Client
A government project with a budget of over 20M USD.
Challenges
The project had to address the following major problems within only 2 months:
- A broad attack surface: Personally Identifiable Information (PII), system and network configurations, the Payment Process Application and the Approval Certificate Application
- Minimal service downtime required under attacks and failures such as DNS failure, DDoS and router failure
- Diverse adversaries carrying out both targeted and untargeted attacks
- Tight limits on time and resources
- Difficulty meeting and working with key stakeholders
Solutions
Our goal is to provide an effective and actionable blueprint for a 2-month security test. The solution is designed to determine the feasibility of realistic, advanced attacks against sensitive data and services. It has four phases:
Phase | Key Activities | How |
---|---|---|
Security Scope Identification, Information Gathering | Understand the application domains, identify the groups of adversaries, and identify the protected data and the system architecture | Pairwise working with the functional team and the development team; interviews with key stakeholders; a combination of tools (whois, nslookup, Netcraft, nmap, Google dorking) to spot network threats and system misconfigurations |
Threat Modeling | Profile the adversaries by their motivating factors: individuals and small groups; political groups; organized crime | |
Vulnerability Analysis, Exploitation and Testing | Identify, design and perform empirical attacks based on the collected data and the risk assessment. Attack anatomies: System Compromise (scenarios showing that, without ever targeting systems directly, an adversary can cause actions within the organization that harm services or data); External Attack to manipulate active services; Application Compromise | A combination of tools for greater effectiveness: Nessus, Nexpose, Exploit-DB, Metasploit, Burp Suite, ZAP … |
Reporting | | |
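As an added example (not the page's or the project's own tooling) of how the information-gathering phase turns raw scanner output into network-misconfiguration findings, the script below parses nmap grepable output (-oG) and flags open services that usually should not be reachable from an untrusted network. The risky-port table, the host names and the sample scan are constructed assumptions for the example.

```python
"""Triage nmap grepable output (-oG) for services that should not be exposed.

Added example: the risky-port table and the sample scan below are constructed
assumptions, not data from the engagement described on this page.
"""
import re
from dataclasses import dataclass, field

# Ports that are usually a misconfiguration when reachable from an untrusted
# network. Assumption for the example; tune per engagement and per network zone.
RISKY_PORTS = {
    21: "ftp: cleartext credentials",
    23: "telnet: cleartext session",
    111: "rpcbind: enumerates RPC services",
    445: "smb: file sharing exposed, lateral-movement target",
    1433: "mssql: database exposed",
    3306: "mysql: database exposed",
    3389: "rdp: remote desktop exposed",
    5900: "vnc: remote desktop exposed",
    6379: "redis: often unauthenticated",
    27017: "mongodb: often unauthenticated",
}

# One port entry in -oG output: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


@dataclass
class Host:
    ip: str
    hostname: str
    # port -> (service name, version string); only ports nmap reported as open
    open_ports: dict = field(default_factory=dict)


def parse_grepable(text: str) -> list:
    """Return one Host per 'Ports:' line of nmap -oG output."""
    hosts = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and 'Status: Up' lines carry no port data
        m = HOST_RE.match(line)
        host = Host(ip=m.group(1), hostname=m.group(2))
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service, version in PORT_RE.findall(ports_field):
            if state == "open" and proto == "tcp":  # filtered/closed ports are not findings
                host.open_ports[int(port)] = (service, version.strip())
        hosts.append(host)
    return hosts


def triage(hosts) -> dict:
    """Map each host IP to a list of (port, reason) for open risky services."""
    report = {}
    for h in hosts:
        report[h.ip] = [(p, RISKY_PORTS[p]) for p in sorted(h.open_ports) if p in RISKY_PORTS]
    return report


# Constructed sample of nmap -oG output (not a real scan).
SAMPLE_SCAN = "\n".join([
    "# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 10.0.0.0/24",
    "Host: 10.0.0.5 (app01.example.test)\tStatus: Up",
    "Host: 10.0.0.5 (app01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//https//nginx 1.18.0/\tIgnored State: closed (997)",
    "Host: 10.0.0.9 (db01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, "
    "3306/open/tcp//mysql//MySQL 5.7.33/, 6379/open/tcp//redis//Redis key-value store 5.0.7/\tIgnored State: closed (997)",
    "Host: 10.0.0.12 (legacy.example.test)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, "
    "23/open/tcp//telnet//Linux telnetd/, 445/open/tcp//netbios-ssn//Samba smbd 4.6.2/, "
    "3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (996)",
])

if __name__ == "__main__":
    for ip, findings in triage(parse_grepable(SAMPLE_SCAN)).items():
        for port, reason in findings:
            print(f"{ip}\t{port}\t{reason}")
```

Run it against a real `nmap -sV -oG scan.gnmap <scope>` file by replacing SAMPLE_SCAN with the file contents. Only ports in state `open` are reported, so a filtered RDP port (as on the third sample host) is deliberately not raised; the database host is flagged for MySQL and Redis even though SSH is also open, because SSH is not in the risky table.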
Results
- The testing met its primary goals, providing blueprints and solutions to protect the services
- Security risk was reduced by assessing infrastructure and application vulnerabilities and recommending solutions based on proven methods
- 24 security bugs were raised, in the categories of input handling, authorization, XSS, data exposure, insecure direct object reference (IDOR), server configuration and firewall configuration. The number of findings surprised key stakeholders given the limited testing time
- Follow-up actions, mitigation plans and continuous procedures to minimize security risk were successfully defined