Red Teaming/Attack Simulation
Red Teaming is defined as scenario-led penetration testing which combines physical, social engineering and technical attack methods.
Red Teaming engagements allow organisations to gain a holistic view of their security posture and how resilient they are defending against advanced and determined attackers.
Our consultants have significant experience in performing highly tailored Red Teaming engagements for clients across many industry sectors.
Red Teaming is scenario-based penetration testing which aids organisations in gaining a clear understanding of the threats they face. Uniquely, Red Teaming allows business stakeholders to measure how effective their controls and processes are at detecting, containing and preventing highly sophisticated cyber attacks.
Assessments provide assurance of an organisation’s security posture across a range of domains, including user awareness, physical security, incident response and logical security.
Cyber Threat Intelligence (CTI) is the system of ascertaining the risks and threats that organisations face. CTI provides context which helps organisations to better understand how they are likely to be attacked, by whom and the attackers’ modus operandi. These may include internal or external entities, such as organised crime groups, hacktivist groups or nation states.
Red Teaming is known by a range of different terms, most of which are interchangeable. The key item in common is that the testing simulates a targeted attack and it is scenario-based.
Red Teaming is known by a variety of terms, including:
- Cyber Red Teaming
- Objective-based Penetration Testing
- Simulated Attack Testing
- Cyber Attack Simulation Testing
- Targeted Attack Simulation
- APT Simulation
Simulated Target Attack and Response (STAR) is a testing framework developed by CREST, the not-for-profit accreditation body which represents the technical information security industry. STAR combines Red Teaming and Cyber Threat Intelligence, known as Intelligence-Led Penetration Testing, which allows engagements to be more realistic, more tailored and ultimately more relevant to an organisation.
Armadillo has undergone a rigorous assessment process in order to be accredited as a CREST STAR provider, meaning it can deliver the highest standard of Intelligence-Led Penetration Testing engagements.
Furthermore, Armadillo has both CREST Certified Attack Managers and Specialists on its team of experts.
Our CREST STAR certification can be verified on the following URL:
GBEST is a new scheme based on the CBEST model and is being rolled out across UK Government Departments. The scheme aims to be very similar to CBEST but with some minor differences; for example, a GBEST assessment is expected to take slightly longer than an average CBEST.
The overall scheme is co-ordinated by the Cabinet Office but each exercise is procured, led and ultimately owned by the Government Department carrying out the exercise. The NCSC provide validation of the Threat Intelligence and general technical assurance to each exercise.
The Cabinet Office has decided that CREST STAR accreditation will be an appropriate level to compete for GBEST work.
Furthermore, as well as the requirement for CREST STAR it also requires that only companies with staff holding the CREST CCAS (Certified Simulated Attack Specialist) and CREST CSAM (Certified Attack Managers) can be part of the GBEST scheme. Armadillo Sec are not only CREST STAR certified, but our team hold the CCAS and CSAM certifications required.
Our GBEST certification can be verified on the following URL:
Red Teaming helps organisations to understand the effectiveness of their cyber security defences by simulating a targeted attack against one or more critical assets. Conducting a Red Teaming engagement allows business stakeholders to gain a much greater understanding of their resilience to attack from advanced threat actors and how effectively their incident response teams can respond.
The key benefits of performing Red Teaming engagements are:
1. Attack simulation. Identify whether your organisation is susceptible to sophisticated attacks by advanced threat actors.
2. Holistic view of security. The scope of the engagements includes people, process and technology across the enterprise.
3. Assess cyber resilience. Determine how effectively internal teams detect, contain and neutralise threats.
As Red Teaming engagements simulate an external attack, they can also help obtain buy in from the business for significant investments, such as an internal incident response capability or an in-house security operations centres (SOC).
Armadillo Sec are a CREST STAR (Simulated Target Attack and Response) certified testing company and part of the Government GBEST scheme.
Our attack simulation testing team are certified by CREST to the highest CCAS (Certified Simulated Attack Specialist) and CSAM (Certified Simulated Attack Manager) levels.
Our testers are also CHECK Team Leaders (CTL’s) or CHECK Team Members (CTM’s) and are approved to conduct government CHECK testing.
Our team have many years experience conducting a broad range of government and commercial tests and always aim to go the extra mile for our customers.
Frequently Asked Questions
Red Teaming is intended to complement existing penetration testing programmes by ‘chaining together’ and leveraging vulnerabilities identified across the enterprise.
A Red Teaming engagement differs from a Penetration Test in the following key areas:
1. Scenario/Objective-based testing
Red Teaming engagements describe one or more scenarios which are intended to replicate threats an organisation is concerned about. By following the Tactics, Techniques and Procedures (TTPs) of real threat actors, Red Teaming engagements ensure testing is both realistic and representative.
