Adversary emulation aims to test a network’s resilience against advanced attackers or advanced persistent threats (APTs). These are targeted, coordinated threat groups with the intent, opportunity, and capability to harm their targets in a continuous fashion. With adversary emulation, we employ the same tactics, techniques, and procedures (TTPs) along the cyber kill chain, leading deeper into the target network on to the objectives or flags.
Penetration tests on individual systems or applications are helpful in looking for weak points in these specific components. However, a single penetration test does not give you any information about the security situation of the entire company. Audits and certifications are primarily aimed at governance and compliance, but beyond theory, they do not guarantee resilience to an actual attack.
Would you like to know how an adversary could breach your network and what damage it could cause? Do you want to determine whether an attacker or threat group targeting your business could steal sensitive information and remain undetected in your infrastructure? Would you like to measure your entire defense chain against a realistic, modern cyber threat?
How we can help
The cyber kill chain is a model for mapping all phases of a realistic cyber attack, from the first reconnaissance steps to the final goal of data exfiltration. During an attack, we use the same tactics, techniques, and procedures (TTPs) used by APTs in the real world. Depending on the maturity of your detection capabilities and the goal you want to achieve, we can apply these TTPs using one of two approaches:
- Red Teaming
Our Red Teaming focuses on assessing how resilient your company is to a simulated threat, covering prevention, detection and response. This means that our Red Team usually tries to stay stealthy and under the radar (undetected by the Blue Team) for as long as possible. Feedback is given at regular intervals (status updates), and the engagement ends with a debrief or a workshop. A Red Team engagement in which the Red Team captures the majority of the flags (i.e. executes the threat scenarios successfully without being detected) can create a useful shock effect for prioritizing security efforts.
- Purple Teaming
Our Purple Teaming focuses on improving the resilience of your company against a simulated threat, covering prevention, detection and response. This means that the Red Team works closely with the Blue Team throughout the entire engagement and tests various techniques and attack scenarios. We always map the desired detection capabilities to the different phases of the cyber kill chain. Then we define detailed detection use cases, for example mapped to the MITRE ATT&CK framework. Feedback is given immediately so that your security posture (both preventive and detective controls) improves during the engagement.
As explained above, an Adversary Emulation is not an isolated test, but covers your entire company. There is an inherent risk due to the criticality of the live production systems, people, and processes involved in the test. There is always the possibility of affecting critical target systems, for example through an unexpected denial of service or a system crash. Sensitive data can be lost, altered or disclosed if your test partner is not careful. Hence, it is important to put risk management controls in place and to choose the right partner. With NVISO you will find a trustworthy partner that offers:
- A high level of skills and expertise
- Experience with different types of security assessments
- Close cooperation with the White Team
- A focus on ethics
- Safe handling of sensitive data
We have a strong track record in Adversary Emulation, building on our years of experience working in Red Teams (penetration testing, security assessments, etc.) and Blue Teams (security monitoring, threat detection, incident response, etc.). All of our employees hold relevant certifications, and our Red and Blue Teams can provide multiple references for successful assessments. Furthermore, one of our experts wrote "SEC599 - Defeating Advanced Adversaries - Implementing Kill Chain Defenses", a purple teaming course in the SANS curriculum.
During an Adversary Emulation, we hold daily status meetings with the White Team to report critical problems or to validate use cases. That way, you can take action when needed.