Picture of Thomas

Thomas

The author works at and owns Mint Security, a mean and lean security company founded in 2015. No fuzz (literally - we do not fuzz, there are companies better equipped to do that).

What is this?

Recon and red teaming can be done separately, but they also work hand in hand. It may be a good idea for a company to do a thorough recon to understand the adversaries view on the organization – and this not only in the technical sense. This may provide good input and updates to the risk register as well as prepare for an in-depth threat modelling session.

While the recon phase may seem a bit theoretical (and rightly so), the red teaming exercise is where recon results as well as the red team skillset is put to the test. This is where the enterprises defenses are torn down – except for specific (business or technical) limitations (specifically set by the customer) on what the red team can do – there are essentially no limitations.

Tell me more about recon

Recon (or cyber reconnaissance) is what we do when we need to find out as much as possible about the enemy – this is after all, a military term. The enemy, or in this case the target, is our customer. Any recon is both ethical as well as legal. We do not use any techniques that put you or us in a legal conundrum. During the recon we provide a picture of your cyber landscape, a vision on how you are perceived by your enemies. Of course, a recon exercise also gives insight into how susceptible you may be to occasional spray-and-pray attacks as well as “shit happens” -scenarios.
The main reason for doing a recon is simply to level the playing field. The opposition knows your weaknesses – so should you. A recon exercise uses a vast amount of different techniques to assess the threats and risks. Some are very standard – some may be business or domain specific.
A continuous recon provides constantly up-to-date information on what is going on. This is especially beneficial for organizations with complex structures, assets, and many stakeholders.
Examining whois data
Examining a company website for organizational information and personnel
Looking into the past for things that organizations want to forget – the Wayback machine
Consulting Shodan for low hanging fruits on existing assets

Recon - tools of the trade

The following are examples on what a recon mission may include:

  • Examining a company website for organizational information and personnel
  • Using a search engine to further refine the understanding of the organization as well as its assets – including non-public
  • Review Job postings for information on technologies and infrastructure
  • Searching for leaked credentials for employees
  • Looking into the past for things that organizations want to forget – the Wayback machine
  • Consulting Shodan for low hanging fruits on existing assets
  • Examining whois data
  • Delving into certificate transparency logs
  • Scavenging storage services

Tell me more about red teaming

A penetration test (or pentest) is limited by both (calendar) time and scope. This is good for finding out the weaknesses about something very specific – a web application, a server, or a cloud service. Red teaming, however, focuses on the bigger picture. A red team does not care which application, which service, which configuration – or door – has a vulnerability. Once a vulnerability is found, the scope is narrowed down to focus on exploiting. This means that a red teaming exercise gives real world results on how the adversaries would think and act. Of course, all the vulnerabilities found in previous pentests have already been fixed – naturally. A red team makes heavy use of recon findings – the weaknesses that have been found in one way or another.
The resources needed for red teaming is very different than for pentesting. Red teaming – even digital approaches (which exclude physical entrance) may need a long time to be successful. It may also require time to just be quiet – and stay dormant.
Using a search engine to further refine the understanding of the organization as well as its assets – including non-public
Searching for leaked credentials for employees
Review Job postings for information on technologies and infrastructure
Delving into certificate transparency logs
Scavenging storage services

Red teaming - tools of the trade

Red teaming tactics and tools include

  • Phishing
  • Social engineering
  • USB-sticking
  • Hacking
  • Scanning
  • Opening (and closing) doors
  • Waiting – repeating – and waiting some more

Where, how and when do we start?

We are here to help. We do one-off recons as well as continuous recons providing constantly up to date information on your organization. We can do one off red teaming exercises or set up a yearly contract where we will surprise you a few times during the year.

Let’s get the party started – yesterday. You have already been bleeding information for a long time. Your information is already out there for others to find. Start now, prepare to defend, and then fight back. Fighting back is when the blue team kicks in – but that is a completely different story.

Mint Security people

Security Testing

Security testing in brief Applications and systems are commonly assessed for security problems using penetration testing. A beloved child has many names, thus penetration testing

Read More »
Mint Security people

Auditing

Auditing Auditing in short Auditing means many things. For us, it means customized reviews of systems, environments and processes for our customers. In addition to

Read More »
Picture of Thomas

Thomas

The author works at and owns Mint Security, a mean and lean security company founded in 2015. No fuzz (literally - we do not fuzz, there are companies better equipped to do that).

contact us

Please do contact us. We most likely respond faster than you thought,