Organizations that have been through multiple successful rounds of penetration testing resulting in a hardened environment have a very tough problem: How do they get a successful penetration test?
The common approach offered by many penetration testing firms just doesn’t deliver results in these well-defended organizations. Success requires custom attacks, as by definition these organizations are protected against any common approach that could be conducted. An assessment conducted over a two- to three-week period just does not adequately allow for this to occur. On the other hand, the cost of conducting a multi-month focused assessment is just not in many organizations’ budgets.
At Offensive Security, these sorts of hardened environments are what we love to work in. A job that requires us to stretch and find new attack methodologies is just what we are looking for, and we have been lucky enough to find ourselves in this situation many times. Because of this, we have been able to build a cost-effective process for these environments that may be right for you.
How we do it
Offensive Security Attack Simulation Services
A real attacker is not subject to artificial time limitations when it comes to building an effective assault against your organization. Obviously, this is not something that is realistic as a service, but we have found effective methods of shortcutting this process.
It’s a given that custom attacks are required in this sort of environment, and the most important ingredient for building a custom attack is information. Paying an assessment team to collect information that you already possess is just not cost- or time-efficient. We bypass this by sitting down with your team and letting you teach us about your company and systems. As you are the most knowledgeable party on the subject, we depend on your expertise to walk us through what you have in an interactive manner.
This process alone can save months of effort and cost.
Using the information that we are provided, we then go back to our labs and model potential attack points that we have identified. We spend a period of time developing custom attacks that are tailored specifically to your organization. The unique combination of software in use and the workflow that is put in place always creates targets of opportunity that are overlooked or not practical to attack using traditional methods.
After we have a series of attacks constructed, we start the active phase of the assessment. Here we put the new attacks to work, modifying them where needed based on differences encountered in the real world compared to the labs. At this point we are able to actively simulate a determined attacker that has specifically targeted your organization in a manner that is not otherwise possible without spending many months on the project.
Once this phase is complete, we draw on our experience with the discovery of new software vulnerabilities and work with the various vendors to report the details of newly discovered issues and get them corrected as soon as possible.
Using all of this information, we then work with you to conduct an in-depth analysis of what happened as part of the assessment, why, and what can be done to prevent it from happening in the future.
Is this right for you?
This solution is not for everyone. Your information security program and defenses have to be mature enough to stand up to this level of effort. However, if you are increasingly frustrated with finding an assessment team that can handle your environment, this may be the perfect fit for you.
No other company can provide this level of service. Offensive Security has unique experience in a combination of areas, from zero-day exploit discovery to hands-on training of high-security organizations. We are one of the most trusted names in the industry, responsible for maintaining the largest public archive of exploits available, and the creators of the most widely utilized security-focused Linux distribution available.
If you think you are ready for this level of assessment, contact us and we can discuss your options.