Rhino Security Labs

Red Team Engagements

Red Team Engagements are highly targeted assessments that aim to compromise critical data assets in your network, leveraging the vast scope an external attacker would have. Unlike a traditional penetration test, in which our security engineers attempt to find and exploit any possible vulnerabilities in a defined scope — such as a web application — these engagements simulate a genuine cyber-attack on your organization.

A leader in these sophisticated campaigns, Rhino Security Labs has developed a world-class team of offensive security engineers and researchers.

Red Team Engagements are an effective demonstration of tangible risk posed by an APT (Advanced Persistent Threat). The assessors are instructed to compromise predetermined assets, or “flags,” using means that a malicious actor might utilize in a legitimate attack. These comprehensive, complex security assessments are best suited for companies looking to improve a maturing security organization.

By harnessing this unique combination of attack capabilities, we can determine the attack process to compromising your critical business assets. We can discover where vulnerabilities exist in your network, applications, IoT devices, and personnel. We can also determine the effectiveness of your security monitoring and alerting capabilities, as well as weaknesses in your incident response policy and procedures.

The demonstrated impact from the testing paints a much larger picture that will aid your organization in the prioritization and planning of your future security initiatives.

1 – Scope
Penetration testing is normally concerned with which assets to include in scope. However, red team engagements aim to compromise critical business assets and the scoping process defines areas to exclude from the assessment. This is broken down into a few steps:

  • Compile a list of red team goals or “flags” to capture during the assessment
  • Put together a definitive “Rules of Engagement,” outlining the specific activities that are allowed — such as on-site social engineering and other techniques
  • Note exclusions from the attack surface, like certain IP addressess, applications, and personnel
  • Confirm the official testing period and timezones, if relevant
  • Acquire a letter of authorization — sometimes referred to as a Get-out-of-Jail-Free-Card — for all on-site activities

Download Service Brief

Red Team engagements include custom scenarios that simulate real-world tactics an external attacker might use.  Download our service brief to understand how a goal-focused approach can reveal deeper security weaknesses.

2 – Information Gathering and Reconnaissance
The initial work done in any black-box assessment is information gathering. It combines a myriad of Open Source Intelligence (OSINT) resources for gathering data on the target organization, and it is critical to the operation. Aggregating both public and private methods of intelligence gathering allows Rhino Security Labs to develop an early structure for a plan or attack. The following are some examples of information we target during reconnaissance:

  • External network IP range, hosting providers, and open ports or services
  • Web and/or mobile applications, along with associated API endpoints
  • Personnel identities, email addresses, phone numbers, and subsequent data (like social media profiles)
  • Previously breached credentials and other information sources
  • IoT and various embedded systems in use by the organization

3 – Mapping and Planning of Attack
After completing all initial information gathering, the process transitions to mapping our strategy and attack methodology. The approach varies widely, dependent on our intel from the previous stage and the developed footprint. These steps may include:

  • Enumerating subdomains hidden environments, and prepping applications
  • Analyzing cloud services for possible misconfigurations
  • Checking authentication forms for weak or default credentials
  • Correlating network and web applications to publicly- and internally-known vulnerabilities
  • Mapping any identified vulnerabilities for potential manual attack-vectors
  • Crafting social-engineering pretext scenarios

4 – Executing Attack and Penetration
The variety of information gathered in the beginning phases lay the foundation for a whole host of attack options across all relevant vectors. These attack options may include the following:

  • Attacking services with previously mapped vulnerabilities from the previous phase
  • Compromising testing systems or sandboxes (often have fewer security protections)
  • Accessing any servers using breached credentials or brute force
  • Targeting personnel using various social engineering techniques
  • Combining attack vectors such as exploiting client-side vulnerabilities via phishing emails

5 – Reporting and Documentation
Reporting is critical to understanding the value you receive from a Red Team engagement. Our reports are the best in the industry. Each is customized to the specific scope of the engagement and outlines any perceived vulnerabilities Rhino Security Labs discovered. The reports are designed to be easily digestible but complete in the findings, giving both the exploitation likelihood and potential impact for each vulnerability. In addition, each vulnerability includes a remediation strategy for mitigating the risk associated with the vulnerability.