Penetration Testing Methodology

RedTeam Security's Penetration Testing Methodology

When you build your security strategy, there is no one-size-fits-all solution. The same goes for penetration testing. RedTeam Security combines industry standard methodologies with experience to provide comprehensive and thorough results for our customers, regardless of the type of engagement. A penetration test will focus on identifying security threats on your networks, web and mobile applications, IoT devices, physical facilities, human assets, or other facets of your organization. Our security team will help detect any holes in your security controls and provide remediation recommendations based on best practices to help lower the ongoing risk of future cyber attacks.

RedTeam's approach consists of about 80% manual testing and about 20% automated testing, depending on the engagement. While automated testing enables efficiency, it is limited in its ability to fully assess and identify all risks in an environment and if generally only leveraged during the initial phases of a penetration test. At RedTeam Security, it is our belief that an effective and comprehensive test can only be realized through rigorous manual pen testing techniques.

RedTeam Security's Methodologies vary somewhat based on the type of engagement (network pen testing, wireless penetration tests, physical penetration tests, social engineering or Red Team engagements) but in general, they follow the same high-level steps.

Ultimately, our penetration testers aim to simulate a real-world physical attack on the target's most prized assets without the damaging consequences of an actual attack.

Before beginning any penetration testing engagement, the pre-engagement phase begins. During the pre-engagement phase, RedTeam Security will collect details required to execute and kick off the project. This phase is crucial as it establishes the overall rules of engagement for the penetration test.

Using the information gathered for the kick-off meeting, RedTeam Security will the necessary details to ensure the penetration testing is executed efficiently, effectively and in accordance with the overall objectives.

Information Gathering

The purpose of this step is to collectively map the in-scope environment and prepare for threat identification. Using the information collected for the kick-off meeting, RedTeam Security finalizes the necessary details for Gathering/ Open-Source Intelligence.

With most penetration testing services, the first phase is to focus on gathering as much information as possible about the target. This is done through passive reconnaissance and Open-Source Intelligence (OSINT). This is one of the most critical steps in the process because it helps to examine your organization from the perspective of a "bad guy" and enables RedTeam Security to see everything an attacker would by utilizing public tools, such as Google Earth, social media, and job boards. Using this approach, we can usually learn a great deal of information about your business, surroundings, and the environment.

By carefully examining the public side of your company, we learn helpful indicators about your organization, how it operates and uncover any sensitive information or weaknesses that might exist online.

Threat Modeling

With the information collected from the previous step, security testing transitions to identifying vulnerabilities. For network pen testing, this typically begins with automated scans initially but quickly morphs into manual testing techniques using more pointed and direct tools. During the threat-modeling step, assets are identified and categorized into threat categories. These may involve sensitive information, trade secrets, financial documents, etc.

During this phase, RedTeam Security penetration testers will:

• Use open-source, commercial, and internally developed tools to identify and confirm well-known vulnerabilities
• Spider the in-scope network device(s) to effectively build a map of each of the operating systems, open ports and services, and areas of interest
• Use discovered sections, features, and capabilities to establish threat categories to be used for more manual/rigorous testing (i.e., default admin credentials, session hijacking, known vulnerabilities in out-of-date components)
• Build the network's threat model using the information gathered in this and the previous phase to be used as a plan of attack for later phases of the assessment
• Upload vulnerability information to the customer portal for those vulnerabilities that exist but will not be exploited due to time constraints or risk to devices

Vulnerability Analysis

The vulnerability analysis step involves the review, documenting and analysis of vulnerabilities discovered as a result of information gathering and threat modeling. This includes the analysis of output from the various security tools and manual testing techniques. Vulnerability Analysis will include making a plan for exploitation and gathering exploits.

Exploitation

Unlike a vulnerability assessment, a network penetration test takes such a test quite a bit further specifically by way of exploitation. Exploitation involves actually carrying out the vulnerability's exploit (i.e., buffer overflow) in an effort to be certain if the vulnerability is truly exploitable.

During the Exploitation phase of a penetration test, RedTeam Security's pen testers will attempt to gain access to the devices, networks, or applications through the bypassing of firewalls and other security controls and by the exploitation of vulnerabilities in order to determine their actual real-world risk. Throughout this step, we perform several manual tests simulating real-world attacks that are incapable of being performed through automated means. This phase of a RedTeam Security penetration test consists of heavy manual testing tactics and is often the most time-intensive phase.

Exploitation may include but is not limited to credential harvesting/guessing, network sniffing, leveraging known vulnerabilities in outdated software.

As part of the Exploitation phase, RedTeam Security will:

• Attempt to manually exploit the security issues identified in the previous phase to determine the level of risk and level of exploitation possible
• Capture and log evidence to provide proof of exploitation (images, screenshots, configs, etc.)
• Notify the client of any Critical findings upon discovery by telephone and email
• Upload validated exploits and their corresponding evidence/information to the project portal for client review

Reporting

At RedTeam Security, we consider this phase to be the most important and we take great care to ensure we've communicated the value of our service and findings thoroughly. Upon completion of the assessment, RedTeam will provide an analysis of the current state of the assessed security controls. RedTeam will address comments, make necessary revisions and if requested, schedule a report presentation. The detailed contents of the deliverable are described below.

The report deliverable will include the following high-level sections in a format suitable for management:

• Purpose of the engagement including project's scope and approach
• Positive security controls that were identified
• Tactical resolutions to immediately reduce your network security risk
• Strategic recommendations for mitigating and preventing similar issues from recurring that could ultimately lead to a serious data breach

The report deliverable will also include the following in-depth analysis and recommendations for technical staff to understand the underlying risks and remediation recommendations:

• A technical description and classification of each vulnerability
• Anatomy of exploitation including steps taken and proof in the form of screenshots
• Business or technical risk inherent in the vulnerability
• Vulnerability classification that describes the risk level as a function of vulnerability impact and ease of exploitation
• Technical description of how to mitigate the vulnerability

Tools

In order to perform a comprehensive real-world assessment, RedTeam Security utilizes commercial tools, internally developed tools and some of the same tools that hackers use on each and every assessment. Once again, our intent is to assess systems by simulating a real-world attack and we leverage the many tools at our disposal to effectively carry out that task.