In most Attack Simulations we have defined a goal for the simulation. The goal can be set to nearly anything, such as access to a Domain Administrator account or access to a specific server or network segment. A goal can also be physical access to a specific device or room on your premises.
In the Reconnaissance phase of the attack we already have the goal in mind when collecting information. We continue with a deeper collection of data, using the information gathered in our Threat Intelligence phase as a base. Overall, the phase aims at collecting information about the target (TA0043). Collected information is also used to prepare the Red Team’s attack environment for further activities (TA0042).
Typical actions performed in this phase include collecting publicly available information from the target’s website and social media. Additionally, we collect details about exposed network services via search engines for Internet-connected devices. Collected information includes technical information about the technology in use, but also topics of interest, such as an announced company event, which could be used as part of Phishing campaigns. If the attack plan includes physical attacks against premises, we also start observing your premises and your employees’ behavior. This includes questions such as “How are they dressed?” and “When and how do they enter the building?”.
Collected information is then used to spin up our dynamically extendable environment. We have created a dynamic infrastructure that allows us to create new servers during the simulation and automatically tailor their configuration to what we require.