Red Team Operations
Test how well your people, processes and technology protect your most critical assets
Organizations can greatly improve their security by rethinking it from the perspective of an attacker trying to gain access to their most critical assets (data, people and systems). Mandiant Red Team Operations consists of two unique services designed to assess the strength of your security program: Red Team Assessments and Red Teaming for Security Operations.
With Mandiant Red Team Operations, our security experts use our experience from the front lines of cyber attacks to simulate the tools, tactics and procedures (TTPs) of real-world attackers that target your environment.
Red Team Assessments focus on your ability to safeguard your most critical assets. Red Teaming for Security Operations adds an additional component: working with your internal security team or security operations center (SOC) to detect red team activity in progress and provide a post-mortem analysis of your detection and response capabilities.
Red Team Operations can help you:
- Get experience dealing with a real-world breach attempt (Red Teaming for Security Operations)
- Determine the level of effort required to compromise your sensitive data
- Reduce the time it takes for you to respond to events and incidents
- Assess your security posture against a realistic, ‘no-holds-barred’ attack
- Enhance your security team’s ability to prevent, detect and respond to real-world incidents
- Identify and mitigate complex security vulnerabilities before an attacker exploits them
- Get fact-based risk analyses and recommendations for improvement
What You Get
- A high-level summary for executive and senior level management with technical details that include enough information to recreate our findings
- Fact-based risk analysis so you know a critical finding is relevant to your specific environment
- Tactical recommendations for immediate improvement
- Strategic recommendations for longer-term improvement
Real Attacks. Real Responses. Real Results.
Red Team Assessments focus on giving your security team practical experience combatting real cyber attacks. While avoiding business damaging tactics, these assessments use conventional and advanced attacker TTPs to target agreed-upon objectives. You define the attack objectives — usually worst-case business scenarios — and the Mandiant red team goes to work. In a Red Team Assessment, the team goes through the full attack lifecycle, from initial reconnaissance to mission completion.
Red Teaming for Security Operations builds on the Red Team Assessment by including a consultant who oversees all incident response (IR) and defense-related activities and acts as a liaison with the red team. The objective is to test and validate your ability to detect malicious activity and evaluate your response to the detected events (including what processes, tools and staffing are used).
If security monitoring is outsourced to a third-party service provider, the Mandiant consultant works with the provider to understand what alerts are being generated. In their role as incident responder, they collaborate with the personnel responsible for acting on the alerts provided by the third-party service provider.
The Mandiant Red Team relies on a systematic, repeatable and reproducible methodology. They begin by establishing the following core information and rules of engagement:
- Does the red team begin its effort with information about your environment (white box) or with no information at all (black box)?
- What intelligence does Mandiant already have about high-risk assets and vulnerabilities in your industry?
- What objectives do you want the red team to accomplish in simulating a real-world attack?
In a Red Team Assessment, after identifying three to five objectives, the red team attempts to breach your environment, maintain persistence, escalate privileges, obtain access to key systems, generate fake data that emulates sensitive production data and simulate data theft. These assessments focus on non-disruptive, non-damaging tactics to achieve their objectives. Real attackers try their best not to disrupt their target because people ask questions when services go down.
The Red Teaming for Security Operations methodology is identical to Red Team Assessments, except that it embeds an IR expert with your internal security team or SOC. This Mandiant IR expert is dedicated to working with your security team to enhance their prevention, detection and response capabilities. They also help refine existing processes and procedures to reduce the mean time it takes to detect and respond to incidents.
After the assessment is complete, the red team and the Mandiant IR expert work with your security team to evaluate your security posture in the context of the attack lifecycle (Fig. 1).
Together we review the effectiveness of your organization’s procedures, applaud the areas where your security team identified red team activity, identify the gaps in detection and determine the areas where your security program can be enhanced. We believe the Red Teaming for Security Operations service is the best way to assess the effectiveness of your security controls and ability to prevent, detect and respond to malicious activity where it matters most.