Project Impact Stories

Drawn from the hundreds of KoreLogic engagements since 2004, the following is a summary list of representative projects, followed by more detailed descriptions of those projects:

Internal Penetration Test (Red, Blue Team Approach)

Client Profile: Multinational Financial Services Firm
Client Requirements: Gauge detection and response capabilities to attacks on critical systems
KoreLogic Approach: With zero knowledge and no credentials, conducted a red team exercise with the goal of adding unauthorized systems to the internal network and pivoting the attack toward high-value financial systems/networks handling funds transactions. Steadily increased activity to determine the inflection points at which attacks were detected. Supported the client's blue team in analyzing the response results.
Key Results: Identified high-risk vulnerabilities used to compromise multiple internal Windows domains, the Unix environment, and internal systems used to perform fund transfers. Provided the client a detailed timeline of all attack steps, a list of the specific attacks that were detected and those that should have been detected, and a collaborative analysis of why they were not detected. This allowed the client to correlate the results with the alerts generated to improve detection-to-response performance.

Annual External Penetration Test

Client Profile: Fortune 500 Firm
Client Requirements: To gauge its resistance to a sophisticated attack, the client directed KoreLogic to "Over the Internet, using stealthy techniques, attempt to gain access to our internal networks. Do this without any information from us."
KoreLogic Approach: Used open source collection and technical reconnaissance to identify an Internet-facing toehold and expand access to the internal network. Collected information about client personnel, email addresses, system information, etc. to leverage in formulating an attack.
Key Results: Compromised a user account on an Internet-facing website to gain a toehold and moved laterally to an internal system. Achieved full compromise of all Windows domains, gained access to credentials stored in various password vaults and identity stores, obtained administrator-level access to mainframe systems handling financial transactions, and accessed various file servers/shares that contained financial reports and scripts. Provided the CISO with the leverage required to request funding increases to effect needed changes.

Cloud Penetration Test

Client Profile: Managed Mobility Service Provider
Client Requirements: Test the internal cloud's resistance to attack. The cloud environment consisted of segregated PCI networks, multiple Class B networks with virtual machines (VM), management networks with hypervisors and cloud computing servers, and the supporting network infrastructure.
KoreLogic Approach: KoreLogic was able to compromise several insecurely configured VMs, capture additional encrypted credentials, and then leverage the KoreLogic cracking grid to crack the captured hashes.
Key Results: The entire cloud infrastructure (every VM), the PCI networks, the back office networks, the Windows Active Directory (AD), and Unix servers were compromised because they used a single sign-on model synced with the Windows AD. KoreLogic's testing activities were not detected.

Hardware-Level Security Test

Client Profile: Mobile Networking Vendor
Client Requirements: The client's customers use its hardware to extend mobile coverage to areas that do not have service. The vendor requested a hardware-level security assessment of the proprietary devices used to provide that service.
KoreLogic Approach: KoreLogic performed system-level firmware analysis as well as hardware analysis of the device. The hardware analysis looked for things that an attacker might utilize such as JTAG or UART headers and EEPROM chips that could potentially hold sensitive data such as secret keys. The firmware analysis utilized KoreLogic-created custom code review applications that looked for vulnerabilities in web-based scripts used to administer the devices. Analysis at the file system level was also performed to determine other attack vectors such as setuid binaries that could potentially be abused to elevate privileges if a vulnerability were to be found in a web-based script.
Key Results: Discovered multiple exploitable vulnerabilities in both the hardware and the firmware. Determined that an attacker could use the web-based scripts to execute arbitrary commands as the webserver user. The hardware also provided a populated JTAG header that could potentially be used to program the SoC or other chips on the JTAG chain. The vendor used KoreLogic's results and recommendations to implement fixes that enhance the security of its devices.
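The file-system-level review described above (looking for setuid binaries that a web-script bug could be chained into) is the kind of check a vendor can run against its own unpacked firmware before release. The script below is an added illustration, not KoreLogic's tooling: it walks an extracted firmware root, reports every regular file carrying the setuid or setgid bit, and ignores symlinks so a linked busybox applet is not counted twice. The sample tree (paths, modes, file contents) is constructed in a temporary directory purely so the example runs offline; it is not taken from any real device image.

```python
"""Audit an extracted firmware root filesystem for setuid/setgid binaries.

Added example, not KoreLogic's code.  Assumes the firmware image has already
been unpacked into a directory tree; the sample tree built by
build_sample_rootfs() is constructed data, not a real image.
"""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class PrivilegedBinary:
    path: str     # path relative to the firmware root
    mode: str     # permission bits as four octal digits, e.g. "4755"
    setuid: bool
    setgid: bool


def find_privileged_binaries(root):
    """Return every regular file under `root` with the setuid or setgid bit set.

    Symlinks are skipped (lstat, no link following): the privilege boundary is
    the target file, which is reported once on its own path.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            suid = bool(st.st_mode & stat.S_ISUID)
            sgid = bool(st.st_mode & stat.S_ISGID)
            if suid or sgid:
                findings.append(PrivilegedBinary(
                    path=os.path.relpath(full, root),
                    mode=format(stat.S_IMODE(st.st_mode), "04o"),
                    setuid=suid,
                    setgid=sgid,
                ))
    return sorted(findings, key=lambda f: f.path)


def build_sample_rootfs():
    """Construct a small fake firmware tree in a temp dir (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="fw_root_")
    layout = {
        "bin/busybox": 0o4755,            # setuid: common on embedded images, still worth review
        "usr/sbin/netcfg": 0o6755,        # setuid + setgid: unusual, review closely
        "www/cgi-bin/admin.cgi": 0o0755,  # web-facing script, no special bits
        "etc/shadow": 0o0600,             # sensitive but not a privilege boundary
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            # Fake ELF header for "binaries", shell stub for the CGI script.
            fh.write(b"\x7fELF" if rel.startswith(("bin", "usr")) else b"#!/bin/sh\n")
        os.chmod(full, mode)
    # Typical applet symlink; must not produce a second finding.
    os.symlink("busybox", os.path.join(root, "bin", "sh"))
    return root


if __name__ == "__main__":
    sample_root = build_sample_rootfs()
    for finding in find_privileged_binaries(sample_root):
        flags = "+".join(f for f, on in (("setuid", finding.setuid), ("setgid", finding.setgid)) if on)
        print(f"{finding.mode} {flags:<13} {finding.path}")
```

Each reported path is a candidate for the "web script bug plus privileged binary" chain the assessment looked for; the defensive follow-up is to justify or strip each bit, and to keep the list as a release gate so new privileged binaries do not appear unnoticed.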

Application Security Assurance Testing

Client Profile: Management Collaboration Solution Provider
Client Requirements: The client required analysis and testing to assess whether its collaboration solution was resistant to attack and to unauthorized disclosure of confidential information.
KoreLogic Approach: Given that the application is used on different platforms, the attack surface of each had to be studied and tested. Penetration testing consisted of application-layer testing of iOS, Windows, OSX, web-based, and Android platforms. In addition, KoreLogic performed external and internal penetration testing of the supporting application infrastructure.
Key Results: Analysis revealed vulnerabilities in how client information was encrypted and stored at rest on end users' systems and devices. In the case of the mobile applications, rooted and jailbroken device detection could be bypassed and sensitive information such as document storage keys could be obtained. The client used this information to implement a new code obfuscation method and application-layer checks to detect application tampering.

Critical Systems Threat Profiling

Client Profile: Fortune 500
Client Requirements: Given that detection and response is essential, but not sufficient, the client engaged KoreLogic to perform annual threat profiling of its most critical systems as part of its program to help anticipate cyber security threats and guide subsequent risk management efforts.
KoreLogic Approach: Based on our in-depth knowledge of the client's systems, KoreLogic identified key business processes/systems where security threats could potentially cause catastrophic impact affecting customers, revenue, and/or the client's brand. KoreLogic then performed open source collection on the target systems including breaches of similar systems, developed system threat profiles, and analyzed the profiles with client system subject matter experts to vet the threat scenarios.
Key Results: The client's security team briefed the CISO using KoreLogic's executive summary that described the most significant threats and potential impacts for each system analyzed. The client is contemplating using KoreLogic's threat profiles as a new input into its indicator of compromise (IoC) detection program.

Product Pre-Release Security Assurance Testing

Client Profile: Fortune 500 Firm
Client Requirements: Like many OEMs today, this client's products are the target of vulnerability researchers which, in turn, poses a risk to the client's brand. To reduce the risk of releasing a new hardware platform that contained vulnerabilities, KoreLogic was retained to perform pre-release security assurance testing focusing on the product's firmware and embedded software components.
KoreLogic Approach: KoreLogic evaluated the security of the client's new platform focusing on various embedded components (remote management interfaces, etc.); the controller (network services it exposes and relies on); firmware interfaces (e.g., secure boot); BIOS / firmware update mechanisms (e.g., signature validation, integrity checking); and supporting applications. In addition to manual testing and reverse engineering, KoreLogic employed its proprietary fuzzing framework to test protocols generated or consumed by the platform.
Key Results: KoreLogic identified high-risk vulnerabilities, including bypass of control validation during firmware updates, a key exchange protocol weakness (password capture), and configuration file content exposure (unauthorized access and modification). The client used the test results to address the vulnerabilities found, thereby reducing product security risk.