Penetration testing of individual systems or applications is useful to look for vulnerabilities or weaknesses in those specific components. However, a single penetration test does not tell you anything about the security posture of the company as a whole. Auditing and certifications are mostly aimed at governance and compliance; beyond the theory, they do not guarantee resilience against an actual attack.
You want to know how an adversary could breach your network and what damage they could inflict. You want to determine whether an attacker or threat group targeting your company would be able to steal sensitive information and remain unnoticed inside your infrastructure.
You want to measure your entire chain of defences against a realistic, modern-day cyber threat.
How we can help
The cyber kill chain is a model that maps all the stages of a realistic cyber attack, from early reconnaissance to the final objective, such as data exfiltration. During an adversary emulation, we make use of the same tactics, techniques, and procedures (TTPs) that are employed by APTs in the real world.
Depending on the maturity of your detection capabilities and the objective you want to accomplish, we can apply these TTPs using one of two approaches:
- Red teaming
Our red team engagements are focused on assessing how resilient (including prevention, detection and response to threats) your organisation is against a simulated threat. This means that our red team usually tries to stay stealthy and under the radar (undetected by the blue team) for as long as possible. Feedback is provided at periodic intervals (status updates) and a debrief session or workshop follows at the end of the engagement. A red team engagement in which the red team obtains the majority of the flags (i.e. successfully executes the threat scenarios without being discovered) can bring a useful shock effect that helps prioritise security efforts.
- Purple teaming
Our purple team engagements are focused on improving the resilience (including prevention, detection and response to threats) of your organisation against a simulated threat. This means that the red team works closely together with the blue team throughout the engagement, testing out different techniques and attack scenarios. We always map the desired detection capabilities onto the different phases of the cyber kill chain, after which we define detailed detection use cases, mapped onto, for example, the MITRE ATT&CK framework. Feedback is provided immediately, in order to improve your security posture (both preventive and detection controls).
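To make the mapping described above concrete, here is an added example (not NVISO's tooling and not part of the original page) of how a purple team can record each emulated technique against its kill chain phase and ATT&CK technique ID, together with the blue team's observed outcome, and then derive per-phase coverage, the list of detection gaps ordered by how early in the chain they sit, and the phases that were never exercised. The test results are constructed for illustration; the technique IDs and names are taken from MITRE ATT&CK, the phase names from the Lockheed Martin Cyber Kill Chain.

```python
"""Purple-team coverage matrix: emulated TTPs mapped onto kill chain phases
and MITRE ATT&CK technique IDs, with the blue team's result for each run.
Added example; the results below are constructed, not from a real engagement."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Lockheed Martin Cyber Kill Chain phases, in attack order.
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]
# prevented: blocked by a preventive control; detected: executed but alerted on;
# missed: executed and nobody noticed.
OUTCOMES = ("prevented", "detected", "missed")
TECHNIQUE_ID = re.compile(r"T\d{4}(?:\.\d{3})?")  # T1234 or sub-technique T1234.001


@dataclass(frozen=True)
class TestCase:
    phase: str       # kill chain phase in which the technique was executed
    technique: str   # ATT&CK technique ID
    name: str        # ATT&CK technique name
    outcome: str     # blue team result for this run


# Constructed results of a hypothetical purple team exercise.
RESULTS = [
    TestCase("Delivery", "T1566", "Phishing", "detected"),
    TestCase("Exploitation", "T1059", "Command and Scripting Interpreter", "detected"),
    TestCase("Installation", "T1053", "Scheduled Task/Job", "missed"),
    TestCase("Installation", "T1547", "Boot or Logon Autostart Execution", "detected"),
    TestCase("Command and Control", "T1071", "Application Layer Protocol", "missed"),
    TestCase("Actions on Objectives", "T1003", "OS Credential Dumping", "prevented"),
    TestCase("Actions on Objectives", "T1021", "Remote Services", "missed"),
    TestCase("Actions on Objectives", "T1041", "Exfiltration Over C2 Channel", "detected"),
]


def validate(results):
    """Reject records that would silently corrupt the matrix (typo'd phase,
    unknown outcome, malformed technique ID)."""
    for r in results:
        if r.phase not in KILL_CHAIN:
            raise ValueError(f"unknown kill chain phase: {r.phase!r}")
        if r.outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome: {r.outcome!r}")
        if not TECHNIQUE_ID.fullmatch(r.technique):
            raise ValueError(f"malformed ATT&CK technique ID: {r.technique!r}")
    return True


def coverage_by_phase(results):
    """Return {phase: (covered, total)} in kill chain order, where covered
    means the technique was either prevented or detected."""
    validate(results)
    counts = defaultdict(lambda: [0, 0])
    for r in results:
        counts[r.phase][1] += 1
        if r.outcome != "missed":
            counts[r.phase][0] += 1
    return {p: tuple(counts[p]) for p in KILL_CHAIN if p in counts}


def detection_gaps(results):
    """Missed techniques, earliest kill chain phase first: a detection early
    in the chain cuts off every later stage, so early gaps matter most."""
    validate(results)
    order = {p: i for i, p in enumerate(KILL_CHAIN)}
    missed = [r for r in results if r.outcome == "missed"]
    return sorted(missed, key=lambda r: (order[r.phase], r.technique))


def untested_phases(results):
    """Phases with no test case at all. No data there means no statement
    about coverage can be made, which is itself a finding for the report."""
    tested = {r.phase for r in results}
    return [p for p in KILL_CHAIN if p not in tested]


if __name__ == "__main__":
    for phase, (covered, total) in coverage_by_phase(RESULTS).items():
        print(f"{phase:<22} {covered}/{total} covered")
    print("Gaps, highest priority first:")
    for r in detection_gaps(RESULTS):
        print(f"  {r.phase}: {r.technique} {r.name}")
    print("Not exercised:", ", ".join(untested_phases(RESULTS)))
```

The ordering in `detection_gaps` encodes the purple team reasoning the text describes: a missed scheduled task in the Installation phase is a bigger problem than a missed lateral movement technique later on, because a detection at Installation would have surfaced the intrusion before lateral movement happened at all. Phases that were never tested are reported separately rather than counted as 100 % covered.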
As explained above, an adversary emulation is not an isolated test but covers your entire company. There is an inherent risk due to the criticality of the live production systems, people, and processes involved in the testing. There is always a possibility of impacting critical target systems, for example through an unexpected denial of service or system crash. Sensitive data could get lost, modified, or disclosed if your testing partner is not careful.
As such, it is important to put some risk management controls in place and to pick the right partner. You want a trusted party that has:
- A high level of skills and expertise
- Experience with different types of security assessments
- Close collaboration with the white team
- A focus on ethics
- Secure handling of sensitive data
At NVISO, we have a proven track record in adversary emulation, built on our years of experience in red team (penetration testing, security assessments, etc.) and blue team (security monitoring, threat hunting, incident response, etc.) work. All of our employees hold relevant certifications and our red and blue teams can present multiple references from successful assessments. As icing on the cake, one of our experts authored “SEC599 – Defeating Advanced Adversaries – Purple Team Tactics & Kill Chain Defenses”, a purple teaming course in the SANS curriculum.
During an adversary emulation, we hold daily status debriefs with the white team to report on critical issues found or to validate exploitation. This allows you to take action whenever necessary.
Finally, all our employees have a NATO clearance and follow our code of conduct and NDA. Customer data is always stored in a secured