Schedule a Demo

NetSPI Full Service Descriptions


NetSPI offers the following services to achieve our clients’ critical business objectives. Our service recommendations are based on our extensive experience working hands-on to help similar companies mitigate security risks through expert pentesting, analysis, and reporting. Our ultimate objective is to provide our clients with vulnerability findings for in-scope applications or environments, share actionable, prioritized recommendations to help the organization plan remediation activities, reduce risk to their business and operations, easily scale to address the level of complexity of assessments, and improve their overall security posture.

For additional insight into our penetration testing process, view the links below:

Below is a detailed description of NetSPI services:

Web Application Penetration Test

During the Web Application Penetration Test, NetSPI will evaluate Client’s web application for security vulnerabilities and provide actionable recommendations for improving the organization’s security posture.

The following is an overview of the Web Application Penetration Test service:

NetSPI will evaluate Client’s target application for security vulnerabilities from the perspective of both an anonymous user (non-credentialed testing) and authenticated users (credentialed testing). During the testing, NetSPI will follow manual and automated processes that use commercial, open source, and proprietary testing software. All automated test results will be manually verified to reduce false positives. An outline of the test approach is as follows:

  • Anonymous Testing: NetSPI will conduct a comprehensive scan of target systems and web application using multiple vulnerability scanners. This test includes the network and system layers in addition to the application tier. NetSPI will conduct manual verification of exploitable and high severity vulnerabilities. 
  • Authenticated Testing: The primary effort and greatest value of web application penetration testing comes during credentialed (authenticated) testing. This is when NetSPI applies business logic and sophisticated manual techniques to manipulate the application in undesired or unexpected ways: elevate user privilege, manipulate data, gain access to restricted functionality or data, etc. If multiple user types (e.g., user, power user, admin) exist, then NetSPI will perform testing for each type. The testing will target the OWASP Top 10 web application vulnerabilities, as well as application logic weaknesses.

After identifying the strengths and weaknesses of the web application and Client’s application development and security program processes, NetSPI will suggest strategies for improvement and assign priority to deficiencies based on potential business impact and likelihood of process failure or exploitation. NetSPI will also collaborate with Client stakeholders so that notable findings may then be analyzed and compared against program goals and compliance requirements.

Continuous Web Application Penetration Test

Through the Continuous Web Application Penetration Test service, NetSPI expands on the baseline from the deep-dive manual penetration test of Client’s web application to perform application testing on shorter intervals. Ongoing, continuous testing throughout the year can identify new vulnerabilities in a timely manner, if introduced since the last engagement completed.

Continuous Web Application Penetration Tests are lighter touch engagements dispersed throughout the year between deep-dive manual engagements. Continuous tests feature the automation that is included in deep-dive tests, manual verification and reporting of high and critical vulnerabilities, and a concise checklist to verify the highest priority security concerns for the application. The same expert consultants used for deep-dive engagements leverage our Resolve platform and ASM, NetSPI’s proprietary scanning technology, to perform Continuous Tests and build from the knowledge gained during each touchpoint to ensure time spent on the keyboard is as valuable as possible.

API Penetration Test

During the API Penetration Test, NetSPI will evaluate Client’s API(s) for security vulnerabilities and provide actionable recommendations to improve the organization’s security posture.

The following is an overview of the API Penetration Test service:

NetSPI will evaluate Client’s target API(s) for security vulnerabilities from the perspective of both an anonymous user (non-credentialed testing) and authenticated users (credentialed testing). During the test, NetSPI will follow manual and automated processes that use commercial, open-source, and proprietary testing software. All automated test results will be manually verified to reduce false positives. An outline of the test approach is as follows:

  • Unauthenticated Testing: NetSPI will conduct comprehensive vulnerability scanning of target API(s) alongside manual testing and verification of exploitable and high-severity vulnerabilities. This test includes the network and system layers in addition to the application tier.
  • Authenticated Testing: NetSPI applies business logic and sophisticated manual techniques to manipulate the API(s) in undesired or unexpected ways: examples may include elevating user privilege, manipulating data, gaining access to restricted functionality or data, etc. If multiple user types (e.g., user, power user, admin) exist, then NetSPI will perform testing for each type. The testing will target the OWASP Top 10 web application vulnerabilities, as well as application logic weaknesses.

After identifying the strengths and weaknesses of the API(s) and Client’s API development and security program processes, NetSPI will suggest strategies for improvement and assign priority to deficiencies based on potential business impact and likelihood of process failure or exploitation. NetSPI will also collaborate with Client stakeholders so that notable findings may then be analyzed and compared against program goals and compliance requirements. 

Specifically, the testers will focus on the following: 

  • Attacking API authentication mechanism(s)
  • Identifying access control weaknesses
  • Testing of API server security configurations
  • Analyzing exposed information to identify excessive data exposure
  • Fuzzing of API endpoints to identify injection vulnerabilities
  • Identifying server-side request forgery (SSRF) issues 
  • Testing the rate limiting functionality

Human-Driven Automated Pentest (H-DAP)

During a Human-Driven Automated Pentest (H-DAP), NetSPI will use targeted scans and a subset of manual test cases to evaluate Client’s web applications for specific security vulnerabilities and provide actionable recommendations for improving the organization’s security posture.

The following is an overview of the Human-Driven Automated Pentest (H-DAP) service:

NetSPI will evaluate up to five (5) Client’s target applications in a 10-day timebox for security vulnerabilities from the perspective of both an anonymous user (non-credentialed testing) and authenticated users (credentialed testing). During testing, NetSPI will primarily follow automated processes that use commercial, open source, and proprietary testing software along with manually testing a subset of vulnerability categories. These categories include: authentication testing, session management testing, password reset testing, and file upload bypass testing (as applicable). All automated test results will be manually verified to reduce false positives. An outline of the test approach is as follows:

  • Anonymous Testing: NetSPI will conduct a comprehensive scan of target systems and web applications using multiple OS and vulnerability scanners. This test includes scanning of the network and system layers in addition to the application tier. NetSPI will conduct limited exploitation of discovered vulnerabilities.
  • Authenticated Testing: The primary effort and greatest value over vulnerability scanning or simple DAST testing comes during credentialed (authenticated) testing. NetSPI will perform automated authorization testing within Client’s web application on up to 2 user roles. Additionally, NetSPI will conduct targeted injection attacks within the application that are more tailored to the application than DAST. Finally, this is when NetSPI will provide high value to Client by manually testing the most frequently exploited and most severe vulnerabilities typically found in web applications. This manual testing includes authentication testing, password reset workflow testing, session management testing, and file upload bypass testing.

After identifying the strengths and weaknesses of the web applications, NetSPI will assign priority to deficiencies based on potential business impact and likelihood as well as suggest recommendations or security best practices.

Thick Application Penetration Testing

During the Thick Application Penetration Test, NetSPI will evaluate thick applications for security vulnerabilities and provide actionable recommendations for improving Client’s security posture.

The following is an overview of the Thick Application Penetration Test:

NetSPI will evaluate the application for security vulnerabilities from the perspective of an authenticated user. If multiple user types exist, then NetSPI will perform testing using each type. During the testing, manual and automated processes leverage commercial, open source, and proprietary software. All automated tests will be manually verified to minimize false positives. 

The penetration test will target common thick application attack vectors such as the file system, the registry, system memory, network communications, and graphical user interfaces. Specific areas of focus will include, but are not limited to:

  • Static Analysis: During the static analysis phase of testing, NetSPI will review the follow areas:
    • Service account roles and permissions (client, application server, database server)
    • Application file, folder, and registry permissions
    • Application service, provider, WMI subscription, task, and other permissions
    • Assembly compilation security flags
    • Protection of data in transit
    • Hardcoded sensitive data and authentication tokens (passwords, private keys, etc.)
    • Hardcoded encryption material (keys, IVs, etc.)
    • Use of insecure encryption and hashing algorithms
    • Database user roles and permissions
    • Database and server configurations
  • Dynamic Analysis: During the dynamic analysis phase of testing, NetSPI will test and review the following areas:
    • Authentication and authorization controls enforced on the client and server
    • Application user roles and permissions
    • Application workflow logic between GUI elements
    • Web Services utilized by the application using NetSPI’s web application testing methodology
    • File system changes including file and folder creation, deletion, and modification
    • Registry changes including creation, deletion, and modification of keys and values
    • Application objects and information stored in memory during runtime
    • Use of insecure encryption and hashing algorithms
    • Network protocols utilized by the application (SMB, FTP, TFTP, etc.)
    • Database connections

After identifying the strengths and weaknesses of the thick application(s) and Client’s development and security program processes, NetSPI will suggest strategies for improvement and assign priority to deficiencies based on potential business impact and likelihood of process failure or exploitation. NetSPI will also collaborate with Client stakeholders so that notable findings may then be analyzed and compared against program goals and compliance requirements. 

Mobile Application Penetration Testing

During the Mobile Application Penetration Test, NetSPI will evaluate a mobile application for security vulnerabilities and provide actionable recommendations for improving Client’s security posture.

The following is an overview of the Mobile Application Penetration Test:

NetSPI will evaluate the target applications for known security vulnerabilities from the perspective of both an anonymous user (non-credentialed testing) and authenticated users (credentialed testing). Mobile application penetration testing will target both client-side and backend server functionality. During the testing, NetSPI will follow manual and automated processes that use commercial, open source, and proprietary software. An outline of the test approach is as follows:

  • Anonymous Testing: NetSPI will conduct a detailed review the application client binary deployments and perform comprehensive scans of application server and web components. This testing phase uses multiple vulnerability scanners and includes the mobile device, network and server layers. NetSPI will conduct manual verification of exploitable or significant vulnerabilities.
  • Authenticated Testing: The primary effort and greatest value of mobile application penetration testing comes during credentialed (authenticated) testing. This is when NetSPI applies business logic and sophisticated manual techniques to manipulate the application in undesired or unexpected ways: elevate user privilege, manipulate data, gain access to restricted functionality or data, etc. If multiple user types (e.g., user, power user, admin) exist, then NetSPI will perform testing for each type. The testing will target the OWASP Mobile Top 10 application vulnerabilities as well as application logic weaknesses.

After identifying the strengths and weaknesses of the mobile application(s) and Client’s development and application security program processes, NetSPI will suggest strategies for improvement and assign priority to deficiencies based on potential business impact and likelihood of process failure or exploitation. NetSPI will also collaborate with Client stakeholders so that notable findings may then be analyzed and compared against program goals and compliance requirements.

Static Application Security Testing (SAST)

Static Application Security Testing (SAST) is essential for identifying and remediating security vulnerabilities earlier in the software development lifecycle. During SAST engagements, NetSPI will help application security teams take a more strategic approach to application security and shift left in the SDLC.

The following is an overview of the Static Application Security Testing (SAST) service:

After getting access to the source code over a secure channel, NetSPI will perform static analysis with a combination of commercial, open source, and proprietary tools against the application’s source code in scope.

NetSPI consultants will manually review all medium severity and higher vulnerabilities to triage and remove any false positives.

Application source code is analyzed against a large collection of vulnerable patterns, including OWASP Top 10, SANS Top25, and many more. Some of the vulnerabilities that we look for include:

  • Broken Authentication & Session Management
  • Access Control
  • SQL Injection
  • Buffer Overflows
  • Reflected and Stored Cross Site Scripting
  • Client Side Only Validation
  • Code Injection
  • Command Injection
  • LDAP Injection
  • XPath Injection
  • Environment Injection and Manipulation
  • Server-Side Request Forgery
  • Sensitive Data Exposure
  • Connection String Injection
  • Dangerous File Upload
  • Dangerous Functions
  • Data Filter Injection
  • Deprecated and Obsolete Code
  • Denial of Service
  • Security Misconfiguration
  • Files Canonicalization and Manipulation
  • Hardcoded Absolute Path
  • Hardcoded Password
  • Password in Connection String
  • Impersonation Issue
  • Weak Cryptographic Operations

Supported Languages: Java, .Net (C#, ASP, VB), JavaScript Frameworks (Node, React JS, AngularJS), C/C++, PHP, Perl, Python, SQL, Ruby, Android (Java), iOS (Objective-C & Swift) and Go.

The Static Application Security Testing (SAST) assessment findings and recommendations will be presented in a report that includes detailed descriptions of the identified vulnerabilities, location of each instance of the vulnerability (file path & line number), issue severity, remediation recommendations, as well as summary information that will provide insight to senior management on weaknesses in the application’s source code.

Application source code received from the client will be deleted upon completion of the assessment followed by an email confirmation.

Static Application Security Testing (SAST) – OWASP Top Ten

Static Application Security Testing (SAST) is essential for identifying and remediating security vulnerabilities earlier in the software development lifecycle. During SAST engagements, NetSPI will help application security teams take a more strategic approach to application security and shift left in the SDLC.

The following is an outline of the Static Application Security Testing (SAST) – OWASP Top Ten service:

After getting access to the source code over a secure channel, NetSPI will perform static analysis with a combination of commercial, open source, and proprietary tools against the application’s source code in scope.

NetSPI consultants will manually review all medium and high severity vulnerabilities to triage and remove any false positives.

Source code of an application is analyzed against a large collection of vulnerable patterns limited to OWASP Top Ten (2021) vulnerabilities. Some of the vulnerabilities that we look for include:

  • Broken Authentication & Session Management
  • Access Control
  • SQL Injection
  • Reflected and Stored Cross Site Scripting
  • Code Injection
  • Command Injection
  • LDAP Injection
  • XPath Injection
  • Environment Injection and Manipulation
  • Sensitive Data Exposure
  • Connection String Injection
  • Data Filter Injection
  • Security Misconfiguration
  • Hardcoded Absolute Path
  • Hardcoded Password
  • Password in Connection String

Supported Languages: Java, .Net (C#, ASP, VB), JavaScript Frameworks (Node, React JS, AngularJS), C/C++, PHP, Perl, Python, SQL, Ruby, Android (Java), iOS (Objective-C & Swift) and Go.

The Static Application Security Testing (SAST) – OWASP Top Ten assessment findings and recommendations will be presented in a report that includes detailed descriptions of the identified vulnerabilities, location of each instance of the vulnerability (file path & line number), issue severity, remediation recommendations, as well as summary information that will provide insight to senior management on weaknesses in the application’s source code.

Application source code received from the client will be deleted upon completion of the assessment followed by an email confirmation.

Secure Code Review (SCR)

Secure Code Review (SCR) is essential for identifying and remediating security vulnerabilities earlier in the software development lifecycle – which saves time and resources. During SCR engagements, NetSPI will help application security teams take a more strategic approach to application security and shift left in the SDLC. SCR is an excellent supplement to other pentesting activities (such as Web App or Mobile App testing) to add an additional layer of comprehensiveness. A SCR test will include a thorough review of all lines of code to examine the secure development practices that have been used by the client development team.

The following is an overview of the Secure Code Review service:

After getting access to the source code over a secure channel, NetSPI will perform a secure code review with a combination of commercial, open source, and proprietary tools against the application’s source code. NetSPI consultants will manually review all tool reported vulnerabilities to eliminate noise. Additionally, NetSPI will follow a deep-dive approach to review source code manually and identify vulnerabilities that automated scanners cannot detect. Examples include complex injection attacks, insecure business logic, use of weak or improper encryption techniques, insecure error handling, authentication issues, and authorization issues.

The Manual Code review component within our SCR offering provides additional coverage utilizing a more thorough ‘contextual’ review approach to get insights into the real risk associated with insecure code. We’ll report on what is a real risk to your application vs. a generic application. 

NetSPI will review the application’s configuration, underlying frameworks, and libraries to search for vulnerabilities.

