
Planning Effective Red Team Exercises

BSidesSF · 2016 · 50:19 · Published 2016-04
Tags: Category: Technical · Team: Red · Style: Talk
About this talk
Effective red team exercises require careful planning around scenario, objectives, scope, and rules of engagement—fundamentally different from penetration tests. Drawing from dozens of successful engagements, this talk outlines best practices for designing realistic adversary simulations while maintaining hyperrealism, zero knowledge, and zero notice principles. Speakers address how red teams and enterprise security teams collaborate to measure organizational resilience against sophisticated threats and drive measurable risk reduction.
An effective red team exercise is substantially different from a penetration test, and it should be chartered differently as well. The scenario, objective, scope, and rules of engagement all need to be positioned correctly at the beginning in order to most closely simulate a real adversary and provide maximum value to the client. In this presentation, we'll review best practices in each of these areas, distilled from conducting dozens of successful red team exercises, along with some war stories highlighting why each element matters. Those in offensive security will gain an understanding of how to manage the client's expectations for this process, and how to guide them towards an engagement that provides a realistic measurement of their ability to prevent, detect, and respond to real attacks. Those in enterprise security will gain a deeper understanding of this style of assessment, and how to work with a red team to drive real improvement in their security programs.
Transcript

...very broad scope, very deep, very manual, technique-oriented, and very narrow, so we're not looking to get complete coverage across an environment but more looking to see how deep we can go without detection.

So the objectives here for a red team exercise are different depending on whether you're looking at it from the red team perspective or from the client perspective. On the red team side, we're looking to accurately simulate an attack by a sophisticated adversary, and that adversary is seeking to achieve what the business considers to be a nightmare scenario, and they're looking to do that without detection. Their endgame may involve something that's obviously going to be detected eventually, such as loss of money, shutting down systems, ransomware, whatever it may be, but they're looking to get to that point without detection so that they can move into their endgame.

On the client side, they're looking to understand their resiliency to this style of an attack, and at the end of the day what they're really looking to do is drive risk reduction. So they're not interested in specific technical vulnerabilities or attack techniques except insofar as it helps them to reduce their overall risk to this style of an attack. So this presentation is not focused on the technical aspects, the technical techniques that go into a red team exercise, but rather how do we plan for success, how do we make sure that we've done all of the right planning ahead of time so that we can set up this exercise from the very beginning to have the best chance of being successful as defined by both the red team members and those on the client security team.

So a few key principles here. The first is hyperrealism, which means that in order to evaluate their resiliency to attack we have to actually attack them, and we have to attack them in the most realistic way possible. Obviously the corollary to that is we're not going to take the final step of actually causing harm to the business. So hyperrealism while doing no harm: this means we get to the point where we could push the button to cause some form of destruction, some form of damage to the business, but we don't actually do it. We don't actually steal the money or disable the brakes on the mine shaft elevator or whatever the case may be as we go along.

There are two other principles here of zero knowledge and zero notice. I'll go into those more in detail later, but essentially the zero knowledge refers to the red team's perspective on this engagement: they have zero knowledge about the environment that they're attacking, about where the assets are that they're looking to compromise, and about the security controls that are in place. They're essentially given "here is your target, here is the objective that you're looking to achieve." Zero notice is the other side of that coin. It refers to the security operations team and their knowledge of the assessment: they receive zero notice that this attack simulation is going to occur. As far as they know this is a real attack, there's a real adversary out there, and until the end of the engagement they are kept in the dark about the fact that this is an authorized, legitimate attack against their environment. And this feeds back into the hyperrealism: if we don't have the zero knowledge and the zero notice components we lose a lot of the realism.

So, a number of key considerations that go into planning this style of a technical

assessment. We'll walk through each of these in more detail, but just at a high level here we'll look at the scenario; we'll look at how we design a campaign plan to achieve those objectives; the scope of the assessment, what types of attacks to include; the rules of engagement, how do we conduct ourselves as a professional adversary simulator during the engagement; and what's the overall mode of communication with the client and what's the escalation plan that we put in place for the various contingencies that we need to account for.

