Offensive Security

Let our hackers test the security of your IT systems!

Even if you’re extremely careful about your company’s security procedures, details can slip past you. Whether they’re related to technical configurations or problematic behaviour within the company, vulnerabilities provide opportunities for hackers to compromise or steal your data.

Vulnerabilities might take the form of an error on your website, allowing malicious code to be inserted, or poor configuration on the part of your hosting service provider. But they can also involve a physical intrusion! Access badges are cloned much more often than you may think.

It’s also essential to consider the human factors: information gaps, non-compliance with procedures, oversights, resistance to change, etc. All of these elements can derail your plans and leave you exposed to risk.

The best way to ensure your measures are effective is by putting them to the test. With In Fidem’s offensive security services, this can be accomplished quickly and securely.

Our experts simulate the behaviour of hackers, demonstrating your vulnerabilities so you can reduce your risks and increase your security maturity. You’ll also receive a report that clearly presents the results, necessary corrections and recommended next steps.

Don’t leave your future up to chance. Take control of your security!

Our offensive security services

Web application penetration testing (ERP, CRM, corporate, market, etc.)

Through their expertise and strategic alliances, our security experts have developed high value-added methodologies and approaches for testing your security that include setting up an application security team, offering training on secure development, and ensuring SAP and SCADA system security.

In Fidem has forged strategic alliances with other innovative security firms including Cigital, AspectSecurity, Virtual Forge, Onapsis and organizations including OWASP and ISO.

Network penetration testing: Internal networks

The aim of penetration testing on the company’s network is to simulate an attack by malicious actors (an unhappy employee, industrial spies, etc.) to validate the security of the internal network and the organization’s response mechanisms in case of an incident.

Our validation process includes:

  • Network and enumeration analysis: the technological environment is assessed to map the network and identify the organization’s high-risk services.
  • Intercepted communications: our team takes an offensive approach, applying methods used by hackers and cyber spies, such as spoofing NBNS, LLMNR and ARP protocols to intercept communications passing through the network and confirm the presence of sensitive or confidential information that could endanger the organization’s security.
  • Logical analysis of vulnerabilities: the testing team conducts an in-depth analysis of the organization’s vulnerabilities and the logic of the applications being assessed. This step involves validating false positives and trying to form a kill chain that a potential attacker could follow to thoroughly exploit the organization, as well as achieving objectives identified with the security team.
  • Configuration and practice assessment: through their activities, the consultants at In Fidem come into contact with the security practices used within the internal infrastructure, as well as the role and authorization management for the various systems. Our team can then identify any anomalies and make relevant recommendations.

Network penetration testing: External perimeter

External tests allow us to gauge the organization’s public coverage and Internet presence and determine the different possible uses for the services, systems and applications available to the public.

Our team uses techniques common among cyber attackers to verify the risks your organization may face:

  • Information searches of open-source intelligence (OSINT)
  • Dictionary and brute force attacks:
    • Optimized lists and rules from our field experience (including crawling)
    • High-performance password-cracking system (off-line)
  • Placement of cookies on the systems – data exfiltration
  • Advanced social engineering techniques (including spear phishing and watering hole attacks)
  • Application portal searches (such as on VPN gateways or administrator interfaces like phpMyAdmin)
  • Validation of protective mechanisms against brute force attacks
  • Identification of common application vulnerabilities allowing access without authentication
  • Searches for faulty configurations in the services or controls identified
  • Exploitation of discovered vulnerabilities that pose no risk to system operations, for demonstration purposes or to obtain access to additional information

Phishing campaigns

Phishing refers to a process where criminals send emails or text messages that appear to come from a credible, legitimate source, aiming to trick the recipients in order to extract sensitive information or infect computers with malware.

Despite campaigns warning about phishing scams, users are often not as careful as they should be. Our experience has shown that one of the most effective behaviour change methods is to send an unannounced email. During this exercise, recipients who click a link or open a document are immediately informed of how they just put the organization at risk.

Our phishing campaign approach is divided into three main steps:

  1. Creation of a plausible pretence for the target organization that is likely to engender a positive response from the employees.
  2. Quick launch of the campaign where the messages are sent over a maximum of one business day to avoid contamination of the results.
  3. Collection of the results and statistical analysis for different reaction metrics such as reading the email, opening the included links or attached documents, entering sensitive information, etc.
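Step 3 above, as an added example that is not taken from the page or from In Fidem: a short Python routine that turns constructed campaign telemetry into per-department reaction metrics, dropping reactions that arrive after the campaign window so that late forwards do not contaminate the figures. The event names, the 24-hour window and the sample records are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of campaign telemetry (not real data): one record per
# tracking event, in the shape a phishing-simulation platform would log it.
EVENTS = [
    # (recipient, department, event, timestamp)
    ("a.martin", "finance", "sent",      "2024-03-04T08:00:00"),
    ("a.martin", "finance", "opened",    "2024-03-04T08:12:00"),
    ("a.martin", "finance", "clicked",   "2024-03-04T08:13:00"),
    ("a.martin", "finance", "submitted", "2024-03-04T08:14:00"),
    ("b.chen",   "finance", "sent",      "2024-03-04T08:00:00"),
    ("b.chen",   "finance", "opened",    "2024-03-04T09:30:00"),
    ("c.dube",   "it",      "sent",      "2024-03-04T08:00:00"),
    ("c.dube",   "it",      "reported",  "2024-03-04T08:05:00"),
    ("d.roy",    "it",      "sent",      "2024-03-04T08:00:00"),
    ("d.roy",    "it",      "clicked",   "2024-03-06T10:00:00"),  # outside the window
]

# Assumed stage names; "reported" is the desired reaction (user flagged the mail).
FUNNEL = ("sent", "opened", "clicked", "submitted", "reported")

def campaign_metrics(events, window_hours=24):
    """Per-department funnel rates relative to messages sent.

    Each recipient is counted at most once per stage, and any reaction after
    the campaign window is ignored: a click two days later usually means the
    message was forwarded or discussed, which contaminates the measurement.
    """
    start = min(datetime.fromisoformat(ts) for _, _, ev, ts in events if ev == "sent")
    cutoff = start + timedelta(hours=window_hours)
    seen = set()      # (recipient, stage) pairs already counted
    counts = {}       # department -> Counter of stages
    for who, dept, ev, ts in events:
        if ev not in FUNNEL or datetime.fromisoformat(ts) > cutoff:
            continue
        if (who, ev) in seen:
            continue
        seen.add((who, ev))
        counts.setdefault(dept, Counter())[ev] += 1
    report = {}
    for dept, c in counts.items():
        sent = c["sent"]
        report[dept] = {stage: round(c[stage] / sent, 3) for stage in FUNNEL[1:]}
        report[dept]["sent"] = sent
    return report
```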

Social engineering tests (telephone, social networks, office, etc.)

Most hacking under real conditions occurs through malicious phone calls.

Calling employees is a simple way attackers can:

  • Extract sensitive or confidential information on the architecture of the company’s internal network
  • Remotely execute malicious commands by exploiting the good intentions of the targeted employees, allowing the attacker to enter the internal network and access protected systems

The goal of this type of activity is to launch an attack campaign against the organization through the Internet without having any prior knowledge. The methods used range from recognition of the company’s digital footprint to fraudulent phone calls.

These types of scenarios test whether it is possible to extract data critical to the company’s activities and include:

  • Information searches of open-source intelligence (OSINT)
  • Advanced social engineering techniques (reconnaissance and watering hole attacks)
  • Vishing (voice phishing):
    • A telephone attack aiming to collect information on the internal systems (type of operating system, type of antivirus software, wireless network password, etc.)
    • An attack aiming to have employees execute malicious commands (downloading executable files, executing a malicious PowerShell command, etc.)
  • Placement of cookies on the systems – access to the internal network
  • Implementation of a persistence mechanism on the internal network
  • Analysis of the results and recommendations
  • A detailed report on all successful and failed attempts
  • Documentation on the operational team’s observations including an estimate of the company’s risks and recommendations for mitigation

Physical penetration tests

Information theft is a real threat to organizations. When a malicious party gains access to the networks and critical servers hosted on an organization’s premises, they then have access to the data the organization processes and tries to protect each day. When it comes to breaches of security, physical intrusion, despite the risks to the perpetrator, is still the fastest and most effective way of gaining illicit access to sensitive assets.

The strategic goals of any intrusion mission are to assess the robustness of the company’s protective measures, including:

  • Physical obstacles: doors, locks, windows, etc.
  • Surveillance of the perimeter: security guards, video surveillance, etc.
  • Authentication mechanisms: contactless access cards, human authentication procedures, biometric equipment
  • Detection of unauthorized access: alarms, motion detector coverage
  • Security management procedures: the response to incidents and detected breaches

Our operational team will carry out intrusion tests, attempting to gain unauthorized access to the premises and execute one or more scenarios agreed upon with the target organization, such as gaining unauthorized access to a sensitive internal perimeter, stealing equipment, connecting to the internal network without authorization or demonstrating an opportunity to deactivate equipment vital to the organization’s activities.

Wireless network tests

Wireless networks come with their own issues and security mechanisms. It can also often be a complex process to ensure the physical security of a wireless network, leaving it exposed to public access. Simulating an attack by a passerby with malicious intent will test whether it is possible to start a kill chain through vulnerabilities in the wireless network in order to gain entry into the corporate network and access confidential data.

These tests include the following activities:

  • Searches for access points and different wireless networks
  • Analysis of the security mechanisms deployed
  • Attempted attacks for key theft and cryptanalysis
  • Attempted attacks geared toward wireless network users (Redirect to SMB attacks, etc.)
  • Validation of 802.1X configurations (certificates, routing, authentication, etc.)
  • Attempted attacks through a rogue access point on the wireless network

Secure code reviews (web and mobile apps)

The objective of the code review is to validate that the security controls and application code have been set up securely. We use the OWASP ASVS methodology to run checks by type of control in the following areas: authentication, authorization (access control), session management, error and exception management, logging, input and output validation, cryptography and deployment environment.

The vulnerabilities identified are categorized and prioritized by risk. Recommendations are then made to help the developers effectively correct these vulnerabilities.


Red team exercises

A “red team exercise” is when ethical hackers are asked to assess the overall security of an organization. The goal of this kind of exercise is mainly to demonstrate where it is possible to extract sensitive data or stop production and to gauge the security team’s response to incidents. The objectives of this exercise can vary depending on the targeted organization.

Unlike traditional tests, where the test area is limited and the results are biased by the controls before they are evaluated, a “red team” takes the most realistic approach possible, using plausible attack scenarios that simulate the tactics, techniques and procedures (TTPs) of cyberterrorists, according to the business needs of the organization targeted:

  • The organization does not provide any prior information.
  • The attack scenarios must be executed so as to subvert the internal security team’s response procedure.

The strategic organization of this type of project includes 5 steps that follow the conventional kill chain model for red team exercises as developed by Lockheed Martin, while guaranteeing that the mandate runs smoothly and meets the organization’s requirements.

  • Our consultants attempt to collect as much information as possible (either access or pertinent information) that would allow them to identify attack vectors and exploit various vulnerabilities using reconnaissance techniques:
    • Passive information search in the network and sites accessible to the tester
    • Active identification of attack vectors (observations on the physical premises, sweeps of the IT systems, discussions, etc.)
  • In the next step, the information collected is processed to create detailed plans of attack involving the equipment configuration, creation of forgeries, lab simulations, exploit programming, etc.
  • The chosen attacks are then executed to obtain a physical or virtual point of entry to the organization’s network.
  • Next, the operational team uses “lateral movement” and “privilege escalation” techniques to spread through the network from the access point to achieve the final targets.
  • The team carries out specific actions related to the objectives set for the exercise (for example, compiling proof of access to sensitive information and exfiltrated data, etc.).
  • The last step is analyzing and documenting the results, approving the deliverables and reporting the results.