Source code of an application is analyzed against a large collection of vulnerable patterns, including OWASP Top 10, SANS Top25, etc. Some of the vulnerabilities that we look for include:

  • Broken Authentication & Session Management
  • Access Control
  • SQL Injection
  • Buffer Overflows
  • Reflected and Stored Cross Site Scripting
  • Client Side Only Validation
  • Code Injection
  • Command Injection
  • LDAP Injection
  • XPath Injection
  • Environment Injection and Manipulation
  • Server-Side Request Forgery
  • Sensitive Data Exposure
  • Connection String Injection
  • Dangerous File Upload
  • Dangerous Functions
  • Data Filter Injection
  • Deprecated and Obsolete Code
  • Denial of Service
  • Security Misconfiguration
  • Files Canonicalization and Manipulation
  • Hardcoded Absolute Path
  • Hardcoded Password
  • Password in Connection String
  • Impersonation Issue
  • Weak Cryptographic Operations

Supported Languages: Java, .Net (C#, ASP, VB), SQL, JavaScript Frameworks, C/C++, PHP, Python.

The Secure Code Review assessment findings and recommendations will be presented in a report that includes detailed descriptions of the identified vulnerabilities (including vulnerabilities that are typically detected using manual techniques), location of each instance of the vulnerability (file path & line number), issue severity, remediation recommendations, as well as summary information that will provide insight to senior management on weaknesses in the application’s source code.

NetSPI ensures that the source code within its possession or control is handled safely and securely and we can provide documentation upon request.

Application source code received from the client will be deleted upon completion of the assessment followed by an email confirmation.

Secure Code Review (SCR) – OWASP Top Ten

Secure Code Review (SCR) is essential for identifying and remediating security vulnerabilities earlier in the software development lifecycle (SDLC). During SCR engagements, NetSPI will help application security teams take a more strategic approach to application security and shift left in the SDLC. 

The following is an overview of the Secure Code Review (SCR) – OWASP Top Ten service:

After getting access to the source code over a secure channel, NetSPI will perform a secure code review with a combination of commercial, open source, and proprietary tools against the application’s source code in scope. NetSPI consultants will manually review all vulnerabilities to triage and remove any false positives.

NetSPI will also follow a deep-dive approach to review source code manually and identify vulnerabilities that automated scanners cannot detect. 

Manual Code review component within our SCR offering provides additional coverage utilizing a more thorough ‘contextual’ review approach to get insights into the real risk associated with insecure code.

NetSPI will also review application’s configuration, underlying frameworks, and libraries to determine any known vulnerabilities that can be exploited based on how the application has been stitched together.

Source code of an application is analyzed against a large collection of vulnerable patterns limited to OWASP Top Ten (2021) vulnerabilities. Some of the vulnerabilities that we look for include:

  • Broken Authentication & Session Management
  • Access Control
  • SQL Injection
  • Reflected and Stored Cross Site Scripting
  • Code Injection
  • Command Injection
  • LDAP Injection
  • XPath Injection
  • Environment Injection and Manipulation
  • Sensitive Data Exposure
  • Connection String Injection
  • Data Filter Injection
  • Security Misconfiguration
  • Hardcoded Absolute Path
  • Hardcoded Password
  • Password in Connection String

Supported Languages: Java, .Net (C#,ASP,VB), SQL, JavaScript Frameworks, C/C++, PHP, Python.

The Secure Code Review – OWASP Top Ten assessment findings and recommendations will be presented in a report that includes detailed descriptions of the identified vulnerabilities (including vulnerabilities that are typically detected using manual techniques), location of each instance of the vulnerability (file path & line number), issue severity, remediation recommendations, as well as summary information that will provide insight to senior management on weaknesses in an application’s source code.

Application source code received from the client will be deleted upon completion of the assessment followed by an email confirmation.

Static Application Security Testing (SAST) – Triaging

Secure Code Review (SCR) is essential for identifying and remediating security vulnerabilities earlier in the software development lifecycle. In our SAST Triaging offering, NetSPI consultants will analyze and identify true positive vulnerabilities from your existing SAST tool output, so developers can focus on issues that really matter.

The following is an overview of the Static Application Security Testing (SAST) – Triaging service:

NetSPI provides support to augment your AppSec team’s SAST capability and builds elastic capacity to triage source code scan results from existing tools.

We help you remove any false positive findings before the SAST results are provided to development teams.

We will provide development teams access to security consultants that can discuss remediation techniques and strategies with the appropriate stakeholders.

We identify opportunities for automation to add efficiencies to existing secure code scanning processes.

Supported SAST Tools: Checkmarx (CxSAST), Veracode Static Analysis, Fortify on Demand (FOD) / Fortify Static Code Analyzer (SCA), AppScan Source, Coverity Static Application Security Testing (SAST), SonarQube, SpotBugs, and Microsoft Code Analysis Tool .NET (CAT.NET).

Infrastructure Security Testing

External Penetration Test

NetSPI’s approach to identifying network and application vulnerabilities is unique. During the External Penetration Test, NetSPI will identify security issues on relevant Client Internet-facing infrastructure and provide actionable recommendations for improving Client‘s security posture.

NetSPI’s External Penetration Test follows this process:

NetSPI will work with Client to gather information on the current network architecture, implemented technologies, and planned security initiatives. NetSPI will discuss any areas of concern that Client’s management may have about the testing. A risk management plan is developed and approved by both NetSPI and the client.

We will evaluate Client’s networks, systems, and applications for known security vulnerabilities and misconfigurations from the perspective of an anonymous Internet attacker (unauthenticated testing). During the testing, NetSPI will follow manual and automated processes that use commercial, open source, and proprietary software. An overview of the test approach is as follows:

  • Information Gathering: Open Source Intelligence Review
    NetSPI will review open source intelligence resources for confidential data leakage such as emails, passwords, configuration information, source code, and sensitive documents.
  • Information Gathering: IP Ownership Review & DNS Enumeration
    NetSPI will review the IP addresses and domains provided by Client. Ownership of these assets will be confirmed and additional DNS record and subdomain enumeration will be performed to obtain a complete picture of the targeted environment.
  • Information Gathering: Public Cloud Exposure
    NetSPI will attempt to enumerate and identify publicly-available cloud services that are potentially owned by Client, such as AWS S3 buckets and Azure Storage Containers, that allow unauthenticated access to sensitive information.
  • Reconnaissance: Live System and Service Discovery
    Based on IP ranges or a list of individual targets provided by Client, NetSPI will identify relevant IP addresses, domain names, open ports, and accessible services that will be targeted during testing by scanning the targets for exposures, reviewing the results, and investigating open ports or services. 
  • Vulnerability Enumeration: Automated Vulnerability Scanning
    This testing phase uses multiple vulnerability assessment scanners, including web application scanners from an unauthenticated perspective. Network and system testing includes, but is not limited to, identifying open ports, services, and known vulnerabilities related to missing patches and configuration weaknesses. 
  • Vulnerability Enumeration & Exploitation: Manual Testing & Verification
    NetSPI performs manual testing and exploitation in addition to using automated scanners. Manual verification of medium and high severity issues is conducted to identify exploitable or significant vulnerabilities. During this phase NetSPI will attempt to leverage identified issues to gain unauthorized access to systems, applications, and other resources that may contain sensitive data.
  • Vulnerability Enumeration & Exploitation: Manual Web Application Testing
    Using manual and automated processes, NetSPI will identify application vulnerabilities and exploits with anonymous and/or self-registered users. Our testing includes, but is not limited to, OWASP Top 10 vulnerabilities such as advanced SQL injection, cross site scripting/request forgery, injection flaws, identification of usernames and passwords for user and administrative interfaces, information leakage, forced browsing, and weak access controls (including bypassing access controls). 
  • Exploitation: Password Attacks
    NetSPI will gather potential usernames and email addresses from publicly accessible resources and attempt to guess associated passwords in order to gain unauthorized access to Microsoft O365/AzureAD environments, VPNs, systems, applications, and other resources that may contain sensitive data. As part of this effort, NetSPI will identify management interfaces where multi-factor authentication is not in use. 
  • Post-Exploitation: Local Privilege Escalation & Network Pivoting
    NetSPI will attempt to perform local privilege escalation on compromised hosts and applications in order to elevate privileges. Common techniques for this escalation include but are not limited to shared password reuse, system and service misconfigurations, excessive privileges for user accounts, and outdated software exploitation. Additionally, NetSPI will attempt to pivot through internet facing systems and applications to gain a foothold on the internal network using a variety of tools in techniques. This includes, but is not limited to reverse SSH tunneling, ICMP tunneling, TCP tunneling, UDP tunneling, and web shells.
  • Post-Exploitation: Domain Privilege Escalation
    When possible, NetSPI will map domain trust relationships, identify excessive privilege paths, and exploit them to gain administrative access in the domain in order to facilitate access to critical resources.
  • Post-Exploitation: Access Sensitive Data and Critical Systems
    Using successful exploit paths, NetSPI will attempt to gain unauthorized access to critical information assets such as systems, applications, and databases that are considered high value by your organization.
  • Clean Up: Restore Original Configurations & Remove Files
    After exploitation of a vulnerability is documented, NetSPI will attempt to return systems and applications to their original configurations, remove any files created on the exploited asset, and remove any users created during the exploitation process. Should NetSPI not be able to perform these actions, Client is notified so that appropriate action can be taken to clean up files and restore any configurations that were altered.

After identifying the strengths and weaknesses of the environment and Client’s security program processes, NetSPI will suggest strategies for improvement and assign priority to deficiencies based on potential business impact and likelihood of process failure or exploitation. NetSPI will also collaborate with Client stakeholders so that notable findings may then be analyzed and compared against program goals and compliance requirements.

Continuous External Penetration Test

With the emergence of Infrastructure as Code and DevOps, networks are constantly in flux. Point-in-time penetration testing helps identify common gaps in a network but does not provide security insights throughout the rest of the year. During the Continuous External Network Penetration Test service, NetSPI will expand on the baseline from the deep-dive manual penetration test of Client’s external network and will perform testing on a shorter interval to identify newly introduced vulnerabilities since the last engagement completed.

Continuous External Network Penetration Tests are lighter touch engagements conducted throughout the year between deep-dive manual penetration tests. Continuous tests consist of all automation that is included in deep-dive tests, manual verification and reporting of high and critical vulnerabilities, and a concise checklist to verify the highest priority security concerns for the network. The same expert consultants that perform deep-dive engagements perform Continuous Tests and build off the knowledge gained during each touchpoint to ensure time spent on the keyboard is as valuable as possible.

Internal Penetration Test

The described approach to identifying network and application vulnerabilities is unique to NetSPI. During the Internal Penetration Test, NetSPI will identify security issues on relevant Client internal infrastructure and provide actionable recommendations for improving Client’s security posture.

NetSPI’s Internal Penetration Test follows this process:

NetSPI will work with Client to identify assessment requirements and goals. We will gather information on the current network architecture, implemented technologies, and planned security initiatives, and ask Client to identify any areas of concern that they may have about the testing or reporting process.

We will evaluate Client’s networks, systems, and applications for known security vulnerabilities from the perspective of an anonymous user (non-credentialed testing). During the testing, NetSPI will follow manual and automated processes that use commercial, open source, and proprietary software. An outline of the test approach is as follows:

  • System and Service Discovery
    Based on IP ranges or a list of individual targets provided by Client, NetSPI will identify relevant IP addresses, domain names, and accessible services that will be targeted during testing by reviewing public resources, performing DNS enumeration, and scanning identified IP addresses. 
    Important note: NetSPI will only perform asset discovery against the number of IP addresses and web applications specified in the statement of work. Any additional discovery activities must be explicitly defined in the scoping section of the statement of work to be executed.
  • Vulnerability Enumeration: Automated Vulnerability Scanning
    This testing phase uses multiple vulnerability assessment scanners, including web application scanners from an unauthenticated perspective. Network and system testing includes, but is not limited to, identifying open ports, services, and known vulnerabilities related to missing patches and configuration weaknesses. 
  • Vulnerability Enumeration: Manual Verification
    NetSPI conducts manual verification of medium and high severity issues to identify exploitable or significant vulnerabilities. During this phase NetSPI will attempt to leverage identified issue to gain unauthorized access to systems, applications, and other resources that may contain sensitive data. 
  • Vulnerability Enumeration: Manual Web Application Testing
    Using manual and automated processes, NetSPI will identify the accessible web applications within the scoped environment. Once an inventory has been compiled, NetSPI will attempt to identify web application accounts configured with weak or default passwords. NetSPI will also review a sample of the web applications for common high impact vulnerabilities such as SQL Injection and remote command execution from an unauthenticated perspective. As time allows, additional testing may be conducted against applications that support anonymous and/or self-registered user access.
  • Vulnerability Enumeration: Manual Network Protocol Attacks
    NetSPI will attempt to gain unauthorized access to data and systems through common protocol attack that provide a man-in-the-middle position. Common attacks include, but are not limited to, NBNS spoofing, LLMNR spoofing, ARP spoofing, DTP spoofing, VLAN tag spoofing, DHCP spoofing, and PXE attacks.
  • Vulnerability Enumeration: Manual Dictionary Attacks
    NetSPI will gather potential usernames and email addresses from publicly accessible resources and attempt to guess associated passwords in order to gain unauthorized access to VPN, systems, applications, and other resources that may contain sensitive data.
  • Network Pivoting
    NetSPI will attempt to pivot through systems and applications to gain a foothold on protected internal network using a variety of tools in techniques. 
  • Domain Privilege Escalation 
    NetSPI will map domain trust relationships, identify excessive privilege paths, and exploit them to gain administrative access in the domain in order to facilitate access to critical resources.
  • Access Sensitive Data and Critical System
    Using successful exploit paths, NetSPI will attempt to gain unauthorized access to critical information assets such as systems, applications, and databases that are considered high value by your organization.

After identifying the strengths and weaknesses of the environment and Client’s security program processes, NetSPI will suggest strategies for improvement and assign priority to deficiencies based on potential business impact and likelihood of process failure or exploitation. NetSPI will also collaborate with Client stakeholders so that notable findings may then be analyzed and compared against program goals and compliance requirements.

Internal and External PCI DSS 3.2.1 Penetration Test Language

Note: This language applies only to InPen / ExPen service descriptions for any network pentests related to PCI compliance.

PCI DSS 3.2.1 Compliance Considerations

NetSPI’s penetration testing methodology is fully compliant with the PCI DSS Requirement 11.3, provided that the internal and external scope of the assessment includes all network segments / hosts considered to be part of Client’s PCI scope. In order to ensure the methodology is fully compliant, NetSPI will:

  • Conduct penetration tests using methodologies and techniques based on multiple industry accepted standards such as NIST SP800-15, OSSTM, ISSAF, PTES, and OWASP
  • When available, review results of prior penetration tests and / or vulnerabilities identified over the past 12 months
  • Work with Client to fully validate the effectiveness of any network segmentation or other scope reduction controls by testing inside and outside of the Cardholder Data Environment (CDE)
  • Include network and application layer penetration tests
  • Conduct application layer testing for all vulnerabilities stated within the PCI DSS Requirement 6.5
  • Manually validate and prioritize identified vulnerabilities in context of the threats identified based on the exposure and function of impacted systems or services
  • Review all findings with Client to ensure clear understanding of all identified vulnerabilities, and make report available for access and download by designated project liaisons for up to two years

Wireless Penetration Test

Wireless network devices are often misconfigured or being used without the explicit permission or knowledge of the company, leaving critical internal systems and sensitive information vulnerable to threats such as disgruntled employees, contractors, and external attackers. During the Wireless Penetration Test service, NetSPI will evaluate Client’s wireless networks and devices for known security vulnerabilities and provide actionable recommendations for improving Client’s security posture in order to prevent system or data compromise through this attack vector.

The following is an overview of the Wireless Penetration Test service:

NetSPI will begin by conducting an interview with Client to discuss the wireless implementation. Topics will include a high-level overview of the wireless architecture, configuration management, authentication, and encryption methods.

NetSPI will evaluate Client’s wireless networks and devices for known security vulnerabilities from the perspective of an anonymous user. During the test, manual and automated processes will be followed that leverage commercial, open source, and proprietary software. The following objectives are typically targeted during this phase of the assessment:

  • Attempt to gain unauthorized access to in scope wireless networks.
  • Attempt to gain unauthorized access to workstations via wireless connections.
  • Perform a site walk through to identify existing rogue access points.
  • Install rogue access points to determine if end users will connect to unknown devices.

