The Reality of Today’s Cybersecurity Challenges
Assess, Adapt, Overcome
Our RED TEAM is a global group of trusted security professionals dedicated to simulating real-world cyberattacks on your organization's systems, networks, and physical infrastructure. The key difference? Ethics. We employ the same tools, techniques, and methodologies as criminal hackers to rigorously test your cyber defenses. Our ultimate goal is to highlight and measure the effectiveness of your BLUE TEAM's people, processes, and technology in detecting and defending against threats.
We offer simple, firm fixed-price work orders. Our comprehensive reports serve as attestations of the contracted work and can be used to validate or enhance technical controls, including cyber insurance and regulatory requirements for annual third-party assessments.
Step 1: Choose Your Scenario for Testing
External Penetration Testing
- Active Hosts/IPs: Could you provide an approximate number of active hosts/IPs exposed to the internet across your office, datacenter, and cloud infrastructure?
- Testing Restrictions: Are there any specific day or time restrictions for conducting the testing?
- Reporting Requirements: We typically provide a single report with an executive summary, technical details, and third-party attestation. Do you have any additional reporting requirements for this project?
- Deadlines: Are there any specific deadlines for the execution of the project and the delivery of the report?
- Security Controls: Are there any existing security controls (e.g., WAF, IDS/IPS) that we should be aware of?
- Internal Environment Size: Could you provide an approximate size of the internal environment across all offices, datacenters, and cloud infrastructure, including the number of network-connected systems (endpoints, servers, infrastructure)? Approximate numbers are acceptable (e.g., 100, 250, 500, 2000).
- Number of Employees: How many employees are there in the organization?
- Testing Restrictions: Are there any specific day or time restrictions for conducting the testing?
- Reporting Requirements: We typically provide a single report with an executive summary, technical details, and third-party attestation. Do you have any additional reporting requirements for this project?
- Onsite Requirement: Our standard engagement is performed remotely via a supplied virtual machine or hardware. Is onsite presence a requirement for this project?
- Deadlines: Are there any specific deadlines for the execution of the project and the delivery of the report?
- Security Policies: Are there any internal security policies or procedures we should be aware of?
- User Count: Could you provide an approximate number of users that would be part of the campaign(s)?
- Campaign Types: Would you like to use multiple types of campaigns for different departments?
- Phone-Based Campaign: Would you like to include a phone-based social engineering campaign?
- Target Discovery: Would you like us to conduct target discovery, or will a target list be provided?
- Specific Scenarios: Are there any specific scenarios or high-value targets you want to focus on?
- Application Details: Could you provide the name and, if available, the URL of the application?
- Functionality Description: Could you provide a brief description of the application's core functionality, target users, and their capabilities?
- User Input Pages: Approximately how many user input pages are there?
- User Types: How many different user type profiles exist within the application (e.g., standard user, client admin, site admin)?
- Public APIs: Are there any publicly facing APIs? If so, can you provide API documentation? If documentation is not available, could you provide an approximate number of API endpoints?
- Testing Restrictions: Are there any specific day or time restrictions for conducting the testing?
- Source Code/Logs: Can access be provided to the application source code and/or logs? While not required, access to code and logs can improve coverage and accuracy of the assessment.
- Reporting Requirements: We typically provide a single report with an executive summary, technical details, and third-party attestation. Do you have any additional reporting requirements for this project?
- Specific Standards: Does this application require an OWASP ASVS Cloud Application Security Assessment?
- Deadlines: Are there any specific deadlines for the execution of the project and the delivery of the report?
- Application Details: Could you provide a brief description of the application's core functionality, target users, and their capabilities?
- User Types: How many different user type profiles exist within the application (e.g., standard user, client admin, site admin)?
- Public APIs: Could you provide information on the public APIs the mobile app uses, if available, or the number of API endpoints?
- Mobile Platform: What is the mobile application platform (iOS and/or Android)?
- Certificate Pinning: Does the application use certificate pinning? If so, can a debug build be provided to allow for data transmission analysis?
- App Build: Can you provide an application build outside of the native app store (an APK file for Android and/or an IPA build for the x86 iOS simulator)?
- Reporting Requirements: We typically provide a single report with an executive summary, technical details, and third-party attestation. Do you have any additional reporting requirements for this project?
- Deadlines: Are there any specific deadlines for the execution of the project and the delivery of the report?
- Application Details: Could you provide the name and, if available, the URL of the application?
- Functionality Description: Could you provide a brief description of the application's core functionality, target users, and their capabilities?
- User Input Pages: Approximately how many user input pages are there?
- User Types: How many different user type profiles exist within the application (e.g., standard user, client admin, site admin)?