Starting off with the adversary scenario here, the first principle is that we're keeping this at a business level. This means that we are not looking to have a scenario objective of "compromise a domain administrator account." Think of it from the CEO's or the CFO's perspective: they likely don't know or care what a domain administrator is. We're looking for something that they will understand, and this is going to vary from industry to industry and from client to client within that industry. So we want to define who would be interested in attacking this business. The adversary interested in compromising a web hosting company is going to be very different from the adversary who's seeking to undermine a gold mining company, and both of those would be different from the adversary who's primarily interested in targeting a financial institution. So first, who is going to attack this particular company?

The close follow-on is why: what is their motivation? And this is going to vary depending on the adversary and depending on the client as well. So it may be straight-up financial motivation; it may be that there's a political component of either a nation-state-sponsored adversary or a hacktivist group; it may be a less sophisticated attacker that is simply doing this for the thrill, or to make a statement, or bragging rights. But it's important to understand why, because that defines what a realistic attack is going to look like. Realistic compared to what? What is the adversary that this client should be most concerned about? What would the impact be to the client if this adversary were successful in their attack? If they achieve their intent, what would the impact to the client be? And what is the adversary's specific objective?

Now, only after we've answered those first three questions do we start to look at a more specific level, and again this is not a technical objective but a business objective: what is the type of data or the type of system that they're looking to compromise? So not "can I get on database server 231," but "can I access plaintext cardholder information in any form, from any system, anywhere in the enterprise." The adversary doesn't care much where it comes from, and so you lose realism if you define it too narrowly.

Finally, what's the starting point for this type of an assessment? Are we looking at an insider threat, where the adversary already has access to the internal network and some level of credentials, or are we looking at an external adversary who first needs to breach the perimeter, set up that foothold on the internal network, and then become an insider threat, so to speak?

So a few different client concerns here, and for each of these I'll go through the client concerns and some items that we're trying to avoid. Here, for the adversary scenario, the concerns are usually around these two items. First: "Well, I need to check the boxes. There's a regulation, there's a client, my management has told me that I need to do an external test, an internal test, test this application, and a wireless assessment." Our response is usually, that's fine, we'll do that, but don't limit yourself to that. Instead, wrap all of those specific attack techniques into the context of a broader adversary simulation, so that you can get the benefits of that broader assessment while still checking the boxes and keeping the regulators happy. Another one is simply that they don't see themselves as a target for this style of an attack, and regardless of what industry they're in, this is a process of walking them through who would be interested in attacking that industry, because even if they don't feel that they're a target for that attack, as we've seen more and more from the high-profile breaches, they may be a Target, or they may be a Home Depot, or they may be any other type of entity that has something of value to the adversary.

We want to avoid defining only those IT objectives, and we want to avoid dilution of effort. This means a client coming back to us and saying, "Well, I've got these half dozen different objectives that I want you to achieve." The problem is, if you're doing, say, a six-week engagement and you have six different objectives, you're going to be simulating six different adversaries who are only willing to spend a week each attacking the enterprise. What's more deadly, and what we urge our clients to consider, is more focus on the one adversary that matters the most, who's willing to devote six weeks of effort. Focus on that one assessment and then maybe consider others down the road.

So once the adversary scenario has been defined and agreed upon, next you move into the campaign plan to achieve the objectives, and I know this is an election year, but we're not talking about a plan to get elected here. It's an attack campaign, the offensive campaign. A few key principles on this one. First, be creative: anything that the adversary can do should be in scope

here. If the adversary can attack from the internet, you include that in scope. If the adversary can send a malicious email, that's included. Can they pick up the phone and call an employee? Yes. Can they identify some dirt on an employee and use that to coerce them? Yes, but there we run into the question of legality and ethics. There are obviously lines that we as an adversary, or as a simulated adversary, can't cross, but what you can do is simulate that those have been effective. So for example, we've gone through engagements where we've identified given individuals, reached out to the client, and said, "This individual has information out on LinkedIn that identifies them as a likely target. Based on other sources we've identified that this individual might be susceptible." Not questioning their ethics in any form, but simply there are some leverage points that may be available. Then we reach out to the client and say, let's simulate that this had occurred, not with this particular employee but with someone in this role within the organization. If that person decided to turn against you, how effective would they be operating in conjunction with an external adversary? So if they provide everything that they know and everything that they have access to to the adversary, how much easier would it be for the adversary to bring down the organization at that point?