After identifying the strengths and weaknesses of the wireless network and Client’s security program processes, NetSPI will suggest strategies for improvement and assign priority to deficiencies based on potential business impact and likelihood of process failure or exploitation. NetSPI will also collaborate with Client stakeholders so that notable findings may then be analyzed and compared against program goals and compliance requirements.

Host Based Penetration Test: Generic

During the Host Based Penetration Test, NetSPI will evaluate the security of a standard system image. Testing is intended to identify vulnerabilities that have the potential to provide unauthorized access to systems, applications, and sensitive data. 

Testing may include the review of: 

  • Physical security controls
  • Software security controls
  • User and group configurations 
  • Local access control configurations 
  • Local system configurations 
  • Local patch configurations 
  • Clear text storage of passwords 
  • Clear text storage of sensitive data

Host Based Penetration Test: Windows

During the Windows Host Based Penetration Test, NetSPI will evaluate the security of a standard Windows system image. Testing is intended to identify vulnerabilities that have the potential to provide unauthorized access to systems, applications, and sensitive data. 

Testing may include the review of:

  • Physical security controls
  • Software security controls
  • User and group configurations
  • Local access control configurations
  • Local system configurations
  • Local patch configurations
  • Clear text storage of passwords
  • Clear text storage of sensitive data

Host Based Penetration Test: Linux

During the Linux Host Based Penetration Test, NetSPI will conduct an assessment to evaluate the security of a standard Linux system image. Testing is intended to identify vulnerabilities that have the potential to provide unauthorized access to systems, applications, and sensitive data. 

Testing may include the review of:

  • Physical security controls
  • Software security controls
  • User and group configurations
  • Local access control configurations
  • Local system configurations
  • Local patch configurations
  • Clear text storage of passwords
  • Clear text storage of sensitive data

Host Based Penetration Test: MacOS

During the MacOS Host Based Penetration Test, NetSPI will conduct an assessment to evaluate the security of a standard MacOS system image. Testing is intended to identify vulnerabilities that have the potential to provide unauthorized access to systems, applications, and sensitive data.

Testing may include the review of:

  • Physical security controls
  • Physical security controls
  • Software security controls
  • User and group configurations
  • Local access control configurations
  • Local system configurations
  • Local patch configurations
  • Clear text storage of passwords
  • Clear text storage of sensitive data

Host Based Penetration Test: Virtual Desktop

During the Virtual Host Based Penetration Test, NetSPI will conduct an assessment to evaluate the security of a standard Virtual Desktop system image. Testing is intended to identify vulnerabilities that have the potential to provide unauthorized access to systems, applications, and sensitive data. In addition, NetSPI will evaluate the restrictions applied to the virtual desktop to determine if they can be bypassed.

Testing may include the review of:

  • Physical security controls
  • Virtualized platform vulnerabilities 
  • Virtualized insecure configurations
  • Virtualized desktop security restrictions
  • Virtualized desktop ingress and egress controls 
  • Software security controls
  • User and group configurations
  • Local access control configurations
  • Local system configurations
  • Local patch configurations
  • Clear text storage of passwords
  • Clear text storage of sensitive data

Virtual Application Breakout Test

During the Virtual Application Breakout Test, NetSPI will identify the risks specific to applications published through the virtualization platform. Testing is intended to identify insecure configurations and application functionality that could provide unauthorized access to systems, applications, and sensitive data. NetSPI will also review the application for common vulnerabilities.

Testing may include the review of:

  • Virtualized platform vulnerabilities 
  • Virtualized insecure configurations 
  • Virtualized application security restrictions 
  • Virtualized application ingress and egress controls 
  • Virtual application configurations and functionality
  • Dynamic testing of controls enforcing authorization, authentication, and data protection 
  • Static testing of binaries for stored secrets and common insecure coding practices (if available)

Cloud Infrastructure Penetration Test

During the Cloud Infrastructure Penetration Test, NetSPI will identify security issues on relevant Client’s cloud infrastructure and provide actionable recommendations for improving Client’s security posture.

NetSPI’s Cloud Infrastructure Penetration Test follows this process:

NetSPI will evaluate Client’s networks, systems, and applications for known security vulnerabilities from the perspective of an anonymous internet-facing user (non-credentialed testing). NetSPI will also complete configuration reviews of relevant cloud hosted services from the perspective of an authenticated cloud platform user (credentialed testing).

During the testing, NetSPI will follow manual and automated processes that use commercial, open source, and proprietary software. NetSPI will be assessing both internal and external services. An overview of the test approach is as follows:

  • System and Service Discovery 
    Based on IP ranges or a list of individual targets provided by Client (or determined through cloud infrastructure management access), NetSPI will identify relevant IP addresses, domain names, and accessible services that will be targeted during testing by reviewing public resources, performing DNS enumeration, and scanning identified IP addresses. Discovery will include External facing services as well as internal cloud networks.
  • Vulnerability Enumeration: Automated Vulnerability Scanning
    This testing phase uses multiple vulnerability assessment scanners, including web application scanners from an unauthenticated perspective. Network and system testing includes, but is not limited to, identifying open ports, services, and known vulnerabilities related to missing patches and configuration weaknesses. 
  • Vulnerability Enumeration: Manual Verification
    NetSPI conducts manual verification of medium and high severity issues to identify exploitable or significant vulnerabilities. During this phase NetSPI will attempt to leverage identified issues to gain unauthorized access to systems, applications, and sensitive data.
  • Vulnerability Enumeration: Manual Web Application Testing
    Using appropriate web layer tool platforms, NetSPI will identify application vulnerabilities and exploits with anonymous and/or self-registered users. Our testing includes, but is not limited to, OWASP Top 10 vulnerabilities such as advanced SQL injection, cross site scripting/request forgery, injection flaws, identification of usernames and passwords for user and administrative interfaces, information leakage, forced browsing, and weak access controls (including bypassing access controls). 
  • Vulnerability Enumeration: Manual Dictionary Attacks
    NetSPI will gather potential usernames and email addresses from publicly accessible resources and attempt to guess associated passwords in order to gain unauthorized access to VPN, systems, applications, and sensitive data. Additional checks will be completed against cloud platform users to ensure that users are utilizing strong passwords.
  • Network Pivoting
    NetSPI will attempt to pivot through systems and applications to gain a foothold on protected internal networks using a variety of tools and techniques. 
  • Domain Privilege Escalation 
    NetSPI will map domain trust relationships, identify excessive privilege paths, and exploit them to gain administrative access in the domain in order to facilitate access to critical resources.
  • Access Sensitive Data and Critical System
    Using successful exploit paths, NetSPI will attempt to gain unauthorized access to critical information assets such as systems, applications, and databases that are considered high value by your organization.
  • Cloud Services Configuration Review
    Using a mix of automated and manual techniques, NetSPI will review the configurations and architecture of the cloud environment. This will include a review of the cloud network design (virtual machines, firewall rules, etc.) and the configurations of any cloud hosted services (web services, file storage, etc.). Common items NetSPI will look for will include:
AWSAzureGoogle Cloud
Data Storage:
Review of publicly available files and policies		S3 bucket access policy reviewBlob Storage Account access policy reviewStorage bucket access policy review
Virtual Machines: 
Review of publicly available servicesRemote management services (RDP, SSH, etc.)Application serviceNetwork infrastructure services (VPN, Firewall, etc.)		EC2 instance user data review and CloudFormation template reviewVM deployment parameter review and Security Group configuration reviewCompute Engine deployment review and VPC firewall rule review
Databases: SQL user misconfiguration checksWeak credentialInsecurely stored credentialsOverly permissioned accounts RDS public exposure reviewSQL server firewall reviewsSQL firewall, SSL connections, and user access review
IAM: Review of user permissions and policies for available servicesReview of MFA configurationsIAM account reviewRoles, Policies and Permissions reviewsStale access keys and password reviewsReview of AzureADUsers, groups, and application permissions reviewSubscription, resource group, and asset level permissions reviewIAM permissionsRoles and Policies reviewUser, Service Account, Resource, and Group permissions reviewDefault Service Account permissions check
Serverless Code:
Review of internet facing web services hosted in serverless cloud services 		Review of Lambda code for secrets and IAM review of Lambda execution rolesReview of Function App code for secrets, Automation Account Runbook code for secrets, and IAM review of RunAs accounts and credentialsReview of Cloud Function code for secrets and IAM review of cloud functions
Key ManagementReview of IAM policies for Secrets ManagerReview of usage of Secrets Manager across other servicesReview of IAM policies for Key VaultsReview of usage of Key Vault secrets across other servicesReview of IAM policies for Google Key Management Service and Secret ManagerReview of usage of KMS and Secret Manager across other services

After identifying the strengths and weaknesses of the cloud environment and Client’s security program processes, NetSPI will suggest strategies for improvement and assign priority to deficiencies based on potential business impact and likelihood of process failure or exploitation. NetSPI will also collaborate with Client stakeholders so that notable findings may then be analyzed and compared against program goals and compliance requirements. 

Microsoft 365 Configuration Review

During the Microsoft 365 Configuration Review, NetSPI will identify security issues on Client’s Microsoft 365 (M365) infrastructure and provide actionable recommendations for improving Client‘s security posture.

NetSPI’s Microsoft 365 Configuration Review follows this process:

NetSPI will evaluate Client’s M365 infrastructure for known security vulnerabilities and misconfigurations using the CIS Microsoft 365 Foundations Benchmark (v2.0.0) as a best practices baseline. NetSPI will complete a mix of manual and automated configuration reviews of relevant cloud hosted M365 services utilizing an authenticated cloud platform user that will be provisioned by Client(credentialed testing).

During the testing, NetSPI will follow manual and automated processes that use commercial, open source, and proprietary software. NetSPI will be assessing the configuration of the services, but will not be doing active exploitation of any identified vulnerabilities. An overview of the test approach is as follows:

  • Automated Configuration Gathering
    M365 and AAD configurations using a user with global reader and automated tools
  • Manual Configuration Gathering
    Due to the nature of the CIS benchmarks, some of the checks require manual intervention from the NetSPI team to identify potential gaps. For this process, NetSPI will manually review M365 configurations and conduct short interviews with client contacts to confirm business use cases for specific configurations.
  • Configuration Analysis and Vulnerability Enumeration
    Using the gathered configurations, NetSPI will begin analyzing the configurations for common best practices. These checks are primarily aligned to the CIS Microsoft 365 Foundations Benchmark (v2.0.0) document, but also include additional checks developed by the NetSPI team.
  • Vulnerability Enumeration: Manual Verification
    NetSPI conducts manual verification of medium and high severity issues to identify exploitable or significant vulnerabilities. During this phase NetSPI will confirm the vulnerable settings identified by manually confirming configuration settings. Additionally, NetSPI may conduct brief interviews with project stakeholders to confirm configurations and how they apply to business processes. NetSPI will not attempt to leverage identified issues to gain unauthorized access to systems, applications, and sensitive data during this process.
  • Reporting
    After identifying the strengths and weaknesses of the M365 environment and Client’s security program processes, NetSPI will suggest strategies for improvement and assign priority to deficiencies based on potential business impact and likelihood of process failure or exploitation. NetSPI will also collaborate with Client stakeholders so that notable findings may then be analyzed and compared against program goals and compliance requirements.

Active Directory Privilege and Entitlement Audit

During the Active Directory Privilege and Entitlement Audit, NetSPI will identify security issues on relevant Client Active Directory domains, associated SMB shares, and SQL servers. As part of the engagement, NetSPI will provide actionable recommendations for improving Client’s security posture.

NetSPI’s Active Directory Privilege and Entitlement Audit follows this process:

  • Information Gathering
    • NetSPI will work with the client to identify assessment requirements and goals. NetSPI will gather information on the in-scope Active Directory domains and associated network architecture and will work with the client to identify any areas of concern that they may have about the testing or reporting process.
  • Vulnerability Enumeration
    • For each area of focus, NetSPI will perform both automated and manual testing:
      • Vulnerability Enumeration: Automated Vulnerability Scanning. This testing phase uses multiple data collection processes from an authenticated domain user perspective to map available Active Directory, SMB Share, and SQL Server resources. It also includes the identification of common vulnerabilities using commercial, open-source, and proprietary vulnerability scanning software. 
      • Vulnerability Enumeration: Manual Verification. NetSPI will conduct manual verification of medium, high, and critical severity issues to identify exploitable or significant vulnerabilities. Testing includes the removal of false positives and identification of data that could be used to identify vulnerabilities not identified by scanners.
  • Areas of Focus
    • Active Directory Audit: Conduct a technical audit of explicit and implicit Active Directory configurations, privileges, and group memberships to identify high risk configurations that result in excessive privileges to data, systems, databases, and applications.
    • SMB Network Shares: NetSPI will work to uncover any SMB network shares associated with Active Directory domain systems and identify potentially excessive privileges explicitly assigned to the “everyone”, “built in\users”, “authenticated users”, “domain users”, and “domain computers” groups.
    • SQL Servers Instances: NetSPI will work to uncover any SQL server instances associated within the Active Directory domain systems and identify excessive privileges that allow domain users to gain unauthorized access to databases, data, and systems.
  • Exploitation (conducted as time allows)
    • NetSPI will conduct exploitation to illustrate the impact of critical vulnerabilities identified during testing, as time allows.

After identifying the strengths and weaknesses of the environment and Client’s security program processes, NetSPI will suggest strategies for improvement and assign priority to deficiencies based on potential business impact and likelihood of process failure or exploitation. NetSPI will also collaborate with Client stakeholders to analyze notable findings and compare against program goals and compliance requirements.

Kubernetes Penetration Test

Now that container based infrastructure is an emerging technology in the marketplace, it is essential for an organization to identify and address the security issues that exist in their clusters in order to prevent unauthenticated and unauthorized access to their systems, applications, and sensitive information. During the Kubernetes Penetration Test, NetSPI will evaluate the cluster for security vulnerabilities and provide actionable recommendations for improving Client’s security posture. 

The following is an outline of the Kubernetes Penetration Test

  • NetSPI will work with an organization to define assessment requirements and goals, identify application data flow, identify areas of risk, and plan a timeline for all phases of the assessment. Additionally, NetSPI will work with to identify and address any areas of concern that an organization may have about the testing. 
  • NetSPI will evaluate the target applications for known security vulnerabilities from the perspective of both a cluster admin, in order to have the most complete picture of the cluster configuration and from the perspective of a compromised pod running with root privileges and network access to simulate an ‘application breakout’. During the testing, NetSPI will follow manual and automated processes that use commercial, open source, and proprietary software. An outline of the test approach is as follows:
    • Cluster Admin Testing: NetSPI will conduct a detailed manual review of the cluster configuration from a cluster admin with kubectl (or equivalent) access to the API. This testing phase also includes the use of multiple automated tools and includes various Kubernetes components. NetSPI will conduct manual verification of exploitable or significant vulnerabilities.
      • Kubernetes Components include, but not limited to:
        • API Server 
        • Kubelets 
        • Enforced Admission Controllers 
        • Volumes 
        • Controller Manager 
        • Scheduler 
        • Etcd 
        • Current running pods 
    • Compromised Pod Testing: NetSPI will also conduct a testing phase that is from the perspective of a compromised application, that would land an attacker inside a pod with root privileges and network access. This helps simulate a scenario in which an attacker has compromised an application and now potentially has significant access to the cluster. This is when NetSPI applies manual and automated techniques to access the cluster in undesired or unexpected ways in order to elevate privileges within the cluster, manipulate data, and/or gain access to restricted functionality through the API Server or other cluster components. 
  • All of the data collected will be consolidated and analyzed using NetSPI’s proprietary Resolve platform. During this phase, additional research will be conducted to identify known vulnerabilities for individual application components. Vulnerabilities will be prioritized based on NetSPI’s three tier severity rating system. This system aligns with best-practice security standards and frameworks, including Common Vulnerability Scoring System (CVSS) scores and vectors, Payment Card Industry requirements, and Open Web Application Security Project (OWASP) guidance. NetSPI will formulate actionable recommendations for mitigating the identified security issues and enrich vulnerability information with contextual screenshots, session captures, and escalation steps. Finally, NetSPI will deliver a comprehensive findings and recommendations report. 
  • NetSPI will review the application’s strengths and weaknesses with Client and discuss the recommendations for addressing security deficiencies. During this phase NetSPI will also gather feedback from Client and update the report accordingly. This collaboration will ensure that Client will be able to understand the issues and effectively implement the recommendations. 
  • The Kubernetes Penetration Test findings and recommendations will be presented in a report that includes both detailed descriptions of the identified vulnerabilities and remediation recommendations, as well as summary information that will provide insight to senior management on the environment’s strengths and weaknesses.

