Our Approach and Methodology
The SecureState Profiling Team is well known and highly regarded for its expertise in Penetration Testing. Our approach follows industry-accepted testing methodologies such as PTES, NIST SP 800-115 and OSSTMM. Because the testing is performed against a published methodology, our clients can replicate the testing SecureState performed in their own environment and verify that identified vulnerabilities have actually been mitigated. The SecureState Profiling Team also uses its Penetration Tests to identify strategic "root cause" issues (the process or design weaknesses behind individual findings). Our Risk Management Team works closely with the Profiling Team to help clients mitigate these strategic "root cause" issues.
Phase I – Pre-engagement Interactions:
In this phase, SecureState works with the client to establish the rules of engagement and the scope of testing, and both parties exchange contact information for use during the test. Next, we provide a detailed Project Charter containing the agreed scope and all the other elements required to conduct the testing. The Project Charter is reviewed on the kickoff call prior to the beginning of the engagement.
Phase II – Intelligence Gathering:
SecureState begins any Client Side Penetration Test by conducting an extensive search of open source intelligence on the target company and its employees. This research gathers pertinent information about the company and its employees from public databases, tax records, job postings, social networks, Internet search engines, and many other public sources.
Additionally, SecureState develops attack scenarios tailored to the specific company and its employees. These scenarios are based on the intelligence gathered in this phase.
Phase III – Pretexting:
Pretexting is the creation of a believable scenario that convinces the victim to click a link, visit a website, or take some other action. In some cases this involves an elaborate scenario that includes impersonating current or former employees. For example, SecureState can create a website designed to elicit user account credentials for a web mail system, or can call an employee while impersonating a help desk worker and solicit the employee's account credentials. Once we have valid credentials, SecureState can log in and gather further information about the victim and the company. Another example is a highly convincing phishing email sent to multiple employees; the email appears to originate from the target company and so gains the employees' trust. These examples simulate real attacks that have led to security breaches in the past. Furthermore, SecureState can create custom scenarios based on threats identified during scoping or intelligence gathering.
Phase IV – Exploitation:
Once the pretexting phase is complete, the exploitation phase begins. SecureState sends emails or makes phone calls based on the pretexting scenarios previously developed. For every attack SecureState initiates in the exploitation phase, the goal is to compromise the client's computer so that it can be used to "pivot" to other systems on the network. SecureState may initiate attacks against popular client side applications such as Microsoft Office and Adobe Acrobat Reader. Once this initial access is achieved, SecureState looks for additional systems to compromise in an attempt to gain privileged access.
Phase V – Post Exploitation:
The Post Exploitation Phase includes pillaging (collecting data of value from compromised systems), penetrating further into the network, documenting what was accessed and how, and cleaning up any artifacts we have left behind on the client's systems.
Phase VI – Reporting:
As part of the deliverable, SecureState provides a report containing a short graphical summary aimed at senior management, a narrative body detailing the major findings, and a detailed findings section aimed at the technical staff. Additionally, we provide a closing call and a high-level executive presentation to summarize the penetration test and to give the client an opportunity to ask questions about the engagement.