Be adaptive. This means that we don't have a single attack pathway in mind when we first start out in the engagement. In that six-week engagement I mentioned, we don't know in week one what we're going to be doing in week four. We let it evolve organically. We know what attack techniques we have at our disposal and we know how we're going to adapt as we move along, but we let it evolve organically and adapt to the conditions on the ground, so to speak. Again, hyperrealism: the adversary is going to adapt. The adversary is not going to say, "Well, there's a larger attack surface over here, but we also need to make sure that we do this wireless test, so we're going to stop this fruitful attack in order to move over to this area." That doesn't make sense; it's not realistic. So instead, let the red team follow their nose, so to speak, and adjust where they're going to spend their time based on the available attack surface.

Finally, be resilient. In conjunction with the zero notice principle, this means that the blue team, the security operations team who's defending against this simulated attack, is going to be countering your efforts, so make sure that your attack takes that into account. If, for example, we have three different attack techniques, of external network, physical onsite compromise and planting a device on the network, and social engineering spear phishing, plan for some of these to fail, plan for some of them to be detected, and ensure that there's no infrastructure shared between those different techniques, so that if two out of three are detected and eradicated you still have that third. From the response perspective, if you remove two thirds of an adversary's access to the environment, you failed. So we want to ensure that we have the ability to retain that third mode of access.

So, client concerns. First, simply, "I don't think I can approve a physical breach, or calling an employee, or any of these other things." What that usually says is that you're too far down in the organization; you're not discussing the assessment at a sufficiently high executive level in order for them to understand the risk/reward trade-off here. These engagements are never without risk to the organization. There's always the chance that something could go wrong. We manage that when we get into the rules of engagement later, but you have to have someone who's willing to take on a certain amount of risk in order to reap the reward of doing an adversary simulation. Second, "We know someone will click that link." This is in regards to the social engineering, the spear phishing component. This is usually an indicator that they're not thinking of the type of spear phishing assessment that we would include in an adversary simulation. We're not looking to send out a thousand messages and see who clicks the link, because that's very noisy; it raises the profile and it's almost certainly going to be noticed and blocked by the blue team. What we're looking at is, if we send exactly the right email, and we send it to one or two people, and they click the link, are the technical controls in place to respond effectively? Well, first to detect that that's occurred, and then to respond effectively. And are the procedural controls in place in order to quickly take a system offline, understand the indicators of compromise, understand where else that same foothold might be in the environment, and so on? So we're not looking at will someone click the link or not. We know there's always someone who's going to click the link. We're looking at the compensating controls at a technical and procedural level, with the assumption that someone will click the link.

We want to avoid fragmentation of campaigns. This means that we're not looking at this as first an external assessment, then an internal assessment, then a spear phishing assessment, then a wireless assessment. It's one attack campaign with different attack techniques. So as we move along it's going to go organically from one phase into the next. If we're doing the external assessment and we're expecting to spend some amount of time on this, and a fourth of the way through the anticipated time we get access to a server and we realize that this server has access to the internal environment, we're immediately transitioning to an internal assessment. It's all part of the same attack campaign. And we want to avoid overly specific plans. We've had times where more regulated clients, or clients who are extremely risk averse, want us to document exactly what our attack plan is: on this day we're going to be trying these types of attacks, on that day we're going to be trying these types of attacks. We can't do that. If that's what the particular client wants, that means they're not really looking for an adversary simulation, because you lose a

large amount of the realism if your plans are overly specific.

Now, next, looking at the scope. For the scope we want to think globally and strike precisely. Thinking globally means that we're looking at the enterprise as a whole. Again, hyperrealism: if the adversary can identify that you have a branch office that you don't care much about compared to your corporate headquarters, and the security controls are weaker there, the physical controls are weaker there, and it's possible to, say, pick a lock after hours and plant something on the network, then it's completely legitimate for us to include that as well. Once we plug something into the network there, then we can move laterally, identify which systems on the headquarters network are accessible from this branch office, and pivot through those deeper and deeper into the environment. Similarly, we don't want the client to say, "Here are the 10 systems that I really care about. These are the assets that contain the data that you're trying to compromise. Scope yourself to these." 95% of the time those systems are well secured because they're understood to be high-value assets; attacking those head-on is not going to work. Instead we're looking for that forgotten development server somewhere that was stood up on a whim for testing and remains on the network, is not part of any asset spreadsheet, but is out there and is vulnerable and maybe on the domain. And if we compromise that, we get a domain account and our level of access snowballs from there as we escalate privileges and move laterally across the enterprise. Eventually we get to the point where we have this very broad and deep level of access. We have access to domain administrator accounts (yes, we target them, but that's not the end objective); we may have access to SSH keys that provide access to a majority of the Unix environment; whatever it may be. Once we have this access, then it's time to strike precisely, and this means going after the end objective, going then to the assets containing the data we care about, but we're then coming in as an authorized user, essentially. We have the right credentials; all we have to do is ask nicely and we're granted access to those systems.