Mainframe Penetration Test

The goal of a Mainframe Penetration Test is to identify and exploit vulnerabilities on in scope Logical Partitions (LPARs) in the client environment. Mainframe penetration tests include testing the z/OS operating system, network configuration and controls, OMVS/USS subsystem, and the External Security Manager (ESM) to ensure they are securely configured to prevent unauthorized access to protected network zones, systems, application functionality, and sensitive data.

The z/OS Mainframe Penetration Test focuses on the following areas:

  • z/OS Operating system Configuration
  • ESM (RACF, Top Secret, ACF2) Controls
  • Network-Based Controls

Objectives

The primary objects for the assessment have been listed below:

  • Identify code, patch, and configuration related vulnerabilities that exist on critical mainframe LPARs from the perspective of an unauthenticated and authenticated remote attacker. 
  • Provide the organization with an understanding of the potential impact vulnerabilities could have by leveraging them to gain access to critical resources.
  • Provide the organization with a prioritized remediation approach to address the identified vulnerabilities and reduce risk to the environment.

Approach

Below is an overview of the standard test plan:

  • NetSPI will work with Client to define assessment requirements and goals, specify target LPARs, identify areas of risk, and plan a timeline for all phases of the assessment. Additionally, NetSPI will work with Client to identify and address any areas of concern that Client may have about the testing.
  • Conduct technical testing:
    • Task group 1: Identify weak and default passwords for the operating system and installed applications
    • Task group 2: Identify weak system, service, and application configurations
    • Task group 3: Attempt to break out of restricted applications to access z/OS
    • Task group 4: Identify insecure storage of sensitive data
    • Task group 5: Identify weak security software configurations
    • Task group 6: Identify missing critical operating system and application patches
    • Task group 7: Target client specific objectives
  • After identifying the strengths and weaknesses of the mainframe and Client’s security program processes, NetSPI will suggest strategies for improvement and assign priority to deficiencies based on potential business impact and likelihood of process failure or exploitation. NetSPI will also collaborate with Client stakeholders so that notable findings may then be analyzed and compared against program goals and compliance requirements. 

Rules of Engagement

Below is a summary of the rules of engagement:

  • No systems will be restarted during testing by NetSPI.
  • No denial of service testing will be conducted during testing.
  • No major state or configuration change will be made by NetSPI during testing.
  • Testing will only be conducted against provided services, URLs and endpoints.
  • Testing will only be conducted against IPs, IP ranges, and LPARs provided for testing.

Requirements

Below is a list of items that will need to be provided by the client team in order to conduct testing:

  • Physical or logical access to the in scope LPARS. Sometimes a physical workstation is provided, but more often testing is done via a remote access medium such as a VDI, Terminal Services Desktop, Citrix Desktop, or Virtual Machine.
  • Network level access for conducting vulnerability scanning and configuration reviews. This is usually conducted via a deployed VM or assessment system that is accessed remotely.
  • TSO credentials which are considered least privilege but have the ability to sign-on and submit jobs.
  • A primary contact on the z/OS team that can be available to trouble shoot any issues.

Embedded Software Penetration Test

NetSPI’s Embedded Software Penetration Test service will evaluate Client’s embedded software from the perspective of an attacker in order to identify security vulnerabilities and provide actionable recommendations for improving the protections around network-enabled devices. This service helps product designers and manufactures of IoT devices identify and address security issues, not only to protect against the loss of sensitive information, but also to reduce the likelihood of kinetic impact.

The following is an overview of the Embedded Software Penetration Test service:

NetSPI will evaluate Client’s target devices and software for security vulnerabilities from the perspective of both an anonymous user (non-credentialed testing) and, where appropriate, authenticated users (credentialed testing). During the testing, NetSPI will conduct testing of target systems and applications using commercial, open source, and proprietary tools as well as manual processes. 

Testing includes a phased approach that examines physical security, communications channels, hardware, operating system, and custom software. NetSPI will conduct manual verification of exploitable or significant vulnerabilities. The testing will include targeting the OWASP Top 10 Internet of Things vulnerabilities.

After identifying the strengths and weaknesses of the embedded software and Client’s security program processes, NetSPI will suggest strategies for improvement and assign priority to deficiencies based on potential business impact and likelihood of process failure or exploitation. NetSPI will also collaborate with Client stakeholders so that notable findings may then be analyzed and compared against program goals and compliance requirements.

Operational Technology Network Security Assessment

External OT Network Breach and Attack Simulation

During this phase of the Assessment NetSPI will identify security issues on relevant Client Internet-facing OT infrastructure and attempt to breach the OT network.

  • NetSPI will work with Client to gather information on the current network architecture, implemented technologies, and planned security initiatives.
  • We will evaluate Client’s networks, systems, and applications for known security vulnerabilities from the perspective of an anonymous user (non-credentialed testing). During the testing, NetSPI will follow manual and automated processes that use commercial, open source, and proprietary software. An overview of the test approach is as follows:
    • System and Service Discovery
      Based on IP ranges or a list of individual targets provided by Client, NetSPI will identify relevant IP addresses, domain names, and accessible services that will be targeted during testing by reviewing public resources, performing DNS enumeration, and scanning identified IP addresses. 
    • Vulnerability Enumeration: Automated Vulnerability Scanning
      This testing phase uses multiple vulnerability assessment scanners, including web application scanners from an unauthenticated perspective. Network and system testing includes, but is not limited to, identifying open ports, services, and known vulnerabilities related to missing patches and configuration weaknesses.
    • Vulnerability Enumeration: Manual Verification
      NetSPI conducts manual verification of medium and high severity issues to identify exploitable or significant vulnerabilities. During this phase NetSPI will attempt to leverage identified issue to gain unauthorized access to systems, applications, and sensitive data.
    • Vulnerability Enumeration: Manual Web Application Testing
      Using manual and automated processes, NetSPI will identify application vulnerabilities and exploits with anonymous and/or self-registered users. Our testing includes, but is not limited to, OWASP Top 10 vulnerabilities such as advanced SQL injection, cross site scripting/request forgery, injection flaws, identification of usernames and passwords for user and administrative interfaces, information leakage, forced browsing, and weak access controls (including bypassing access controls).
    • Vulnerability Enumeration: Manual Dictionary Attacks
      NetSPI will gather potential usernames and email addresses from publicly accessible resources and attempt to guess associated passwords in order to gain unauthorized access to VPN, systems, applications, and sensitive data. As part of this effort, NetSPI will identify management interfaces where multi-factor authentication is not in use.
    • Vulnerability Enumeration: Open Source Intelligence Review
      NetSPI will review open-source intelligence resources for confidential data leakage such as emails, passwords, configuration information, source code, and sensitive documents. 
    • Network Pivoting
      NetSPI will attempt to pivot through internet facing systems and applications to gain a foothold on the internal and OT networks using a variety of tools in techniques. This includes, but is not limited to reverse SSH tunneling, ICMP tunneling, TCP tunneling, UDP tunneling, and web shells. 
    • Domain Privilege Escalation
      NetSPI will map domain trust relationships, identify excessive privilege paths, and exploit them to gain administrative access in the domain in order to facilitate access to critical resources. 
    • Access Sensitive Data and Critical System
      Using successful exploit paths, NetSPI will attempt to gain unauthorized access to critical information assets such as systems, applications, and databases that are considered high value by your organization.‌
  • After identifying the strengths and weaknesses of the Internet-facing OT perimeter network and associated Client’s security program processes, NetSPI will suggest strategies for improvement and assign priority to deficiencies based on potential business impact and likelihood of process failure or exploitation. NetSPI will also collaborate with Client stakeholders so that notable findings may then be analyzed and compared against program goals and compliance requirements.

Perimeter OT Network Breach and Attack Simulation – Internal Networks

During this phase of the Assessment NetSPI will attempt to breach the OT perimeter network from inside the corporate network.

  • NetSPI will gather information on the current internal and OT network perimeter architecture, implemented technologies, and planned security initiatives, and ask Client to identify any areas of concern that they may have about the testing or reporting process.
  • We will evaluate Client’s networks, systems, and applications for known security vulnerabilities from the perspective of an anonymous user (non-credentialed testing). During the testing, NetSPI will follow manual and automated processes that use commercial, open source, and proprietary software. An outline of the test approach is as follows:
    • System and Service Discovery 
      Based on IP ranges or a list of individual targets provided by Client, NetSPI will identify relevant IP addresses, domain names, and accessible services that will be targeted during testing by reviewing public resources, performing DNS enumeration, and scanning identified IP addresses.
    • Vulnerability Enumeration: Automated Vulnerability Scanning
      This testing phase uses multiple vulnerability assessment scanners, including web application scanners from an unauthenticated perspective. Network and system testing includes, but is not limited to, identifying open ports, services, and known vulnerabilities related to missing patches and configuration weaknesses.
    • Vulnerability Enumeration: Manual Verification
      NetSPI conducts manual verification of medium and high severity issues to identify exploitable or significant vulnerabilities. During this phase NetSPI will attempt to leverage identified issue to gain unauthorized access to systems, applications, and sensitive data.
    • Vulnerability Enumeration: Manual Web Application Testing
      Using WebInspect and other appropriate web layer tool platforms, NetSPI will identify application vulnerabilities and exploits with anonymous and/or self-registered users. Our testing includes, but is not limited to, OWASP Top 10 vulnerabilities such as advanced SQL injection, cross site scripting/request forgery, injection flaws, identification of usernames and passwords for user and administrative interfaces, information leakage, forced browsing, and weak access controls (including bypassing access controls).
    • Vulnerability Enumeration: Manual Network Protocol Attacks
      NetSPI will attempt to gain unauthorized access to data and systems through common protocol attack that provide a man-in-the-middle position. Common attacks include, but are not limited to, NBNS spoofing, LLMNR spoofing, ARP spoofing, DTP spoofing, VLAN tag spoofing, DHCP spoofing, and PXE attacks.
    • Vulnerability Enumeration: Manual Dictionary Attacks
      NetSPI will gather potential usernames and email addresses from publicly accessible resources and attempt to guess associated passwords in order to gain unauthorized access to VPN, systems, applications, and sensitive data.
    • Network Pivoting
      NetSPI will attempt to pivot through systems and applications to gain a foothold on protected internal network using a variety of tools and techniques.
    • Domain Privilege Escalation 
      NetSPI will map domain trust relationships, identify excessive privilege paths, and exploit them to gain administrative access in the domain in order to facilitate access to critical resources.
    • Access Sensitive Data and Critical System
      Using successful exploit paths, NetSPI will attempt to gain unauthorized access to critical information assets such as systems, applications, and databases that are considered high value by your organization. 
  • After identifying the strengths and weaknesses of the internal network and OT perimeter network, NetSPI will suggest strategies for improvement and assign priority to deficiencies based on potential business impact and likelihood of process failure or exploitation. NetSPI will also collaborate with Client stakeholders so that notable findings may then be analyzed and compared against program goals and compliance requirements.

Adversary Simulation

Red Team Operations: Assumed Breach

NetSPI Red Team Operations: Assumed Breach simulates a threat actor who has either obtained access to the environment via password guessing, phishing, other means or as a malicious insider threat. 

The standard approach in this scenario begins with access to a domain workstation as a domain user. NetSPI will initially operate using tools, techniques, and procedures (TTPs) that are the least likely to be detected. This scenario can be easily modified to simulate the compromise of a third party with network access, such as a trusted vendor. Prior to the start of the engagement, NetSPI will work with the client to determine additional assessment goals. Additional goals often include obtaining access to specific critical systems and regulated data.

Once the primary goals of the Assumed Breach engagement have been met, NetSPI will then provide the option to progressively use TTPs that are more common and more likely to be detected. Once detected, the incident response team can exercise their procedures within the context of a live attack simulation. At the end of the simulation, NetSPI will provide the Client team with the actions that were taken to compromise systems.

Primary Objectives

The purpose for conducting a Red Team Operation is to exercise the people, process, and technology that comprise an organization’s detection, response, and recovery capabilities. NetSPI will develop and execute a customized Red Team Operation based on Client’s requirements and objectives, adapting Tactics, Techniques and Procedures (TTPs) as needed. 

The objectives below aim to provide a holistic view of the “kill chain” used by sophisticated adversaries when attempting to compromise sensitive data in secure networks. This involves attack surface analysis, practical exploitation, covert privilege escalation, and targeted data exfiltration.

  • Gain covert access to internal network(s) with the assistance of Client
  • Maintain persistent access to the environment
  • Identify internal attack surface and vulnerabilities
  • Elevate privileges through vulnerabilities identified
  • Access sensitive resources and exfiltrate data 
  • Assess potential impact to the organization 
  • Attempt to complete client-defined objectives 
  • Provide analysis of and recommendations for mitigating findings 

This assessment is time boxed assessment, as such, NetSPI cannot guarantee the achievement of technical objectives (i.e., initial access, privilege escalation, etc.). Should further effort be desired, this can be requested via a change order process to purchase further time subject to availability. This may require assistance from the Client team in ensuring the continuation of uninterrupted testing, for example, preparing and providing access to assumed breach hosts.

Project Approach

Below is a summary of the approach that will be used during testing. Please note that all tasks may be subject to change depending on information discovered and the progress achieved during testing. 

Planning

  • NetSPI Red Team and Client will hold a kick-off meeting to discuss, agree upon, and finalize project requirements, delivery start dates, the project communications cadence, custom objectives, project scope, and rules of engagement.

Ceded Access

  • Remote access to the Client internal network environment is provided to the NetSPI Red Team using a method agreed upon during the kick-off meeting. Rotate ceded hosts and all indicators of compromise when detected.
  • Leverage ceded access to simulate end-user compromise via social engineering. Achieve detonation of malicious payloads while evading endpoint defenses.
  • Establish persistence on Client resources.

Privilege Escalation

  • Identify and exploit vulnerabilities to obtain elevated access and move laterally to Client internal systems, applications, or non-public data.

Impact

  • Assess the potential impact if a real word threat were to similarly breach the Client environment.
  • Exfiltrate sensitive data using industry standard encryption when data is in motion.
  • Identify critical and sensitive data, high impact systems/networks and additional targets as provided by Client.

Clean-up

  • Conduct post-engagement clean-up activities. All artifacts used during testing will be permanently removed from the Client environment.
  • Provide Client with a final list of artifacts that could not be removed from the environment or otherwise coordinate their removal.

Reporting

  • Provide analysis of and recommendations for mitigating findings.
  • Provide a detailed narrative with timestamps for all major testing activity.
  • If provided, integrate Client Security Incident Report details into the final report.

Project Tools

NetSPI leverages a suite of public, modified, and custom tools to perform emulated real-world attacks. These tools range from enumeration scripts, beaconing backdoors, interactive malware, and exploit kits. NetSPI applies this methodology to reproduce the capabilities of a sophisticated threat actor. The tooling that will be used during this engagement may include, but is not be limited to:

  • Enumeration tools for performing reconnaissance and situational awareness.
  • Vulnerability identification and exploitation tools.
  • An array of initial access payloads designed to evade defenses and deploy a beaconing implant within the context of a social engineering pretext.
  • A custom beaconing implant, Throwback, for maintaining persistent access to compromised hosts.
  • A custom remote access tool (RAT), Slingshot, for interactive operations, privilege escalation, and lateral movement.
  • Various support modules for service exploitation, internal network enumeration, and defensive configuration bypasses.

Red Team Operations: Black Box

NetSPI’s Red Team Operations: Black Box is designed to help understand and measure Client’s ability to detect, contain, eradicate and recover from attacks originating from the internet. This attack perspective simulates a threat actor starting with little to no knowledge of the organization’s assets and environments.

