Tales From the Road: Red Team Assessment Services to the Rescue

Organizations with security maturity can greatly benefit from annual red team assessments to keep up with the ever-evolving cyber threat landscape.

Major organizations that hold detailed and private information are prime targets for malicious attackers, regardless of industry. Bad actors will find ways to break through physical and cyber barriers to obtain and sell personal information, and no organization or business is off-limits, especially as cybersecurity attacks grow in severity and sophistication. While you may believe your organization has airtight security or wouldn’t be a target, we’ve seen it happen time and again, and that’s when red team assessment services may be needed.

A longtime client who has utilized our penetration testing and MSSP services to bolster their security over the years needed a deeper look at their security. They were preparing for a situation where they would be handling more data than usual, and because they already have a high level of security maturity, we recommended our red team assessment services. Red team assessments mimic severe real-world security risks, allowing us to identify security weaknesses that pose significant threats to organizations like our client that hold a great deal of protected health information (PHI) and personally identifiable information (PII).

In this Tales From the Road blog, we’ll discuss the adaptive process our consultants take when conducting a red team assessment and the various strengths and weaknesses they uncovered during their thorough examination of this client’s advanced security systems.

Establishing the Parameters of Red Team Assessment Services

Here’s the thing: red team assessments are considered one of the most intense physical and cybersecurity assessments available. Because of their thorough nature, it’s paramount to establish parameters for the level of access our team will have. Of course, when the need for a red team assessment arises, it typically means the organization is at risk of attack by advanced threat actors. In this client’s case, our consultants were given nearly full access to the physical and networked environments, with only a couple of restrictions in place.

To prepare for the red team assessment, our consultants spent several weeks performing passive reconnaissance on the organization, which is the first step in emulating the most advanced attackers out there. As is the case with many things in life, preparation is key, even (and maybe especially) when you’re attempting to break into a major organization’s physical buildings and networks. This phase consisted of searching publicly available sources and the dark web, which is (unfortunately) a veritable gold mine for information. With the details they found, our consultants were well-equipped to conduct a physical penetration test, email and voice phishing, and password spraying attacks.

The Physical Breach

One of the only restrictions in place involved the physical penetration test, but our consultants were still able to gain a significant amount of access to the organization’s facility. Once inside and in the right areas, our consultants connected to the internal network and deployed a drop box that connected back to the DirectDefense infrastructure. While this action would have provided the opportunity to conduct remote attacks against the client, their advanced security saved the day in this instance and our drop box was disconnected within 30 minutes after the security team was alerted to its presence.

Naturally, we were pleased to uncover this strength of our client’s security structure, but red team assessment services call for a lot more than drop box deployment. Red team assessments are designed to go at a client from all angles, so our consultants prepared for the next step: wireless network attacks.

Digging for Data Gold

For our consultants’ next trick, they implemented an Evil Twin access point (AP) to entice users to connect to this rogue network and divulge company credentials. By performing a GTC downgrade attack that utilized the Evil Twin AP, they obtained one user’s credentials that they then used to gain access to the client’s Internet-facing resources. One thing that made this step easier: multi-factor authentication (MFA) deficiencies, which turned out to be one of the most prevalent issues for this organization.
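The supplicant-side mitigation for the Evil Twin and GTC downgrade described above, added here as an example and not the client's or DirectDefense's configuration: two wpa_supplicant network blocks for the same WPA2-Enterprise SSID, one that accepts any RADIUS server and any inner method, and one that pins the RADIUS CA, checks the server name, and refuses EAP-GTC. The SSID, identity, certificate path and server name are assumptions.

```ini
# Added example (not the client's or DirectDefense's configuration).
# The SSID "corp-wifi", identity, CA path and server name are assumptions.

# WEAK: no server certificate validation and no inner-method restriction.
# A rogue AP broadcasting "corp-wifi" can present its own RADIUS
# certificate; the supplicant accepts it, and if the rogue server
# proposes EAP-GTC as the inner method, the password is sent in
# cleartext inside the TLS tunnel (the GTC downgrade).
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    # placeholder value, never a real password
    password="hunter2"
    # no ca_cert, no domain_match, no phase2: server and inner method unchecked
}

# HARDENED: pin the corporate RADIUS CA, require the expected server
# name from its certificate, disable TLS 1.0, and fix the inner method
# to MSCHAPv2 so a GTC proposal from a rogue server is refused.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    # placeholder value, never a real password
    password="hunter2"
    # assumed path to the corporate RADIUS CA certificate
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    # assumed RADIUS server name; must match the certificate's subject/SAN
    domain_match="radius.corp.example"
    phase1="peapver=0 tls_disable_tlsv1_0=1"
    # only MSCHAPv2 is allowed as the inner method; EAP-GTC is rejected
    phase2="auth=MSCHAPV2"
}
```

Managed Windows and macOS supplicants expose the same three controls (trusted root CA, expected server names, fixed inner method); pushing them by policy closes the same gap fleet-wide.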

To credit this client, they did have MFA in place for VPN access, which is incredibly important in today’s remote working environment, and was one of their many security strengths. Unfortunately, they did not have MFA in place for many internal networks and Internet-facing devices. This gap left the door open for our consultants to gain access to an application by using the stolen credentials, which revealed a great deal of PHI and PII.

Additionally, our consultants were able to access the client’s Azure environment without detection, a gap we see all too often. This was a prime example of why the red team assessment services were needed in this case: while many parts of this client’s security structure were incredibly strong, their newer applications weren’t nearly as protected as their legacy ones.

Uncovering the Top Weakness

Speaking of security gaps we see all too often, one of this organization’s biggest security weaknesses turned out to be their help desk personnel’s lack of security training. Social engineering penetration testing has proven to be an incredibly successful tactic during many of our client engagements over the years, and we found that by turning on the confused “I got a new phone and need a new sign-in” charm, we were able to bypass security measures and gain access to administrator controls.

How do we (and attackers) pull off social engineering attacks so often? Simple: caller ID spoofing. It’s an incredibly common tactic used by attackers that can trick even reasonably well-trained help desk professionals. Fortunately, there’s a simple fix for this issue: call back a known number for the person claiming to call, request a video call, or use an app-based MFA test that the user must respond to while on the call. While it’s not a 100% foolproof method, it is an extra precaution that can easily stop an attacker from taking serious advantage of help desk employees and infiltrating private networks and information.

When You Have the “Best” Security, There Are Still Better Attackers

At DirectDefense, we think like an attacker to uncover every security vulnerability. And then, we patch those holes. Red team assessment services are reserved for situations where clients have genuinely strong security infrastructures but equally strong security concerns. Prominent organizations are often some of the most prominent targets, and advanced attackers aren’t deterred by the security measures many think will keep them at bay. For this client, vulnerabilities were uncovered that, if exploited by real attackers rather than their MSSP, could have been financially and reputationally devastating.

The key to our consultants’ approach to successfully uncovering these vulnerabilities is their adaptability. While reconnaissance and information gathering work extremely well for both attackers and our consultants, it’s nearly impossible to predict exactly what barriers you may need to break through while trying to infiltrate an advanced organization with security maturity. Fortunately, our consultants are ready for anything they might encounter, and they were able to uncover holes in our client’s security posture and make strategic recommendations for patching ahead of the time when attacks are most likely.

Contact Us Today!

If your organization is looking for MSSP services, or if you want a routine security assessment, we’re ready to help. Visit directdefense.com or call 1 888 720 4633.
