Penetration Testing

Our penetration testing assessments can test people, process, and procedures as well as technological controls.

Key Challenges Addressed

Tailored to any Goal
None of our assessments are ‘out-of-the-box’. Red5 collaborates with every client to develop a framework that assesses specific areas of concern in line with business objectives.

Deep Sector Experience

Red5 have worked with clients in some of the most highly regulated industries and understand the unique business challenges and risks faced by these sectors.

Highly Accredited for Penetration Testing

Red5 use only technicians accredited by CREST, the OSCP, Zeropoint Security CRTOs and are Tiger-Certified, possessing Certified Cyber Security Consultancy status with the National Cyber Security Centre (NCSC).

Detailed Remediation Advice and Support

After completing an engagement, Red5 will collaborate with your internal security team to enhance your cyber defences and resolve any vulnerabilities that were found.

A Realistic Simulation of Real-Life Attacks

Red5 assessments are goal-orientated and simulate the tools, tactics and procedures that would be used by a real-world attacker.

Organisations that don’t regularly perform penetration testing often face challenges in protecting sensitive data and systems, maintaining compliance and customer trust, and reducing the risk of a successful cyber attack.

Penetration testing – or pen testing – helps organisations identify vulnerabilities that could be exploited by an attacker to access sensitive data, such as customer information or financial records. These vulnerabilities can also result in financial losses for an organisation, either through direct financial theft or through the costs of responding to and recovering from a successful cyber attack.

Pen testing can help organisations identify and address vulnerabilities before an attacker can exploit them, thereby reducing risk and securing their business. It also supports compliance by helping an organisation meet regulatory requirements set by relevant industry bodies (such as the PCI-DSS).

How It Works

Red5’s approach to penetration testing incorporates advanced remote testing solutions.
As a result, there’s no need for Red5 personnel to be on-site unless specifically requested or desired by the customer, which can reduce potential overheads for the client as there is no requirement for dedicated space and support for on-site personnel.

Our penetration testing team consists of ex-sysadmins, developers, network engineers and system architects who bring years of experience developing and securing environments.

This ensures our assessment considers all aspects of your organisation’s infrastructure, incorporates lesser-known attacks and vulnerabilities, and considers the business impact of a potential breach.

All our engagements are tailored to support the specific requirements and objectives of your organisation. This generally aligns with the following process:

Scoping

To initiate the project, Red5 will work with key stakeholders in your organisation to understand your needs. During this phase, our consultants will establish the scope and timescale of the engagement, contact any of your third parties and key contacts, and ensure all legal aspects are covered.

Reporting

Once the test has concluded, Red5 will compile all collated evidence from the test and develop a report which includes full details of the assessment, the findings and specific remedial guidance to address the findings. Our reports are written in easy-to-understand language that can be used by both executive and/or technical audiences. We can also provide redacted content relevant to your clients (if requested).

Assessment

Once the scope has been agreed, we will conduct the assessment while following industry-recognised practices such as the Council of Registered Ethical Security Testers (CREST) and Open Source Intelligence (OSINT). If Red5 identify any critical issues, we will inform you immediately. The assessment phase can be completed on your premises or remotely, dependent on your requirements and the technical components and environment being assessed. Our tests are open and transparent and you are able to watch our findings in real time on our secure portal.

Implementation

Red5 will subsequently work with your organisation to remediate any vulnerabilities or issues identified. Our consultants will recommend and implement vulnerability management solutions, which can support you with ongoing identification, risk quantification and remediation of vulnerabilities.

We are vendor neutral as an organisation but have a vast level of experience in many industry and open-source products to suit individual client requirements. We also have a team of engineers that can support remediation if additional resource or expertise is required.

Case Study

Red5 were engaged by a financial services organisation who were looking to undertake a real-world test of their security controls.

A large financial organisation engaged Red5 to provide a testing scenario that could simulate a real-world attack scenario. The organisation placed a large focus and pride on the security of their network perimeter, providing a significant amount of confidence to their board that they would be protected from any form of external cyber-attacks.

The Challenge

The Red5 team and security consultants held several meetings to fully understand the client’s requirements, agree time scales and identify the core scope and objectives of the assessment. These were identified as:

  • A real-world approach would be taken, simulating attacks from all possible vectors and without scope limitations, with the exception of ‘denial of service attacks’.
  • Attack vectors could include social engineering, physical access attempts, active reconnaissance and a full suite of technical penetration testing techniques such as infrastructure, web applications, mobile applications and controlled forms of malware deployment.
  • Red5 agreed that the engagement would be undertaken over a period of 3 months and that, from the point of contract signature and go-live, there would be no further contact between the parties (with the exception of any validation of testing vs real-life attacks taking place).