The initial testing will focus on gaining unauthorized access to internal systems, applications, and sensitive data from an external perspective. Techniques used during this exercise may include but is not limited to various forms of social engineering, server-level exploits, web application exploits, credential and authentication endpoint abuse.

NetSPI will initially operate using tools, techniques, and procedures (TTPs) that are the least likely to be detected. Once the primary goals of the Black Box engagement have been met, NetSPI will then provide the option to progressively use TTPs that are more common and more likely to be detected. Once detected, the incident response team can exercise their procedures within the context of a live attack simulation. 

At the end of the engagement NetSPI will provide Client a detailed report deliverable containing a datetime stamped narrative and findings that highlight preventative and detective control gaps will be provided. The findings will include actionable recommendations for addressing gaps in preventative and detective controls as well as response procedures.

Primary Objectives

NetSPI will work towards the objectives below aiming to provide a holistic view of the “kill chain” used by sophisticated adversaries when attempting to compromise sensitive data in secure networks. This involves attack surface analysis, practical exploitation, covert privilege escalation, and targeted data exfiltration.

  • Enumerate external attack surface and social engineering opportunities
  • Execute targeted attacks against exposed assets
  • Attempt to gain covert access to internal network(s) 
  • Maintain persistent access to the environment 
  • Identify internal attack surface and vulnerabilities 
  • Elevate privileges through vulnerabilities identified 
  • Access sensitive resources and exfiltrate data 
  • Assess potential impact to the organization 
  • Attempt to complete client-defined objectives 
  • Provide analysis of and recommendations for mitigating findings

While many testing models conclude when progress stalls, the Black Box Red Team Operation allows for the continuation of testing if a given objective cannot be achieved in reasonable time. This supports a “defense-in-depth” strategy, allowing for the assessment of multiple defensive layers during a single engagement. 

This assessment is time boxed, as such, NetSPI cannot guarantee the achievement of technical objectives (i.e., initial access, privilege escalation, etc.). Should further effort be desired, this can be requested via a change order process to purchase further time subject to availability. This may require assistance from the Client team in ensuring the continuation of uninterrupted testing, for example, preparing and providing access to assumed breach hosts.

Project Approach

Below is a summary of the approach that will be used during testing. Please note that all tasks may be subject to change depending on information discovered and the progress achieved during testing. 

Planning

  • NetSPI’s Red Team and Client will hold a kick-off meeting to discuss, agree upon, and finalize project requirements, delivery start dates, the project communications cadence, custom objectives, project scope, and rules of engagement.

External Reconnaissance

  • Collect and analyze Client data not intended for public release from publicly available resources.
  • Collect and analyze data regarding Client technical and non-technical assets (i.e., systems, applications, personnel name, email addresses, etc.).

External Vulnerability Identification & Exploitation

  • Identify and exploit technical vulnerabilities to obtain unauthorized access to Client systems, applications, cloud environments/assets, Software-as-a-Service (SaaS) or non-public data.

Social Engineering

  • Deliver phishing emails to Client email addresses while attempting to evade e-mail filtering and protections.
  • If applicable, deliver phishing messages to Client employees via alternative means such as vishing, smshing, messaging applications, etc.
  • Achieve detonation of malicious payloads while evading endpoint defenses.

Initial Access

  • Gain code execution and establish command and control (C2) on Client internal networks, assets, and/or cloud environments. Evade perimeter analytics and controls.
  • If initial access is not obtained by the end of the third week of testing, the exercise will fail-over to an assumed breach scenario.
  • Establish persistence on Client resources.

Privilege Escalation

  • Identify and exploit technical vulnerabilities to obtain elevated access and move laterally to Client internal systems, applications, or non-public data.

Impact

  • Assess the potential impact if a real word threat were to similarly breach the Client environment.
  • Identify critical and sensitive data, high impact systems/networks and additional targets as provided by Client.
  • Exfiltrate sensitive data using industry standard encryption when data is in motion.

Clean-up

  • Conduct post-engagement clean-up activities. All artifacts used during testing will be permanently removed from the Client environment.
  • Provide Client with a final list of artifacts that could not be removed from the environment or otherwise coordinate their removal.

Reporting

  • Provide analysis and recommendations for mitigating findings.
  • Provide a detailed narrative with timestamps for all major testing activity.
  • If provided, integrate Client Security Incident Report details into the final report.

Project Tools

NetSPI leverages a suite of public, modified, and custom tools to perform emulated real-world attacks. These tools range from enumeration scripts, beaconing backdoors, interactive malware, and exploit kits. NetSPI applies this methodology to reproduce the capabilities of a sophisticated threat actor. The tooling that will be used during this engagement will include, but may not be limited to:

  • Enumeration tools for performing reconnaissance, site scraping, port mapping, service identification, and situational awareness.
  • Vulnerability identification and exploitation tools.
  • An array of initial access payloads designed to evade defenses and deploy a beaconing implant within the context of a social engineering pretext.
  • A custom beaconing implant, Throwback, for maintaining persistent access to compromised hosts.
  • A custom remote access tool (RAT), Slingshot, for interactive operations, privilege escalation, and lateral movement.
  • Various support modules for service exploitation, internal network enumeration, and defensive configuration bypasses.

Breach and Attack Simulation: Ransomware

The Breach and Attack Simulation: Ransomware engagement helps companies develop a baseline understanding of their current detective control capabilities against ransomware attacks and create a roadmap for improvement over time.

The test focuses on common ransomware Tactics, Techniques, or Procedures (TTPs) used in each step of the ransomware kill chain. During testing NetSPI will work with the client in real-time to execute TTPs that simulate real-world ransomware attacks and determine the level of visibility the current controls offer. After NetSPI performs each test, the client will determine if it was undetected, generated logs, triggered alerts, triggered a response, and what the estimated response time is. Security events may include both common indicators of attack and common indicators of compromise. The Breach & Attack Simulation: Ransomware findings will include direct mappings to MITRE ATT&CK technique IDs. The technique number will be included in the finding references, and directly noted in the finding names provided. 

The test plan includes the following adversary unit test categories:

  • Active Directory reconnaissance events 
  • Local credential access events 
  • Authenticated scanning events 
  • SMB share targeting events 
  • Data exfiltration events 
  • Ransomware deployment events 

Primary Objectives

  • Validate that your endpoint, network, SIEM, and MSSP security controls are working as intended. 
  • Identify and remediate ransomware detection gaps, such as missing data sources, misconfigurations, missing detections, incomplete coverage, and kill chain gaps. 
  • Leverage the AttackSim technology platform to continuously improve your ability to prevent ransomware attacks, track process over time, randomize plays against your environment, and achieve your key performance indicators (KPIs). 

Requirements

Below is a list of items that will be required for the assessment:

  • One point of contact who can be present during testing and can provide feedback on what security events are generating logs and alerts
  • Access to one Windows workstations with representative controls installed
  • One local administrator account on the provided workstation

Breach and Attack Simulation: MITRE ATT&CK TTPs

NetSPI’s Breach and Attack Simulation: MITRE ATT&CK engagement helps organizations develop a baseline understanding of their current detective control capabilities and create a roadmap for improvement over time.

The test focuses on Tactics, Techniques, or Procedures (TTPs) outlined in the MITRE ATT&CK framework. During testing NetSPI will work with the client in real-time to execute TTPs that simulate real-world attackers and determine the level of visibility the current controls offer. After NetSPI performs each test, the client will determine if the attack went undetected, generated logs, triggered alerts, triggered a response, and what the estimated response time is. Security events may include both common indicators of attack and common indicators of compromise. The Breach & Attack Simulation: MITRE ATT&CK findings will include mappings to MITRE ATT&CK technique IDs. The technique number will be included in the finding references, and directly noted in the finding names provided. 

Primary Objectives

  • Validate that your endpoint, network, SIEM, and MSSP security controls are working as intended. 
  • Identify and remediate detection gaps, such as missing data sources, misconfigurations, missing detections, incomplete coverage, and kill chain gaps. 
  • Leverage the AttackSim technology platform to continuously improve your ability to prevent common cybersecurity attacks, track process over time, randomize plays against your environment, and achieve your key performance indicators (KPIs).

Requirements

  • One point of contact that can be present during testing who can provide feedback on what security events are generating logs and alerts.
    • If testing is executed remotely, a NetSPI system will need to be deployed to the environment. 
    • Access to two Windows workstations with representative controls installed. 
    • One local administrator account on the provided workstation. 
    • One Active Directory domain user account that can log into the workstation. This domain user will also require VPN access and an email account. 
    • One Active Directory domain user with “Domain Admin” privileges. 
  • One point of contact that can be present during testing who can provide feedback on what security events are generating logs and alerts. 
  • If testing is executed remotely, a NetSPI system will need to be deployed to the environment.
  • Access to two Windows workstations with representative controls installed. 
  • One local administrator account on the provided workstation. 
  • One Active Directory domain user account that can log into the workstation. This domain user will also require VPN access and an email account. 
  • One Active Directory domain user with “Domain Admin” privileges.

Threat Hunting

The goal of Threat Hunting in this context is to gather configuration information directly from a sample of systems and available data sources in the Windows environment. That information will then be used to identify potential indicators of compromise based on common tools, techniques, and procedures leveraged by real-world threats.

Primary Objectives

  • Provide the client with a high-level understanding of common hunting approaches.
  • Identify potential threats that exist in the environment.
  • Provide actionable recommendations for improving detective control capabilities.

Assessment Approach and Test Plan

A standardized test plan includes:

  • Conduct kickoff meeting
  • Create security controls inventory and identify detective control boundaries through interviews
  • Perform analysis on security control inventory and modify the test plan
  • Conduct hunting exercises with a member of the security operations team:
    • Task Group: Define the target sample using information from Active Directory and DNS and determine gathering method (PowerShell Remoting, WMI, WMI over DCOM).
    • Task Group: Perform authenticated scanning of files for Known Signatures 
    • Task Group: Perform authenticated scanning of Windows Services for Unsigned Binaries
    • Task Group: Perform authenticated scanning of Windows Tasks for Potentially Malicious Jobs
    • Task Group: Perform authenticated scanning of Windows WMI Triggers and Providers
    • Task Group: Perform authenticated scanning of files and Registry for Potentially Malicious Auto runs
    • Task Group: Perform inverse frequency analysis and malware categorization
  • Offline finding analysis, reporting, and quality assurance
  • Report delivery

Requirements

A list of items that will be required for the assessment have been listed below:

  • Access to a physical location that has network access to the IP addresses in scope.
  • Local administrative privileges to all target systems. This typically requires being added to a privileged Active Directory domain group.
  • A member of the operation center or appropriate groups must be available for the duration of the test to ensure NetSPI can communicate the details of the approach and help evaluate potential threats to the environment.

Social Engineering: Security Awareness

To determine the current level of employee security awareness, NetSPI will send phishing messages to Client employees in an attempt to persuade them to divulge sensitive information. NetSPI will also identify strengths and weaknesses within any phishing-related policy, process, and technical controls in place at Client. NetSPI will then provide actionable recommendations for controls and user awareness training to help improve Client’s overall security posture and minimize risk. This engagement and its deliverables will assist Client in reducing risk by continuing employee awareness training and maintaining secure procedures.

The following is an overview of the Social Engineering: Security Awareness Phishing service:

During the test, NetSPI will send phishing e-mails to Client employees in an attempt to persuade them to divulge sensitive information such as usernames and passwords without verifying the identity of the sender. This will help determine risk as it relates employee awareness and potential procedural issues. NetSPI will also analyze any policy, process, and technical controls in place that may reduce the impact and likelihood of a successful phishing attack. 

Scenarios will be designed around Client’s requests and can be based on the following goals:

Security Awareness (Email)

Emails will be crafted to elicit targets to visit an external website. Phishing scenarios can optionally contain any of the following:

  • The web page will be designed to mimic a legitimate Client service and contain a malicious sign-in form to track if data is entered. (Forms are modified to prevent sensitive data retention.)
  • Targets will be prompted to retrieve and execute a malicious payload. The payload will be hosted on an external site designed to mimic a legitimate Client service and will be crafted to exfiltrate workstation details.

The final step will notify users that they were the target of a phishing attack. An informational page will contain instructional content on the dangers of phishing and highlight specific signs that users can identify to warn them of a potential suspicious message. Additional content, such as specific reporting and escalation steps, can be included at Client’s request.

All of the data collected will be consolidated and analyzed. Vulnerabilities will be prioritized based on potential impact and likelihood. NetSPI will then formulate recommendations for mitigating identified security issues. 

Additional reportable metrics include (if applicable): Targets that opened a phishing email, visited a web page, entered credentials, retrieved a malicious payload, executed a malicious payload, messages reported to Client (based on availability of data).

NetSPI will review the identified strengths and weaknesses with Client and discuss the recommendations for improving employee awareness, security processes, and mitigating technologies. This collaboration will enable Client to implement the recommendations.

The Social Engineering: Security Awareness findings and recommendations will be presented in a report that will assist Client in both identifying and reducing risk within the organization as it relates to phishing attacks. The report includes detailed descriptions of the identified issues and remediation recommendations, as well as summary information that will provide insight to senior management on high level strengths and weaknesses.

Social Engineering: Account Takeover

To determine the current level of employee security awareness, NetSPI will send phishing messages to Client employees in an attempt to persuade them to divulge sensitive information. NetSPI will also identify strengths and weaknesses within any phishing-related policy, process, and technical controls in place at Client. NetSPI will then provide actionable recommendations for controls and user awareness training to help improve Client’s overall security posture and minimize risk. This engagement and its deliverables will assist Client in reducing risk by continuing employee awareness training and maintaining secure procedures.

The following is an overview of the Social Engineering: Account Takeover Phishing service:

During the test, NetSPI will send phishing e-mails or text messages to Client employees in an attempt to persuade them to divulge sensitive information such as usernames and passwords without verifying the identity of the sender. This will help determine risk as it relates employee awareness and potential procedural issues. NetSPI will also analyze any policy, process, and technical controls in place that may reduce the impact and likelihood of a successful phishing attack. 

Scenarios will be designed around Client’s requests and can be based on the following goals:

Account Takeover (Email and Text Message)

Emails and text messages will be crafted to elicit targets to perform actions which could compromise their account. Examples include:

  • Advanced credential harvesting pages to capture multifactor authentication and session cookie details
  • OAuth grants and device code attacks to retrieve authentication tokens, which can be used to access Microsoft APIs

NetSPI will access compromised accounts and perform sensitive data discovery to demonstrate the impact of a successful phishing attack. Further escalation can be executed based on project goals or if performed concurrently with an additional Network Penetration Test.

All of the data collected will be consolidated and analyzed. Vulnerabilities will be prioritized based on potential impact and likelihood. NetSPI will then formulate recommendations for mitigating identified security issues. 

Additional reportable metrics include (if applicable): Targets that opened a phishing email, visited a web page, entered credentials, retrieved a malicious payload, executed a malicious payload, messages reported to Client (based on availability of data).

NetSPI will review the identified strengths and weaknesses with Client and discuss the recommendations for improving employee awareness, security processes, and mitigating technologies. This collaboration will enable Client to implement the recommendations.

The Social Engineering: Account Takeover findings and recommendations will be presented in a report that will assist Client in both identifying and reducing risk within the organization as it relates to phishing attacks. The report includes detailed descriptions of the identified issues and remediation recommendations, as well as summary information that will provide insight to senior management on high level strengths and weaknesses.

Social Engineering: Spearphishing

To determine the current level of employee security awareness, NetSPI will send phishing messages to Client employees in an attempt to persuade them to divulge sensitive information. NetSPI will also identify strengths and weaknesses within any phishing-related policy, process, and technical controls in place at Client. NetSPI will then provide actionable recommendations for controls and user awareness training to help improve Client’s overall security posture and minimize risk. This engagement and its deliverables will assist Client in reducing risk by continuing employee awareness training and maintaining secure procedures.

