VulturSec Red Team Methodology

Posted by VulturSec Team, on 01 Sep, 2022


Red Team Assessments are highly precise assessments with the objective of compromising critical assets in our customers' networks, using any available technique. Unlike a traditional penetration test, in which our team attempts to exploit any vulnerability within a predefined scope, these engagements simulate a real attack on your organization.

By combining multiple types of attack techniques, we can find an attack vector to compromise any critical business assets, discovering existing vulnerabilities in your applications, networks, IoT devices, and employees. We can also determine any flaws in your security monitoring, logging and alerting capabilities, as well as weaknesses in your incident response policies and procedures.

Our customers use these assessments to see the big picture of their organizations at a cyber-security level and to prioritize and plan future security initiatives.

1 – Scope

Red Team Assessments are focused on compromising critical business assets, and the scoping process defines areas to exclude from the assessment.

These are the steps followed by our team at this stage:

  • Create a list of goals or “flags” to accomplish during the assessment.
  • Create “Rules of Engagement” that make clear which activities are allowed and which are forbidden (such as on-site social engineering and other sensitive techniques).
  • Make exclusions from the attack surface clear, for example IP addresses, applications, and any specific/sensitive employees.
  • Confirm the testing period, timezone, and communication limitations/availability.

2 – Reconnaissance phase

Our information gathering phase combines a mix of Open Source Intelligence (OSINT) resources for gathering data on our customer's organization, adding both public and private methods of intelligence gathering in order to develop an early plan of attack.

These are some activities executed during our reconnaissance:

  • Discover external network IP ranges, hosting providers and open ports or services.
  • Collect previously breached credentials and any security-sensitive information available to the public on the internet.
  • Enumerate IoT devices, routers, gateways or any embedded devices used by the organization.
  • Collect information about employees, such as email addresses, phone numbers and social media profiles.
  • Discover web applications, mobile applications, and cloud providers used by the organization.

3 – Mapping and Planning the Attack

At this stage, the process and activities executed vary depending on the results of our previous phases and the information obtained in them.

Some of these activities will be executed:

  • Crafting social-engineering scenarios.
  • Initial recon/exploit of applications.
  • Verifying cloud services for any vulnerabilities/misconfigurations.
  • Checking authentication forms for weak or default credentials vulnerable to any brute-force technique.
  • Verifying networks and web applications to find any publicly known vulnerabilities.

4 – Executing Attack and Penetration

All the information gathered in previous phases is used to find attack vectors in this phase. The following are examples of attack vectors executed:

  • Attacking services found in our previous phases.
  • Targeting employees using various social engineering techniques.
  • Using a combination of attack vectors such as client-side vulnerabilities and phishing emails.
  • Accessing any servers using breached credentials, brute force techniques or weak/default credentials.

5 – Reporting and Documentation

Each report is customized to the specific scope of the assessment and specifies any vulnerability that our VulturSec consultants discovered. The reports are designed to be easily read and complete in their finding descriptions, and to provide the exploitation probability and potential impact for each vulnerability, along with a remediation strategy for mitigating the risk associated with it.