Advanced Engineering Services

Assumed Breach Penetration Test

Secure Network’s Assumed Breach penetration test will determine what actions can be taken by a threat actor that has successfully gained access to the internal network from an external context, such as phishing an employee or exploiting an externally facing host. This test will assess and discover the most likely attack paths that would be used by the attacker to move laterally and escalate privileges throughout the customer domain, with the purpose of gaining access to High Value Assets (HVA) or to escalate to Domain Admin, for the likely outcome of distributing ransomware or stealing protected or proprietary information.

We apply a consistent and reproducible approach that combines comprehensive identification with validation of risk-based vulnerabilities. This methodology ensures that both new and common threat actor Tactics, Techniques, and Procedures (TTPs) are applied to each test, identifying real-world attack paths that could be exploited within mature organizations.

Planning Phase

During the Planning phase, SNT will collaborate with customer Points of Contact (PoCs) to discuss Scope and Rules of Engagement, and to outline what to expect during the assumed breach penetration test. Senior cyber security engineers will take part in PoC planning meetings to detail engagement information and to answer any questions or concerns.

Reconnaissance Phase

The Reconnaissance phase will be the beginning of the assumed breach scenario. With access to a Windows-based workstation or server, SNT will implement commonly used threat actor TTPs to gain information about user context, host, AV/EDR, and the customer domain.

Exploitation Phase

The Exploitation phase will begin once a privilege escalation vulnerability has been discovered. This initial vulnerability may be exposed via software or service vulnerabilities, misconfigurations, man-in-the-middle (MITM) attacks, credential stealing, monitoring, or information leakage.

Post-Exploitation Phase

The Post-Exploitation phase continues the exploitation of the attack path to validate the likelihood of a real-world threat actor's ability to compromise the customer domain. In-depth analysis of Active Directory, baseline security configurations, user access, AV/EDR capability, and defense in depth will be used to demonstrate the actual impact that an adversary would have within the environment.

Reporting Phase

The Reporting phase will occur after the conclusion of testing. Any attack paths or vulnerabilities that have been discovered and exploited will be disclosed. Mitigation techniques are included in the details of findings, where applicable, to provide guidance and a starting point to reduce the overall risk to the customer environment. Complete movements of the threat emulation, along with their corresponding MITRE ATT&CK mapping, will be included in the report to give the customer an exact replication of the attack.


SNT will deliver the final report to the customer along with detailed mappings of the attack path. The deliverables will also include any artifacts gathered during the attack, such as Active Directory enumeration output and privilege escalation tests.