The following is an overview of the Social Engineering: Spearphishing service:

During the test, NetSPI will send phishing e-mails or text messages to Client employees in an attempt to persuade them to divulge sensitive information such as usernames and passwords without verifying the identity of the sender. This will help determine risk as it relates employee awareness and potential procedural issues. NetSPI will also analyze any policy, process, and technical controls in place that may reduce the impact and likelihood of a successful phishing attack. 

Scenarios will be designed around Client’s requests and can be based on the following goals:

Spearphishing Campaign (Email and Text Message)

NetSPI and Client will collaborate to build a custom campaign against a select group of users. The campaign will be designed to accomplish a specific client objective, such as compromising a high-value target or retrieving proprietary information. NetSPI will utilize an open-ended approach, with the goal of identifying missing policies and edge case vulnerabilities. Information obtained will be leveraged throughout the test to build an overall attack narrative.

All of the data collected will be consolidated and analyzed. Vulnerabilities will be prioritized based on potential impact and likelihood. NetSPI will then formulate recommendations for mitigating identified security issues. 

Additional reportable metrics include (if applicable): Targets that opened a phishing email, visited a web page, entered credentials, retrieved a malicious payload, executed a malicious payload, messages reported to Client (based on availability of data).

NetSPI will review the identified strengths and weaknesses with Client and discuss the recommendations for improving employee awareness, security processes, and mitigating technologies. This collaboration will enable Client to implement the recommendations.

The Social Engineering: Spearphishing findings and recommendations will be presented in a report that will assist Client in both identifying and reducing risk within the organization as it relates to phishing attacks. The report includes detailed descriptions of the identified issues and remediation recommendations, as well as summary information that will provide insight to senior management on high level strengths and weaknesses. 

Social Engineering: Phone-Based Social Engineering

In order to determine the current level of employee security awareness, NetSPI will make calls to Client employees in an attempt to persuade them to divulge sensitive information. NetSPI will also review policy and processes that can help reduce the impact of phone-based attacks. NetSPI will then provide actionable recommendations, for controls and user awareness training, to help improve Client’s overall security posture and minimize risk. This engagement and its deliverables will assist Client in reducing risk by continuing employee awareness training and maintaining secure procedures.

The following is an overview of the Social Engineering: Phone-Based Social Engineering service:

Call scenarios can be designed based on two styles:

  • Policy Check: NetSPI will use a standard script and pretext throughout each scenario, with the goal of gathering client-defined sensitive during each placed call. Calls will be siloed and information obtained will not be leveraged throughout the test.
  • Capture-the-Flag: NetSPI will utilize an open-ended approach, with the goal of identifying missing policies and edge case vulnerabilities. Information obtained will be leveraged throughout the test to build an overall attack narrative

All of the data collected will be consolidated and analyzed. Calls will be recorded and reviewed to identify insecure procedures. In addition, vulnerabilities will be prioritized based relevance and likelihood. Finally, NetSPI will formulate recommendations for mitigating the identified security issues.

NetSPI will review the environment’s strengths and weaknesses with Client and discuss the recommendations for improving employee awareness and security processes. This collaboration will enable Client to implement the recommendations.

The Social Engineering: Phone-Based Social Engineering findings and recommendations will be presented in a report that includes both detailed descriptions of the identified issues and remediation recommendations, as well as summary information that will provide insight to senior management on high level strengths and weaknesses. This report will assist Client in reducing risk by continuing employee awareness training and maintaining secure procedures.

Social Engineering: On-Site Social Engineering Assessment

During the On-Site Social Engineering Assessment, NetSPI will determine the level of risk that relates to procedural security controls at Client by attempting to gain unauthorized physical access to sensitive areas, systems, and information. These tests will result in actionable recommendations for improving Client’s security posture. This engagement and its deliverables will assist Client in reducing risk by continuing employee awareness training and maintaining secure procedures.

The following is an overview of the On-Site Social Engineering Assessment:

  • NetSPI will interview key personnel and analyze Client documented policies to identify areas of risk within the current controls and processes. During interviews, NetSPI will review and discuss the following:
    • Existing security policies
    • Physical access and identification policies 
    • Data classification and handling policies 
    • Applicable industry regulations 
    • Employee training programs
    • NetSPI will review the policies strengths and weaknesses with Client and discuss the recommendations for addressing identified security issues. This collaboration will ensure that Client will be able to effectively implement the recommendations.
  • NetSPI will perform on-site assessments to evaluate the security of Client’s procedures, and the level of employee awareness and compliance, using standard social engineering techniques.
    • These techniques may include (but are not limited to) persuasion, tailgating, and impersonation. 
    • During this phase of the assessment, NetSPI will typically assume the role of a trusted individual when attempting to gain unauthorized access to the sensitive areas, systems, and information in scope. 
    • Testing efforts will be uniquely crafted towards testing Client’s specific policies. NetSPI will work with Client to develop repeatable, focused activities which will test employee awareness and compliance with specific policies and processes.
      • E.g., multiple attempts to tailgate through the same door behind different employees. Approaching multiple employees and asking them to insert a USB drive into their computer. 
    • Testing and bypassing of physical controls is not included in the scope of on-site social engineering assessments.
  • NetSPI will consolidate and analyze findings from all the onsite tests conducted. We will consider the findings, business requirements, and current controls to formulate actionable recommendations for mitigating the identified security issues.
  • The On-Site Social Engineering Assessment findings and recommendations will be presented in a report which includes detailed descriptions of the identified issues and remediation recommendations, as well as summary information that will provide insight to senior management on the environment’s strengths and weaknesses. This report will assist Client in reducing risk and maintaining procedures.

Physical Security Controls Assessment

During the Physical Security Controls Assessment, NetSPI will conduct an onsite analysis of Client’s current physical security controls and related policies in order to identify potential weaknesses or gaps that could provide unauthorized access to restricted areas or sensitive data. NetSPI will also interview key personnel in order to fully understand how physical security is currently managed, what security controls are in place to protect the location, and better understand existing policies and key considerations undertaken during the construction and design of the physical office location. Once information gathering is complete, NetSPI will further analyze findings and provide actionable recommendations for improving Client’s internal security policies and physical security posture.

The following is an outline of the Physical Security Controls Review:

NetSPI will work with Client to define project requirements and goals, identify specific locations to sample, and plan a timeline for all phases of the project. 

NetSPI will interview key personnel and analyze Client’s physical security and documented policies to identify areas of risk within the current controls and processes. During interviews, NetSPI will review and discuss the following:

  • Existing physical security controls
  • Physical access and identification policies
  • Data classification and handling policies
  • Environmental controls and monitoring
  • Applicable industry regulations

NetSPI will conduct an onsite walkthrough of Client’s location, including property and building perimeter, office interior, and access to restricted or secured areas.

  • This walkthrough is performed with explicit approved visitor / badged access.
  • Social engineering attempts can be utilized based on project goals, or if performed concurrently with an additional Social Engineering Test.

NetSPI will consolidate findings from the interviews, documentation review, and onsite walkthrough for final analysis. Then NetSPI will create actionable recommendations to mitigate identified risks and improve the overall security posture of Client’s environment. All recommendations are based on industry best practices and professional experience. 

NetSPI will review the physical security strengths and weaknesses with Client and discuss the recommendations for addressing security deficiencies. This collaboration will enable Client to implement the recommendations.

The Physical Security Controls Review findings and recommendations will be presented in a report that includes both detailed descriptions of the identified issues and remediation recommendations. It will also include summary information that will provide insight to senior management on the location’s strengths and weaknesses.

Social Engineering: Full On-Site Physical Penetration Test

During the Full On-Site Physical Penetration Test, NetSPI will determine the level of risk presented by a threat-actor attempting to gain unauthorized physical access to sensitive areas, systems, and information. NetSPI will attempt to accomplish specific, pre-defined goals involving physical access to specific areas or assets. After the campaign, a detailed deliverable will be provided which will contain a campaign narrative and list of vulnerabilities which highlight preventative and detective control gaps.

The following is an overview of the Full On-Site Physical Penetration Test:

  • NetSPI will work with Client to define specific goals for the test. Goals will focus on unauthorized physical access and typically include objectives such as physically accessing a specific area of a building, extracting specific assets from the building, or obtaining specific documents or pieces of information. 
  • NetSPI will perform on-site assessments to attempt to achieve the pre-defined goals. These assessments will evaluate Client’s overall physical security posture and employee awareness.
    • NetSPI will replicate a real-world attacker and attempt to accomplish the pre-defined goals without being detected or intercepted.
    • NetSPI will employ techniques including (but not limited to) Open-Source Intelligence Gathering (OSINT), social engineering, and physical security bypasses to accomplish their goals.
      • Examples of potential actions NetSPI may take while on site include: tailgating, manipulating door locks and handles, badge cloning, persuading employees to provide access, creating mild distractions, calling and emailing employees, utilizing empty workspaces, opening unlocked doors, accessing sensitive documents, and any other actions which will assist with the goals of the test. 
      • Any potentially dangerous or destructive actions are out of scope, unless specifically requested and authorized.
    • NetSPI will communicate their plans with their immediate contacts at Client and obtain approval in advance for their actions. No other employees will be made aware of the test in advance.
  • The Full On-Site Physical Penetration Test is focused on physical access and does not include technical testing or compromises of the customer network, applications, or computer systems. For full end-to-end adversarial simulation, please consider our Red Team Operations.
  • NetSPI will consolidate and analyze findings from all the on-site tests conducted. We will consider the findings, business requirements, and current controls to formulate actionable recommendations for mitigating the identified security issues.
  • The Full On-Site Physical Penetration Test findings and recommendations will be presented in a report which includes detailed descriptions of the identified issues and remediation recommendations, as well as summary information that will provide insight to senior management on the environment’s strengths and weaknesses. This report will assist Client in reducing risk and maintaining procedures.

IoT Testing Services

ATM Penetration Testing

During the ATM Penetration Test, NetSPI will identify security issues on relevant Client ATM systems and provide actionable recommendations for improving Client‘s security posture.

NetSPI’s ATM Penetration Test follows this process:

NetSPI will work with Client to gather information on the current ATM architecture, implemented security and encryption technologies, and planned security initiatives.

We will evaluate Client’s network, systems, and applications for known security vulnerabilities from the perspective of an anonymous user (non-credentialed testing). During the testing, NetSPI will follow manual and automated processes that use commercial, open source, and proprietary software. 

An overview of the test approach is as follows:

  • Thick Client Application Penetration Test
    NetSPI uses deep-dive manual testing processes to identify design and configuration weaknesses in thick applications. Through a process of multi-vector testing, NetSPI will identify vulnerabilities and create actionable recommendations to assist Client in reducing risk to the ATM and backend systems.
  • Hard Drive Encryption Penetration Test
    NetSPI does a manual evaluation of the encryption configuration and the technologies used to protect the encryption keys to evaluate whether the data stored on the ATM remains secure and whether it can be extracted or modified by an attacker. NetSPI will identify weaknesses and vulnerabilities in the decryption phase of the system boot, alerting Client to potentials risks and aid in reducing risk to applications.
  • Kiosk Escapes
    NetSPI will use a combination of common techniques and automated fuzzing to determine if there are any easily assessable avenues for an attacker to escape the kiosk mode of the ATM, either from outside the enclosure or via a USB device inserted into the top of the ATM without opening of the safe.
  • Peripheral Security Assessment
    NetSPI will use sophisticated manual processes and automated tools to test the peripherals of the ATM to ensure that sensitive information cannot be leaked and that if the connection to the peripherals is middled there is limited damage that the attacker can inflict on the ATM or the backend network. NetSPI will assess whether non-sanctioned device types and devices are allowed on the system. In addition, advanced hardware-based attacks such as firmware extraction/modification and side channel analysis can be performed to ensure that every peripheral device attached to the ATM is properly hardened.
  • Secure Memory Configuration Assessment
    NetSPI will assess the ATM’s configuration and hardware to determine if the ATM is vulnerable to memory attacks. NetSPI will attempt to leverage the self-decryption of the ATM upon boot to gain access to the system via probing and modifying data on the system’s memory bus, either on the BIOS or OS level.
  • Breach Simulation
    NetSPI will use simulated attacker patterns and methodologies to explore the scope of the protection offered by the group polices and specialized security products on the ATM and assess and their effectiveness in protecting the system from attackers, modification, and malware. This testing focuses on achieving privilege escalation from a low-level account that an attacker has previously obtained. This operation ensures that even if a weakness is found and successfully exploited by an attacker, the risk to the overall system remains at a minimum.
  • Sensitive Data and Critical System Access
    Using successful exploit paths, NetSPI will attempt to gain unauthorized access to critical information assets such as systems, applications, and databases that are considered high value by your organization.
  • Physical Security Controls Test
    NetSPI evaluates the safe, locking mechanism, and any other physical controls or alarms that are in effect to protect the device. 
  • Sensitive Information Storage
    NetSPI will search the system to determine if there is sensitive information stored on the device such as hardcoded keys, sensitive logs, or other information that may qualify as PCI exposure if the data was extracted.

After identifying the strengths and weaknesses of the environment and Client’s security program processes, NetSPI will suggest strategies for improvement and assign priority to deficiencies based on potential business impact and likelihood of process failure or exploitation. NetSPI will also collaborate with Client stakeholders so that notable findings may then be analyzed and compared against program goals and compliance requirements.

Automotive Penetration Testing

NetSPI’s approach to identifying automotive vulnerabilities focuses on the individual components as well as how those components interact with each other and the outside world. During the Automotive Penetration Test, NetSPI will work to identify security issues on relevant Client vehicles, providing recommendations to improve Client‘s security posture.

NetSPI’s Automotive Penetration Test follows this process:

NetSPI will work with Client to gather information on the current software and hardware architecture implemented and planned security initiatives.

We will evaluate Client’s Electronic Control Unit (ECU), Automotive Head Unit (AHU) and network connectivity for known security vulnerabilities from the perspective of a vehicle owner/user (non-credentialed testing). During the testing, NetSPI will follow manual and automated processes that use commercial, open source, and proprietary software. 

An overview of the test approach is as follows:

  • Mobile Application Penetration Testing
    Many new vehicles have mobile device interaction, primarily as Phone as a Key (PAAK). NetSPI’s consultants are experienced with the interaction of mobile, cloud, and automotive to determine whether the communication between the technologies is properly established and secure.
  • Thick Client Application Penetration Testing
    NetSPI uses deep-dive manual testing processes to identify design and configuration weaknesses in thick applications. This includes binaries running on the AHU, from hardening the OS to testing the native and third-party applications that are employed to complete the desired user experience. 
  • Connected Environments
    The addition of 802.11p, WAVE, and V2X means that vehicles will be handling many new communication streams. NetSPI uses a number of open source Software Defined Radio (SDR) implementations to receive, transmit, and attempt to find security weaknesses in the communication implementation.
  • Internet Connectivity
    More vehicles are requiring interaction with the internet and data parsing. NetSPI will use a combination of manual and automated tools to test vehicle network connection and backend data processing to determine whether the system is protected from attacks via USB, Wi-Fi, and in some cases, cellular.
  • Hardware Penetration Test
    NetSPI manually tests the embedded system to discover weaknesses in the design that could be exploited by an attacker. NetSPI will attempt to locate debug interfaces, bypass JTAG/UART protections, extract, modify, and analyze firmware, and assess the difficultly that an attacker would have attempted to compromise the system. NetSPI will recommend actions that Client can take to improve automotive security.
  • Internal Network Security Assessment
    NetSPI uses sophisticated manual processes and automated tools to test the communication and segmentation of the Electronic Control Unit (ECU) communication. NetSPI attempts to use CAN, DOCAN, DOIP, and other communication means to perform Denial of Service (DOS), fuzzing, and segmentation jumps on the network to determine if the system is resistant to attackers.
  • Sensor Data
    NetSPI will use SDR, logic analysis, and custom-programmed Field Programmable Gate Arrays (FPGAs) to tap, middle, and spoof sensor data in an attempt to maliciously affect programming used in autonomous driving decisions. If successful, this would affect various automotive safety features and cause the vehicle to misbehave in unacceptable ways. This action could result in damage or allow Remote Code Execution (RCE) to adversely affect the system. 
  • Containers and Hypervisors 
    NetSPI will review the containers and virtualizations both in the vehicle and in the cloud to determine whether they are secure. NetSPI will recommend steps needed to properly harden the containers and assure the information supplied to the container (sensor info, AI training input, updates) are properly secured. Should an escape be possible, NetSPI will assess the security of the rest of the vehicle system and the security/safety of the user.