Client concerns: availability is usually the largest one. "If I give you this full authorization to attack any component of my enterprise, I'm not going to know where you're attacking and I'm not going to know what concerns those system owners may have about those going offline." Our response to that is usually, if we can easily knock over a system through our type of very manual, white-glove testing, then that's a huge finding in and of itself. But really, at the end of the day, it comes down to trust. It comes down to what is their level of confidence in your team's ability to operate carefully in this environment. So in order to do these types of assessments and gain that level of trust, what we've found is that it really needs to be an all-senior team of technical experts who have a very robust, broad experience in offensive security and know with a very high level of confidence what's going to happen at each step of the way, so that they can make that risk/reward decision at each point along the way, knowing that if I go to this next step I might get closer to the objective, but it might do something that is going to affect system stability, so I need to go in another direction.

The second concern is "I don't actually own my infrastructure," and this is becoming more and more common as we see organizations move to cloud-based systems. So in some cases this is easy to address. If you have a client with a portion of their infrastructure hosted in AWS or Azure or any of those similar environments, there's a structured process for getting authorization to attack those systems on behalf of the client, so we can usually go through that process, get the authorization, and include that as part of the global scope of the assessment. Sometimes there's a hosting provider that just won't work with you on that, and in that case there's really not much you can do other than document that there's a whole lack of visibility around this component. What the client should be doing ahead of time, when they're negotiating the agreements with these vendors, is ensuring that they have the right-to-audit clause in their contract, so that when they come and ask for the authorization to attack that environment it's really a formality. The vendor has already agreed to let them do it; they're just looking for specific approval in this instance.

Things we want to avoid: we want to avoid limiting the engagement to only the areas that the client thinks are important. So I mentioned the example of "these are the systems that we care about." We also want to avoid letting them even influence the assessment that much. What we prefer is to get access to the internal environment, find the knowledge repositories, the wikis, the SharePoint sites, and explore those on our own to find references to the type of data that we care about. Again, this goes back to that zero knowledge principle: how easy is it to find? There are interesting artifacts that come out of that type of exploration, such as: are there sites out there on your intranet that contain information pointing to the critical data stores? Are there proper authentication and authorization controls around that? Sometimes, in an extreme example, we've even seen domain administrator credentials on internal SharePoint sites, and those are the types of things that we wouldn't have found if we weren't operating from a zero knowledge perspective, needing to do that level of discovery ourselves. We want to avoid whitelisting only certain subnets. There will be times when a client comes to us and says, "We know these systems will fall over if you touch them; we'll blacklist those," but there's a difference between saying this small set of systems is out of scope and saying you can only operate in this circle.

Rules of engagement. Four key principles here, all of which go back to the hyperrealism. First, red team autonomy: we need to allow the red team

the agility to operate in this manner, as we've been discussing here. This includes things like having this 24x7 window, understanding that they will have access to sensitive data but making sure that the proper protocols are in place as to how they're going to handle the sensitive data when they gain access. So a note on the 24x7 window: yes, this means operating in your production environment during business hours. We've been on our clients' financial systems of record, money movement systems, and so on, during business hours. We've been on mine operation systems while the mine is actually operating. If an adversary could do that, so can we, so it goes back to that foundational principle. This makes a lot of clients very uneasy, because it does mean that we have access to everything. If they have mergers and acquisitions data, especially if that's part of the data that's been defined as a component of the objective, we will likely have access to that. We will likely have access to their executives' emails. As we go through and compromise workstations we'll data-mine everything that's on those workstations. If an employee has put sensitive information on that workstation, if they have personal photos on there, we may well see those. We're operating as an adversary there. So it comes down to the level of professionalism that they expect from the red team, and recognizing that they are granting a very broad level of authorization here to target them.

