RedTeam Missions
Synetis carries out so-called "RedTeam" missions. This type of exercise simulates the point of view of an external, motivated attacker whose goal is to break into your organization's network in order to carry out sabotage, steal strategic data, deploy ransomware, install persistence software, etc. The Synetis methodology is based on three ways of reaching the organization's information system (IS): the computer way (logical intrusion), the cognitive way (social engineering) and the physical way (physical intrusion). These three paths can be pursued in parallel according to an appropriate methodology.
- What sensitive target data can be obtained from the Internet?
- Are employees sufficiently aware of social engineering practices (phishing, spear-phishing)?
- What are the consequences of a lost / stolen company laptop?
- What are the possible compromises from within the company (malicious employee, etc.)?
The approach differs from a "classic" pentest: the auditor takes on the role of an attacker. Whereas a classic audit attempts as many tests as possible in order to cover the audited perimeter as thoroughly as possible, the RedTeam auditor stays as stealthy as possible while working towards the defined trophies, so as not to be caught by the target's detection capabilities.
The RedTeam approach aims to simulate realistic (non-destructive) attacks to thoroughly test the security of a given perimeter. This approach allows for greater efficiency and advanced attack scenarios (logical intrusion, social engineering, phishing, etc.).
The RedTeam focuses on predefined trophies jointly defined by the auditors and the client (access to the back office of an e-commerce site or to a client database, exfiltration of a CRM database, obtaining Domain Admin access, compromising the Active Directory, detecting the use of a ghost account, access to a VIP's mailbox, access to an ERP, etc.). These trophies, set in the client's context, illustrate real risks that can impact the client. Obtaining a trophy validates the feasibility of the attack and the client's exposure to the corresponding risk.
As a result, a RedTeam approach is not intended to be exhaustive in terms of security testing against assets (unlike a "classic pentest"), but is geared towards a global, tactical and efficient compromise, so as to get as close as possible to real attacks through the trophies.
One of the objectives is also to define, for the organization, the impact of a real attack and the cost of the associated remediation measures.
The logical intrusion path is carried out mainly remotely: it aims to identify the external perimeter of the information system and to exploit potential vulnerabilities in order to gain access to the organization's internal network. There are three distinct phases:
- Open source intelligence phase, which focuses on gathering and analyzing information about the target organization in order to deduce a scope that will be validated and/or refined throughout the mission: physical sites, employees, partners, service providers, information leaks (internal reports, passwords, etc.), public address plan of the information system;
- Discovery phase of the external surface of the information system, aiming at mapping the infrastructure accessible from the Internet: exposed services, technologies used, security equipment;
- Offensive testing phase on external services, aiming to break into the organization's DMZ by compromising front-end servers, then pivoting to the internal network.
The social engineering path aims to obtain authentication credentials or to break into the organization's internal network, for example through phishing techniques. There are three distinct phases:
- Profiling phase, to identify a list of people to target for the phishing campaign and to gather as much information as possible in order to develop relevant scenarios;
- Definition of scenarios for the phishing campaign (e.g. sending an e-mail inviting the victim to visit a URL and enter their credentials, or to download a malicious file containing a backdoor);
- Execution of the campaign: sending the e-mails, collecting indicators (statistics on the reception/reading of the e-mail and on the opening of the malicious link) and obtaining access (backdoor or credentials).
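The indicators collected in that last phase (who read the e-mail, who clicked, who entered credentials) are usually derived from the access log of the phishing host, with a unique token per recipient. The block below is an added example written for this page, not Synetis tooling: it issues an unguessable per-recipient token (a truncated HMAC, so one employee cannot forge or alter another's indicators), builds the tracking-pixel and landing URLs, and parses constructed Common Log Format lines into per-recipient "opened / clicked / submitted" indicators. The host name `campaign.example`, the recipient addresses and the log lines are all constructed for the example.

```python
"""Per-recipient tracking indicators for a phishing-awareness campaign.

Added example, not Synetis code. Assumptions: the operator controls a web
host (the constructed name https://campaign.example) whose access log is
available; recipients and log lines below are constructed inline.
"""
import hashlib
import hmac
import re

CAMPAIGN_KEY = b"example-campaign-secret"   # assumed per-campaign secret, kept off the phishing host
BASE_URL = "https://campaign.example"        # assumed operator-controlled host

RECIPIENTS = ["alice@target.example", "bob@target.example", "carol@target.example"]


def token_for(email: str, key: bytes = CAMPAIGN_KEY) -> str:
    """Unguessable per-recipient token: truncated HMAC-SHA256 over the normalized address."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def build_campaign(recipients):
    """Map each recipient to its token, tracking-pixel URL and landing-page URL."""
    campaign = {}
    for r in recipients:
        t = token_for(r)
        campaign[r] = {
            "token": t,
            "pixel": f"{BASE_URL}/p/{t}.gif",   # fetched when the mail body is rendered
            "link": f"{BASE_URL}/l/{t}",        # the link the victim is invited to click
        }
    return campaign


# Common Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PATH_RE = re.compile(r"^/(?P<kind>p|l)/(?P<tok>[0-9a-f]{16})(?:\.gif)?(?:\?.*)?$")


def analyse_log(log_lines, campaign):
    """Return (per-recipient indicators, tokens seen in the log that were never issued).

    opened    = tracking pixel fetched
    clicked   = landing link requested
    submitted = POST to the landing page (credentials entered)
    """
    by_token = {v["token"]: r for r, v in campaign.items()}
    stats = {r: {"opened": False, "clicked": False, "submitted": False} for r in campaign}
    unknown_tokens = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request line we understand
        pm = PATH_RE.match(m.group("path"))
        if not pm:
            continue                      # unrelated path (scanners, robots.txt, ...)
        recipient = by_token.get(pm.group("tok"))
        if recipient is None:
            unknown_tokens.append(pm.group("tok"))   # never issued: tampering, scanner or forwarded mail
            continue
        if pm.group("kind") == "p":
            stats[recipient]["opened"] = True
        elif m.group("method") == "GET":
            stats[recipient]["clicked"] = True
        elif m.group("method") == "POST":
            stats[recipient]["clicked"] = True
            stats[recipient]["submitted"] = True
    return stats, unknown_tokens


def summarise(stats):
    """Campaign-level counts: how many recipients reached each stage."""
    summary = {"total": len(stats)}
    for k in ("opened", "clicked", "submitted"):
        summary[k] = sum(1 for s in stats.values() if s[k])
    return summary


# Constructed log excerpt: alice opens, clicks and submits; bob only opens; carol does nothing;
# one request carries a token that was never issued.
_c = build_campaign(RECIPIENTS)
_ta, _tb = _c["alice@target.example"]["token"], _c["bob@target.example"]["token"]
SAMPLE_LOG = [
    f'203.0.113.10 - - [02/Mar/2024:09:12:01 +0100] "GET /p/{_ta}.gif HTTP/1.1" 200 43',
    f'203.0.113.10 - - [02/Mar/2024:09:12:40 +0100] "GET /l/{_ta} HTTP/1.1" 200 1204',
    f'203.0.113.10 - - [02/Mar/2024:09:13:05 +0100] "POST /l/{_ta} HTTP/1.1" 302 0',
    f'203.0.113.22 - - [02/Mar/2024:09:20:11 +0100] "GET /p/{_tb}.gif HTTP/1.1" 200 43',
    '198.51.100.7 - - [02/Mar/2024:09:21:00 +0100] "GET /l/0123456789abcdef HTTP/1.1" 404 0',
    '198.51.100.9 - - [02/Mar/2024:09:22:00 +0100] "GET /robots.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    campaign = build_campaign(RECIPIENTS)
    per_recipient, unknown = analyse_log(SAMPLE_LOG, campaign)
    for r, s in per_recipient.items():
        print(r, s)
    print("summary:", summarise(per_recipient), "unknown tokens:", unknown)
```

Two caveats a practitioner would apply to these figures: e-mail security gateways and some mail clients prefetch images and even follow links on the recipient's behalf, so "opened" (and, to a lesser extent, "clicked") is an upper bound and should be cross-checked against the source IP and timing; and the per-recipient mapping is personal data about employees, so it should be kept by the auditors only as long as the exercise needs it and reported in aggregate unless the client has agreed otherwise.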
The physical intrusion path aims to gain access to the organization's internal network through a proximity approach that can go as far as physically breaking into the organization's premises (headquarters or a subsidiary, for example):
- Active reconnaissance phase: perimeter discovery of the premises and employees, identification of surrounding wireless networks and offensive tests against them, dumpster diving, dropping of malicious USB keys, etc.;
- Physical intrusion and placement of an implant on the internal network to obtain remote access (over a Wi-Fi or 4G link);
- Offensive tests on the internal network.
At the end of this exercise, which may last several weeks, the list of vulnerabilities will be drawn up by Synetis auditors, along with an action plan. Synetis undertakes to restore the information system to the same state as before the start of the exercise.
Synetis' Redteam methodology is described below (where phase 2 is carried out continuously throughout the service):