Penetration Testing

More often than not, penetration testing is a commodified experience: a one-size-fits-all approach that has little or no regard for the customer’s mission, market vertical, or past experience. Black Lantern Security provides network, wireless, and application-based penetration testing that simulates the attacker tactics and techniques that a customer is most likely to face in the next 12 months. Testing is designed to make the most efficient use of resources and provide remediations and fixes that will drive the largest reductions in risk.

For many organizations, the first time they see whether those expensive network security appliances or endpoint solutions work as promised is when they are under direct attack from a real-world adversary; much the same can be said for the incident handling process itself. We all know that no matter how good our gear is, we never want to field our teams and play for the championship without having practiced our playbooks hundreds of times before! Information security programs should be approached in exactly the same way. We need to give our defenders multiple, if not continuous, opportunities to implement and execute the defensive playbook. This is the BLS “Attack to Defend” mindset. That is, the fundamental objective of a red team engagement or penetration test is to provide for a better defense. We exist for the explicit purpose of improving and empowering network defenders, protecting organizations, and reducing overall risk.

In planning for the penetration test, BLS engineers examine the threats and vulnerabilities that are most relevant to the business. For test execution, the tactics, techniques, and procedures (TTPs) utilized by the penetration tester will provide validated and relevant threats and attempt to demonstrate the greatest potential to negatively impact near- and/or long-term business operations. Our resulting analysis and recommendations are designed to empower the business and defend those critical business resources that add to the bottom line every day.

Our penetration testing methodology is based on industry-accepted standards, including NIST SP 800-115 and the Penetration Testing and Execution Standard (PTES).

Planning, Scope, and Customer On-Boarding

  • Looks at structured and unstructured testing of network, application, and host-based security controls
  • Considers the maturity of the information security program, business objectives, resources, and overall mission
  • Establishes test scope and blacklisted systems
  • States test objectives and overall goals
  • Establishes test duration and rules of engagement (ROE)

Passive Information Gathering

  • Considers how the business makes money
  • Identifies critical resources (Point of Sale (PoS) systems, Databases, Enterprise Applications, Intellectual Property, PII, PHI)
  • Identifies key personnel (Comptroller(s), C-level Executives, System/Network administrators)
  • Analyzes digital footprint (IP space, domain(s), hosts, mail server)
  • Analyzes physical footprint (physical addresses, adjacent businesses, tenants)
  • Investigates social media presence
  • Identifies partner organizations
  • Researches technologies deployed

Active Information Gathering

  • Identifies public-facing systems and services, including web sites and applications
  • Identifies remote access solutions
  • Executes vulnerability scanning
  • Identifies security controls deployed

Attack Planning and Execution

  • Identifies vulnerabilities and/or misconfigurations to be attacked
  • Identifies desired “mission effects” (impacts to business processes, exfiltration of PII/PHI/cardholder info, disruption/denial of service)
  • Establishes mission thread from initial compromise to data exfiltration and clean-up
  • Configures tools, utilities, and/or custom exploitation techniques
  • Verifies security controls being tested and expected results
  • Executes the attack

Post Exploitation Activities

  • Establish persistent user-level access
  • Escalate privileges
  • Move laterally to additional systems and workstations
  • Create specific mission effects and demonstrate business impacts

Reporting and Mitigation Strategy

  • Includes test timeline and description of activities
  • Provides detailed mitigation steps and strategies that are vendor-agnostic and can be implemented by existing personnel
  • Identifies perceived and actual gaps and provides concrete steps for improvement
  • This is not the byproduct of an automated tool

Penetration Testing (External)

Unfortunately, for the majority of organizations, attacks originating from outside their perimeter have become an almost daily occurrence. An external network penetration test will assess the degree of difficulty required to bypass external security controls, access the internal network, and compromise critical resources. The overall goal is to demonstrate the greatest potential to negatively impact near- and/or long-term business operations.

The external penetration test will:

  • Analyze and leverage publicly available information and intelligence (open source intelligence (OSINT))
  • Attempt to compromise public-facing applications and services
  • Evaluate the effectiveness of network and host-based security controls
  • Assess defensive strategies and tactics
  • Evaluate incident response
  • Include Social Engineering activities if the customer desires (phishing, watering hole(s), pre-texting)

Penetration Testing (Internal)

For even the most casual observer, it should be obvious that for a determined adversary it’s not a matter of if they will get in but when. An internal network penetration test assumes that an attacker or malicious insider has already established access to the internal network(s) and/or domain. The data suggests that this isn’t an unreasonable assumption, and it permits our customers to more immediately address how well a network is defended from the inside.

The internal penetration test will evaluate:

  • The degree of difficulty required to compromise critical resources
  • Misconfigured and/or vulnerable systems, services, and applications
  • The effectiveness of network and host-based security controls
  • Defensive strategies and tactics
  • Incident response

Wireless Penetration Testing

Web Application Penetration Testing

Internal and public-facing web applications are attractive targets for attackers as they typically contain valuable data (PII, PHI, Intellectual Property) and provide a gateway into internal corporate networks. A web application penetration test will look to exploit vulnerabilities, misconfigurations, and logic flaws to attack an organization. BLS test methods are based on the long-standing OWASP framework and controls.

Red Teaming

A red team engagement will simultaneously address all of the individual attack surfaces (internal/external network, physical, social, wireless, web/mobile applications) through a coordinated attack against the entire business or organization. An interdisciplinary team of testers will use any means necessary to demonstrate the greatest “potential” to negatively impact your near- and/or long-term business operations. Red team engagements provide an excellent opportunity for the organization to thoroughly assess and understand its ability to withstand real-world attackers, who routinely operate with no regard for scope, sensitivity, boundaries, or politics. This is a more advanced form of testing where multiple attack vectors may be leveraged in series or parallel. There will also be instances where individual vectors are used as force multipliers.