- Public APIs: Are there any publicly facing APIs? If so, can you provide API documentation? If documentation is not available, could you provide an approximate number of API endpoints?
- Testing Restrictions: Are there any specific day or time restrictions for conducting the testing?
- Source Code/Logs: Can access be provided to the application source code and/or logs? While not required, access to code and logs can improve coverage and accuracy of the assessment.
- Mobile Platform: What is the mobile application platform (iOS and/or Android)?
- Certificate Pinning: Does the application use certificate pinning? If so, can a debug build be provided to allow for data transmission analysis?
- App Build: Can you provide an application build outside of the native app store (an APK file for Android and/or an IPA build for the x86 iOS simulator)?
- Reporting Requirements: We typically provide a single report with an executive summary, technical details, and third-party attestation. Do you have any additional reporting requirements for this project?
- Deadlines: Are there any specific deadlines for the execution of the project and the delivery of the report?
- AWS Accounts: How many AWS accounts are in scope?
- Account Management: Are you using AWS Organizations (ORGs) or is there another way these accounts are centrally managed?
- EC2 Instances: Approximately how many EC2 instances are within each tenant?
- IAM Roles: How many IAM roles exist across all accounts?
- VPCs: How many VPCs are within each tenant?
- Custom IAM Roles: Approximately how many custom IAM roles are in scope?
- Public IPs: How many public-facing IPs are there?
- Serverless/API Services: Are you utilizing AWS API Gateway, Lambda, Cognito, ECS, or any other AWS "serverless"/API offering?
- RDS Instances: Are there any RDS instances (AWS managed database)?
- Deadlines: Are there any specific deadlines for the execution of the project and the delivery of the report?
- Tenants: How many Azure/Microsoft365 tenants are in scope?
- Licenses: Could you provide the type and approximate number of Azure/Microsoft licenses in use within each tenant?
- Infrastructure: Apart from Azure AD, is there any infrastructure in use within the Azure tenant? If so, please provide details.
- Deadlines: Are there any specific deadlines for the execution of the project and the delivery of the report?
- Physical Locations: Could you provide a listing of all physical locations that are in scope for the wireless/physical test? For each location, please include:
  - Address, or city and state.
  - Type (office building, factory, campus, plant).
  - Approximate size in square feet, number of floors, etc.
  - Approximate number of employees at the location.
  - Number of SSIDs at the location.
- Testing Restrictions: Are there any specific day or time restrictions for conducting the testing?
- Deadlines: Are there any specific deadlines for the execution of the project and the delivery of the report?
- Security Policies: Are there any internal security policies or procedures we should be aware of?
- Device Information: Can you provide detailed information about the device model, its intended use, and the environment in which it operates?
- Data Integrity: How does the device ensure the integrity of the data it collects and processes? Are there mechanisms to prevent unauthorized data alteration or corruption?
- Data Exfiltration: What measures are in place to prevent unauthorized data exfiltration through physical interfaces (e.g., USB, UART) or wireless communications?
- Firmware/Software Security: Can you provide the device’s firmware or software binary for analysis? Are there any known vulnerabilities or security flaws?
- Physical Interfaces: What physical interfaces (e.g., USB, UART) does the device have, and how are they secured against unauthorized access or manipulation?
- Wireless Security: Does the device use any wireless communications (e.g., Bluetooth, Wi-Fi)? If so, how are these communications secured?
- Tampering Resistance: What measures are in place to prevent tampering with the device, such as sensor manipulation or unauthorized software modifications?
- Recovery Mechanisms: What recovery mechanisms are in place to restore the device to a functional state in case of an attack or failure?
- Deployment Environment: Can you provide details about the deployment environment and the operational conditions the device will face?
- Data Security: How does the device ensure the confidentiality, integrity, and availability of the data it processes?
- Physical Security: What physical security measures are in place to prevent unauthorized access or tampering with the device?
- Communication Security: How are communications secured, especially in hostile environments? Are there encryption mechanisms in place?
- Resilience and Redundancy: What measures are in place to ensure the device remains operational under adverse conditions, such as physical damage or cyber-attacks?
- Compliance: Does the device comply with relevant military standards and regulations? Can you provide documentation to support this?
- Device Functionality: Can you provide a detailed description of the device’s functionality and its role within the banking infrastructure?
- Data Protection: How does the device protect sensitive financial data? Are there encryption mechanisms in place for data at rest and in transit?
- Access Control: What access control mechanisms are in place to prevent unauthorized access to the device and its data?
- Physical Security: How is the device physically secured to prevent tampering or theft?
- Compliance: Does the device comply with relevant financial regulations and standards? Can you provide documentation to support this?
- Incident Response: What incident response mechanisms are in place to detect and respond to security breaches involving the device?