CREST provides internationally recognized accreditation for organizations and individuals providing pen testing, cyber incident response and threat intelligence services.
Working alongside the Bank of England (BoE), government and industry, CREST developed STAR (Simulated Target Attack and Response), a framework for delivering controlled, bespoke, intelligence-led cybersecurity tests. STAR combines pen testing and threat intelligence services so that a test accurately replicates the threats facing an organization's critical assets.
Different levels of simulation
There are several levels of testing, representing the types and levels of attack an organization may face. An engagement typically starts with a threat intelligence phase that informs the rest of the assessment: its output dictates the type and skill level of adversary to be imitated during testing. The amount of attack "noise" generated during the test also varies with the level of adversary being emulated, for example:
- Low-level adversaries: noisy on the network, using off-the-shelf tools to exploit known vulnerabilities
- Advanced adversaries: less noisy, using more sophisticated techniques such as spear phishing
- Nation-state adversaries: covert, operating over longer periods to avoid detection, for example using Remote Access Tools (RATs) whose command-and-control traffic is designed to evade security products such as Intrusion Prevention Systems (IPS)
Benefits of a red team assessment:
- Identifies the risk to key business information assets and their susceptibility to attack
- Simulates the Tactics, Techniques and Procedures (TTPs) of genuine threat actors in a risk-managed and controlled manner
- Assesses the organization's ability to prevent, detect and respond to sophisticated and targeted threats
- Engages closely with internal incident response and blue teams to provide meaningful mitigation, including comprehensive post-assessment debrief workshops
- Uses the CREST STAR framework to deliver consistent, threat-intelligence-led engagements
For a red team assessment to succeed, buy-in from senior management is essential from the very start, together with support across departments such as IT, HR and legal.
A red team assessment is not just about highlighting a company's weaknesses; it is an attempt to think outside the box about the security of the business, and a clear commitment by the organization to understand and continuously improve its security posture.
> Read more about pen testing, objective-orientated pen testing and red teaming in our whitepaper