Red Team & Offensive Operations

The true measure of security


One of the greatest heavyweight boxing champions of all time, Mike Tyson, famously said: "Everyone has a plan until they get punched in the mouth." And security is a lot like that. You can follow the best practices and have the best technologies, but it could all fall apart with the first serious cyberattack. The truth is, people who protect things often do not think like people who attack things.

This is where the Red Team comes into play. The Red Team is a team of ethical hackers, people who try to break into systems in the same way a criminal would. But in the end, they do not lock your data, they do not steal your money, and they do not bring your business to its knees. They document every exploit and write long reports on how to fix problems and ensure nothing bad ever happens.
Their service is extremely valuable because they test your system against real-world attacks. In fact, many industry or state regulators require certain industries to perform regular offensive operations against their systems.

But unlike cybercriminals, the Red Team operates by rules of engagement – before any activity starts, the organization is advised on how the operation will proceed. How long will the Red Team try to beat the organization's defenses? When should attacks take place (during work hours)? How much data should the Red Team be given (that determines whether it will be black, gray, or white box testing)? What can the Red Team use – only technology, or can they try to fool employees into revealing business secrets (social engineering)? Can they use 0-day exploits (security problems nobody except us has found)? Only after all of that has been agreed upon can the operation start.

In the end, clients get project documentation: a management (executive) summary, a technical report with detailed descriptions and mitigation recommendations, and videos for critical vulnerabilities.

SANS Certified Instructor as a team leader


SANS is the most trusted and by far the largest source for information security training and security certification in the world. To be one of their 76 Certified Instructors is no easy task; it takes years of true dedication, but our team leader/CTO, Bojan Zdrnja, is just that. His knowledge is immense, and when he is not educating the world's best cybersecurity experts in web app penetration testing (SANS SEC542), he is making sure Infigo's Red Team is in a class of its own. With a team lead like that, our only choice is excellence!

Without our Red Team, you will never know if your security is good enough

The proper way of doing a security assessment


A security assessment is a great way of identifying existing security vulnerabilities; until you know what the vulnerabilities are, you don't know what you have to fix. But getting the right results for the best price is always a balancing act, and many organizations are not sure when to use vulnerability scanning, penetration testing, or a red team engagement.

Vulnerability scanning is something every organization should be doing on a regular basis. It is the most basic activity in managing vulnerabilities and is often done with software vulnerability scanners with security specialists removing false positives.

Penetration testing is a step up, and here it is important to have the right scope. The goal of penetration testing is to find as many vulnerabilities as possible in the target scope. And if the target scope is clearly defined, penetration testing will yield the best results. Of course, since penetration testing is more time-consuming and requires lots of manual work, it is more expensive than vulnerability scanning.

A red team exercise is the ultimate test of any organization's defenses. In this exercise, the attackers are given a goal and they can use any means necessary to achieve it. This includes writing new exploits, using social engineering, even physical break-ins. A red team exercise might miss some vulnerabilities that penetration testing would find, but it will show how the organization stands against a real attacker.

For more on that, you can read an article by our CTO.

What do we do?


Everything security related! But it mostly falls under a couple of categories that are most useful for organizations big and small.

  • External penetration test – Internet attack simulation that would be used by unauthorized users, criminal groups, competition...
  • Internal penetration test – internal network attack simulation with authenticated/non-authenticated access that an employee, contractor, or business partner could have.
  • Mobile application tests – we test the client and server side, plus application logic where really nasty things can occur.
  • Web application tests – we use specially customized scenarios for the target web application with authenticated/non-authenticated access.
  • Specialized tests – since almost anything today produces some kind of data, we try to exploit it all. From digital power meters and IoT devices, through SCADA systems, to mobile payment schemes (i.e., HCE) and wireless systems (Zigbee, Z-Wave, and such).
  • Social engineering – the best security in the world will fail if your employee gives us the keys to your system. From phishing emails to malicious code, we will do everything to find gullible people, and then your system is ours!
  • Code audit – before you put your application into the world, it is a good security practice to do a code audit. In that way, we will find security flaws before they are made public for others to exploit.

Of course, we combine, pick and choose the best approach and the best offensive action for every client. With more than 15 years in this field and with lots of certificates from leading security organizations (ISC2, ISACA, Offensive Security, SANS...), our only goal is to make your security better.