Frequently asked question

What methodology does Proactive risk follow when conducting a full-scope CATSCAN® project?

Phase I - Information Gathering and Vulnerability Detection
A critical phase in a CATSCAN® project focuses on collecting information about infrastructure, facilities, and employees. The team becomes laser-focused on gathering as much information as possible about the target(s). Open Source Intelligence Gathering can be quite telling about a target, its people, its facilities, and its technical makeup, such as physical/logical security controls, foot traffic, terrain, infiltration and exfiltration points, etc.
​​​
Phase II - Information Analysis, Planning and Weaponization
​Effective weaponization involves preparing the operation unique to the target, taking into account intel gathered from the reconnaissance stage. This commonly includes: crafting custom file payloads, prepping RFID cloners, configuring hardware trojans, acquiring social engineering costumes, creating falsified personas/companies, and much more.

​Phase III - Attack and Penetration
The Delivery stage is a critical stage of the execution phase. This marks the active launch of the operation in totality. Here, Consultants carry out the actions on the target(s) intended to reach the CATSCAN® Operation’s goals. Things like physically cloning badges, social engineering face-to-face targets, analyzing cyber vulnerabilities, planting hardware trojans for remote network persistence, etc. Among one of the most important objectives is to note the best opportunities for exploitation.

Phase IV - Privilege Escalation and Exploitation
Exploitation during a CATSCAN® project is exactly what it sounds like. At this point, the goal is to “break-in” or compromise servers/apps/networks, bypass physical controls (ie: gates, fences, locks, radar, motion detection, cameras) and exploit target staff through social engineering by face-to-face, email, phone, fax or sms/txt. The exploitation stage enables the preparation for the escalation and installation phase.

Phase V - Installation
The installation stage’s primary goal is to prepare for persistence. This could amount to cyber persistence or physical persistence, although cyber persistence is generally slightly more common. During this stage, we establish a beachhead by taking advantage steps taken in the exploitation step. Things like privilege escalation on compromised servers, shells, malicious file payload installation, usage of physical key impressions, and lockpicked doors happen here.
CATSCAN® is not a normal penetration testing service. Instead of providing a commodity assessment, CATSCAN® provides novel red team services that closely match the operational cadence of real-world attacks. CATSCAN® enables customers to have much better insight into their security posture by witnessing well-trained and tool-rich operators attempt to gain access to their network. CATSCAN®​ is the next evolution in offensive services.

​Phase VI - Command & Control
Maintaining persistence is the goal for Command & Control. Also generally cyber-focused, ProactiveRISK takes steps to ensure remote access to exploited systems are stable and reliable setting the stage for data exfiltration and other post-exploitation tasks/goals. On the physical and social side, manipulating people into enabling circumvention of physical barriers in order to create backdoors into facilities are key.

​Phase VII - Actions on Objective
During this phase of a CATSCAN® project, the team aims to complete the mission and realize the agreed-upon objectives set by the client and ProactiveRISK Security. Actions on objective happen through lateral movement throughout the cyber environment as well as the physical facilities. Pivoting from compromised systems and from breached physical security controls all along capturing video, audio and photographic evidence supporting each finding discovered.

​Ultimately, the team aims to exfiltrate data, information, or physical assets the target deems critically sensitive.
When attempting to "scope" a project to cost and time we have to ask a summary of questions to determine the size and labor required on the project.  Below are some of the most common questions assocaited with providing you with a not to exceed proposal for the work.  
External Penetration Testing
  1. Please provide approximate number of active hosts/IPs exposed to the internet across office, datacenter and cloud infrastructure.
  2. Are there any day/time restrictions for the testing?
  3. We normally provide a single report with executive summary and technical details as well as third party attestation. Do you have any additional reporting requirements for this project?
  4. Are there any specific deadlines for project execution and report delivery?
 
Internal Penetration Testing
We need to determine size of the internal environment across all offices, datacenters, cloud infrastructure. Approximate number of network-connected systems including, endpoints, servers, infrastructure. Approximate numbers are ok - 100, 250, 500, 2000 etc. Number of employees is also helpful.

  1. Are there any time/day restrictions for the testing to be deliverd?
  2. We normally provide a single report with executive summary and technical details as well as third party attestation. Do you have any additional reporting requirements for this project?
  3. Our standard engagement is performed remotely via CT supplied virtual machine or hardware. Please specify if onsite presence is a requirement for this project.
  4. Are there any specific deadlines for project execution and report delivery?
  
