Security stress tests
Evaluate your cyber security! How quickly could attackers gain a foothold and spread in your network? What scale could the damage of a successful attack take?
The benefits of a security stress test
Synonymous terms: Infrastructure penetration test or bad insider assessment
With a security stress test, we uncover security vulnerabilities in your infrastructure and assess their risk. We exploit found vulnerabilities to escalate privileges and to penetrate further systems (lateral movement). If necessary, we search for additional vulnerabilities or chain them together to gain complete control of your IT and access your company secrets.
In contrast to Red Teaming, we do not stop when the target is reached or a step towards it is taken, but look for further vulnerabilities that could be used for an alternative attack vector.
The overall result will give you a good answer as to how far real attackers with access to your network would get and what damage they could do.
For the highest possible coverage and informative value, the focus is also not on remaining mostly undetected. That would only drive up time and costs and limit the potential scenarios. We focus on identifying what a malicious trainee, intern, employee or even an external service provider, or a hacker remotely controlling a system through malware could do.
The evaluation is based on defined test cases according to various aspects such as network security, hardening, patch management, etc. This structured approach allows benchmarking your security level with comparable companies or even between different business units or locations of your organization.
With the "advanced start position" (= access to a standard client with user account) we save you the costs for the initial access, which from our experience is only a matter of time.
Variations
In an advanced hacking attack, the focus is on analyzing the technical actual state of the infrastructure.
Among other things, we apply modern methods and tools that we determine via threat intelligence. With this, we proceed similarly to APT groups or ransomware gangs and can assess risks very realistically.
Preparation
- Meeting to agree on the scope
- Kick-off meeting
Execution
- Analysis of the external attack surface
- Vulnerability scans
- Manual hacking
Evaluation
- Preparation of a detailed report
- Presentation with recommendations for action
When conducting security assessments, HvS follows common industry standards. For realistic assessments, it is obvious to use the Mitre Att&ck Framework, which describes the generic approach of real attackers, with the following focus:
- Reconnaissance: in focus
- Resource Development: not in scopeÂ
- Initial Access: not in scope
- Execution: secondary objective
- Persistence: secondary objective
- Privilege Escalation: in focus
- Defense Evasion: secondary objective
- Credential Access: in focus
- Discovery: in focus
- Lateral Movement: in focus
- Collection: secondary objective
- Command and Control: secondary objective
- Exfiltration: not in scope
- Impact: not in scope
The Cyber Security Health Check extends an advanced hacking attack by additionally assessing the areas of physical security, security awareness and security processes.
The holistic approach helps us to assess whether the identified risks are caused by individual errors, missing processes, lack of security awareness or a combination of these.
Preparation
- Meeting to agree on the scope
- Kick-off meeting
Execution
- Analysis of the external attack surface
- Vulnerability scans
- Manual hacking
- Spear Phishing and Tailgaiting
- Document review
- Interviews with IT staff
Evaluation
- Preparation of a detailed report
- Presentation with recommendations for action
When conducting security assessments, HvS follows common industry standards. For realistic assessments, it is obvious to use the Mitre Att&ck Framework, which describes the generic approach of real attackers, with the following focus:
- Reconnaissance: in focus
- Resource Development: not in scope
- Initial Access: in focus
- Execution: secondary objective
- Persistence: secondary objective
- Privilege Escalation: in focus
- Defense Evasion: secondary objective
- Credential Access: in focus
- Discovery: in focus
- Lateral Movement: in focus
- Collection: secondary objective
- Command and Control: secondary objective
- Exfiltration: not in scope
- Impact: not in scope