Assume Breach
Test your internal security from a hacker’s perspective
Service
Using the tactics, techniques, and procedures (TTPs) of real attackers, we simulate an attacker who has already compromised a system. From that initial foothold we test your internal security and log management. The test identifies the attack paths that criminal hackers are likely to use on the internal network and helps verify whether your detection and response are adequate.
The Assume Breach test does not contain the external elements that are normally part of a Red Team engagement, but it still contains the tactical network exploitation. This approach greatly reduces the complexity and time required to perform the test and therefore comes at a significantly reduced price compared to a Red Team, while still providing most of the value of a Red Team.
A variant of the normal Assume Breach test is the Stealth Assume Breach test. In the Stealth Assume Breach test, only a select few employees are aware of the test, so the test focuses more on your ability to spot an active cyber attack and on your response capabilities.
Value
Test your security and resilience against current and real cyber threats.
Identify vulnerabilities on critical assets.
Test your detection and response capabilities.
Deliverables
Debriefing workshop of several hours with your internal IT operations team. During the workshop, we will review the findings, discuss the remediation suggestions from the report, and showcase some attack path examples from the report.
Written report with two primary sections:
Management section for management and decision makers with high-level risk picture and executive summary.
Technical section with detailed observations for each attack path and security insufficiency identified.
Methodology
Together with you we define the scope and goals of the test. You grant us access to a normal domain-joined workstation with the credentials of a normal employee. This simulates an attacker who has already gained an initial foothold within your organization.
How we attack the environment will vary greatly depending on the goals and the organization, but the phases are the same:
Internal Reconnaissance - We enumerate users, groups, rights, computers, and other types of objects and systems in your environment. We also review network shares for sensitive information, perform vulnerability scanning of systems and more.
Post Exploitation - Using the information gathered about your infrastructure and environment, we attack users and systems to gain access to more systems and user accounts. When new access is obtained, we perform more reconnaissance and more post exploitation. These two phases alternate until we have achieved the pre-defined goals.
Data Exfiltration (or proof thereof) - When we obtain access to one of the goals, we either perform data exfiltration to show that we obtained access to it, or, if desired, we only document the possibility of exfiltrating it, ensuring that sensitive data does not leave your network.
Our methodology is inspired by penetration testing and the assume-breach approach and makes use of the MITRE ATT&CK framework, along with custom-developed Command and Control profiles.
Involvement
These tests require limited involvement from your team while the test is running. After the test, several hours of involvement should be expected for the debriefing workshop in which we review the findings.