SecureState Blog


INDUSTRY:  Retail
SERVICES:  Incident Response Test


Engagement Background

Like a splash of cold water, SecureState’s Incident Response Team has recently begun adding a dose of reality to the ubiquitous penetration test. With consultants sitting on the inside of a company while a pen test is occurring, an IR Test gives companies a highly effective method for evaluating the quality of their Incident Response Plan (IRP) and the readiness of their IR team.

The methodology is fairly simple. While training and simulations are definitely useful, you can’t truly measure how your plan will work and how your team will react until an actual incident occurs. SecureState’s Incident Response Test makes use of the Profiling Team to create a real incident against which response can be evaluated. While the Profiling Team performs penetration testing on various company assets, the Incident Response Team sits with the client to see what they see and monitor how they are able to respond.

 

Why This Engagement Was Revealing

SecureState’s penetration testers performed numerous “loud” attacks against the retailer’s systems, including brute forcing passwords. SecureState’s IR Test determined that in the case of a targeted attack against the retailer, a successful breach is not only unlikely to be stopped, but unlikely to even be detected. During the assessment, SecureState gained full access to an administration console that supported the retailer’s blog and wiki websites. Had malicious attackers gained the same level of access, they could have controlled all of the content and user accounts for this website. This could result in loss of brand reputation if an attacker decided to remove existing content or replace it with custom content to suit the attacker’s goals.

 

What the Consultants Had to Say

As the lead member of SecureState’s IR team pointed out, “Unfortunately, many of their applications are third-party hosted, and they had no adequate procedure for gathering logs from these third parties. It was difficult to gauge the quality of their response to an incident when they didn’t even know an incident was occurring.”

As a result of the test, SecureState was able to provide a detailed list of recommendations to ensure that the client would perform better in the event of an actual incident. “We worked closely with the client to develop or revise policies and procedures around the identification, containment, and eradication of and recovery from adverse events. We also strongly suggested that they look to implement SLAs and NDAs with relevant third parties to ensure access to logs in case of an attack.”