After identifying the strengths and weaknesses of the environment and Client’s security program processes, NetSPI will suggest strategies for improvement and assign priority to deficiencies based on potential business impact and likelihood of process failure or exploitation. NetSPI will also collaborate with Client stakeholders so that notable findings may then be analyzed and compared against program goals and compliance requirements.

Operational Technology (OT) Architecture and Security Review

NetSPI’s approach to identifying ICS vulnerabilities focuses on the OT processes in a Defense in Depth strategy. NetSPI will use best efforts to keep the OT processes remain protected, isolated, and unchanged during testing.

NetSPI’s OT Architecture and Security Review follows this process:

NetSPI will begin the review by investigating the configuration and architecture of the systems. We will use this information to perform a network architecture review prior to any manual testing so that the desired testing matches the capabilities of the network and machinery. This helps to avoid damage to systems during the process. NetSPI will address issues with asset inventory, network configuration, and segmentation prior to focusing on issues related to vulnerability analysis or action that can be affected by malicious actors. 

An overview of the test approach is as follows:

  • Architecture Review
    NetSPI does a review of all available configurations on the network and the processes. This also includes conducting interviews with Process Engineers, Operational Technicians, Field Technicians, Programmers, and Administrators to fully understand the process and procedures that need to be protected and maintained.
  • Passive Asset Inventory
    NetSPI will conduct a passive reconnaissance on the network traffic via a packet capture form, a network Tap, or a SPAN port, gathered by Client or NetSPI. This packet capture will be used to identify assets associated with the network to create an inventory, confirm all the computers that have access to specific subnets as intended, as well as determine a more secure configuration that would not adversely affect processes.
  • Active Asset Inquiry
    NetSPI will use the information gathered during the architecture review and the asset inventory to confirm an associated device’s identity and to confirm the software version. This will be done by implementing controlled timed requests to individual devices, starting with servers, and then exploring carefully until all observed devices are identified. When necessary, requests will be limited to the safest version possible at the slowest possible interval. If probing the devices poses any risk to the network, this step will be withdrawn or NetSPI will work with Client to devise a safe way to obtain the information. 
  • Active Network Testing
    If deemed safe, NetSPI will conduct a standard exploit network penetration test on Enterprise, DMZ, and operations levels of the process. This will determine if segmentation hopping is possible between layers and if any devices have access to zones from which they should be restricted. If applicable, NetSPI may advise a full network penetration test be conducted on the various zones of the network that correspond with levels 3-5 of the Purdue security model for network security on ICS/ OT/ SCADA networks.
  • Programming Review
    If required, NetSPI can conduct a code review on the individual devices to determine the potential risk that the device poses to the process from the perspective of both a best practice programing standpoint and an accidental or malicious user perspective.
  • Main System Hardening / Thick Client
    NetSPI will conduct a review of a main system, either on live system or virtualized from a captured image. This review will serve the purpose of determining the current OS security posture as well as determining whether the configuration of the firewall and networking are suitable for the process as-is or if changes to the system configuration are needed.
  • Threat Vectors
    NetSPI will arrange and classify all the devices discovered in the asset inventory via the Purdue model, and classify any discovered potential threats based on those described in IEC 62443. NetSPI will utilize this model to advise Client on potential architecture areas of improvement and will attempt to find solutions to any discovered discontinuities in a manner that will least affect the process.
  • Attack Simulation
    If a non-production environment exists or can be deployed prior to the test, NetSPI will conduct a simulated attack on individual devices or on the system. This attack will take the form of a combination network/thick client embedded system penetration test, as required by the target device/system.

After identifying the strengths and weaknesses of the environment and Client’s security program processes, NetSPI will suggest strategies for improvement and assign priority to deficiencies based on potential business/security impact and likelihood of exploitation. NetSPI will also collaborate with Client stakeholders so that notable findings may then be analyzed and compared against program goals and compliance requirements.

Medical Device Penetration Testing

NetSPI’s Medical Device Pentest will help Client determine whether its medical devices meet or exceed the current standards and recommendations by the FDA Premarket Cybersecurity Guidelines. NetSPI’s approach to finding security vulnerabilities in medical devices typically consists of two stages, depending on client need: 1) a threat model/architecture risk analysis and 2) a penetration test. These can occur independently or in tandem. 

NetSPI’s Medical Device Threat Model follows this process:

  • NetSPI will work with Client to gather information on the current Medical Device architecture by reviewing available design documents, configuration files, and interviewing system architects and programmers to determine the most viable attack path for a time-boxed assessment. 
  • NetSPI will conduct a survey of the device to determine possible design flaws in the software, hardware, and communication methods that could weaken the security of the device.
  • NetSPI will identify the risks inherent in the design/implementation of the device and suggest modifications that can increase the security of the device. 

NetSPI’s Medical Device Penetration Test follows this process:

If a Medical Device Threat Model was done previously, NetSPI will use it to guide testing and confirm whether or vulnerabilities identified in the threat model are exploitable. If no threat model occurred, NetSPI will work with Client to gather information on the current device architecture, implemented security and encryption technologies, and planned security initiatives; NetSPI will then used to gather documentation to create a test plan.

An overview of the test approach is as follows:

  • Hardware Survey
    NetSPI will review the hardware of the device, looking for any flaws in the design or configuration that could allow an attacker to access sensitive information or modify the expected device behavior. Depending on the device, NetSPI will identify exposed debugging interfaces, chips with known vulnerabilities/flaws, or exposed communication protocol lines that may allow access to sensitive data or operations. When destructive testing is in-scope, NetSPI may use techniques such as depopulation and repopulation of components for the same purpose.
  • Firmware Analysis
    NetSPI will use both manual review and automated scanning to identify libraries or binaries within the firmware that are outdated or have known security vulnerabilities. NetSPI will assess the likelihood and severity of the firmware being reverse engineered by an attacker. In addition, NetSPI will review the process for updating the system’s firmware provided to identify vulnerabilities within the update process and determine if any information contained in the update could impact the security of the device.
  • Authentication and Authorization Analysis
    NetSPI will attempt to bypass authentication methods to escalate privileges of various users. NetSPI will also assess the existing user roles and software running on the system to determine if they follow the principle of least privilege.
  • Wireless Configuration Analysis
    NetSPI will analyze the configuration of known wireless protocols (Bluetooth, Wi-Fi, ZigBee, etc.) to ensure they are configured correctly and securely. In addition, custom wireless or inductive protocols will be studied or reviewed to identify vulnerabilities that may exist within the custom protocol and determine the likelihood and impact of an attacker reverse-engineering the protocol.
  • Network Testing
    NetSPI will use manual and automated tests to survey the communication protocols used by the device as well as scan for any open ports. NetSPI will then attempt to identify and exploit any services with known vulnerabilities as well as identify service misconfigurations with a potential security impact. If applicable, NetSPI will also review the system’s Wi-Fi configuration.
  • Cryptographic Analysis
    NetSPI does a manual deep dive into the encryption methods used to protect the data stored on the device to ensure it maintains its integrity, confidentiality, and authenticity. NetSPI will identify weaknesses and vulnerabilities in the decryption phase of the system boot, alerting Client to potentials risks and aid in reducing risk to applications. NetSPI will also analyze encryption methods used to communicate sensitive data or operations, either externally to the device or within the device itself.
  • Operating System Hardening
    NetSPI will test the operating system hardening against industry best-practices. This may include testing for software security controls, user and group configurations, local access control configurations, local system configurations, and secure data storage.
  • Tamper Protection Survey
    Medical devices may employ tamper protection systems to protect the device. These systems can range from the addition of potting epoxy to resistive foil security sensors. NetSPI will use a variety of techniques to attempt to bypass and evaluate the effectiveness of any present tamper protection.
  • Peripheral Security Assessment
    If the device communicates with peripheral devices, NetSPI will attempt to Man-in-the-Middle this communication and determine the level of damage an attacker could inflict on the device or backend network. In addition, advanced hardware-based attacks such as firmware extraction/firmware modification and side channel analysis can be performed to determine whether every peripheral device attached to the device is properly hardened.
  • Mobile, Thick, and Web Application Penetration Testing
    NetSPI understands that medical devices often exist within an ecosystem of other devices and applications that communicate with the device or run on the device itself. When applicable, NetSPI will pull from methodologies for testing mobile, thick, and web applications in addition to following the standard approach for a medical penetration test.
  • Default Failure
    Most safety-critical medical devices have a “known good” default implementation should any part of the firmware encounter issues during operation. NetSPI will attempt to bypass or prevent this fallback from properly activating to determine it’s possible for the “known good” image to fail in a circumstance where the patient’s safety could be put at risk by a malicious actor.
  • Sensor Data Tampering
    Medical devices are only as safe as the data that is fed into the device. NetSPI will attempt to tamper with or spoof the sensor data from peripheral devices to determine Client’s risk of malicious device imitation where expired or illegitimate peripheral devices are used with the medical device.
  • Privacy and Tracking Testing
    NetSPI will assess the device for distinct information leakage that would reveal sensitive patient information or allow the patient to be maliciously tracked.
  • Potential Security/Safety issues
    NetSPI will review any potential issues that may not have substantial security impacts but could adversely affect the safety of the patient or user. 

After identifying the strengths and weaknesses of the environment and Client’s security program processes, NetSPI will suggest strategies for improvement and assign priority to deficiencies based on potential business/security impact and likelihood of exploitation. NetSPI will also collaborate with Client stakeholders so that notable findings may then be analyzed and compared against program goals and compliance requirements.

Embedded Penetration Testing

NetSPI’s approach to identifying Embedded system vulnerabilities is a multitiered penetration test across multiple disciplines such as hardware, network, wireless, SDR, thick client, system hardening, and mobile. During the Embedded Penetration Test, NetSPI will look for security vulnerabilities that may affect each layer of the device.

NetSPI’s Embedded Penetration Test follows this process:

NetSPI will work with Client to gather information on the current device architecture, implemented security and encryption technologies, and planned security initiatives. 

NetSPI will evaluate Client’s embedded device for known security vulnerabilities from the perspective of an anonymous user (non-credentialed testing). During testing, NetSPI will follow manual and automated processes that use commercial, open source, and proprietary software. 

An overview of the test approach is as follows:

  • Hardware Survey
    NetSPI will review the hardware of the device, looking for any flaws in the design or configuration that could allow an attacker to access sensitive information or modify the expected device behavior. Depending on the device, NetSPI will identify exposed debugging interfaces, chips with known vulnerabilities/flaws, or exposed communication protocol lines that may allow access to sensitive data or operations. When destructive testing is in-scope, NetSPI may use techniques such as depopulation and repopulation of components for the same purpose.
  • Firmware Analysis
    NetSPI will use both manual review and automated scanning to identify libraries or binaries within the firmware that are outdated or have known security vulnerabilities. NetSPI will assess the likelihood and severity of the firmware being reverse engineered by an attacker. In addition, NetSPI will review the process for updating the system’s firmware provided to identify vulnerabilities within the update process and determine if any information contained in the update could impact the security of the device.
  • Authentication and Authorization Analysis
    NetSPI will attempt to bypass authentication methods to escalate privileges of various users. NetSPI will also assess the existing user roles and software running on the system to determine if they follow the principle of least privilege.
  • Wireless Configuration Analysis
    NetSPI will analyze the configuration of known wireless protocols (Bluetooth, Wi-Fi, ZigBee, etc.) to ensure they are configured correctly and securely. In addition, custom wireless or inductive protocols will be studied or reviewed to identify vulnerabilities that may exist within the custom protocol and determine the likelihood and impact of an attacker reverse-engineering the protocol.
  • Network Testing
    NetSPI will use manual and automated tests to survey the communication protocols used by the device as well as scan for any open ports. NetSPI will then attempt to identify and exploit any services with known vulnerabilities as well as identify service misconfigurations with a potential security impact. If applicable, NetSPI will also review the system’s Wi-Fi configuration.
  • Cryptographic Analysis
    NetSPI does a manual deep dive into the encryption methods used to protect the data stored on the device to ensure it maintains its integrity, confidentiality, and authenticity. NetSPI will work to identify weaknesses and vulnerabilities in the decryption phase of the system boot, alerting Client to potentials risks and aid in reducing risk to applications. NetSPI will also analyze encryption methods used to communicate sensitive data or operations, either externally to the device or within the device itself.
  • Operating System Hardening
    NetSPI will test the operating system hardening against industry best-practices. This may include testing for software security controls, user and group configurations, local access control configurations, local system configurations, and secure data storage.
  • Tamper Protection Survey
    Many embedded devices employ tamper protection systems to protect the device. These systems can range from the addition of potting epoxy to resistive foil security sensors. NetSPI will use a variety of techniques to attempt to bypass and evaluate the effectiveness of any present tamper protection.
  • Peripheral Security Assessment
    If the device communicates with peripheral devices, NetSPI will attempt to Man-in-the-Middle this communication and determine the level of damage an attacker could inflict on the device or backend network. In addition, advanced hardware-based attacks such as firmware extraction/firmware modification and side channel analysis can be performed to determine whether every peripheral device attached to the device is properly hardened.
  • Mobile, Thick, and Web Application Penetration Testing
    NetSPI understands that embedded devices often exist within an ecosystem of other devices and applications that communicate with the device or run on the device itself. When applicable, NetSPI will pull from methodologies for testing mobile, thick, and web applications in addition to following the standard approach for an embedded penetration test.

After identifying the strengths and weaknesses of the device and Client’s security program processes, NetSPI will suggest strategies for improvement and assign priority to deficiencies based on potential business/security impact and likelihood of exploitation. NetSPI will also collaborate with Client stakeholders so that notable findings may then be analyzed and compared against program goals and compliance requirements.

Strategic Advisory Services

Cybersecurity Maturity Assessment

NetSPI will work collaboratively with Client to document Client’s current security program and develop the new information security strategy, the guiding principles that will enable Client to successfully conduct its business while meeting the challenges of detecting and defending against internal and external threats. Critical to the strategy will be consideration of stakeholders’ business needs and threats to the company. Client’s current security program will be integrated into the new information security program roadmap.

NetSPI and Client will then build the new information security program framework. The program will be based in part on the NIST Cybersecurity Framework (CSF) for security governance, and various control frameworks, primarily NIST SP 800-53, for technical security standards.

The outcome of this Cybersecurity Maturity Assessment will be the design for an information security program on which to build a business-aligned and threat-aware security strategy that supports and enables the company’s business objectives, focuses on relevant threats, and meets regulatory compliance requirements.

Approach

Align security requirements with Client business goals: Interview key stakeholders to gain insights into the product and services that generate revenue.

Map controls in place to protect the business and meet compliance requirements: Examine current security program structure and maturity and as a result, create a prioritized and actionable program roadmap.

Build a business-aligned information security program: Review key findings and results during a facilitated discussion and receive a management-ready report.

