FalconForce adversary simulations, or red teaming exercises, follow a systematic approach. From preparations and execution, to debriefs and learnings, it’s all aimed at supporting your organization in learning how to protect, detect and respond to attackers. In our approach, a purple teaming exercise is always included to maximize the learning effects for your organization.
Solid joint preparation for the red teaming exercise is key to the success of the entire exercise. This phase includes:
- Detail the activities in scope of the exercise and its goals, define go/no-go parameters, and discuss potential “leg ups”.
- Define your learning goals.
- Establish communication lines and contact details to ensure an easy and direct path of escalation in case this is necessary during testing.
- Assess and gather the information we need from you in order to kick-start the exercise.
- Host a kick-off session before the start of the exercise with your team to validate the above-mentioned steps, and make sure we hit the ground running.
Execution of the exercise
This phase includes the execution of the exercise, where the FalconForce red team performs the adversary simulation using the same TTPs a real adversary would use. Depending on the scope, objectives and learning goals, this phase could include:
- Social engineering (such as phishing).
- External exploitation (attempting to gain access to the end-goals from the outside perimeter via digital systems).
- Internal exploitation (attempting to gain access to the end-goals from inside the organization).
Objectives could include gaining access to privacy-sensitive information, such as client databases or employee records, or abusing payment systems to move a million euro out of the organization.
Debrief and reporting
Directly after the exercise, we will facilitate a debrief session with your security team to discuss the attack path and key observations. With a draft version of the report, we will plan a session and facilitate a constructive discussion with you on security issues identified and improving the resilience of the environment tested. In this discussion we will highlight our main observations, analyze the learning goals and discuss your input and response. Based on your feedback, we will create a final version of the report.
Our report is aimed at both management and technical staff, and contains:
- A management summary with the highlights of our technical observations and a brief remediation plan.
- The detailed observations resulting from our tests, including description, risk rating, and recommendation.
During the red teaming exercise, we make controlled and agreed-upon modifications to relevant IT assets in scope of the exercise. These modifications could include added user accounts, configuration changes or installation of software. The red team keeps track of what is done and will remove or restore any changes after the exercise, in close consultation with you.
Purple teaming exercise
To increase your learning experience, a purple teaming session is always facilitated as part of the red teaming exercise. Purple teaming (attack-defense simulations) combines offensive and defensive professionals during collaborative sessions to improve the cyber defense capabilities of your organization.
During a purple teaming session, we combine tabletop and hands-on exercises to replay the attack methods used in the red teaming exercise. By showing the timeline of the attack and explaining the actual attack techniques used, we help your team understand how attackers work. More importantly, your defensive team can use their tools to gauge whether (parts of) the attack can be detected.
More details on our purple teaming approach can be found here.
“An adversary simulation is a great learning experience to test your threat detection & response capabilities, and further boost improvement!”
Our other services
TIBER is a framework for threat intelligence-based ethical red teaming. It is meant as a guide on how authorities, entities, threat intelligence, and red teaming providers should work together to test and improve the cyber resilience of your organization by carrying out a controlled cyberattack. FalconForce is an experienced red teaming provider and can facilitate a full TIBER exercise.