Why a UK public sector organisation chose a Red Team exercise
Following a high-profile third-party breach, a major UK public sector organisation turned to Resillion for a three-month Red Team exercise.
Red Teaming is a form of ethical hacking where security professionals simulate real-world cyber attacks to test an organisation’s ability to detect, respond to and defend against threats. It challenges the effectiveness of security measures across the organisation’s workforce, operations and systems, using realistic scenarios.
The number one fear for this organisation was an attacker successfully gaining control of their Pension Officer’s IT account and being able to access their multi-million-pound pension fund.
This was their first Red Team engagement, a bold step toward embedding a security-first culture and validating their newly implemented policies and technical controls.
The aim was to test the robustness of the protections in place around the pension fund. The exercise would attempt to simulate how an attacker might try to bypass controls and gain access. At the same time, the plan was to rigorously assess the organisation’s overall cyber resilience across people, processes and technology.

Key cyber security challenges exposed during the Red Team engagement
Third-party sensitivities
Testing their systems posed a diplomatic challenge. Given their history of breaches, they were understandably hesitant to participate.
Strong technical defences
The organisation had already deployed robust security measures, including conditional access policies and privileged identity management. These defences required the Red Team to develop creative, non-standard attack strategies.
Policy versus practice
Despite having sound policies in place, execution gaps were evident. For instance, clear-text passwords were found in accessible SharePoint files, and weak passwords were used to protect sensitive documents.
Human vulnerabilities
Employees were susceptible to novel attack vectors, such as spear-phishing via Microsoft Teams, highlighting a need for more nuanced user awareness training.
Our approach to testing cyber resilience
- Advanced phishing tactics
The team used spear-phishing emails with defence evasion techniques that bypassed Microsoft Safe Links. This led to successful account compromises and exposed weaknesses in user defences.
- Credential exploitation
With compromised credentials, tools like GraphRunner were used to enumerate and exploit sensitive data stored insecurely in SharePoint and other repositories.
- Transparent communication
Weekly updates kept the organisation informed without prematurely altering the environment. This ensured trust and control throughout the engagement.
- Awareness workshops
Post-engagement sessions focused on unconventional attack methods like phishing via trusted platforms to help staff better recognise and respond to emerging threats.

Key metrics: Attack activities detected and SOC readiness level

Results: Key Red Team findings and lessons learned
Credential management flaws
The discovery of clear-text passwords in shared locations pointed to systemic issues in how credentials were stored and protected.
The human error factor
Despite strong technical controls, the Red Team ultimately gained access to the well-guarded pension fund following a prolonged targeted attack. This highlighted the reality that even the most secure systems can be undermined by human behaviour.
By compromising the Pension Officer’s actual email account, we were able to take control. The client, including the Pension Officer, was shocked to discover that their worst-case scenario had become a reality.
Strengthening cyber resilience and future readiness
Overall, getting access to the pension fund was far from easy for the Resillion team. The gatekeeper for the Officer was security conscious, and our client’s security defences proved effective in most cases. However, our focused, persistent efforts resulted in the infiltration and subsequent control of the Officer’s email address.
While the Red Team did succeed in breaching the pension fund, the Resillion team came away impressed by the overall maturity of the security posture. The breach was not due to a lack of controls, but rather a reminder that human factors remain the most unpredictable element in cyber security.
The engagement’s findings helped the organisation secure funding for future cyber security initiatives to improve detection and response capabilities over time.