The Mandiant Red Team relies on a
systematic, repeatable and reproducible methodology. They begin by
establishing the following core information and rules of engagement:

- the red team begin its effort with information about your
  environment (white box) or with no information at all (black
- What intelligence does Mandiant already have about
  high-risk assets and vulnerabilities in your industry?
- objectives do you want the red team to accomplish in simulating a

In a Red Team Assessment, after
identifying three to five objectives, the red team attempts to breach
your environment, maintain persistence, escalate privileges, obtain
access to key systems, generate fake data that emulates sensitive
production data and simulate data theft. These assessments focus on
non-disruptive, non-damaging tactics to achieve their objectives. Real
attackers try their best not to disrupt their target because people
ask questions when services go down.

The Red Teaming for Security Operations
methodology is identical to Red Team Assessments, except that it
embeds an IR expert with your internal security team or SOC. This
Mandiant IR expert is dedicated to working with your security team to
enhance their prevention, detection and response capabilities. They
also help refine existing processes and procedures to reduce the mean
time it takes to detect and respond to incidents.

After the assessment is complete, the red
team and the Mandiant IR expert work with your security team to
evaluate your security posture in the context of the attack lifecycle.
Together we review the effectiveness of
your organization’s procedures, applaud the areas where your security
team identified red team activity, identify the gaps in detection and
determine the areas where your security program can be enhanced. We
believe the Red Teaming for Security Operations service is the best
way to assess the effectiveness of your security controls and ability
to prevent, detect and respond to malicious activity where it matters most.