SentryTEST – Penetration Tests
Built for Security Programs
Today’s advanced persistent threats are no longer only reserved for governments and large organizations. Devastating attacks such as ransomware, crypto lockers, and large-scale data breaches affect any sized organization, large or small. To combat these threats, Cerberus’s Red Team moves beyond traditional penetration testing methods, employing real-world attack simulations to ensure your security defenses are put to the test.
Traditional Pen Test vs.
Red Team Engagement
One significant difference between a traditional penetration test and a red team engagement is scope. Penetration testing is typically limited to a defined set of endpoints or applications – focused on testing your defenses against exploitation. In contrast, an attack simulation has no defined scope. The Red Team can use any and all means of attack to fully emulate real world threats. This process provides the most realistic security test for your organization’s security defenses and Blue Teams. By fully mimicking real world attacks, in a safe and controlled manner, your defenses are put to the test, giving you confidence in their ability to detect and respond to today’s threats.
Purple Team Engagements
Purple Team engagements are a great way to gain the benefits of an attack simulation while keeping your security team fully engaged. Cerberus’s Red Team works in close coordination with your Blue Team and security defenders to design and execute attacks most impactful to your organization. Purple team simulations combine the attack expertise of Cerberus’s Red Team with your team’s deep insider knowledge of your environment. This pairing provides the best of both worlds, allowing the engagements to progress quicker while ensuring all aspects of your security program are fully tested.
What Kind of Testing is Right for Me?
Application Programming Interfaces (APIs) allow applications to interact and exchange data with other applications. While APIs are often obscured and not intended for direct interaction, overlooking the security of your APIs could lead to significant data breaches and data loss. API testing shares many of the same traits as web security with the addition of unique challenges. Cerberus’s API security testing process focuses on these critical security elements encompassing areas such as:
- OAuth and SAML authentication
- REST, SOAP, JSON, and other API standards
- Cryptographic flaws
- Input handling and validation
- Data leakage and object access security
Application and Mobile App Testing
Web applications and mobile apps are among the most exposed elements of an organization. However, they often receive the least amount of security scrutiny. This imbalance has driven a significant increase in the growing number of large-scale, high visibility data breaches. Cerberus’s application security experts can bring clarity to your application’s security through deep dive assessments designed to uncover your application’s security flaws using manual and automated security testing as well as secure SDLC focused source code audits. Guided by sound industry best practices like the OWASP Web Security Testing Project, Cerberus can strengthen your application security program by evaluating your application’s key security controls, including:
- Identity management and authentication
- Access control and authorization
- Input handling and validation
- Cryptographic flaws
- Privacy issues and sensitive data leakage
- Business logic testing
- Client side and browser-based security flaws
Cloud Security Testing
Public Clouds (including Azure & AWS) and/or Private Clouds
IT systems are migrating to the cloud at an accelerated pace; however, this rapid pace has caused security teams to struggle to keep up. New cloud technologies such as containers and cloud storage require new security strategies and security testing procedures. As a full-service Managed Security Services Provider, Cerberus’s team has extensive experience in architecting, configuring, securing, evaluating and testing cloud networks, including AWS and Azure environments. Cerberus’s Red Team custom tailors a security test to match your cloud environment to evaluate key technologies, including:
- Identity and access management (IAM)
- Cloud storage access controls and information data leakage, including AWS S3 buckets, serverless functions, and other overlooked cloud-specific technologies
- Container security technologies including Kubernetes and Docker
- Public and private cloud penetration testing covering cloud instances such as AWS EC2 and Azure VMs
ICS and ioT Security Devices
Today’s corporate enterprise networks have expanded beyond the traditional servers and workstations model of the past. Modern networks are a blended mix of operational technology (OT) systems and information technology (IT) systems both requiring security controls and testing. As a longtime leader in securing these diverse systems, Cerberus brings a wealth of experience and discipline when evaluating ICS environments such as SCADA networks, as well as specialized IoT devices including medical devices, payment card devices, and flight safety and infotainment systems. Cerberus’s ICS (Industrial Control Systems) and IoT (Internet-of-Things) security testing can include:
- Secure configuration analysis, vulnerability assessment, and threat modeling
- ICS penetration testing and attack simulation
- Hardware and software reverse engineering
- Black-box security evaluations
Specialized review of medical devices for security issues required for FDA approval. This testing can identify issues that can expose patient information or potentially alter device function.
Network and System Testing
Defending your networks and systems from persistent threats requires a defense-in-depth approach relying on multiple layers of security controls working in concert. Validating these controls are working and capable of detecting and resisting attacks is vital before they are evaluated by real-world threats. Cerberus’s penetration testing and attack simulation services leverage the MITRE ATT&CK framework to ensure your networks and systems are put to the test.
Networks and Systems Testing include
- Vulnerability Exploitation
- Privilege Escalation
- Lateral Movement
- Command and Control
Physical and Social Engineering Testing
Testing and evaluating your user awareness training and policy and procedures is equally as important as testing your IT systems. Scams, email phishing, and fraud have been seen in some of the highest profile breaches. Attackers know that targeting end-users often allows them to bypass perimeter IT security defense, gaining a significant advantage. To ensure your security program is ready for these threats, physical and social engineering security testing should be a component of your security testing program to ensure your end-users security controls are working effectively. Cerberus’s experienced security testing team can custom tailor an engagement designed to fit your business with options such as:
- Physical security controls reviews
- Social engineering attack simulations
- Custom email phishing campaigns
- Phone vishing scenarios
Web Application Deep Dive
A deep review specific to web applications that extends normal zero-knowledge penetration testing by simulating what an attacker could do with authenticated access to the application. By doing this, Web Application Pen Testing can identify security issues not easily detected by other means.
Testing of Wi-Fi networks and devices for vulnerabilities or configuration mistakes that may allow intercepting of communications or access to private networks.
Scenario Based / Capture The Flag
Custom tailored penetration testing for specific threat vectors or specific business systems or operations, often with prespecified goals or “flags” for the penetration testing team to achieve.
Penetration testing is an all-encompassing security evaluation, which measures how well an organization’s security controls stand up to malicious threats both internal and external to your environment.
Cerberus’s Red Team, a group of experienced ethical hackers, will simulate a real attack, with the goal of helping your organization proactively uncover and address weaknesses before they are compromised by attackers.
Red Team Engagements
Using current frameworks and standards such as MITRE ATT&CK, Cerberus emulates the tactics and techniques of real-world attackers as they compromise endpoints, escalate privileges, and move laterally within your environment. By simulating the entire attack process, you can gain confidence that your security defenses can not only stop attacks but detect, contain, and eliminate todays advanced threats.
Benefits of Using Cerberus for Your Next Penetration Test
Using a risk-based approach, Cerberus’ penetration tests provide an organization with a broad look at its most critical vulnerabilities and attack vectors. Cerberus’ expert team of penetration testers review multiple vulnerability data sources and evaluate each issue in terms of real-world usage in successful attacks from malicious threat actors. This approach extends beyond traditional vulnerability scoring methodologies such as CVSS and criticality scores to provide a more actionable plan to addresses real risks. Factors included in this analysis include age of vulnerability, known or suspected exploit code availability, attacker tactics and techniques, and real-world difficulty of exploitation. This process allows an organization to focus on its’s most critical targeted vulnerabilities. Correcting the identified issues will ensure many of the known attacker tactics are patched before the organization experiences an attack.