The Mandiant Red Team relies on a
systematic, repeatable and reproducible methodology. In collaboration
with the organization’s leadership team, we begin by establishing the
following core information and rules of engagement:
- Does the red team begin its effort with information about your environment (white box) or with no information at all (black box)?
- What intelligence does Mandiant already have about high-risk assets and vulnerabilities in
- What objectives do you want the red team to accomplish in simulating a real-world attack?
Once the objectives are set, the red team
starts by conducting initial reconnaissance. Mandiant leverages a
combination of proprietary intelligence repositories, open-source
intelligence (OSINT) tools and techniques to perform reconnaissance of
the target environment.
Mandiant works to gain initial access to
the target environment by exploiting vulnerabilities or conducting a
social engineering attack, and leverages techniques used by real-world
attackers to gain privileged access to these systems.
Once access is gained, the red team
attempts to escalate privileges to establish and maintain persistence
within the environment by deploying a command and control
infrastructure, just like an attacker would.
After persistence and command and control
systems are established within the environment, the red team attempts
to accomplish its objectives through any non-disruptive means necessary.
Each engagement follows the phases of the attack lifecycle.
The use of real-world attacker TTPs tests your organization’s
readiness and responsiveness to cyber attacks.