Real World Testing

Red team tactics are invaluable when it comes to helping organizations understand the breadth of their attack surface.  While smaller organizations may be able to focus on just certain areas, larger clients and organizations become increasingly targeted as they grow in size and industry.  Utilizing red team tactics through comprehensive testing can help these types of organizations demonstrate how real-world attackers could penetrate networks and access sensitive data. 

Red_Team

Red Team to the Rescue!

When combined with appropriate defense measures, red team tactics can serve as a powerful preventative tool for both large and small organizations alike.

Comprehensive Red Team Tactics

Comprehensive testing offers an invaluable service to organizations by exposing vulnerabilities that attackers would use to gain access and exfiltrate data.  This type of testing goes the extra mile, with teams simulating a variety of scenarios, from recon and phishing attempts to trojans, physical access, and more.  The goal is to simulate how a determined attacker could gain and maintain access over time.  Though some red team engagements can take place over several months, Secure Ideas strives towards shorter attack timeframes of one month or less for attacks and one week for reporting in order to allow our customers maximum efficiency and impact.
Close up of human hands using virtual panel
Red_Team

Reconnaissance

Secure Ideas’ Red Team evaluates potential risks associated with targets the company is looking to protect.  One of the most essential steps in this process is reconnaissance which involves Open Source Intelligence Gathering (OSINT).  This provides an opportunity to identify any information that is publicly available, such as information about employees or locations.  By analyzing all available public data, the team can create a comprehensive attack plan based on possible threats and vulnerabilities that could affect the target organization.  An OSINT investigation provides an excellent plan for exploitation efforts in the following stages.
Scoping
Website designer working with the new computer interface as design concept
Red_Team

Scope Verification

Secure Ideas takes scope verification seriously.  After gathering details about an organization, our team of experts evaluates their attack plan determining appropriate steps to ensure accuracy and validity.  We then communicate what was identified during the Open Source Intelligence (OSINT) phase and work closely with clients to confirm that all information and plan is valid according to their requirements.
Scoping
Businesswoman holding tablet pc entering password. Security concept
Red_Team

Exploitation

Our testing process is comprehensive, targeting all potential channels of attack.  Exploitation may be executed through social engineering such as phishing, vishing and in-person physical interactions with individuals.  Additionally, malware related exploitation may include trojan horses or custom-built malware which are tailored to the specific engagement in mind.  Credential gathering, stuffing and physical penetration testing are also included within our process for evaluating security vulnerabilities further.  Last but not least, any other predefined and mutually agreed services needed for the scope of testing would be taken into account accordingly.
Scoping
business documents on office table with smart phone and digital tablet and stylus and two colleagues discussing data in the background
Red_Team

Reporting

Reporting is an integral part of the quality assurance process.  All information gathered during testing operations and other investigation phases are carefully sourced and formatted into a comprehensive, professional report.  This first draft is then presented to the client including screenshots and detailed notes on all areas of the test.  After review of the initial report, the client may suggest further revisions or ask for further clarification, which can be incorporated into a final document once approved.  The result of this reporting process is a thorough and accurate account that can be relied upon for analysis and future reference when needed.
Scoping

Testing Credits

Shifting left is critical to the continued security in organizations.  Most development is made better by moving security earlier in the process.  But the traditional penetration testing of web applications and APIs doesn't fit well in the earlier stages of the software development lifecycle (SDLC).

 

Secure Ideas has created a process of testing credits to help solve these issues (especially when paired with SASTA).  An organization can purchase credits to use over the next 24 months.  Combined with a self-scoping system, these credits allow an organization to work with Secure Ideas within their development processes.

si-lock-red (3)
si-lock-red (3)
si-lock-red (3)
si-lock-red (3)

Scoping

Scope depends on the size of the organization.  Larger organizations have larger attack surfaces, so these kinds of engagements can be more expensive.  Using a random sampling of specific areas of the organization can help to keep costs down, but may not provide a comprehensive study of the organization’s attack surface. 

 

Our pricing for this service is calculated from the estimated effort that was scoped and our daily rate.  Some testing may require off-hours testing (for example, a physical break-in attempt).   10% of the overall price is added to the cost of the engagement for this purpose. 

 

*Any tools which have not been provided by the client may be added to the cost of the engagement as well.

 

The Process

Have more questions about Comprehensive Testing?