Social Engineering Campaign
We typically test using single scenario email-based social engineering campaign to impersonate business partner or service provider. Goal is to test click rates and entice users to reveal their credentials or authorize application access (OAuth attacks). Singe scenarios are typically not effective against entire company so they should be targeted against specific groups or high value targets. We can also perform multi scenario campaigns against different departments.
  1. Please provide approximate user count that would be part of the campaign(s).  
  2. Would like to use multiple types of campaigns for different departments?
  3. Would you like to include a phone-biased social engineering campaign?
  4. Would you like us to do target discovery or target list will be provided?
 
 
Web Application Assessment
  1. Please provide name and if available the URL of the application.
  2. Please provide brief description of the application functionality - what is the core functionality, who the users are what capabilities exist for these users.
  3. Approximate number of user input pages.
  4. How many different user type profiles exist within the application? (standard user, client admin, site admin etc.).
  5. Are there any publicly facing APIs, if so, can you provide API documentation? If not available, then approximate number of API endpoints.
  6. Are there any day/time restrictions for the testing?
  7. Can access be provided to the application source code and/or logs? While not required, access to code and logs can improve coverage and accuracy of the assessment.
  8. We normally provide a single report with executive summary and technical details as well as third party attestation. Do you have any additional reporting requirements for this project?
  9. Does this application require a OWASP ASVS Cloud Application Security Assessment 
  10. Are there any specific deadlines for project execution and report delivery?
 
Mobile Application Assessment
Please provide brief description of the application functionality - what is the core functionality, who the users are what capabilities exist for these users.
  1. How many different user type profiles exist within the application? (standard user, client admin, site admin etc.).
  2. Public API information – application API documentation mobile app uses if available or number of API endpoints.
  3. What is the mobile application platform IOS and/or Android?
  4. Does application use certificate pinning? If so, can debug build be provided to allow for data transmission analysis?
  5. Can you provide application build outside of native app store? (APK/IPA application file for Android and IPA build for x86 IOS simulator)
  6. Are there any specific deadlines for project execution and report delivery?
  
Web Application Assessment with Mobile App
  1. Please provide name and if available the URL of the application.
  2. Please provide brief description of the application functionality - what is the core functionality, who the users are what capabilities exist for these users.
  3. Approximate number of user input pages.
  4. How many different user type profiles exist within the application? (standard user, client admin, site admin etc.).
  5. Are there any publicly facing APIs, if so, can you provide API documentation? If not available, then approximate number of API endpoints.
  6. Are there any day/time restrictions for the testing?
  7. Can access be provided to the application source code and/or logs? While not required, access to code and logs can improve coverage and accuracy of the assessment.
  8. What is the mobile application platform IOS and/or Android?
  9. Does application use certificate pinning? If so, can debug build be provided to allow for data transmission analysis?
  10. Can you provide application build outside of native app store? (APK/IPA application file for Android and IPA build for x86 IOS simulator)
  11. We normally provide a single report with executive summary and technical details as well as third party attestation. Do you have any additional reporting requirements for this project?
  12. Are there any specific deadlines for project execution and report delivery?
 

AWS Configuration Review:
These questions only apply to AWS config review with R/O admin privileges given. For external pen test or web application testing in AWS standard pen test webapp questions apply.
  1. How many AWS accounts are in scope?
  2. Are you using AWS ORGs or is there any other way these accounts are centrally managed?
  3. Approximately how many EC2 instances within each tenant?
  4. How many IAM roles exist across all accounts?
  5. How many VPCs within each tenant
  6. Approximately how many custom IAM roles are in scope?
  7. How many public facing IPs
  8. Are you utilizing AWS API Gateway, Lambda, Cognito, ECS, or any other AWS "serverless"/API offering?
  9. Are there any RDS instances (AWS managed database)?
  10. Are there any specific deadlines for project execution and report delivery?
 
Azure/Microsoft365 Configuration Review:
These questions only apply to Azure/Microsoft365 config review with R/O admin privileges given.
1.How many Azure/Microsoft365 tenants are in scope?
2.Please provide type and approximate amount of Azure/Microsoft licenses in use within each tenant.
3.Apart from Azure AD, is there any infrastructure in use within Azure tenant? If so, please provide details.
  1. Are there any specific deadlines for project execution and report delivery?
 
Wireless Assessment:
​Provide listing of all physical locations that are in scope for the wireless physical test. For each location please include:
  • Address or city, state.
  • Type (office building, factory, campus, plant)
  • approximate size in sqft, number of floors etc.
  • approximate number of employees at the location.
  • number of SSIDs at the location
 

Contact Info

Proactive Risk Inc.
759 Bloomfield Ave #172
West Caldwell, NJ 07006
Tel: +1 (973)298-1160
Web: www.proactiverisk.com
eMail: sales(at)proactiverisk.com
© COPYRIGHT 2021. ALL RIGHTS RESERVED.