Its critical to have a well thought out plan for any penetration testing services that can range from a compliance required test of an environment to a simulated attack of your organization (Red Team). Business goals and targeted outcomes should be discussed in depth as part of the planning phase to ensure all parties are clear on the work scope and business value.
- Business Charter
- Identify target environment
- Validate threat sources
- Impact regulatory requirements/approach (if any)
- Rules of Engagement (Offensive or Compliance Based)
The penetration testing team will look to identify responsive assets and start building its attack plan based off identified threat sources and overall engagement goals. They will look to review open source/closed source data and finalize the attack/simulation plan.
- System Enumeration (account, application, system, service discovery)
- Social Discovery / OSINT / Pretexting (open-source data)
- Passive/Active scanning
The penetration testing team will engage with different simulated adversarial tactics, techniques, and procedures (TTP’s), as outlined below, in strict adherence to the Rules of Engagement to expose and document organizational weaknesses.
- Privilege Escalation
- Lateral Movement
- Credential Access
- Defense Evasion
- & Exfiltration
- Other (Phishing, etc.)
A comprehensive report will be generated in several different formats depending on the agreed upon business objectives (Compliance/Offensive based). All reports will provide detailed evidence for any successful compromises. (Incident re-creation). We will work with key leadership to outline security improvements areas as well as security detection capabilities.
- We will customize a penetration testing engagement that works for your organization (Compliance/Offensive | announced/unannounced | Black/White/Gray box | Internal/External)
- Monitor the adequacy and effectiveness of your security protections
- Enhance security detection and incident response capabilities
- Provide a detailed report that outlines identified problems and remediation steps