Red Team Testing Services
Insomnia Security’s Red Team testing services include a range of customised approaches to provide a realistic assessment of an organisation's ability to protect against and respond to modern adversaries targeting their most valuable assets.
These exercises regularly identify paths for compromising critical business assets that have not been considered when systems are viewed as silos during tightly-scoped assurance activities, and give security teams the opportunity to practice detection and response within their own environment.
At the completion of all exercises, a narrative attack report explaining the paths taken and any detection or response observed is delivered, along with prevention and detection recommendations relating to the specific techniques used. Generally, an in-person debrief is also delivered to allow individuals to ask questions of the Red Team regarding their decision-making process or the techniques they used.
Red Team Exercise
More persistent attackers are happy to perform ongoing, slow-paced reconnaissance, waiting for an opportunity to present itself whilst also being unlikely to be deterred by detection and eviction attempts. This approach to Red Team Exercises involves expending an agreed number of days of effort over a number of months to replicate an attacker with an ongoing interest in an organisation's systems and data.
This is the preferred engagement model as it allows the freedom to perform opportunistic attacks based on current events, to reduce the pace of activities where beneficial, and to spend more time on the development and modification of tooling where needed.
Time Limited Exercise
Insomnia Security undertakes an attack against the target organisation using the techniques of a real-world attacker, typically with little or no information provided. A business level target is agreed upon, such as exfiltration of specific intellectual property, access to specific employees of interest, or obtaining access to affect core business functions. The attack is then prosecuted within any agreed constraints.
Under this standard Red Team Testing model, the time utilised is a number of consecutive days, replicating a targeted attack on an organisation over a limited duration.
While it is important to exercise initial entry vectors, there are cases where starting from a post-compromise position is valuable. Likely scenarios include the compromise of a third party who has legitimate access to the organisation's network, an attacker who has compromised a staff member's laptop or an internal system, or cases where an organisation wishes to focus on testing its post-compromise detection and response capabilities.
During these engagements, the Insomnia Security Red Team is provided with the same access as an attacker would be expected to have in the scenario to be assumed. This could be Citrix access provided to contractors; low privileged access to a corporate workstation to replicate a compromised corporate user; or general corporate LAN access to simulate an unauthorised device on the network. From this starting position, the Red Team then simulates the later phases of an attack.
The success of an email-based attack usually relies on the targeted user performing an action, and on that action completing successfully. This often means enticing an individual into clicking on a link and then entering credentials, or into opening an attachment. Whether or not the target will perform the action depends on many variable factors, such as the time of day, the target's current work, and any work-related or personal stress.
Insomnia Security’s approach is to focus on hardening endpoints and authentication schemes to reduce the likelihood of compromise, even if the target were to click on a link, open a malicious attachment, or submit credentials. These engagements include reviewing client-side controls and remote access vectors for controls that increase the complexity required for an attack to succeed. This is then combined with exercising detection and response plans to determine whether the organisation has the ability to respond to phishing attacks.