Penetration Testing Assessment Level 1
Compliance Armor recommends complete testing for all external-facing assets. Once the process of identifying vulnerabilities is complete, the Test Team will carefully select target systems for penetration testing, based on your unique vulnerabilities as well as common vulnerabilities we have observed in past engagements. The team will focus on those exploits which pose a true risk of illicit access to information assets, such as:
• Remote code exploitation
• SQL injection/data capture
• Any other serious potential data breaches
The team will avoid active exploitation of vulnerabilities which could cause a Denial-of-Service condition, unless specifically requested as in-scope for this assessment.
The Test Team will operate from Compliance Armor's headquarters and utilize the Internet for connectivity to your firm’s external systems.
While each Penetration Test will be tailored to the unique needs of each individual client, we generally proceed with the following steps:
5. Brute Force Attacks
7. Red Teaming/Blue Teaming
Setting the scope sets the pace for the overall Pen Test. It lets you know which vulnerabilities we are seeking to find and the ways in which they will be tested. It starts with Compliance Armor understanding which data is most critical to you and your business, which generally includes such sensitive information as SSNs, financial data and health data. Once we know what is important to you, we can start trying to access it.
Knowledge is power, which is why, during this phase, we will gather as much information as possible about not only your company, but your systems as well – both online and off. We will talk to your employees and access any information that is open to the public so that we can form as well-rounded a picture as possible. We may even attempt to trick your employees into giving us as much privileged access as we can get. Our goal is NOT to get anyone in trouble; we just want to test your security.
The discovery phase of testing is a two-part process that begins by mapping the footprint of the organization’s network and concludes with an analysis of that footprint, where we scour it for areas of potential compromise.
During the initial portion of the Discovery Phase, we utilize ethical hacking techniques and best practices to footprint the environment and conduct reconnaissance. This allows us to see what an external attacker would see while preparing an attack on your firm's networks and systems. Some of these activities are conducted through network port and service identification and are performed with external network service identification tools in order to identify potential targets.
In addition to port and service identification, other techniques are used to gather information on your system, including (but not limited to):
• DNS interrogation (external)
• Packet capture (internal)
Additionally, we review potentially unknown sensitive information published on the organization’s public website(s) or via other publicly accessible areas. This methodology usually leverages, but is not limited to, “Google Hacking”, web crawling of public websites and parsing through publicly accessible data via any legal means necessary to assist in our penetration methodology, goals and testing activities.
Our team’s intelligence gathering dives deep into the technical aspects of the engagement by reviewing the vulnerability scans for ports, services, and applications known to be exploitable. Further weight is also given to the business-critical assets and information; from there, a hierarchy is determined based on which of the targets are most appealing to an adversary. Once the targets have a prioritized attack order, consideration is given to the potential attacker profiles and to determining the steps needed to successfully gain a foothold in the environment. At this juncture, assets and attacker profiles have been identified, and the attack vector is defined. The remaining penetration testing activities will be based upon this determination.
In the second portion of the Discovery Phase, we analyze the information obtained through discovery; this analysis is absolutely critical to the overall success of the next phase. The testing team, supplemented with a skilled Security Analyst, reviews the results of the Discovery Phase, looking for patterns, trends or other hallmarks of weak security controls.
This information is reviewed against relevant vulnerability databases, as well as the tester’s own knowledge of vulnerabilities, allowing the team to inspect for high-risk vulnerabilities that may grant remote code execution on a compromised system, or enable the Test Team to exploit a flaw in a system’s given architecture (e.g. insufficient information to develop a Testing Plan, based on which vulnerabilities have the highest degree of potential success for a cyberattack.
Exploitation activities involve utilizing code which will provide the tester with access to the target. Once access is gained, the tester will perform tasks that further widen that access. These actions may include:
● Privilege escalation
● Establishing persistent connections
● Data exfiltration
● Screen captures
● Password grabbers
By using the compromised host as a pivot, the tester can use the system as a new staging area for further attacks against the environment. The tester will try to gain access to other systems that they would not have been able to access directly. These activities are repeated until no other target can be exploited.
Once a system is exploited, Brute Force Attacks will be used in an attempt to grab system and application passwords. The SAM or “Shadow” password files will be processed to determine if there are any null or simple passwords in the set. If there are insecure passwords identified, the team will then attempt to access those accounts in order to determine if the accounts have access to information otherwise not already obtained.
Additionally, Brute Force Attacks may be initiated against applications identified during the Information Gathering or Vulnerability Scanning phases. In these instances, dictionary attacks will be initiated using lists of common passwords. If the password policy is provided, the tester may start running through every possible password permitted by that policy; however, this is a very time-intensive exercise and is therefore not often followed through to completion.
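The shadow-file review described above is, from the defender's side, a routine audit: any account whose password field is empty can be logged into with no password at all, and MD5-crypt or traditional DES hashes fall to dictionary attacks far faster than SHA-512-crypt or yescrypt. The following added example (not Compliance Armor's tooling) parses constructed shadow-format entries and reports exactly those two conditions:

```python
"""Audit /etc/shadow-style entries for null passwords and legacy hash algorithms."""
from typing import List, Tuple

# Constructed sample entries; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERsha512cryptHASHvalueXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc_backup::19000:0:99999:7:::
legacy:$1$abcdefgh$PLACEHOLDERmd5cryptXX:19000:0:99999:7:::
deploy:!:19000:0:99999:7:::
"""


def classify_hash(field: str) -> str:
    """Classify the second (password hash) field of a shadow entry."""
    if field == "":
        return "null-password"   # login succeeds with an empty password
    if field.startswith(("!", "*")):
        return "locked"          # password login disabled; nothing to crack
    if field.startswith("$1$"):
        return "legacy-hash"     # MD5-crypt: cheap to brute force
    if "$" not in field and len(field) == 13:
        return "legacy-hash"     # traditional DES crypt: 8-char limit, very weak
    return "ok"                  # $5$ (SHA-256), $6$ (SHA-512), $y$ (yescrypt), ...


def audit_shadow(text: str) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for entries that need remediation."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                 # malformed line; skip rather than guess
        user, pw_field = fields[0], fields[1]
        verdict = classify_hash(pw_field)
        if verdict in ("null-password", "legacy-hash"):
            findings.append((user, verdict))
    return findings


if __name__ == "__main__":
    for user, finding in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {finding}")
```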
In the social engineering phase, we will further attempt to entice your employees using social means such as phishing emails, virus-ridden USBs, good old-fashioned phone calls, and other means as we see necessary, to attempt to gain access.
Human error is the number one cause of successful cyberattacks, so this phase is critical.
Red Teaming and Blue Teaming are military references in which essentially the troops are scrimmaging in order to find and then strengthen weaknesses and vulnerabilities. The same concept applies when discussing Red Teams and Blue Teams in the cybersecurity world and crafting an effective “Purple Teaming” approach, which is the blending of Red and Blue Teaming.
A cybersecurity Red Team (aka “adversarial simulation”) reenacts a real-world threat, meaning that we will play the role of a relevant attacker, mimicking their tactics, techniques and procedures (TTPs). Real-life scenarios are constructed and played out to completion, including physical security testing, social engineering, 3rd party relationships, hacking, malware insertion, pivoting and human manipulation.
It focuses on your company’s ability to not only detect, but also respond to a sophisticated cyber threat. It emulates those TTPs in order to identify entry points into your systems and networks that might have been overlooked, searching out backdoors while also testing your defenses.
The Blue Team reenactments are similar to the Red Team's, but what makes them slightly different is that once a Red Team has gone in and completed its simulated attack, a Blue Team will find ways to defend, or to modify the existing defenses, so as to fortify any future incident response needed by the company.
The Blue Team will attempt to defend against the Red Team by such means as monitoring both network and app traffic, reviewing logs, SIEM data and threat intelligence data, and then analyzing this data to detect any potential openings.
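Reviewing logs for the brute-force activity from step 5 is one of the simplest Blue Team detections. As an added example (not Compliance Armor's tooling), the code below runs a sliding-window rule over constructed sshd-style auth log lines (RFC 5737 test addresses): it alerts when one source exceeds a failure threshold within the window, and separately when a login is accepted from a source that has just crossed that threshold, which is the event that matters most for incident response.

```python
"""Flag brute-force login activity in sshd-style auth log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (RFC 5737 test addresses), not from a real host.
SAMPLE_LOG = """\
Jan 12 10:15:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 10:15:03 web1 sshd[2213]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 12 10:15:04 web1 sshd[2215]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan 12 10:15:06 web1 sshd[2217]: Failed password for deploy from 203.0.113.5 port 51240 ssh2
Jan 12 10:15:07 web1 sshd[2219]: Failed password for deploy from 203.0.113.5 port 51242 ssh2
Jan 12 10:15:09 web1 sshd[2221]: Accepted password for deploy from 203.0.113.5 port 51244 ssh2
Jan 12 10:20:00 web1 sshd[2300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jan 12 10:31:00 web1 sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2024):
    """Return (timestamp, result, user, ip) or None; syslog lines carry no year."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(log, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window rule: alert on the Nth failure per source, and on any later success."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    alerts = []
    for line in log.splitlines():
        ev = parse(line)
        if ev is None:
            continue                # not an auth result line; ignore
        ts, result, user, ip = ev
        if result == "Failed":
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) == threshold:
                alerts.append(("brute-force", ip, ts))
        elif len(failures[ip]) >= threshold:
            alerts.append(("success-after-brute-force", ip, user))
    return alerts
```

The single failure from 198.51.100.7 followed by a key-based login stays below the threshold and produces no alert, which is the behaviour a tuned rule should have against ordinary typos.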
Once we have gathered as much information as possible, it will be written up for the business so that you can understand where you stand. This completes the reporting phase.
During this final step of remediation, we analyze all the data and work with you on securing your network to protect your business against REAL cybercriminals.
At Compliance Armor, we've spent over 20 years becoming experts so that you don't have to.