Internal Penetration Test (Red, Blue Team Approach)
Client Profile: Multinational Financial Services Firm
Client Requirements: Gauge detection and response capabilities to attacks on critical systems
KoreLogic Approach: With zero knowledge and no credentials, conducted a red team exercise with the goal of adding unauthorized systems to the internal network and pivoting the attack toward high-value financial systems/networks handling funds transactions. Steadily increased activity to determine the inflection points at which attacks were detected. Supported the client's blue team analysis of the response results.
Key Results: Identified high-risk vulnerabilities used to compromise multiple internal Windows domains, the Unix environment, and internal systems used to perform fund transfers. Provided the client a detailed timeline of all attack steps, a list of specific attacks that were detected, those that should have been detected as well as a collaborative analysis of why they were not detected. This allowed the client to correlate the results and the alerts generated to improve detection-to-response performance.
Annual External Penetration Test
Client Profile: Fortune 500 Firm
Client Requirements: To gauge its resistance to a sophisticated attack, the client directed KoreLogic to "Over the Internet, using stealthy techniques, attempt to gain access to our internal networks. Do this without any information from us."
KoreLogic Approach: Used open source collection and technical reconnaissance to identify an Internet-facing toehold and expand access to internal network. Collected information about client personnel, email addresses, system information, etc. to leverage in formulating an attack.
Key Results: Compromised a user account on an Internet-facing website to gain a toehold and moved laterally to an internal system. Achieved full compromise of all Windows domains, gained access to credentials stored in various password vaults and identity stores, obtained administrator-level access to mainframe systems handling financial transactions, and accessed various file servers/shares that contained financial reports and scripts. Provided the CISO with the leverage required to request funding increases to effect needed changes.
Cloud Penetration Test
Client Profile: Managed Mobility Service Provider
Client Requirements: Test the internal cloud's resistance to attack. The cloud environment consisted of segregated PCI networks, multiple Class B networks with virtual machines (VM), management networks with hypervisors and cloud computing servers, and the supporting network infrastructure.
KoreLogic Approach: KoreLogic was able to compromise several insecurely configured VMs, capture additional encrypted credentials, and then leverage the KoreLogic cracking grid to crack the captured hashes.
Key Results: The entire cloud infrastructure (every VM), the PCI networks, the back office networks, the Windows Active Directory (AD), and Unix servers were compromised because they used a single sign-on model synced with the Windows AD. KoreLogic's testing activities were not detected.
Hardware-Level Security Test
Client Profile: Mobile Networking Vendor
Client Requirements: The client's customers utilize its hardware to extend mobile coverage to areas that do not have service. The vendor requested a hardware-level security assessment of the proprietary devices used to provide that service.
KoreLogic Approach: KoreLogic performed system-level firmware analysis as well as hardware analysis of the device. The hardware analysis looked for things that an attacker might utilize such as JTAG or UART headers and EEPROM chips that could potentially hold sensitive data such as secret keys. The firmware analysis utilized KoreLogic-created custom code review applications that looked for vulnerabilities in web-based scripts used to administer the devices. Analysis at the file system level was also performed to determine other attack vectors such as setuid binaries that could potentially be abused to elevate privileges if a vulnerability were to be found in a web-based script.
Key Results: Discovered multiple exploitable vulnerabilities in both the hardware and firmware. Determined that an attacker could utilize the web-based scripts to execute arbitrary commands as the webserver user. The hardware also provided a populated JTAG header that could potentially be used to program the SoC or other chips on the JTAG chain. The vendor used KoreLogic's results and recommendations to implement fixes that enhance the security of its devices.
Application Security Assurance Testing
Client Profile: Management Collaboration Solution Provider
Client Requirements: The client required analysis and testing to assess whether its collaboration solution was resistant to attack and to unauthorized disclosure of confidential information.
KoreLogic Approach: Given that the application is used on different platforms, the attack surface of each had to be studied and tested. Penetration testing consisted of application-layer testing of iOS, Windows, OSX, web-based, and Android platforms. In addition, KoreLogic performed external and internal penetration testing of the supporting application infrastructure.
Key Results: Analysis revealed vulnerabilities in how client information was encrypted and stored at rest on end users' systems and devices. In the case of the mobile applications, rooted and jailbroken device detection could be bypassed and sensitive information such as document storage keys could be obtained. The client used this information to implement a new code obfuscation method and application-layer checks to detect application tampering.
Critical Systems Threat Profiling
Client Profile: Fortune 500 Firm
Client Requirements: Given that detection and response is essential, but not sufficient, the client engaged KoreLogic to perform annual threat profiling of its most critical systems as part of its program to help anticipate cyber security threats and guide subsequent risk management efforts.
KoreLogic Approach: Based on our in-depth knowledge of the client's systems, KoreLogic identified key business processes/systems where security threats could potentially cause catastrophic impact affecting customers, revenue, and/or the client's brand. KoreLogic then performed open source collection on the target systems including breaches of similar systems, developed system threat profiles, and analyzed the profiles with client system subject matter experts to vet the threat scenarios.
Key Results: The client's security team briefed the CISO using KoreLogic's executive summary that described the most significant threats and potential impacts for each system analyzed. The client is contemplating using KoreLogic's threat profiles as a new input into its indicator of compromise (IoC) detection program.
Product Pre-Release Security Assurance Testing
Client Profile: Fortune 500 Firm
Client Requirements: Like many OEMs today, this client's products are the target of vulnerability researchers which, in turn, poses a risk to the client's brand. To reduce the risk of releasing a new hardware platform that contained vulnerabilities, KoreLogic was retained to perform pre-release security assurance testing focusing on the product's firmware and embedded software components.
KoreLogic Approach: KoreLogic evaluated the security of the client's new platform, focusing on the various embedded components (remote management interfaces, etc.); the controller (the network services it exposes and relies on); firmware interfaces (e.g., secure boot); BIOS / firmware update mechanisms (e.g., signature validation, integrity checking); and supporting applications. In addition to manual testing and reverse engineering, KoreLogic employed its proprietary fuzzing framework to test protocols generated or consumed by the platform.
Key Results: KoreLogic identified high-risk vulnerabilities, including a bypass of the control validation performed during firmware updates, a weakness in the key exchange protocol (password capture), and exposure of configuration file content (unauthorized access and modification). The client used the test results to address the vulnerabilities found, thereby reducing product security risk.
Validation of Blue Team Infrastructure
Client Profile: Financial Services Firm
Client Requirements: Test the effectiveness of the client's SIEM and other monitoring and alerting infrastructure. This client had previously experienced multiple APT infections and data breaches, and as a consequence had substantially invested in expanding its Blue Team's monitoring, alerting, and response capabilities. It needed a way to measure the return on those investments and identify gaps.
KoreLogic Approach: KoreLogic first validated the system's intended and stated functionality: confirmed that all data sources were being ingested properly by the SIEM, and built test cases for each configured dashboard/alert to confirm that it fired under the intended circumstances. Next, KoreLogic looked for gaps by considering various attacker workflows, similar to the "cyber kill chain" modeling approach. Each stage of each attack was mapped to the types of behavior that systems and the network would exhibit ("indicators of compromise", or IoCs), how they might be detected, and whether or not the client's infrastructure had the coverage necessary to record, and alert upon, the malicious activity.
Key Results: KoreLogic identified several flaws and gaps. Numerous alerts did not fire as expected due to errors in rule creation, configuration drifts (hostnames or IP addresses not being updated, etc.), and changes to third-party tools causing data ingestion to silently fail; the client was able to quickly fix these. KoreLogic also identified numerous attack scenarios and IoCs that were not detected or alerted upon. KoreLogic gave recommendations of additional rules or tuning of tools to the Blue Team.
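A small validation harness in the spirit of the approach described above, added here as an illustration and not KoreLogic's own tooling: each alert rule carries the synthetic event it is documented to fire on, and the check reports rules that fail to fire on that event (rule-creation errors), rules whose host references have drifted out of the asset inventory, and log sources that have silently stopped ingesting. The rule set, inventory, hostnames and timestamps are constructed sample data, and the rule/event structure is an assumption rather than any particular SIEM's format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data standing in for a SIEM rule set, asset inventory
# and per-source ingestion timestamps; all names and fields are assumptions.
INVENTORY = {"fw-edge-01", "dc-01", "web-03"}
NOW = datetime(2024, 1, 1, 12, 0)
LAST_SEEN = {"winlogon": NOW - timedelta(minutes=5),   # most recent event per source
             "firewall": NOW - timedelta(minutes=3),
             "auditd": NOW - timedelta(hours=6)}       # quietly stopped sending
@dataclass
class Rule:
    name: str
    source: str        # log source the rule depends on
    match: dict        # field values an event must carry to fire the rule
    test_event: dict   # synthetic event the rule is documented to fire on

RULES = [
    Rule("admin_rdp_logon_dc", "winlogon",
         {"event_id": "4624", "host": "dc-01", "logon_type": "10"},
         {"source": "winlogon", "event_id": "4624", "host": "dc-01", "logon_type": "10"}),
    # Configuration drift: the firewall was renamed but the rule was not updated.
    Rule("fw_deny_spike", "firewall",
         {"action": "deny", "host": "fw-edge-00"},
         {"source": "firewall", "action": "deny", "host": "fw-edge-00"}),
    # Rule-creation error: the rule expects "openat" but the source logs "open".
    Rule("web_docroot_write", "auditd",
         {"syscall": "openat", "path": "/var/www/html"},
         {"source": "auditd", "syscall": "open", "path": "/var/www/html"}),
]

def rule_fires(rule, event):
    return event.get("source") == rule.source and all(
        event.get(k) == v for k, v in rule.match.items())

def validate(rules=RULES, inventory=INVENTORY, last_seen=LAST_SEEN,
             now=NOW, max_age=timedelta(hours=1)):
    """Map each rule name to ['ok'] or the reasons it cannot be trusted to alert."""
    findings = {}
    for r in rules:
        problems = []
        if not rule_fires(r, r.test_event):
            problems.append("test event does not fire rule")
        host = r.match.get("host")
        if host and host not in inventory:
            problems.append(f"config drift: host {host} not in inventory")
        seen = last_seen.get(r.source)
        if seen is None or now - seen > max_age:
            problems.append(f"ingestion gap: no {r.source} events within {max_age}")
        findings[r.name] = problems or ["ok"]
    return findings
```

Run on the constructed data, only the domain controller rule comes back clean; the other two surface exactly the silent failure modes the engagement found (stale hostname, broken rule logic, and a source that stopped feeding the SIEM).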