The FireEye Mandiant Red Team relies on a systematic, repeatable and reproducible methodology. We begin by establishing the following core information and rules of engagement, agreed upon in collaboration with the organization’s leadership team:
- Does the red team begin its effort with information about your environment (white box) or with no information at all (black box)?
- What intelligence does Mandiant already have about high-risk assets and vulnerabilities in
- What objectives do you want the red team to accomplish in simulating a real-world attack?
Once the objectives are set, the red team starts by conducting initial reconnaissance. Mandiant leverages a combination of proprietary intelligence repositories and open-source intelligence (OSINT) tools and techniques to perform reconnaissance of the target environment.
Mandiant attempts to gain initial access to the target environment by exploiting vulnerabilities or conducting a social engineering attack, and leverages techniques used by real-world attackers to gain privileged access to systems within that environment.
Once access is gained, the red team attempts to escalate privileges to establish and maintain persistence within the environment by deploying a command and control infrastructure, just like an attacker would.
After persistence and command and control systems are established within the environment, the red team attempts to accomplish its objectives through any non-disruptive means necessary.

Each engagement follows the phases of the attack lifecycle. The use of real-world attacker TTPs tests your organization’s readiness and responsiveness to cyber attacks.