to discuss the testing and outcomes. This allows system administrators and risk owners to ask specific questions to our expert consultants, ensuring all parties understand the context of the vulnerabilities, root cause and the real-world likelihood and impact of successful exploitation in the context of the organisation. The potential mitigation steps will be discussed, allowing for the implementation of robust measures and the possible effort to be understood.

We don’t believe that report delivery marks the end of the engagement; in fact, it’s just the beginning for us. We’re in every client relationship for the long haul, providing ongoing support to ensure that issues are robustly addressed in line with your organisation’s requirements.

After every engagement, we offer a focused meeting to discuss the testing and outcomes. This allows system administrators and risk owners the opportunity to ask specific questions to our expert consultants, ensuring all parties understand the context of the vulnerabilities, alongside the likelihood and impact of successful exploitation.

We recognise that remediation of all issues doesn’t just happen overnight, and our technical team will be happy to answer any questions while remediation is happening over the following months. We find this approach allows for better integration of security into development and helps reduce the number of issues we see when retesting.

For clients who require further support, we offer our Full Stop Remediation™ post assessment training, which incorporates real-world examples from the assessment into the training course. This tailored approach delivers lessons to system administrators in a familiar context and environment, allowing the lessons learned to be immediately applied to existing projects and ensures long-term risk reduction. More information about Full Stop Remediation™ can be found below.

Full Stop Remediation™ – Secure Infrastructure Operations Training

From the results of a penetration test, or series of assessments, our consultants can provide bespoke training to system administrators on how to remediate the issues found in the assessment and SecOps best practices. This powerful remediation offering allows total remediation for now and the future, giving infrastructure teams the skills to identify vulnerabilities before they make it to production. Other benefits of this remediation package include the following:

Cost savings: Investing in remediation training helps your organisation save money in the long run. By preventing security incidents and potential breaches, you avoid the financial impact of data loss, system downtime, regulatory penalties, and reputation damage.
Long-term Risk Mitigation:Our remediation service equips your team with the skills and knowledge to address vulnerabilities in the present and future. By building a strong foundation of security practices, you create a sustainable framework for ongoing risk mitigation.
Better collaboration: When system administrators understand how to build and maintain secure systems, they can work more effectively with security teams and other stakeholders, resulting in a more secure and cohesive infrastructure estate.
Foster a “Security First” culture: With better awareness of security issues and the knowledge to address them, a culture of security can be developed. With a strong security culture comes greater security, shared accountability and efficiency, forming the basis of any successful security program.
Empowered Internal Teams:Our training empowers system administrators to handle remediation tasks independently. They gain the knowledge and skills needed to efficiently address vulnerabilities, reducing reliance on external security consultants for routine remediation efforts.

Contact us today for more information on how Full Stop Remediation™ can accelerate your SecOps program and put security at the heart of your infrastructure administration team.

Specifically, for your organisation, that question will be answered at the end of a scoping call with our technical team. The duration depends on various factors, such as the specified objectives and the organisation’s size. Generally speaking, depending on the project size and requirements, it can range from a few weeks to a couple of months.

Penetration testing focuses on exploiting vulnerabilities within specific systems, enabling you to assess the resilience of your technology. However, red teaming adopts a more proactive approach by simulating real-world threat actors who stealthily infiltrate your systems, striving to compromise an organisation’s core systems. Through conducting red team exercises, you gain a holistic evaluation of your defences, encompassing technical controls, processes, and personnel.

The cost of an assessment can vary based on factors such as the size and complexity of the engagement. After the scoping call, our consultants will be able to provide a detailed quote which outlines what we will do and what the outputs of that work will be

We don’t just wine, dine and dash. We’re in every client relationship for the long term. Just like most providers, after the penetration testing is complete, you will receive a detailed report outlining the vulnerabilities identified, their severity levels, and recommendations for remediation. Where we differ is in the post-test support. We recommend to all clients that debrief meetings are scheduled after the assessment is completed, allowing for discussions around real-world risk, prioritisation and the best way to approach specific remediation actions. We recognise that remediation of all issues doesn’t just happen overnight, and our technical team will be happy to answer any questions while remediation is happening over the months that follow. We find this approach allows for better integration of security into development and helps reduce the number of issues we find when retesting applications.

Of course, what good is a security assessment if the issues aren’t addressed?! Our team will be here to support remediation efforts for months after the end of the assessment. Our recommended post-engagement debrief calls, and detailed reports provide all the information that is often required to remediate all issues, but if we can be of any more use, then we will be on hand to help.

We understand that timescales can sometimes be tight, and things need to get done. In these cases, we will attempt to accommodate all requests from our clients, or if we don’t have capacity, we will know a trusted partner who can. Typically, we ask for a lead time of at least four weeks due to the set up required for the engagement.

The frequency of red team assessments depends on each client, often considering the organisation’s risk appetite, budget and security program maturity. As a general rule, conducting a red team assessment at least once a year or whenever significant changes are made to the organisation’s security program is recommended.

Our objective is not to cause any disruption during the assessment, but that doesn’t mean that problems can’t (and don’t) occur. There might be instances where certain vulnerabilities could cause temporary issues, but as stealth is paramount, these situations are rare. There are lots of techniques that can be used to minimise the likelihood of issues occurring. For example, certain aspects may be conducted outside core business hours, although this will be discussed with every client beforehand. Whatever is required, our team can determine a testing strategy to meet your objectives safely and securely.