Technical Case Study – OT in the Energy Sector

Case Study

Aristi delivered a comprehensive red teaming engagement for a major UK energy supplier. The objective was to simulate a realistic adversary campaign across external, internal, and IT-to-OT boundaries, providing the client with a clear understanding of its resilience to sophisticated cyberattacks.

Engagement Scope

The exercise encompassed:

  • Initial access: phishing-based intrusion attempts.
  • IT environment: lateral movement and privilege escalation.
  • IT-to-OT boundary: attempts to pivot into OT/ICS networks via CyberArk session management.
  • Critical assets: targeted assessments of business-critical systems and pathways, mirroring real-world attack scenarios.

Methodology

  1. Threat Modelling & Planning
    • Applied the MITRE ATT&CK framework to identify high-impact attack paths.
    • Prioritised scenarios involving credential abuse, privilege escalation, and misuse of remote access tools.
    • Aligned methodology with CBEST and TIBER-EU principles, supported by threat intelligence tailored to the client’s risk profile.
  2. Safeguards & Risk Management
    • Established strict engagement controls: pre-approved target lists, clear escalation paths, and real-time SOC coordination.
    • Designed OT/ICS interactions to be strictly non-invasive, with safeguards aligned to safety and operational risk tolerances.
  3. Execution
    • Used advanced adversary simulation tools (e.g. Brute Ratel) alongside custom payloads.
    • Incorporated OT-specific considerations in planning and testing, with particular care for ICS/SCADA systems.
    • Conducted continuous monitoring to minimise operational risk throughout the engagement.

Key Findings

The red team assessment identified several critical risks:

  • Insufficient segmentation between IT and OT environments.
  • Weaknesses in identity and access management, particularly around privileged credentials.
  • Gaps in session monitoring and auditing, especially concerning CyberArk usage.

Outcomes

Our team worked with the client to design and implement a robust remediation roadmap, which included:

  • Enhancing IT/OT segmentation to restrict lateral movement.
  • Strengthening access control policies and credential governance.
  • Improving session monitoring and detection capabilities.
  • Establishing governance structures to embed red team readiness into ongoing security operations.

Impact

The engagement provided the client with a realistic view of adversary behaviours and demonstrated how attackers could exploit IT-to-OT pathways. The resulting improvements significantly strengthened the organisation’s cyber resilience across both IT and OT domains, ensuring better preparedness against advanced persistent threats.