So then how do you avoid creating essentially a reportable incident? If we're accessing personal information, electronic personal health information, materially nonpublic information about the company's financial performance, whatever it may be, essentially this all goes back to having the right legal agreements in place. So I'm definitely not a lawyer, but make sure that you have a lawyer involved in this process. There are things that can be done to officially grant authorization as a business associate or other form of formal recognition of the role that you're playing, so that the client is authorizing you to see this data as part of their business operations even if they're not provisioning you with access to that data.

Again, we're avoiding any unrealistic limitation. Could the adversary attack you on Christmas, when they know that your A team is likely home with their families and you've got a more junior crew on staff, and fewer than you normally would? Yes, the adversary could, so yes, we can do that as well. We've actually had clients explicitly ask us, "Please attack us on Christmas, because we want to know how we'd hold up. We want to know if we have sufficient staffing and sufficient skills in place so that we can defend against this style of an attack even if we are attacked on Christmas."

The last thing you want to do is get stuck in what I call specific pre-approval hell. This means that as part of your rules of engagement you are required to get pre-authorization for every exploit that you conduct. So you find a system on the network, you've identified a given vulnerability, and you need to go back to the client to ask, "May I exploit this vulnerability?" You then exploit that and you see, "Oh, I'm running as SYSTEM on this workstation. May I retrieve password hashes? May I attempt to crack those password hashes?" You can see very quickly that this bogs you down. It means that you've lost a lot of the realism simply because you've made the whole process take 10 times as long as you go back and forth with the client, and they're then wondering, "Can I authorize this? Do I need to ask somebody else first?" Instead, define it up front. Define it explicitly in your rules of engagement that you are not going to be asking for specific pre-approval, but that you will be compromising systems, deploying offensive technologies, cracking passwords, reusing compromised accounts, and any other specific attack techniques that you want to include there. Get agreement on those and have notification procedures in place, but not pre-approval required.

That gets into the communication and escalation plan. This is really around maintaining that zero notice posture as regards the internal

blue team, the security operations team. First, from the very beginning, when you are first discussing this type of engagement, ensure that the client knows to keep this on a need-to-know basis. We're usually proposing this assessment to the CISO or the CIO, or sometimes even the CEO or board of directors, depending on the level that is concerned about their attack resiliency. From that first conversation we will recommend that they only share knowledge that they're even talking to us with the minimum number of people who really need to be in the loop here, because if the blue team gets wind that there's going to be this style of an attack, you've lost a lot of your realism. The objective is explicitly to keep SecOps in the dark so they think this is a real attack like any other real attack, and they go through their normal response procedures, so that we can evaluate and comment and recommend ways to improve those detection and response procedures. What we're really trying to do here is test that response effectiveness.

So as an example, there was a time when we were attacking as an external adversary. We identify a system that is accessible from the internet, never should have been accessible from the internet, has Tomcat Manager on there with default credentials. We access the console, we deploy a web application back door, and they have a host-based IPS that detects that back door and sends up a flag and creates an event in their security operations center. There's a junior analyst going through the queue who sees this alert that there was malware detected on a server. The IPS noted that this malware had been quarantined and cleaned, and the status was green and no further action was required. The analyst closed the ticket and went to the next item in the queue with no further thought. On our side, we noticed what had happened: that we uploaded this back door but it wasn't there. We modified our payload, packed it in a different way, and used a different command and control channel, uploaded it again, and this time it worked. And that compromised system provided the single pivot point necessary to go from the internet to full access to the majority of their internal network. So this was a process failure. They had the technical capability to detect that initial back door that we uploaded, and it worked; it was detected. But the response was not effective. That analyst should have asked, why is there malware on this system? This is a server. This is not something where somebody's going to get malware through opening an email or a drive-by download or anything like that. If there's malware on this system, this means that somebody has administrative access to that system. That's a problem that should have triggered a full incident response investigation. If the security operations team had known that this was an exercise, there's a very high likelihood that when confronted they would have said, "Well, yes, we knew there was an exercise going on." So we would have identified a process failure there that would have been reported as a non-finding, because the operations team has this legitimate explanation of "we never followed up on this further because we knew it was an exercise." So if you maintain the hyperrealism, you have a much better capability to evaluate the detection and response controls.

