Scenario 2 Pen Testing
Breach the Network (Red Team Exercise)
Example: “We are looking to test and improve our overall cybersecurity posture and we need an ethical hacker to try to break into our network.”, OR “We would like to test the detection and response capability of our security controls / security operation center.”
This scenario describes a more traditional penetration test. This type of pen test (also called a Red Team exercise) simulates an adversarial role and is a far more realistic way to test the security readiness of an organization. This testing covers exploitation attempts against People, Process, and Technology.
There are two phases to this type of operation. First, we need to breach the network perimeter and get invited into the network by an insider. This is usually done using social engineering techniques (e.g. phishing).
Given enough time and effort, social engineering will almost always work. So, in order to reduce the scope and budget required, Digital Spotlight will often begin testing from an inside position (i.e. as if an insider has clicked the wrong link or opened a malicious attachment). From that vantage point, your internal security posture can be measured in terms of “did you see us / did you stop us?”. Or, there can be a specific objective such as retrieving a file from an executive fileshare.