After initiating the project, we collect the scoping/target information from the client. This information includes IP address range or any specific IP addresses, compromise goals to help us focus on particular attacks, and information that can help us prevent issues, such as dynamically changing IP addresses, account lockout policy and any production web forms to avoid. This process also involves a brief meeting with the client to review and acknowledge the rules of the penetration testing engagement and confirm project scope and testing timelines.
The second phase involves gathering information from publicly available resources using open source intelligence gathering tools and techniques. This data helps to understand the operating conditions of the organisation, which further allows us to assess the risk accurately as the engagement progresses. Target information might include:
• Hosting providers.
• Credentials exposed in any previous breach.
• Domains and subdomains in use by the organisation.
• Misconfigured web servers and leaked data.
During this phase, we scan the network using a variety of automated scanning tools and scripts to identify existing vulnerabilities. We also thoroughly examine all possible attack vectors. This information is collected in order to plan and strategise the exploitation phase. The following are some of the parameters considered while conducting vulnerability analysis.
• Enumerating subdomains and directories.
• Open ports and services.
• Checking for possible misconfigurations in cloud services.
• Correlating public and proprietary vulnerabilities with the applications/systems on the network.
In this phase we attempt to exploit the vulnerabilities identified in the previous phases of the assessment and prove the existence of the conceptual attack vectors while preserving the integrity of the network. We also eliminate the false positives reported by the automated scanning tools. On successful compromise of a system/device, we proceed to escalate privileges to admin/superadmin user accounts. This helps us to evaluate the realistic risk level associated with successful exploitation of the vulnerability.
After completing the assessment, SecureTriad provides an assessment report which includes an executive summary and technical findings. The executive summary is written for management consumption and is a high-level overview of assessment activities, scope, the most critical issues discovered, and overall risk scoring. We also include strategic recommendations to assist business leaders in making informed decisions regarding their information systems/devices. The technical findings list all vulnerabilities individually, with details for recreating the issue (with the necessary screenshots), an explanation of the potential risk, recommended remediation actions, and helpful reference links.