If everybody's thinking alike, somebody isn't thinking
General George S. Patton
The tools, techniques, and practices (TTP) of attackers are constantly changing. Our Red Team services are designed to help your organization stay ahead of them. Our Red Team assessments provide clients with a 'real world' test of their environment that individual assessments cannot provide. Attackers do not focus on one specific area of your organization to achieve their goals; instead, any and all possible avenues are investigated, including cyber, physical, and social attacks.
While targeted testing such as specific application penetration tests do serve a purpose and are an effective part of a defense in depth strategy, a full red team assessment enables an organization to truly identify how vulnerable it is.
Underneath our Red Team services banner are a number of specific services which are used by clients to test various aspects of their organization. All our assessments assume the role of an attacker trying to access what is most vital to your organization. Rather than targeting a specific server or application, we feel that the best way to identify what attackers could do is to think like them: what is my target, and what can I do to get it?
Red Team Assessment
Our red team assessments combine all the elements of our more targeted assessments to provide your organization with a holistic assessment of your security controls. Attackers target organizational assets and will determine the best method to obtain them; this could be in any of the three domains in which we operate - Cyber, Physical, and Social.
Starting from the viewpoint of your adversary we evaluate potential vectors for attack and determine the best courses of action. Often, these are outside the realm of "traditional" security thinking and lead to our clients being made aware of risks they never knew they had.
OSEC uses both automated and manual testing methods to discover, enumerate, and test for the presence of vulnerabilities in web applications. A variety of automated scanning tools are used, coupled with manual investigation to allow accurate verification and exploitation to gain access to the highest levels of privilege and data. Core testing focuses on common issues, such as those identified in the Open Web Application Security Project (OWASP) Top Ten security vulnerabilities (including XSS, injection, CSRF, authentication and session management issues, and incorrect use of cryptographic controls), as well as other non-public vulnerabilities in authentication, access control, and data integrity that OSEC's research and assessment teams have discovered in other applications and services. OSEC's investigation and analysis also goes further than most others in its use of fuzzing and reverse engineering for any service endpoints or protocols that are proprietary to the application and are judged likely to contain exploitable issues.
Our assessment methodology can incorporate both unauthenticated and authenticated testing, with the former replicating attacks using no prior knowledge of the application, insider information, or authentication credentials. We will identify vulnerabilities that could be exploited in discovered interfaces to gain information and access, establish sessions, and where possible, privileges to both log in and extract as much information as possible from the application and associated data stores. Should credentials be supplied, we can assess those parts of the application that authorized users could access and manipulate, and test for issues related to privilege escalation, subversion of business logic checks, or flaws that otherwise compromise the integrity of the application and accessible data. Testing teams will identify vulnerabilities that could be exploited upon login, and once a session has been established, we will iteratively use the above testing techniques and analysis to discover vulnerabilities and attempt exploitation to gain as complete access to data as possible.
Our unique methodology and assessment techniques also extend to how we report our findings and suggest mitigations. For any vulnerability exploited, OSEC will evaluate the level of skill, resources, and time required for the attack and weigh the risk against those factors, using methods similar to those used by attackers. This allows findings to be accurately understood, gives an appreciation of the level and type of threats being faced, and indicates the likelihood that attackers will succeed in compromising the applications and the systems on which those applications run. As with our other services, we aim to concisely and lucidly tell you only the relevant risks and issues, and how you can most effectively fix them.
Network Penetration Assessment
Network penetration tests use both automated and manual testing methods to discover, enumerate, and test for the presence of vulnerabilities on an organization's network. Testing can be done either external to the network or internal; both viewpoints have benefits and each addresses different types of attack. Various elements of these tests are customized to meet the needs of clients, for example what level of access the testers should attempt to obtain, whether they should target any specific data, and whether other testing approaches such as social engineering can be used.
Internal testing provides the ability to test for the "insider threat". While external attackers tend to gather the majority of attention, it is the internal attacker who creates the most damage. An insider already has access to systems and resources, may be aware of security controls, and is unlikely to be thwarted by network security systems (the majority of which tend to be placed at the network perimeter - wherever that may be). Testing from this perspective often highlights risks that had never been considered.
OSEC's in-depth knowledge of popular mobile/smartphone platforms allows us to apply proprietary analysis methods along with automated scanning at both the source and binary level to effectively assess the security of mobile applications. Our researchers analyze the application itself - taking source code if available, or decompiling and reverse-engineering as necessary - and apply mobile-platform-specific testing in addition to traditional code analysis. As well as constructing exploitation scenarios, we evaluate the hardware, OS, and software platform itself to gain a complete picture of the associated security risks across various vulnerability classes. Those classes include overflows, injection, denial of service, and platform issues, as well as risks arising from mobile networks (including GSM, WiFi, 3G, and so forth). Once all vulnerabilities have been identified, the analysis team focuses on constructing remediations to eliminate the possibility of exploitation or, where necessary, on developing recommendations for other controls that can be applied to reduce the associated risks.
Physical Security Assessment
Physical security is often the weakest link in an infrastructure. Considerable focus tends to be given to technical threats and the ability for data to be compromised and stolen by electronic means. However, if physical security controls are inadequate, then any technical control can be rendered useless.
Our physical security assessments utilize the tools, techniques and practices of real world attackers to determine if your physical security controls will effectively address the threats you face.
Social Engineering Assessment
Social engineering focuses on testing the "human" aspects of your organization's security posture. Physical and technical controls can be bypassed by an employee revealing a password or holding a door open. Organizations typically use security policies and training to protect against social engineering. We believe that active testing via social engineering assessments is the only way to have confidence that policies and training are effective.
For large organizations, or those that already have extensive security assessment programs, our scenario analysis can provide a unique perspective. Building upon threat modeling and what is often known as "blue teaming", we create unique attack scenarios that are then tested to identify gaps in the target's security monitoring.