If you own a business or are responsible for an organisation’s information technology, core data or digital business processes, what are you doing to protect against cyberattacks?
Being prepared to defend against a cyberattack means having the right controls and processes in place to respond to threats quickly and effectively. If these controls and processes are not in place, a cyberattack can lead to financial loss, theft of personal information and damage to your reputation.
At Adept Advisory, skilled cyber security professionals review your current security posture, security controls, detection methods and defence processes to help you understand your current risks, weaknesses in security controls and threat landscape. We offer a suite of services to help you be prepared for a cyberattack.
We offer the following Cyber Security Services at Adept Advisory:
Cyber Security Assessments
We specialise in conducting cyber security assessments, ranging from traditional audit assurance and best practice maturity assessments to penetration testing techniques. We have had great success with our blended methodology approach, where we use penetration testing to test an organisation’s cyber security defences, and report the results using best practice security frameworks, such as CIS Top 18 or NIST. We also conduct full cyber breach simulations where we demonstrate possible attack routes and the likelihood of exfiltrating confidential data.
Penetration Testing
Know your externally exposed assets – External Recon
Using open-source intelligence combined with target scope information, we determine externally exposed resources and their open services. As businesses grow and change, they often have old legacy systems or forgotten systems exposed to the internet. These could just be the weak link in your security posture.
During this process we:
- Identify externally exposed business and web applications.
- Identify open ports and services exposed.
- Identify potential threats.
- Develop a threat profile.
Know Your Internal Security State – Internal Recon
Knowing your externally exposed resources is only part of an effective defence plan, as internal resources could also be exploited. Cyber security needs a holistic approach depending on multiple layered defences. Knowing what systems, services and devices are connected to your network is a critical part in defence.
During this process we use various methods to:
- Identify internal systems and devices, including Internet of Things (IoT) devices, connected to your network.
- Identify open ports and services exposed.
- Identify potential threats.
- Develop a threat profile.
Assessment of current security state – Penetration Testing
Once an external and internal threat landscape has been established, we will assess the ability of the organisation to detect and defend against cyber-attacks. Using various ethical hacking methodologies, we will test the business environment for weaknesses and attempt to gain access to resources.
The penetration test simulates a real-life attack, using the same methods and tools an attacker would use. The tests are done in a way that causes as little interruption to the business as possible, and in some cases are executed after business hours.
We offer Whitebox, Blackbox, Greybox and Advanced Persistent Threat Simulations.
The difference between white, black and grey box simulations is in the amount of information shared prior to the assessment. With a grey box test, we are provided VPN access and some company information. With a black box simulation, we don’t have any credentials to start with: we need to simulate a threat actor and obtain a foothold into the organisation by using exposed services, web applications, phishing or any other possible way.
Once we have established a foothold, we will attempt horizontal and vertical movement within the environment and will look for any weaknesses that could lead to access into critical assets.
With the Advanced Persistent Threat Simulation, we follow either the black or grey box simulation, but use slower scanning methods and attempt to evade detection. The goal with this simulation is to remain within the network as long as possible without being detected and contained. This simulation is an excellent way to test the security maturity of your defence team and the incident response team.
The core assessment consists of the following steps:
- Assess the organisation’s cyber security defence.
- Assess how prepared the organisation is to detect the attack.
- Assess how the organisation can deal with an active attack.
- Determine the monitoring and response maturity of the security operations centre (SOC).
- Determine desired state of critical assets.
- Determine remediation across people, processes and infrastructure.
The above steps are used to understand your environment and help you determine critical assets. This is mainly a reconnaissance phase and follows the same attack methodology a real-life threat actor would use.
Remediation and response
Once threats and vulnerabilities have been identified, a remediation plan needs to be created. This will focus on critical assets and low-hanging vulnerabilities so that the security posture of the business is strengthened.
- Prioritise remediation projects.
- Work with defence and monitoring teams to establish detection and response plans.
- Allocate remediation responsibilities.
- Develop incident response processes.
