Red Team Assessment

Why Perform Red Teaming?

The Raxis Red Team provides an adversary simulation service and is called on to help organizations understand the effectiveness of their cybersecurity defenses. We’ll deploy our most experienced and accomplished team members to mount a real-world attack on both your physical facilities and business systems. Every company has vulnerabilities; the Raxis Red Team Assessment exposes them.

Our signature Red Team Assessment is a well-planned and well-orchestrated cyberattack. Our elite team of professional ethical hackers launch a customized, real-world attack, just like determined hackers would. We know from experience that our Red Team Assessments expose vulnerabilities that are less apparent during targeted penetration tests, so you can prepare yourself before real cyberthreats come knocking. A Raxis Red Team engagement identifies not only technology vulnerabilities but also business process gaps as well.

What if your company is looking for a real-world assessment but isn’t quite ready for an all-out attack? As always, Raxis works with you to develop a Red Team test that fits your company’s needs. Before testing begins, we work closely with your team to establish boundaries, assuring the Raxis Red Team deliverables align with your goals.

Should I wait to fix known issues before performing a Red Team test?

If you are running security upgrades that are almost complete, you may want to schedule your red team test for afterwards to test your changes. Usually, however, there’s no time like the present. If you have known issues that you haven’t corrected, it may be a budget issue. If so, a Raxis red team can give you the proof your management team needs to see that the changes are a high priority. Maybe you have been putting off changes that don’t seem that important . . . the complex, chained attacks in a Raxis Red Team show clearly how seemingly small vulnerabilities work together to give a hacker more access than you may realize.

What does it mean for a Red Team Assessment to be in timebox?

While malicious hackers may have all the time in the world to attempt to break into your systems, our Red Team Assessments are scoped for a certain amount of hours -- the timebox. Our engagement ends with a report that clearly explains what Raxis accomplished during the time of your test and what you can do to make your environment more secure against a malicious hacker attempting the same things.

How often should I perform a Red Team Assessment?

This often depends on your industry and specific needs of your company, but Raxis recommends at least an annual Red Team Assessment. Raxis also recommends that you follow up with a penetration test about 4-6 months after a Red Team to ensure any findings are properly remediated.

Is there a benefit to changing Red Team or Penetration Testing companies?

While we sometimes work with companies that follow this philosophy, we believe it is flawed. The idea is that different pentesters all have different backgrounds and different strengths, but all pentesting companies are not the same. Raxis pentesters have strong backgrounds and certifications, and they are always working together to learn and share current knowledge about new vulnerabilities and exploits. Not all of our competitors can say the same. We recommend that companies find a trusted pentesting company, such as Raxis, and trust them to perform strong tests year after year.

Is Red Teaming even legal? Do you ever break the law?

We do not break the law. Our contracts spell out what we are and aren’t allowed to do. For example, we will never damage or destroy our customers’ property. What we will do is demonstrate how a real hacker could — and show our customers so that they can take steps to prevent it. Even if most company employees don’t know what is going on, leadership does and has agreed to it.

Are there rules that Pentesters or Red Team Memebers follow?

Yes, and it’s all about system uptime and data integrity. Unlike the bad guys, our penetration tests stop short of real damage, and we always obscure the data we take for proof of access. We also stay within any parameters set by the customer, but we always push to the edge of that envelope.

My application is cloud hosted. How can you penetration test/Red Team a platform that is hosted in the cloud or by a third party?

Once scoped, we work directly with cloud providers to inform them of our activities. Raxis has completed numerous tests on Amazon AWS/EC2, Microsoft Azure, Google Cloud, Rackspace, and VMWare cloud. We’ve worked with content delivery front ends such as CloudFlare and Akamai as well. No matter what the tech stack is, Raxis will find the best method possible for your pentest.

Why do you download and crack password hashes?

Unless otherwise requested, we crack passwords to determine the strength of the password policy and effectiveness of enforcement. We also may re-use passwords to pivot to other systems, which often results in a larger simulated data breach. Raxis uses high-strength encryption to protect the hash data both at rest and in motion. Once our password cracking is completed, we securely delete the password hashes and provide you with a summary including password strength, complexity, and analysis in a redacted pentest report. In a Red Team Assessment, password cracking is a key component in demonstrating a realistic attack.

Why use the Raxis team for your Red Team Assessment?

The Raxis Red Team team is second to none at pinpointing real world security risks by using the same tools and techniques as a malicious attacker. We’re all in the United States (with many of us based in Atlanta), most of us have at least 10 years of experience, and pentesting (a key component of Red Teaming) is our primary expertise. With so many technology defenses prevalent today, a pentester must understand every aspect of security and the latest techniques to bypass those many controls. The Raxis crew never stops learning the latest exploits, and we have a ton of fun sharing our knowledge. We don’t do checkbox security, and we never will.