Infrastructure Penetration Testing is About Protecting Your Assets
Infrastructure Penetration Testing primary goal is to expose the vulnerabilities within the network infrastructure so you can be one step ahead of attackers. Attackers will try to access your business critical assets. The overall process is the same as for Azure Penetration Testing, but differs a bit on the content. Focus is on assets.
Generic Process with an Infrastructure Twist
At Seculyze, we use the generic Penetration Testing Process as depicted in the overall pentesting offering. Two main phases are further split into sub-phases to describe the special nature of Infrastructure Penetration Testing.
- Phase 2: Discover is divided into the subphases 2a: Scan and 2b: Path
- Phase 3: Attack is divided into the subphases 3a: Exploit and 3b: Access
Infrastructure
Process
Four generic phases based on generic process based on NIST 800-115 of which two are divided into sub-phases in the Infrastructure Penetration Testing process
Plan
We will discus the scope with you: What assets an attacker could gain access to e.g., the ERP or backup system. The highest privilege “domain administrator” is usually always in scope. Rules of engagement are agreed such as ‘is it allowed to install security tools on the machine that gets compromised’ or ‘are any systems out of scope’
Enumerate and scan
Seculyze will look for information in the infrastructure, such as service and user enumeration, sensitive information on shares or learning the network by scanning or listening passively. We scan and gather information about your network. Services are categorized, network paths and equipment is identified and
analyzed
Determine attack paths
The attack surface is analyzed so attacks are more effective. Seculyze identifies entry points and loopholes that can either provide taking over devices or alternatively provide data for further vulnerabilities: Access points, flaws identification and vulnerabilities on web non-web services. The most effective attack path is determined
Exploit vulnerable attack path
The exploitation and penetration can result in either a risk assessment of the identified vulnerabilities or an actual attempt to take control, which could include lateral movement of moving from a compromised server to other servers
Access business critical assets
Our main goal is to gain access to high privileged data, accounts or the goal that is set forth in the planning phase of the project. Additional discovery is sometimes needed, to gain more knowledge to exploit some weakness, install additional software or extract information
Report
The report from the Infrastructure Penetration Testing contains results and confidential information about internal systems. Therefore it will show all the misconfigurations found rated by criticality in addition to the attack path of how Seculyze gained access to the different goals defined in the planning phase
MANAGEMENT ON YOUR BACK?
Infrastructure Penetration Testing is an excellent way to test the organizational cyber resilience and also that of your network and systems. Many of our clients use penetration testing as part of their cybersecurity deliveries
Want to know more about Infrastructure Penetration Testing?