Active Directory Review
Most organisations use Active Directory to manage user accounts, computer accounts and other resources of the organisation. It is used to manage permissions and access to network resources. The biggest weakness in Active Directory stems from its ease of use. Leaving deployments in their default configured state is often one of the paths used by attackers to gain access to a domain account or to elevate existing accounts to a higher privileged account. It is therefore critical to evaluate the security state of your organisation’s Active Directory.
We will run various non-invasive tools against your Active Directory environment to test for weak or default configurations. Many tests are done to determine risks and vulnerabilities within your Active Directory environment. These tests include but are not limited to:
- Expose default or weak configurations.
- Expose known vulnerabilities.
- Expose legacy operating systems.
- Expose weak security policies.
- Expose passwords not changed or not required.
- Expose misconfigured delegation.
- Identify inactive objects.
- Establish users with administrator rights.
Purple Team Collaboration
This service is included in the remediation and response stage, but can be requested as a separate service. We assign a penetration tester to work together with your SOC team. The tester will inform the team that a particular test is about to start and the SOC team will then determine if the attack can be detected. Detection rules and response plans can then be crafted to prevent similar attacks in the future.
Core steps:
- Test the SOC team’s ability to detect attack.
- Establish detection rules to alert on future attacks.
- Establish and test response and containment plans for similar attacks.
Web Application Penetration Testing
This is a more specialised type of penetration test, focusing on web applications. During this test we will perform a recon against the target web application to establish possible attack vectors. We will map the website using various tools. Using the OWASP Top 10 as a framework, we test for vulnerabilities in the web application. All input fields are tested for possible exploits. This includes testing web API endpoints.
Examples of areas covered:
- Injection flaws.
- Authentication bypass and session management.
- Cross Site Scripting.
- Authorization bypass.
- Security configuration.
- Sensitive data exposure.
- Cross Site Request Forgery.
- Using vulnerable third-party components.
- Unvalidated redirects or forwards.
Password Audit
Weak passwords or the re-use of passwords within a network or domain environment can lead to the exploitation of the environment. We use tools similar to those used by hackers to test your network and environment against dictionary attacks and brute force attacks. We run these tests against a copy of your AD password file, so the test is non-invasive.
Core steps:
- Determine weak password usage.
- Determine re-use of passwords.
Phishing Attack Simulation – Training and Awareness
Level 1
Level 1 is the most basic and is used for environments where the security maturity is not yet fully established and where user awareness training is still at a low level. The attack should be easily detected by the employee. If they fail the test and click on the link, they are redirected to a user awareness page with details on what to look out for.
Level 2
Level 2 is more advanced phishing and geared towards a mature environment.
Level 3
Level 3 is the most advanced phishing attack, and is more targeted towards the skilled IT professional, where we would create fake domain names looking similar to the target domain. In all cases we can test for who clicked the link, and whether credentials were supplied. The test requirements are built or structured around your requirements.
Testing Application Programming Interface (API) Security
API (application programming interface) endpoints are used in many web-based applications to create a connection between the front-end application and the back-end database, but they are also used in mobile applications, IoT devices and many other environments. Broken or insecure APIs could expose internal data, which could lead to the exposure of sensitive data. Testing for weaknesses in APIs follows the OWASP framework for API tests. API testing is also done during web application assessment, but could also be done as a standalone exercise:
- Broken Authorization
- Broken Authentication
- Excessive Data Exposure
- Lack of Rate Limiting
- Mass Assignment
- Security Misconfiguration
- Injection
- IDOR
Testing Wireless Network Security
Wireless penetration testing is used to examine the security implemented on wireless networks. As these APs (Access Points) are most often connected to the internal network, they could be used as an entry point within your secured environment. The process used to test wireless access points includes:
- Scan to discover Wireless Access points (Including Hidden SSID)
- Perform common WiFi attacks
- Check for WEP Encryption
- Check for WPA/WPA encryption
- De-Auth Attack to attempt to collect Key
- Disassociation Attack
- Brute force attack against key to test for weak key password
- WPS Attack
- PMKID Attack
- WPA Enterprise (MGT) Test
- User Enumeration
- EAP-Brute force (password spray)
- Evil Twin Attack
- Rogue Access Point Attack