Guest article by the Aachen Chamber of Industry and Commerce
Going Where it Hurts
RedTeam Pentesting GmbH Puts IT Systems to the Test Worldwide – a Service That is High in Demand
In the film Sneakers, cinema legends Robert Redford and Sidney Poitier form a professional team that specializes in completely legal burglaries. On behalf of companies, such as banks, they identify weaknesses in their systems. And “hacking” already plays an important role in this 1992 film. Around 30 years later, Jens Liebchen and Patrick Hof and their staff can be seen to be the real-world equivalent to the Hollywood team, so to speak. RedTeam Pentesting GmbH, which is run by the two computer scientists, was founded in 2004 as an RWTH spin-off and has since won several awards, offers so-called penetration tests to companies and institutions. “We don't do anything else,” emphasizes Jens Liebchen. “This specialization sets us apart.”
The Aachen-based company can rightly be described as a “hidden champion”. Hardly any of their daily work reaches the public, even though almost everyone knows and uses systems that have been tested by the experts. They were one of the first on the market in this area, and “the number of competitors is small, even on an international level,” says Jens Liebchen. The company has earned a reputation for uncovering errors that would otherwise go unnoticed. Accordingly, they are very successful in this niche market. The IT professionals have already been deployed on all continents, with the exception of Africa.
“We even ward off US competitors.”
In times of countless criminal cyber attacks, some of which have devastating consequences, the demand for the skills of the savvy but ultimately harmless attackers is enormous. “Even when we were still part of RWTH, we were overrun with demand,” recalls the co-founder. Nothing has changed to this day. Quite the opposite, in fact: “We are fully booked for months.”
Software, Washing Machines and Banks Under Scrutiny
The business model consists of putting IT systems to the test – globally. Obviously RedTeam Pentesting does not provide any information about their customers. But this much can be revealed: “We test software and hardware, large networks and small apps, washing machines and televisions, online stores and production lines, hospitals and defense facilities, power plants, laboratories, and banks,” explains Jens Liebchen.
In alternating teams of three, the experts put themselves in the shoes of a criminal hacker and look for security loopholes in the system. They develop a special strategy of attack for each customer. “There are a few standards that we take into account in every test, but the most important thing is to be professionally creative,” says the managing director. There is a predetermined time limit for finding and documenting the loopholes. Our portfolio begins with with five days involving the entire team. "The maximum is usually 15 ‘team days’ per client."
Payment is based on time spent. “Whether we find 20 or 200 flaws does not affect the costs.” And “we always find something”, explains Jens Liebchen. Should the result of a test be dramatic, this may result in drastic consequences: “We sometimes advise shutting down a system as quickly as possible.” In these cases, there is too great a risk of malware infiltrating the system.
In the presentation of the results, the clients are often stunned by how the security systems in place were overcome and how the team succeeded in accessing valuable, even existential data. Communicating such controversial test results and what they actually mean – whether to corporate CEOs or high-ranking politicians – is one of the team members' core competencies.
Trust and Reliability Are the Company's Top Priorities
It is all too understandable that the relationship between customer and service provider must be based on trust. “We don't simulate, but actually penetrate deep into the companies.” And not just on digital paths, but sometimes through real doors.
“We sometimes physically go into companies and see if we can gain access to the server room, for example.” And does it work? “Far too often, unfortunately.”
The growth of RedTeam Pentesting is currently only limited by the number of employees. “Personnel reinforcement is therefore always welcome.” Trust and reliability are more important in the company than university degrees and certificates because the company’s employees deal with highly sensitive data. “Sometimes we show banks how to move a few million euros to demonstrate the extent of a vulnerability.” A good command of German and English is a prerequisite for joining the team. Of course, you also need prior knowledge of the subject matter. “You then learn the relevant techniques with us,” says Jens Liebchen. The team is not just made up of IT specialists; it also includes electrical engineers and physicists.
As the company’s services are in high demand, Jens Liebchen and Patrick Hof could easily take on 10 or 20 more staff. But first, you have to find suitable candidates. The industry is suffering from a shortage of skilled workers. This is another reason why RedTeam Pentesting GmbH recently relocated. The new offices with over 500 square meters of space are located in the listed Kapuzinerkarree building with a view of the inner courtyard. Fiber optic cables deliver images to any workstation in real time. A seven-figure sum was invested in the relocation, the company's largest investment to date.
The necessary work also included special protection of rooms and technology, ensuring that the company itself does not become the victim of an attack itself. “Obviously, our opponents are also highly professional.”
– Author: Daniel Boss