Assume that you are being hacked!

Assume Breach

Do you recognise the spread in your network?

Assume Breach is a security strategy that assumes that an attack on a system or organisation is inevitable and that it is therefore important to minimise the impact of such an attack as much as possible. The idea behind Assume Breach is that it is better to prepare for the defence of attacks rather than assuming that a system is completely secure.

What measures does Assume Breach include?

When carrying out an Assume Breach Assessment, hackers proceed in a similar way to a Red Teaming Assessment.

In contrast to red teaming, however, the attackers already have initial access to the internal network, for example via a compromised VPN access or malware that is executed on a computer.

The basic idea is this: Just because a network appears secure at the current time, there is a high probability that attackers will still be able to gain initial access in one way or another.

What is the aim of Assume Breach?

The aim of an Assume Breach Assessment is to analyse in a targeted manner whether an attacker attempting to spread within the internal network is detected and effective measures are taken to prevent further spread and the outflow of data.

Typical sequence of events in a real attack on a company

An attacker gains initial access to the company

An employee uses the same password in several places. A social network to which the employee has logged in with the company email address suffers a data leak, as a result of which the employee's password becomes known. A hacker group exploits this and gains access to the internal network via the company's VPN.

No alarms!

As the employee regularly dials in himself via the VPN, the behaviour of the attackers has not yet been conspicuous. They gain access to a host on which the employee has user rights but can access different network shares.

Escalation of privileges!

The hackers can escalate their rights on the host and become the local administrator. This enables the attackers to download additional malware undetected and obtain further passwords and authorisation tokens.

Spreading in the network

The additional user information and authorisation tokens allow the attackers to spread further and further across the network undetected. They use not only hacker tools, but also programs available on the systems that are not recognised as malicious by any anti-virus programs.

Access to the heart of the company

By chaining rights escalations, the attackers gain access to the domain controller and thus control over all roles and rights assignments. Access to the backup server can now also take place undisturbed. The attackers have taken over the company and begin to extract data.


After large amounts of data containing sensitive internal company information have leaked out of the company, the hackers strike and encrypt all the files on the company's computers. They demand a large sum in cryptocurrencies before the decryption key is revealed.