Hacker attack simulation
Penetration testing assesses the security of your IT infrastructure, systems and applications by simulating a hacker attack. While using the same procedures and tools as a real attack, penetration tests have a clearly defined test subject and may exclude actions that could damage the tested system. When testing, we follow appropriate standards such as OSSTMM, PTES and OWASP and use professional tools such as Qualys or Burp Suite.
What you will get:
- We uncover weaknesses in system security that could be exploited in a real attack
- We assess the level of security risk in your company
- We will create a comprehensive report that includes a management summary as well as a detailed analysis and corrective actions for each security weakness identified
With or without information
We also distinguish penetration tests by how much information we have about the system being tested.
- Black-box: no additional information, just a defined test subject (scope)
- Grey-box: basic information about the system structure and the components used is available, typically along with a user account
- White-box: detailed information about the structure and configuration, often admin access or application source code available
How will this work?
First of all, the testing tactics need to be agreed on so that they best meet your requirements. The actual techniques of the penetration test then depend on what is being tested. These are similar to the techniques used in an actual cyber attack. Our emphasis is mainly on manual testing that takes advantage of the knowledge and experience of ethical hackers. Unlike vulnerability scanning, which only serves here as a possible source of information, penetration testing can reveal more complex vulnerabilities and more accurately assess their severity.
Penetration testing can be roughly divided into several phases:
- The pre-implementation phase consists mainly of project preparation and communication with the customer.
- Information gathering involves scanning the network and identifying active services; in some cases, it may also involve so-called OSINT analysis, where potentially useful information (email addresses, subdomains or leaked login credentials) is searched for on the Internet.
- Vulnerability analysis mainly involves scanning for known vulnerabilities using an automated tool.
- Exploitation of the vulnerabilities found simulates the next phase of the attack: an attempt to penetrate the system under test. It also covers eliminating false-positive findings from the vulnerability scan and manually searching for additional threats.
- Impact identification means identifying what an attacker could achieve if a vulnerability is successfully exploited and then assessing the severity. This may involve, for example, further penetration of the tested system through privilege escalation, obtaining login credentials to other systems, or controlling other devices on the network. Should this involve uploading tools to other computers or creating new accounts, these artefacts are deleted before the end of testing.
- Preparation of a final report that includes both a brief executive summary of the findings and a more detailed technical section describing the vulnerabilities found, the possible exploitation process, and recommendations for mitigation. If necessary, the customer can consult us about any follow-up questions or recommended further action.
- Retest is an optional component that verifies that the vulnerability has actually been removed as a result of the corrective action.