Case Study
Penetration Testing
This customer wanted to thoroughly replicate what an attacker could potentially exploit within their environment. They hired Anchor Technologies to ethically hack their environment from the Internet and from within the network.
Intro
How We Improved Executive-Level Cybersecurity Risk Awareness
The engagement began with exploring all information available in the Open Source Intelligence (OSINT) realm on the Internet. From this investigation we discovered the IP address blocks and vendors the organization was using to host their core customer-facing application. The investigation also provided key information on employees who worked in important roles at the organization and their email addresses, and in a few cases even their login IDs and passwords were harvested from the Dark Web. This certainly had an impact on the organization’s executives when they reviewed the findings report.
Details
Hacking your organization before the bad actor does.
Challenge
How to test your security controls using the same methods that a real attacker would, in a safe, controlled, non-disruptive manner. Maybe even test your staff’s ability to respond to a cybersecurity attack.
Solution
The Penetration Test exploits technical vulnerabilities, extending the Vulnerability Assessment activities into a proof of exploitability rather than just a theory. This test is extremely valuable after the organization has a reasonable level of confidence in its security controls. It replicates what an attacker will actually do to break into your environment, but in a safe, cooperative, and controlled manner.
Accounts Compromised: 3
Vulnerabilities Tested: 40k+
Network Penetrated: 100%
Budget Increase: 18%
Engagement Summary
The test resulted in a 100% penetration level of the internal network while pivoting through the external network. Multiple entry points were identified, and proof of each penetration step was documented and supported with detailed evidence of how the weakness was identified and exploited.
It was shown how an attacker could identify the key systems, gather enough OSINT to effectively plan an attack, and then probe the system vulnerabilities until a path inside was found.
Once inside, the attacker could have utilized a combination of two lower severity vulnerabilities to gain domain level credentials. Once the domain credentials were acquired, fake system accounts were set up to evade detection and the internal resources were explored for data of interest. Once the data was identified, a sample was exfiltrated through the minimally restricted outbound encrypted SSL ports to the attacker’s waiting external host. This evaded all detection from the existing advanced security controls.
Testimonial
“I can’t believe it took us this long to perform this test. So happy that we did. The results don’t lie.”
Organization’s CEO
Get In Touch
6315 Hillside Court, Suite J, Columbia, MD 21046
866.841.0777