Are you looking to launch a new business application? Are you trying to find vulnerabilities in your infrastructure to mitigate them before the attackers start exploiting them? Do you want to go above and beyond and challenge your security capability with a red-team exercise? Have you identified your crown jewels and want to test whether they are well protected or not?

Most cyber-attacks around the world involve a cognitive process in which the adversary is a human who uses creativity and decision-making abilities to dodge the implemented security controls.
When you try to be proactive and find vulnerabilities in your application or infrastructure before the attackers do, automated vulnerability scans cannot identify or exploit vulnerabilities the way a skilled and determined human can. Relying on them often results in several critical flaws and vulnerabilities being missed, which eventually allows cyber-criminals to take advantage of them.
If you are looking for anything related to offensive security, you need not go anywhere else. With the expertise of highly skilled red-teamers and penetration testers from the industry, Evoionos provides you with something more than just automated vulnerability scans. Our experienced professionals mimic the adversary's thought process and challenge your security controls to provide you with strategies to mitigate threats. Because the more you sweat in the ring, the less you bleed on the battlefield!
Cybersecurity Assessment Services
Ensuring that IT infrastructure and applications are completely secure against probable cyber-attacks and threats is a continuous challenge for organizations. This challenge becomes huge for enterprises with a large number of employees, dozens of information systems, data centers, cloud accounts and multiple office locations across the globe. To combat hackers, defenders need to mimic the thinking patterns of hackers.
Penetration testing is a practical demonstration of multi-layered attack scenarios, in which a hacker or crafty attacker uses a combination of manual and machine-driven techniques to identify exploitable vulnerabilities and bypass the security controls deployed in an infrastructure, obtaining privileges to infiltrate, move laterally, persist and exfiltrate the organization's confidential and sensitive data.
We Offer
Cloud Security Assessment
Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) security assessments are performed based upon the CIS security benchmarks. To go above and beyond, we use our custom scripts and tools to cover all security aspects of cloud infrastructure.
External Infrastructure Pentest
Pentest conducted through the Internet by an ‘attacker’ with no preliminary knowledge of your system.
Infrastructure Internal Pentest
Pentest scenarios based on an internal ‘attacker’, such as a legitimate infrastructure user, a visitor with only physical access to the organization's network, or a guest with limited systems access.
Build and Configuration Review Pentest
Build and configuration review testing uses an authenticated approach, with credential-based access and scanning, to identify vulnerabilities, security baseline and configuration settings, potential illegitimate access to sensitive data, and other issues and potential compromises on devices.
Wireless Network Pentest
Wireless network pentesting provides an ordered list of issues, their associated qualitative risks, and remediation guidelines for identified vulnerabilities.
Web/Mobile Application Pentest
Web and mobile applications are tested for exploitable vulnerabilities and business logic flows. Please refer to ‘modes of penetration testing’ below for further details.
Social Engineering Based Testing
End users are the weakest link in the cybersecurity control chain. An assessment is conducted to test security awareness among the personnel of the organization; it includes phishing, pseudo-malicious links in emails, crafted suspicious attachments, etc.
Red Teaming
Unlike VAPT’s breadth-intensive activities in vulnerability identification, our red teaming service is a depth-intensive activity. It is based upon a non-destructive methodology, applied during the emulation of the attacker’s behavior, to achieve the ‘mutually agreed mission objectives’ with the Customer IT/security teams.
Our Methodology
Evoionos’s broad penetration testing methodology is given here in brief. However, a carefully defined scope would determine the actual components of the testing.
Planning and Preparation
Defining the scope and goals of a penetration testing activity including the systems to be addressed and the testing methods to be used.
Passive & Active Reconnaissance
In passive recon, the pentest team attempts to gather information about the employees and the organization from Open-Source Intelligence sources such as paste sites, leaked password repositories, etc. In active recon, the pentesters characterize the target systems and network to identify potentially exploitable vulnerabilities or misconfigurations.
Exploitation
Attempt to gain unauthorized access to target systems. Once a foothold is set up, use it to gather information, specific to the level of privilege gained, that was previously not available.
Privilege Escalation & Lateral Movement
The pentest team attempts to gain administrator-level access to target systems and leverages collected data to move laterally throughout the network, with a focus on obtaining access to critical systems and data.
Maintain Access
Depending on the scope of the test, ensure that compromised systems may be accessed throughout the test.
Cover Tracks
Depending on the scope of the test, ensure that all traces and footprints of the attacker activity are removed from the system and that it is restored to a clean state.
Reporting
Finally, the penetration testing team compiles all information gathered during the penetration test for the technical and executive management teams.
Assessment Standards
Penetration Testing Execution Standard (PTES)
NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment
Open Source Security Testing Methodology Manual (OSSTMM)
Web Application Security Consortium (WASC) Threat Classification
Open Web Application Security Project (OWASP) Testing Guide
Common Vulnerability Scoring System (CVSS)
Modes of Assessment
Black Box Pentest (BBP)
Black box penetration testing is conducted from outside by the pentester, with zero preliminary knowledge of the infrastructure and/or applications. In BBP, pentesters focus on breaking into the perimeter defense of an infrastructure; in the case of application testing, they focus on the inputs entering the software and the outputs it generates. BBP is also known as dynamic application security testing (DAST).


Gray Box Pentest (GBP)
In gray box testing, the pentester may have a partial understanding of the application. They log in through all available user profiles of the application and try to escalate privileges to hack into the application and design more targeted test scenarios. BBP is an integral part of gray box testing. GBP is also known as interactive application security testing (IAST).
White Box Pentest (WBP)
If static application security testing (source code review) is integrated with gray box penetration testing, it is labelled as white box pentesting.
