Red Team Engagements are an effective demonstration of tangible risk posed by an APT (Advanced Persistent Threat). The assessors are instructed to compromise predetermined assets, or “flags,” using means that a malicious actor might utilize in a legitimate attack. These comprehensive, complex security assessments are best suited for companies looking to improve a maturing security organization.

1 – Scope
Penetration testing is normally concerned with which assets to include in scope. However, red team engagements aim to compromise critical business assets and the scoping process defines areas to exclude from the assessment. This is broken down into a few steps:

• Compile a list of red team goals or “flags” to capture during the assessment
• Put together a definitive “Rules of Engagement,” outlining the specific activities that are allowed — such as on-site social engineering and other techniques
• Note exclusions from the attack surface, like certain IP addressess, applications, and personnel
• Confirm the official testing period and timezones, if relevant
• Acquire a letter of authorization — sometimes referred to as a Get-out-of-Jail-Free-Card — for all on-site activities

2 – Information Gathering and Reconnaissance
The initial work done in any black-box assessment is information gathering. It combines a myriad of Open Source Intelligence (OSINT) resources for gathering data on the target organization, and it is critical to the operation. Aggregating both public and private methods of intelligence gathering allows Rhino Security Labs to develop an early structure for a plan or attack. The following are some examples of information we target during reconnaissance:

• External network IP range, hosting providers, and open ports or services
• Web and/or mobile applications, along with associated API endpoints
• Personnel identities, email addresses, phone numbers, and subsequent data (like social media profiles)
• Previously breached credentials and other information sources
• IoT and various embedded systems in use by the organization

3 – Mapping and Planning of Attack
After completing all initial information gathering, the process transitions to mapping our strategy and attack methodology. The approach varies widely, dependent on our intel from the previous stage and the developed footprint. These steps may include:

• Enumerating subdomains hidden environments, and prepping applications
• Analyzing cloud services for possible misconfigurations
• Checking authentication forms for weak or default credentials
• Correlating network and web applications to publicly- and internally-known vulnerabilities
• Mapping any identified vulnerabilities for potential manual attack-vectors
• Crafting social-engineering pretext scenarios

4 – Executing Attack and Penetration
The variety of information gathered in the beginning phases lay the foundation for a whole host of attack options across all relevant vectors. These attack options may include the following:

• Attacking services with previously mapped vulnerabilities from the previous phase
• Compromising testing systems or sandboxes (often have fewer security protections)
• Accessing any servers using breached credentials or brute force
• Targeting personnel using various social engineering techniques
• Combining attack vectors such as exploiting client-side vulnerabilities via phishing emails

5 – Reporting and Documentation
Reporting is critical to understanding the value you receive from a Red Team engagement. Our reports are the best in the industry. Each is customized to the specific scope of the engagement and outlines any perceived vulnerabilities Rhino Security Labs discovered. The reports are designed to be easily digestible but complete in the findings, giving both the exploitation likelihood and potential impact for each vulnerability. In addition, each vulnerability includes a remediation strategy for mitigating the risk associated with the vulnerability.