We do have clients that don't want their security operations team tied up responding to this. What if there was a real attack that occurs during the time frame that we're doing this adversary simulation? Similarly, they'll have concerns around availability: what happens if there's an availability incident? How do I know whether or not it's related to what you're doing? This goes back to having a single point of contact that's highly enough placed in the organization so that they can see what's going on. So someone who has the awareness of the availability command center, or whatever team is responsible for availability of systems; someone who has high enough visibility to see what the security operations team is doing, so that they can then make the decision on a case-by-case basis to determine how do I weigh the relative benefits and relative concerns of, first, wanting to maintain the realism of the assessment, and second, needing to be agile on the corporation side and determine at a certain point, "No, this is bad. We're actually under attack. We need all hands on deck dealing with the real incident. We're going to pull the plug on the adversary simulation, end that exercise, notify the security team that that was an exercise, so that we can focus on this real malicious attack." We've seen that happen. It's pretty rare, but we need to make sure that we have all of this documented ahead of time.

So we want to avoid data leakage to SecOps, anything that would indicate that this is only an exercise. So the operations of the red team need to be done with this in mind. There should be nothing in the tradecraft of the red team that indicates that this is a drill. There should be nothing referencing the name of the company who's performing the red team assessment. There should be nothing that looks like this is just part of a simulation. It should look authentic. It should cause some level of fear in the security operations team that they are under a real malicious attack.

We want to avoid premature termination of the exercise. This means that that point of contact needs to be coached so that when they have somebody on the security operations team who comes to them and says, "We've detected this anomaly here. We've noticed that there was a back door on this system and we've pulled it offline, and we believe the problem's solved," that point of contact should not immediately respond with, "Oh, good job, we had an exercise, you detected it, it looks like everything's good," because what's normally happened is by that point we've moved on to other systems in the organization and we have multiple back doors, multiple command and control channels into the environment, and we want to let that response run its course. If the security operations team declares success, declares eradication of our red team access into the environment, but we still have access to one or more systems, there's something wrong, because that means that if this was a malicious attack they're going to shut down their incident response process while they're still being attacked in a stealthy, covert manner by a malicious adversary. That's a problem. So we want to take all of that into account in planning for the communications and the escalation process with the client and with that primary point of contact. As a side note, that primary point of contact is usually someone outside of the security operations team, so that they don't have that inherent conflict of interest. It's usually someone who is at the executive level, or a designated lieutenant of the CISO, for example.

So once we have this all planned out, what are the guidelines for the actual execution of the engagement? The first principle is to be strategic. Recognize that only an executive is likely to have the authority to approve this plan, so if you're not talking to an executive in the organization you're likely not going to be able to do a full, realistic adversary simulation, because all of those various competing client concerns will win out over the realism of the assessment. And some executives don't

have the confidence to approve this they're not willing to put a stake in the ground and say yes we are going to do this because we know that we're going to be attacked eventually and we want to know how prepared we are and I've said it before I'll say it again that technical compromise doesn't matter if you can't show business impact so find what it is that the executive team will understand that's usually especially in a public corporation what is going to affect the stock price if it hits the front page of the New York Times what is there that is going to directly affect the bottom line have a material impact on the business second be

deliberate stay focused stay focused on the objective there have been times where we''ve uh had to politely chew out a member of the red team with less experience when they identify and compromise a system and they're very proud of themselves they've found and exploited a high-risk finding but it doesn't get us access that we didn't already have and so it's not very realistic it's not accurately modeling a sophisticated adversary if we had credentials to log into this system why would we run an exploit here and raise our likelihood of detection we never know with 100% certainty what the security controls are that are in place so stay focused on the end objective remember your opsc remember to

avoid cross-contamination between different Avenues of attack don't use the same command and control server for your Dropbox that was placed on the network through a physical attack and your spear fishing campaign that sends out something from a Powershell embedded in a an office macro you don't want detection of one to result in detection of all of the others keep that objective in mind stay laser focused on that objective think globally but when thinking globally remember to only strike when you know that you can strike precisely and evaluate that risk reward there's always a trade-off there's always every action you take is going to raise the potential for detection know that know the tools know what the tools