Scenarios will often be focussed on critical business assets or sensitive systems, such as CRM systems holding personal data, funds transfer systems (i.e. BACS), Mergers and Acquisitions (M&A) information or intellectual property.
Cyber Threat Intelligence can provide more insight into threats, assess the likelihood of threats being realised and help draw up scenarios for testing.
2. Tailored Scope
Whereas a traditional Penetration Test will typically have a restricted scope of a small number of systems, Red Teaming engagements will seek to identify weaknesses in systems across an enterprise.
Vulnerabilities are chained in order to provide access to higher value assets. This not only offers a more holistic view of security but also helps to more effectively quantify risk. For example, a scenario might require the compromise of endpoints via spear phishing, privilege escalation and lateral movement across the network before gaining access to sensitive funds transfer systems.
Unlike a Penetration Test where internal security teams are made aware of each test, very few internal stakeholders will typically be made aware of a Red Teaming engagement. This allows the client to test the effectiveness of incident response teams and technical controls in a realistic way.
Red Teaming engagements help organisations better understand the full business impact from a sophisticated targeted attack as the scope is not just focussed on isolated systems.
3. Attacker Simulation
Red Teaming engagements do not aim to identify every vulnerability in each system. Instead, the methodology includes the ‘path of least resistance’ meaning an attacker will often target only the essential systems required in order to progress towards the objective systems (known as actions on target).
Another key difference is persistence, defined as an attacker establishing and maintaining access to target networks, either through client-side malware or a physical implant.
We are a CREST STAR accredited organisation having undergone a rigorous accreditation process to demonstrate robust testing methodologies, effective risk management approach to testing and stringent information handling processes.
Our consultants are experts in their field and have many years’ experience in performing scenario-based Penetration Testing and Red Teaming engagements. We only use CREST certified testers for Red Teaming testing and in addition these engagements are led by a Certified Attack Specialist and overseen by a Certified Attack Manager.
|CREST Certifications||Certified Testers|
|Practitioner Security Analysts|
|Registered Penetration Testers|
|Certified Web Application Testers|
|Certified Infrastructure Testers|
|Certified Simulated Attack Specialist|
|Certified Simulated Attack Manager|
Our CREST member status can be viewed, along with the certified tester types we have on the below link:
Our testers are also CHECK Team Leaders (CTL's) or CHECK Team Members (CTM's) and are approved to conduct government CHECK testing.
|CHECK Status||Certified Testers|
|CHECK Team Member (CTM)|
|CHECK Team Leader (CTL) - Infrastructure|
|CHECK Team Leader (CTL) - Applications|
Our CHECK status can be viewed on the below link:
Organisations often have different drivers for performing a Red Teaming engagement. These can include regulatory requirements, the need to establish a comprehensive view of security across the enterprise or to demonstrate the security posture to business stakeholders or external organisations.
The threat landscape is also relevant as an organisation or industry sector might become aware through Threat Intelligence that they are being actively targeted by a known threat actor. This could be due to competitors being attacked by an adversary or affiliation with a supplier or customer. Alternatively, the use of outsourced services, such as those from a Managed Security Service Provider (MSSP), can often increase the risk of attack.
Depending on the findings, there is often value in repeating Red Teaming engagements after the remediation steps have been actioned, change of key supplier or after significant investment, such as the establishment of an in-house Security Operations Centre (SOC).
Each Red Teaming engagement is unique and as such, requires a bespoke scope. A key part of the scoping process is to gain an understanding of the drivers and objectives behind the Red Teaming engagement. These help to define the number of scenarios, which in turn determine the number of days the engagement will require.
Before providing a quotation, we will ensure we fully understand your business drivers and what your organisation is looking to gain from the engagement. Only then we can we provide technical scope including costs and options.
Upon completion of testing, a detailed report is compiled which contains the following high level sections:
- Executive summary and key recommendations
- Scope, scenario(s) and objectives
- Approach and limitations
- Assessment high level findings
- Attack response and observed response
- Detailed technical findings and recommendations
The report appendices contain full details of the attack scenario, timeline and response detected.
Technical vulnerabilities identified are mapped against the MITRE ATT&CK Framework to help clients understand and compare adversaries behaviour.
Also included in all engagements is a results presentation to business stakeholders and we encourage clients to also hold a post-engagement workshop with internal SOC or incident response teams so that attack timelines can be compared and correlated.
If the engagement includes Cyber Threat Intelligence (CTI), then this will form a separate report which will be completed before the start of the Penetration Testing. The results of the CTI and selected testing scenario(s) will feed into the testing.
We have developed a Red Teaming testing methodology which helps ensure that testing is consistently kept at a high level, but also ensures the attack simulation remains flexible and as realistic as possible, whilst minimising organisational risk.
The high level steps in the methodology include:
2.Staging and Weaponization
4.Control & Movement
5.Actions on Target
6.Persistence and Egress