Engagement Milestones

In addition to the detailed scoping requirements, Red5 agreed an overview of the key milestones with the client. The key milestones of the assessment were:

  • Identify scope, objectives of the assessment, the client and safeguards.
  • Agree start date and end dates.
  • Conduct multi-faceted testing techniques.
  • Conclude testing.
  • Present findings to the client’s Executive Board.

Getting to Work

Following on from the agreement of the engagement milestones, Red5 assembled their internal team. This consisted of various employees across the company, each with different skill sets that ranged across technical capability, physical entry and social engineering. It is key that multiple attack vectors are effective, and this requires various skills and people.

Reconnaissance is Crucial

The team at Red5 devised a comprehensive plan and narratives for the assessment, kicking off with a reconnaissance phase aimed at building an intricate understanding of the client. It is absolutely vital for the Red5 team to grasp and uncover any vulnerabilities to ensure the credibility of potential attacks. This phase encompassed the following aspects:

  • Physical Assessment – Red5’s consultants conducted reconnaissance at various client sites nationwide, evaluating physical security measures, dress codes, employee behaviours like tailgating, lanyard usage, and the presence of any wireless signals emanating from nearby buildings.
  • Online Investigation – Red5 conducted thorough reviews of the client’s website, job descriptions, social media profiles, and Open Source Intelligence (OSINT).
  • Technical Vulnerability Scanning – The Red5 team conducted assessments of the client’s external infrastructure to identify potential entry points and open ports that could be exploited.
  • Building Relationships – Red5 created several LinkedIn profiles and initiated connections with the client’s employees, inquiring about roles within the company through telephone and email communications.

Attack Paths to Success

Following the reconnaissance phase the Red5 team utilised several attack methods to obtain a foothold, which were focused around physical access to enable remote access into the network and social engineering to deliver malware payloads.

Gaining Physical & Remote Access

Red5 devised a remote access tool using a Raspberry Pi. The Red5 team observed a seven-second delay between the swiping of an access card and the cloning of the client’s badge for physical access.

Once inside the premises, the Red5 team inserted a remote access device and successfully established a connection to the client’s network. From there, they initiated an evaluation of the internal infrastructure, identifying and exploiting a known vulnerability that granted local access to a server and access to credentials stored within the server’s memory.

After compromising the account, Red5 proceeded to access other services, eventually obtaining Domain administrator privileges. They then further pivoted into various network segments, ultimately gaining entry to the client’s primary customer database, which contained approximately 5 million customer records.

Social Engineering and Malware Deployment

Red5 cultivated relationships with various individuals across different departments within the client’s organization. They particularly focused on the Human Resources (HR) department by applying for positions within the IT teams. To achieve this, they created fictitious LinkedIn profiles, crafted fake CVs, and reached out to the department through phone calls to discuss job opportunities. Additionally, Red5 had developed their own malware, designed to grant their consultants remote access to infected user devices upon successful execution. They rigorously tested this malware in a controlled environment to increase the chances of bypassing the client’s email filters successfully.

After conducting a more comprehensive evaluation of the client’s external infrastructure and collaborating with the HR Department, the Red5 team discovered that the client was using a well-known email filtering product. Upon further analysis, they identified a configuration flaw in the implementation of the product, which Red5 could exploit to completely bypass the email filtering.

The result? Red5 was able to send email attachments to the client and effectively deploy the malware onto the client’s laptops. This granted Red5 Consultants remote access to a significant amount of personal data files, which were captured as screenshots for evidence.

Presenting Key Outcomes and Findings

Upon concluding the red team engagement, the Red5 team convened with the Executive Board to deliver a comprehensive overview of their assessment approach and findings. The assessment had commenced with Red5 Consultants having no prior knowledge or access to the client’s systems or premises. It concluded with Red5 gaining the highest levels of access to the client’s network and their primary customer database, which housed approximately five million records.

During this presentation, the Red5 team walked the board members through each phase of the engagement, explaining the intricacies of the test in a manner understandable to both technical and non-technical audiences. The client expressed gratitude to Red5 not only for the assessment but also for their professional and proportionate approach in presenting the findings to the board. Subsequently, the client expressed interest in continuing to collaborate with Red5 to enhance their internal security architecture, identify and prevent similar attack scenarios, and implement a layered approach to security.
