Attack Simulation

An attack simulation simulates one or more components of a real-world cyberattack and examines how vulnerable an organization is to a particular form of attack. This can include Open Source Intelligence (OSINT), Dark Web research, physical security, Wi-Fi audit and Cyber Attack Bounty.

If the following questions are still open in your company, an attack simulation is recommended:

  • What can an attacker find out about our company and our employees on the Internet?
  • Is our company's access data sold on the Darknet?
  • Are our servers physically protected from attacks?
  • Can you access our critical systems from our guest WLAN?
  • Can ethical hackers compromise us without maliciously causing harm?

 

Process

Scoping

Goal and scope

The purpose of the scoping meeting is to define the objectives of the attack simulation and to transfer enough knowledge about the environment to be tested that the offer can be prepared on that basis. The questions mostly revolve around the test scenarios and conditions.

Offer

Agreement

The offer is prepared on the basis of the scoping meeting. In addition to the objectives, methods, price and general conditions, it also contains a suggested timeframe for execution. Of course, nothing is set in stone and the offer will be adapted to your needs. In principle, we always charge according to the actual effort involved.

Kick-Off

Test details

In the kick-off, the test details are discussed with the responsible persons. In particular, the definition of the exact target environment and the exact procedure are central here. Fast and smooth communication during the test is also ensured in this meeting.

Test

Execution

The tests are carried out in close coordination with the person in charge, which ensures that there are no unpleasant surprises. As much test data as possible is collected in the time available, and any critical findings are communicated immediately.

Analyze

Gaining insights

The collected data is evaluated and measures are developed. The best measures are of no use if they cannot be implemented or require too many resources. Therefore, the feasibility of the measures in the tested infrastructure is checked in particular and any workarounds are taken into account.

Report

Report writing

The results are summarized and evaluated. Measures are proposed for all risks and their priority is recorded. The report also contains information about the tools and methods used, so that they can be reused in the future.

Closing

Final discussion

A closing meeting ensures that the results and measures from the test can be understood and implemented. Since questions usually only arise during the remediation, we are of course always available for further queries and are happy to provide information.

Deliverables

All results are submitted in a final report (PDF, Excel and JSON) and made available via the Mesher platform. This is where the real work begins. Cybersecurity can only be increased if measures are also implemented. Therefore, it is a key concern for us that the findings from the tests arrive at the right place in the right format and that media breaks are eliminated.

PDF
The final report in PDF format contains an introductory section, executive summary, tools and methods, test details, positive aspects and passed requirements, results and measures with detailed description, categorization and prioritization.
 
EXCEL
The Excel file contains all results and measures with detailed description, categorization and prioritization. Thanks to the editable format, this list is suitable for further processing of the results, and additional information can easily be added.
 
JSON
The JSON file contains all results and measures with detailed description, categorization and prioritization. The JSON format is the most common format for automated further processing of information and can often be fed into existing tools with little effort.
 
Report

Categorization

We categorize all findings according to their probability of occurrence and impact. If required, the CVSS score can also be calculated for each vulnerability.

Report

Executive Summary

Each report contains an Executive Summary, in which the results and recommended measures are summarized on one page and illustrated in diagrams.


Mesher

Via Mesher, your current security level is recorded and you can view the return on investment for the various measures. All results are also visualized here and can be linked to existing tools thanks to integrations. With the platform, technical measures can be assigned directly as tasks to the appropriate people, which enables agile work without media breaks.


Code of Conduct

In an attack simulation, social engineering can be part of the audit. The aim of a social engineering audit is to check employees' awareness of and reactions to social engineering attacks. The simulated attacks are based on real attacks. In contrast to real attacks, however, simulated attacks must comply with legal and moral boundaries. The personal integrity and psychological well-being of the persons involved should not be affected in any way by a social engineering audit. The results of such an audit are only made available in anonymized form and should not allow any conclusions to be drawn about the identity of the individual persons tested and their behavior.

 

Open Source Intelligence (OSINT)

In the OSINT module, publicly accessible sources are searched for information that could also be of interest to an attacker. This includes, in particular, information that could be used for a targeted phishing attack. Such research is typically also the first step in real, targeted attacks, and knowing what has been disclosed can help a company to better prepare for them. Even if information that was once publicly accessible can no longer be easily removed (Internet Archive), access to such information can at best be made more difficult and the bar for an attacker can be raised. This module can also help to raise awareness of the disclosure of such information.

 

Dark Web Research

Leaked data and passwords often end up for sale on the Dark Web. Often, these are then bought and monetized by other criminal groups, for example by escalating privileges, encrypting data and demanding a ransom (ransomware). This also shows the increasingly widespread specialization of criminal organizations and the use of the ransomware-as-a-service model. The individual steps therefore do not necessarily have to be carried out by the same criminal organization, which often leads to delays between them. These delays offer the opportunity to detect any data and password leaks before they lead to greater damage. Dark Web research can be used to search for precisely such leaks on the Dark Web once, or ideally through regular monitoring. Should any connections to your company become apparent, you will be informed immediately and steps to mitigate the damage will be discussed and initiated together. Such Dark Web monitoring could already have saved many a company from greater damage.

 

Physical Security

Cyberattacks that originate from a physical attack vector, such as unprotected LAN access, WLAN or USB sticks with malware, are generally very targeted attacks and tend to be attributed to more experienced attackers. This assessment is largely correct, and the defense against such attacks does not necessarily have to have top priority, but it should nevertheless be examined sooner or later and security measures established. With a little OSINT, sending a USB stick by mail can be a relatively simple but effective approach for an attacker, and it is not so easy to prevent. In this simulation, we look together at the possible physical attack vectors and test the existing security measures for their effectiveness. In addition to the examples mentioned above, such as LAN, WLAN and USB sticks, this can also include the physical security of the data center, printers, passwords on sticky notes, unlocked workstations or social engineering attacks. Since such simulations often involve people and their behavior, we are aware of the sensitive nature and follow a strict Code of Conduct.

 

Wi-Fi Audit

An attack via WLAN counts as a physical attack vector, and a secure WLAN architecture requires several points to be considered. In this audit, we test exactly this security. The separation of guest WLANs, secure encryption and access control are the central components that are tested. By means of so-called wardriving and brute force attacks, the existing security can be tested in a simulated attack. Unfortunately, it is not uncommon for central systems to be accessible from the unsecured guest WLAN, where maximum damage can be caused. Such flaws must be uncovered and cleaned up.

 

Cyber Attack Bounty

For most companies, the primary concern is to protect themselves against financially motivated cyberattacks (for example, ransomware). However, they often lack the resources to conduct in-depth penetration tests or red teaming. Nowadays, covering only the external attack surface is no longer sufficient to protect against current cyber threats. With this service, you allow our Red Team specialists to attack your company under real conditions. We use the same tools and methods as real attackers, and your company will be put to a real endurance test. As with real cyberattacks, your company will not only be subjected to a one-time attack, but will be continuously searched for attack paths. Payment is only made after successful attacks, i.e. after predefined targets have been reached, such as initial compromise, access to sensitive data or domain dominance. With our report, exactly these attack paths can be mitigated. If there is no successful attack, nothing is paid, quite simply. This offers probably the most realistic and efficient way to specifically increase the cyber security of a company.