Red Team Engagements

Benefits of Advanced Penetration Services

White Knight Labs Red Teaming Services enable organizations with mature security postures to take the testing of their protections, procedures, and responses to the next level. In a standard penetration test, the testers are “allowed in” and are not actively stopped when noticed. In an Advanced Penetration Test, your team will have standard protections in place and may stop the attack in progress, causing the testing team to reassess and pivot to achieve an agreed-upon goal. Our team will leverage multi-faceted attacks using more advanced real-world scenarios.

Attacks performed, tactics used, and results collected during these simulations are compiled into actionable reports that identify risk to your organization’s most valuable assets.

Our reports provide you with highly valuable information about your security posture and the security awareness levels of your employees, physical protections, blue teams, and technology deterrents. This vital information is a crucial component toward measuring your overall security posture and helps pinpoint where security gaps need to be filled and where budgetary dollars should be directed.

What are the types of Advanced Penetration Services

Our engagements offer flexible options to match your security objectives.

Red Teaming

Our Red Team Engagements involve establishing a goal, which could be technical or physical, and the rules of engagement to attain that goal. White Knight Labs Security consultants will then develop a plan for achieving that goal. This could involve them being physically onsite at the target location. They could either overtly interact with staff to persuade them to perform certain actions or covertly attempt to blend in and gain access to certain areas or information. Both overt and covert tactical approaches can easily be blended into a single engagement for a more comprehensive evaluation. A Red Team engagement could also include gaining network control, compromising cameras and security systems, or extracting data. Goals during a Red Team engagement can be technology based or physically based and can include physically breaching buildings. A Red Team Engagement could test your security awareness training, corporate policies, physical security systems, response procedures, and your technology protections and alerts.

Advanced Adversary Simulation

A remote engagement, or Advanced Adversary Simulation, involves setting a goal that is related to your technology (e.g. being able to extract HR information) and establishing the rules of engagement to obtain it. These types of engagements do not involve physical breaches; however, they may involve email phishing, phone vishing, dropping or mailing USB drives, or breaching the network. The Advanced Adversary Simulation may also include testing email filters, security awareness training, network protections, alerting, and your blue team responses.

Regardless of the type of Advanced Penetration Test you choose, RedTeam will work closely with you to create your rules of engagement to solidify details such as:

Additionally, at the end of the engagement, White Knight Labs can conduct a highly valuable technical out-brief. This technical exchange of information provides the opportunity for a step-by-step review of each tactic, procedure, and result. This additional discussion provides immediate, nearly hands-on training while the events of the engagement remain current to all involved. With such a detailed walkthrough and the benefit of a question-and-answer venue, your team will hear firsthand how the red team was able to accomplish the goal.

Offensive Endpoint Evasion

True red team assessments require a secondary objective of avoiding detection. Part of the glory of a successful red team assessment is not getting detected by anything or anyone on the network. As modern Endpoint Detection and Response (EDR) products have matured over the years, red teams have followed suit.

White Knight Labs specializes in testing Endpoint Detection and Response (EDR) products to determine whether host-level security is effective. WKL will test your current EDR solution and compare its effectiveness against Microsoft’s industry-recognized EDR product, Advanced Threat Protection.

Evasion Concepts

Endpoint Detection and Response (EDR) products monitor programs during execution to detect and respond to suspicious behaviors. This complements traditional anti-virus functionality, which uses signatures and heuristics to block unwanted programs prior to execution.

While evasion can be a broad term, attacker responses to EDR typically fall into these buckets:

1. Avoidance:

Furthering mission goals on systems that don’t have the product installed or enabled (e.g. operating from an un-provisioned endpoint, or proxying traffic through a provisioned endpoint).

2. Blending In:

Hiding in the noise of what’s commonly recorded by EDR sensors (e.g. using common parent-child process relationships).

3. Abusing Blind Spots:

Taking advantage of areas that the sensor doesn’t capture or report on (e.g. using certain APIs that are not logged, making direct syscalls).

4. Tampering with Sensors:

Altering sensor behavior to the attacker’s advantage (e.g. removing hooks, patching the sensor so malicious behavior is not reported and/or collected).
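From the defender's side, the first and fourth buckets show up as gaps in sensor coverage. The following is an added example, not White Knight Labs code: it cross-checks an asset inventory against EDR sensor check-ins and network sightings. All host names, timestamps, the one-hour threshold, and the `coverage_gaps` function are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the page).
NOW = datetime(2024, 1, 10, 12, 0)
INVENTORY = {"ws-01", "ws-02", "ws-03", "srv-db", "printer-7"}
# Last time each host's EDR sensor checked in with the console.
SENSOR_LAST_SEEN = {
    "ws-01": NOW - timedelta(minutes=3),
    "ws-02": NOW - timedelta(hours=9),
    "srv-db": NOW - timedelta(minutes=1),
    "lab-vm": NOW - timedelta(minutes=2),
}
# Last time each host was seen in network flow or DHCP data.
NETWORK_LAST_SEEN = {
    "ws-01": NOW - timedelta(minutes=1),
    "ws-02": NOW - timedelta(minutes=4),
    "ws-03": NOW - timedelta(minutes=2),
    "srv-db": NOW - timedelta(minutes=1),
    "printer-7": NOW - timedelta(days=2),
}

def coverage_gaps(inventory, sensor_seen, network_seen, now,
                  max_silence=timedelta(hours=1)):
    """Return hosts where EDR visibility is missing or has gone quiet."""
    findings = {"unprovisioned": [], "silent_sensor": [], "unknown_asset": []}
    for host in sorted(inventory | set(sensor_seen)):
        net = network_seen.get(host)
        active = net is not None and now - net <= max_silence
        if host not in inventory:
            # Sensor reports from a host nobody tracks: inventory gap.
            findings["unknown_asset"].append(host)
        elif host not in sensor_seen:
            # Bucket 1 (avoidance): live endpoint with no sensor at all.
            if active:
                findings["unprovisioned"].append(host)
        elif active and now - sensor_seen[host] > max_silence:
            # Bucket 4 (tampering) candidate: host is on the network
            # but its sensor has stopped reporting.
            findings["silent_sensor"].append(host)
    return findings

if __name__ == "__main__":
    gaps = coverage_gaps(INVENTORY, SENSOR_LAST_SEEN, NETWORK_LAST_SEEN, NOW)
    for kind, hosts in gaps.items():
        print(f"{kind}: {hosts}")
```

A silent sensor on an active host is only a lead: crashes and pending updates produce the same signal, so it should trigger a health check rather than an incident by itself.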

The White Knight Labs Offensive Endpoint Evasion service offering involves testing:

Get a Customized Proposal

Use our Scoping Questionnaire to provide us with the necessary information to put together a proposal for you. Please be as thorough as possible with your responses, as it helps us ensure an accurate and complete proposal.