do know what the tools look like on the wire know what your manual techniques look like on the wire test your payloads your techniques against the various detective security controls so that you know you can make an intelligent decision at each and every step if I if I undertake this attack technique how much does this raise my likelihood of detection and what new access does it give me that I didn't have before then you can make an intelligent decision about whether to engage in that attack versus any of the half dozen others that you might be able to try finally be agile adaptive and opportunistic don't get too focused on this potential zero day that you might

have found over here that you really want to keep digging into because it's fascinating if that's your best way in sure go for it but if there's a window unlocked over here don't waste hours trying to pick this very complex lock on the front door the real adversary is going to take the path of least resistance so we should do likewise thank

you any questions yes um do we have a

microphone who has the question so how do you handle cases like let's say the mining company where the reaction the prescribed reaction to a threat against a certain set of boxes um is to essentially shut down large portions of the operation and since the red team is operating with zero knowledge they may not have yet discovered the map of what this server controls versus what this other server controls so they're looking at a compromise and they think it's just some random server but it turns out to be something that controls like the power plant and and the response is to shut down that server and shut down the mine and you have this cascading thing that causes real impact

how do you manage that so I if I'm understanding the the question correctly it's uh if we're if our primary objective involves some sort of uh causing a denial of service how do we test that when we may not know the full impact of the the systems that we're affecting no it's more along the Lin mind of that it's not that you cause harm in of of yourself it's that the reaction of the blue team is Extreme right and and it and it's something that maybe you even know about what their standard reactions are but you don't know you've hit that sensitive spot right so so there are usually two criteria that we Define in

our Rules of Engagement that affect uh the decision of do we or do we not inform the team that this is an exercise the first criteria is is the security operations team about to involve law enforcement is is it going to go outside the confines of the organization and the second is is the response process about to in any way impact business operations so that would fall into that second category and that's really on that point of contact who's monitoring The Blue Team monitoring the security operations team to make a judgment call so if there's a single user workstation that has been detected as compromised it's usually going to be worth the risk of business

disruption to pull that workstation offline image it issue that user a clean workstation even though it does result in a loss of productivity for that one user because it is worth uh it is worth that expense in order to reap the benefits of having the more realistic full attack simulation however when we start looking at a response where the next step involves shutting down a server or I mean we've had organizations where someone on the response team proposes we don't know how deep this has gone we know that they're on the system that is the the last top before we send out uh wire transfer instructions to the fedwire system and their next step would be to disconnect

that system from fedwire cut that connection and all of a sudden none none of their uh none of their clients are able to conduct business through their system that's the point at which they call end exercise don't actually shut that system off here's what's going on and then at that point it moves more to a tabletop of what would our next steps be If This Were a real attack and it's often very revealing because usually the the clients haven't fully thought through if this critical system is compromised and it's say if it's not a drill if it's a malicious adversary how do we make that business decision how do you evaluate whether you're going to shut down a critical

system that's required for your business operations versus allowing an attack to continue either way is damaging to the business and either way there's a lot of risk and somebody's going to question the decision that you made afterwards and so it's it's usually very enlightening for our clients to need to be faced with that decision U as part of a drill before they need to face it as part of a malicious attack other questions yes hey h uh how often are you able to get clients to execute a perfect red I I'm sorry I'm having a hard time hearing you okay can you hear me now yes um how often do you get clients where you are able to execute a perfect red

team exercise like you're describing and and apart from executive buyin what else um what are the other factors which help in um getting that perfect red team exercise well budget is an obvious one um of Simply Having the financial resources to commit to this type of exercise uh in terms of how often we do it that's that's really what we focus on that with within Fusion X that is our specialty that is uh what our team has been been purpose-built for so essentially if a if a given client is not wanting to do that type of an assessment uh they'll go somewhere else with the a more Junior Team where they'll pay less money to get the type

of assessment that they're looking for so if a client works with us it's really because they want that full-on adversary simulation in order to understand the ability to prevent detect and respond so with that framing I'd say that uh probably greater than 95% of our assessments are the the full no holds bar to tax simulations hey uh yeah it's time it's time to wrap wrap it up so let's give another round of big Applause to Sean all right thank you Sean thank you and and just just one final note if this sounds like something you want to be doing please talk to me because we are absolutely looking to EXP expand our team thank you thanks again to Shan and behalf on

behalf of bides and our sponsor Fitbit want to present you with the Fitbit oh thank you thank you so much appreciate
