We are closing in on another completed circle around the sun. A journey that has produced, yet again, more newsworthy data breaches that eclipsed those of yesteryear. Common headline, different time. Although these breaches are raising organizational and consumer awareness, we still commonly encounter two familiar end-of-year themes:
- Your organization is scrambling to execute security assessments to fulfill calendar-year regulatory or compliance requirements. You need to dial up an assessment quickly!
- Your organization has a budget surplus and is looking to expand and enhance its security posture through additional offensive engagements, which will identify the security flaws before the bad guys do.
In our experience, these two scenarios describe approximately 75% of our 4th quarter customers. Organizations often scramble to address their situation, enlisting the help of a 3rd party services provider.
Regardless of your motivation, Sienna Group and its partner STACKTITAN can fulfill your security assessment needs. The following sections describe our delivery capabilities, ranging from compliance-mandated assessments to advanced threat actor simulations.
A Vulnerability Assessment is a non-intrusive test of your perimeter or internal logical network environments. The assessment utilizes a combination of manual and automated techniques, commercial and proprietary tools, and specialized industry-knowledge to identify flaws in network nodes and services. Modeled after industry-defined methodologies, the Vulnerability Assessment may not fulfill popular compliance objectives (e.g., PCI penetration testing) but goes beyond traditional vulnerability scanning by eliminating false positives, identifying uncommon flaws, and adjusting and aligning data to its relative environmental context. The output includes strategic and tactical approaches to risk and vulnerability mitigation as well as detailed information allowing asset owners to understand and reproduce vulnerable conditions.
A Penetration Assessment is an extension of its little sister, the Vulnerability Assessment (VA). However, a Penetration Assessment extends a VA by including more intrusive techniques aimed at actively exploiting identified vulnerabilities and leveraging the information or access to perform relevant post-exploitation activities that concretely demonstrate impact. These activities often include privilege escalation, persistence, and lateral network movement relative to achieving some larger, more relevant and meaningful objective (e.g., locating cardholder data). Unlike a VA, a Penetration Assessment can be used to fulfill various compliance requirements such as those mandated by PCI. That’s why the Penetration Assessment is our most popular compliance-driven end-of-year offering.
Application Security Assessment
An Application Security Assessment includes a comprehensive review of a single application. This can include both active application testing as well as source code review. Oftentimes, this assessment is performed using manual and automated techniques to evaluate the application designer’s adherence to secure-coding best practices and an attacker’s ability to bypass or subvert intended security controls. These assessments are commonly conducted using multiple user roles so that role and permission segmentation can be adequately evaluated.
Cloud Security Assessment
With the increased popularity and movement to an Internet-of-Things (IoT) approach, organizations are more reliant on cloud-based infrastructure and services to provide and deliver business objectives. A Cloud Security Assessment combines aspects of our Vulnerability and Penetration Assessments to evaluate network, system, and application security posture but takes the assessment further by performing and aligning the activities to DevOps/CI/CD, infrastructure, and provider best practices.
Social Engineering has long been considered the path-of-least-resistance for a threat actor. A Social Engineering assessment evaluates the organization’s security awareness and security control effectiveness intended to thwart common social engineering campaigns. For maximum effectiveness, Social Engineering tests are conducted in a highly targeted fashion, created with respect to the organization’s business environment and objectives while also leveraging cyclical and newsworthy elements to increase the believability of the ruse. The campaigns are delivered using various platforms including email (spear phishing) and phone (pretexting). This allows the organization to gauge the effectiveness of its security awareness training, while augmenting deficiencies with compensating technical controls.
Endpoint Resiliency Assessment
While an Endpoint Resilience Assessment (ERA) may not fulfill a regulatory or compliance need, it provides valuable insight regarding the effectiveness of existing security controls and environment hardening. Testing is conducted against a single client endpoint: a fully configured gold image deployed within the organization’s domain. The system is subjected to a litany of tests encompassing payload delivery, execution, privilege escalation, persistence establishment, lateral network movement, and data exfiltration. Using an iterative approach, the ERA performs the assessment across a spectrum of different tactical complexities ranging from vanilla cases to heavily obfuscated, encrypted, advanced techniques. The ERA enables an organization to evaluate deficiencies within email gateways, antivirus, next generation endpoint software, IDS/IPS, web gateways, firewall configurations, group policy, and more. The ERA is commonly leveraged by organizations looking to evaluate and improve their existing layered, technical security defenses through systematic testing of common tactics, techniques, and procedures (TTPs).
The most advanced offering appropriate for only those organizations with mature security postures, the Adversary Simulation emulates a highly skilled threat actor in an effort to breach the target organization. Conducted using non-attributable, covert techniques, an Adversary Simulation characterizes itself through its opportunistic approach, executing attacks only as needed, against only targets-of-interest that serve a purpose directly aligned with the final objective. Unlike other standalone services described above, the Adversary Simulation assumes a blended approach, exploiting social, logical, wireless, physical, and procedural weaknesses as appropriate. The outcome of this allows an organization to evaluate the capabilities of its incident response teams, determine the organization’s ability to withstand a highly targeted, planned, realistic attack, and identify critical flaws that could be leveraged during a complex threat campaign.