Security Focus Areas & Capabilities

Business-security Alignment

  • Executive Management
  • Human Resources
  • Finance
  • Legal
  • IT
  • Information Security
  • Compliance

Information Technology Management

  • Asset Management
  • IT Infrastructure
  • End-user Equipment
  • Business Applications

Information Security Management

  • Governance, Risk, & Compliance
  • Identity & Access Management
  • Network and System Security
  • Application Security
  • Endpoint Security
  • Mobile Security
  • Security Event Monitoring
  • Threat Intelligence
  • Vulnerability Management
  • Penetration Testing
  • Change Control
  • Incident Management
  • Business Continuity
  • Physical Security

Data Security, Privacy, & Compliance

  • Privacy Policy
  • Data Inventory
  • Data Security
  • Data Leakage Prevention
  • Communications
  • Secure Messaging
  • Secure File Transfer
  • Cloud Data Security
  • Travel Security
  • Regulatory Compliance

Security Threat Assessment

NetSPI will conduct a security threat assessment of Client’s IT and security operations to determine which threats Client is likely to encounter, the general impact to the business, and the risk to business operations. NetSPI will present correlated findings of deficiencies in the findings section in the report. Threat information will include:

  • List of Assets
  • Threat Actor
  • Threat Drivers
  • Attack Vector
  • Primary Attack Method
  • Impact
  • Likelihood
  • Risk

Deliverables

NetSPI will analyze all collected data and deliver a report detailing the following:

  • Executive Summary
  • Methodology
  • Business-Information Security Alignment
  • Threat Posture and Model
  • Observations and Capability Maturity Scoring
  • Targeted Roadmap & Recommendations
  • High-level Information Security Staffing Guidance
  • High-level Information Security Documentation Guidance
  • Presentation of our findings to Client audience of Client’s choosing

Pre-assessment Request List

Please have the following information available for reference at the first day of the assessment:

  • Description of business services, interactions with customers, interactions with third parties
  • Description of any information security events and incidents Client has experienced in the prior 2 years.
  • Existing information security documentation (policies, standards, etc.)
  • Existing information security controls in place that are not documented in policy
  • HR and/or IT policies governing employee use of company resources and technologies

Application Security Benchmark

NetSPI will conduct a benchmarking assessment to get an independent third-party view of the current state of theapplication security program. Data from BSIMM 10 will be leveraged to perform the assessment and look at the overall benchmarking scorecard against the data from 122 firms that are available in the data pool, also compare against the Financial Services Firms (57 of 122 firms) or the Technology Firms (20 of 122 firms) vertical for maturity (per client’s request). The framework at a high level consists of a total of 119 activities that are organized into 4 domains, which are sub-categorized into 12 practices in the following manner:

Governance – Practices that help organize, manage, and measure a software security initiative. Staff development is also a central governance practice.

  1. Strategy & Metrics (SM)
  2. Compliance & Policy (CP)
  3. Training (T)

Intelligence – Practices that result in collections of corporate knowledge used in carrying out software security activities throughout the organization. Collections include both proactive security guidance and organizational threat modeling. 

  1. Attack Models (AM)
  2. Security Features & Design (SFD)
  3. Standards & Requirements (SR)

SSDL Touchpoints – Practices associated with analysis and assurance of particular software development artifacts and processes. All software security methodologies include these practices.

  1. Architecture Analysis (AA)
  2. Code Review (CR)
  3. Security Testing (ST)

Deployment – Practices that interface with traditional network security and software maintenance organizations. Software configuration, maintenance, and other environment issues have direct impact on software security.

  1. Penetration Testing (PT)
  2. Software Environment (SE)
  3. Configuration Management & Vulnerability Management (CMVM)

Example high-watermark comparison against data from all technology firms:

Example high-watermark comparison against data from all technology firms

Example equalizer diagram (horizontal view) of all activities observed during the benchmarking activity:

Example equalizer diagram (horizontal view) of all activities observed during the benchmarking activity

Example scorecard:

Example scorecard

Application Security Roadmap

NetSPI will gather data by interviewing key stakeholders of the Application Security Program and the SDLC to determine the appropriate actions for client to take from an application security perspective. Some key stakeholders that would be needed for the discussions and interviews would be (but aren’t limited to):

  • Software Security Group Leadership (e.g. CISO, Dir. Application Security, etc.)
  • Development Leadership (e.g. Dev. Manager, SVP of Engineering, etc.)
  • SDLC Owner (e.g. Head of PMO, Project Manager, etc.)
  • Legal / Governance and Compliance teams
  • Software Testing & QA

After meeting with the above key stakeholders, and determining the business goals and objectives of the client, NetSPI will put together a high level roadmap deliverable with recommended quarterly milestones over the duration of 8 quarters (2 years) for evolving and improving the application security program at the client. 

An example of a recommendation could look like the following:

GOVERNANCE
ENFORCE APPLICATION SECURITY POLICIES ON VENDORS

Vendors should be required to adhere to the same policies used internally and must submit evidence that their application security practices are in par with Fake Firm’s polices. Vendors may comprise of cloud providers, middleware providers, virtualization providers, container and orchestration providers, bespoke software creators, contractors, etc., and each may be held to different policy requirements. Evidence of their compliance could include results from code reviews or penetration tests, or from tests built directly into automation of infrastructure. Vendors might attest to the fact that they perform certain SSDL processes.

Fake firm needs to work with legal to create boilerplate SLA templates for all vendor contracts. Once the boilerplate has been approved, the vendor management team’s processes and documentations need to be updated to ensure that the SLA is included in all vendor contracts going forward.

August 2020Ongoing Activity
Level of EffortResources Needed/ImpactedBudget EstimateRecommended Tools
LowVendor Management Team$10,000 – $50,000N/A

Application Security Metrics

NetSPI will work with the client to develop AppSec Metrics that allows the client to measure and observe progress in their AppSec efforts over time. The following are the three phases that will be used for metrics development:

  1. Plan Definition
    • Identify most business appropriate measurements
    • Map to application security goals
    • Leverage benchmarking data
    • Define KPIs and KRIs
  2. Data Source & Automation
    • Determine appropriate data sources
    • Automate data collection from existing processes and tools
    • Monitor progress/improvements
  3. Contextualization
    • Create visualizations from raw data
    • Build business context around available data
    • Make informed, actionable and measurable business decisions.

Blockchain/Distributed Ledger Technology Services

Smart Contract Audit (SCA)

As the utilization of blockchain technologies increases, it is essential for an organization to identify and address the security issues that exist within smart contracts to prevent significant financial or reputational damages. During the Smart Contract engagement, NetSPI will evaluate the contract source code utilizing both static and dynamic techniques to identify security vulnerabilities and provide verified findings and actionable recommendations to assist in reducing risk and recommendations for implementing strong secure development practices.

Chain Specialization: Ethereum, Cosmos, NEAR, Solana, StarkNet, HyperLedger Fabric.

Assessment Approach

The following is an overview of the Smart Contract Audit service:

  • NetSPI will work with an organization or development team to define assessment requirements and goals, identify project use-case, identify areas of risk, and plan a timeline for all phases of the assessment. Additionally, NetSPI will work with the team to identify any key attack surface within the project.
  • Once access to the source code is provided, either through a public code repository or over a secure channel, NetSPI will perform a secure code review with a combination of open source, and proprietary tools against the contract’s source code in scope. 
  • Alongside this, NetSPI will perform a line-by-line deep-dive review of the in-scope codebase, highlighting any vulnerabilities or key areas of concern not detected with standard tooling. Examples include complex business logic attacks, financial manipulations (flashloan etc.), insecure development techniques, misuse of insecure low-level functions, and commonly exploited attack vectors (Re-Entrancy etc.).
  • NetSPI will perform exhaustive dynamic testing within a controlled test environment to accurately identify security vulnerabilities and potential financial manipulation vectors by directly interacting with the deployed contracts.

The Smart Contract Audit engagement findings and recommendations will be presented in a report that includes detailed descriptions of the identified vulnerabilities, including the location of each instance of the vulnerability (file path & line number), issue severity, remediation recommendations, as well as summary information that will provide insight to senior management on weaknesses in the projects business logic or code.

DLT Infrastructure Penetration Test

During the DLT Infrastructure Penetration Test, NetSPI will identify security issues on infrastructure supporting Client’s DLT/Blockchain environment spanning classical self-hosted, cloud and containerization-based deployments. NetSPI will provide actionable recommendations for improving Client‘s security posture.

Assessment Approach

The following is an overview of the DLT Infrastructure Penetration Test service:

  • NetSPI will work with an organization or development team to define assessment requirements and goals, identify project use-case, identify areas of risk, and plan a timeline for all phases of the assessment. Additionally, NetSPI will work with the team to identify any key attack surface within the project.
  • NetSPI will evaluate Client’s networks, systems, and deployments for known security vulnerabilities from the perspective of either an anonymous internet-facing user or privileged position within the network.
  • NetSPI will complete configuration reviews of relevant cloud hosted and containerized services from the perspective of an authenticated cloud platform user. 

During the testing, NetSPI will follow manual and automated processes that use commercial, open source, and proprietary software. NetSPI will be assessing both internal, external and publicly distributed services. 

The DLT Infrastructure Penetration Test findings and recommendations will be presented in a report that includes detailed descriptions of the identified vulnerabilities, including the location of each instance of the vulnerability, issue severity, remediation recommendations, as well as summary information that will provide insight to senior management on weaknesses in the projects business logic or code.

DLT Web Application Penetration Test (Web3)

During the DLT Web Application Penetration Test, NetSPI will evaluate Client‘s web applications for both classical Web2 security vulnerabilities and issues relating to the integration between the application and any on-chain components (Web3). NetSPI will provide actionable recommendations for improving the organization’s security posture.

Assessment Approach

The following is an overview of the DLT Web Application (Web3) service:

  • NetSPI will work with an organization or development team to define assessment requirements and goals, identify project use-case, identify areas of risk, and plan a timeline for all phases of the assessment. Additionally, NetSPI will work with the team to identify any key attack surface within the project.
  • NetSPI will evaluate Client‘s application for security vulnerabilities from the perspective of both an anonymous user (non-credentialed testing) and authenticated users (credentialed testing). During the testing, NetSPI will follow a manual deep-dive approach assisted with automated processes that focuses on identifying vulnerabilities and impacts specific to any on-chain attack surface exposed by the application. An outline of the test approach is as follows:
    • Unauthenticated Testing: NetSPI will conduct a comprehensive review of target systems and web applications targeting common and web3 specific attack vectors. This test includes the network and system layer supporting the application in addition to the application itself. When in approved by Client, NetSPI will conduct manual verification of exploitable and high severity vulnerabilities.
    • Authenticated Testing: The primary effort and greatest value of web application penetration testing comes during credentialed (authenticated) testing. This is when NetSPI applies business logic and sophisticated manual techniques to manipulate the application in undesired or unexpected ways: elevate user privilege, manipulate data, gain access to restricted functionality or data, etc. If multiple user types (e.g., user, power user, admin) exist, then NetSPI will perform testing for each type.

The DLT Web Application Penetration Test findings and recommendations will be presented in a report that includes detailed descriptions of the identified vulnerabilities, including the location of each instance of the vulnerability, issue severity, remediation recommendations, as well as summary information that will provide insight to senior management on weaknesses in the projects business logic or code.

Artificial Intelligence/Machine Learning

AI/ML Large Language Model Security Assessment

During the assessment, NetSPI follows a systematic approach to identify vulnerabilities and assess the security posture of the deployed model or interface to the model. This includes analyzing the model’s interactions, addressing concerns related to recent research, published papers, and emerging attack methodologies in both hardware and software domains. The assessment aims to ensure the overall safety of the model, its components, and their interactions with each other and the external environment.

NetSPI works closely with the client to gather information about the current model, training methodology (imported vs generated), data set, and security architecture. This helps determine an effective strategy for discovering shortcomings in the security posture of the deployed model or interface.

NetSPI employs a combination of manual and automated approaches using open-source, proprietary software, and internally developed research tools. The testing methodologies include:

  • Adversarial Robustness Toolbox: NetSPI leverages this popular toolkit to deploy tools and techniques aimed at directly attacking the model.
  • Node Activation Analysis: NetSPI examines node activations within hidden layers of the model to identify potential issues such as biases or vulnerabilities that may impact its behavior during adversarial attacks.
  • Imported Software and Dataset Analyses: The assessment includes a review of source code used in constructing the framework, guarding against domain squatting attacks, as well as analyzing potential issues with data sources.
  • Bias Detection and Attacks: NetSPI conducts comprehensive bias assessments using manual and automated processes to detect biases that may exist in the models and evaluate their impact on fairness and security.
  • Hardware Considerations: When applicable, NetSPI evaluates hardware components such as GPUs, CPUs, and accelerators to ensure they are properly configured, secured, and capable of handling computational demands securely.
  • Prompt Hijacking and Evasion: NetSPI inspects prompt generation processes to identify vulnerabilities related to prompt hijacking or evasion attacks.
  • Dataset Security, Extraction, Inference/Inversion: The assessment includes reviewing dataset security measures, testing defenses against extraction attacks, evaluating resilience against inference/inversion attacks, and identifying potential data leakage points.
  • AI/ML Model Best Practices: NetSPI identifies strengths and weaknesses in your environment and security program processes. Strategies for improvement are suggested based on potential business impact and likelihood of exploitation. Collaboration with your stakeholders ensures findings are aligned with program goals and compliance requirements.

This model assessment provides organizations with an in-depth evaluation of their machine learning models’ security posture against adversarial attacks. By identifying vulnerabilities and providing actionable recommendations for improvement, NetSPI helps clients enhance their overall security posture while ensuring reliable and trustworthy machine learning systems across various domains.

AI/ML Infrastructure Security Assessment

The AI/ML Infrastructure Security Assessment by NetSPI aims to evaluate the security of all infrastructure components involved in the deployment of machine learning models. This assessment takes a comprehensive and holistic approach, considering network security, cloud security, API security, and other relevant aspects to provide a thorough evaluation and actionable recommendations.

The following is an overview of the Infrastructure Security Assessment service:

  • Requirement Gathering and Scoping: NetSPI’s experts will collaborate closely with your team to understand your ML model deployment infrastructure, goals, and specific requirements. This information enables us to tailor the assessment to your unique needs and ensure a comprehensive evaluation.
  • Network Security Assessment: Our team will assess the security of your network infrastructure, including segmentation, configuration, logging mechanisms, deployment practices, and DevOps workflows. By examining these aspects, we identify potential vulnerabilities or weaknesses that could impact the overall security of ML model deployments.
  • API Security Assessment: NetSPI will thoroughly evaluate the security of APIs used in your ML model deployment infrastructure. This assessment includes assessing API integrations, ensuring proper API limits are in place, evaluating key storage mechanisms for APIs, and verifying secure communication channels. By focusing on API security, we help mitigate risks associated with unauthorized access or misuse of APIs.
  • Cloud Security Assessment: We will conduct a comprehensive evaluation of cloud security practices related to ML model deployments. Our experts will assess how your ML models are integrated into cloud platforms such as Azure, AWS, GCP, or others. This assessment ensures that best practice security policies are followed for cloud environments hosting ML models.
  • Additional Considerations: In addition to the above areas of focus, our assessment encompasses other relevant components that may impact the security of ML model deployments. These may include but are not limited to:
    • Data storage mechanisms and configurationsPrivilege escalation opportunities within container orchestrators (e.g., Kubernetes)Reviewing third-party components for potential security risks or vulnerabilitiesVerification of data encryption during transit and storage
    • Evaluation of incident response readiness and monitoring/logging systems implementation

After identifying strengths and weaknesses in your ML model deployment infrastructure and assessing your organization’s security program processes, NetSPI will provide strategies for improvement along with prioritized recommendations based on potential business impact and likelihood of exploitation or process failure. We also collaborate with stakeholders to analyze findings against program goals and compliance requirements.

In summary, this assessment takes a holistic approach to evaluate the robustness and defense-in-depth of all infrastructure supporting ML model deployments. By identifying vulnerabilities and providing actionable recommendations for improvement, we help enhance the overall security posture of your ML model infrastructure.

AI/ML Web Application Penetration Test

NetSPI’s AI/ML Web Application Penetration Test service is designed to assess the security, reliability, and efficiency of web applications that leverage large language models (LLMs) and other machine learning models. Our team of experts employs a holistic approach that combines traditional web application testing methodologies with specialized knowledge in AI/ML security concerns.

The following is an overview of the service methodology:

  • Requirement Gathering and Scoping: We collaborate closely with your organization to understand your LLM-integrated web applications, goals, and requirements. This information enables us to tailor the assessment to your specific needs, ensuring a comprehensive evaluation.
  • Unauthenticated Testing: Our team conducts comprehensive vulnerability scanning of your target applications and APIs, complemented by manual testing and verification of exploitable and high-severity vulnerabilities. This test encompasses the network, system layers, and application tier.
  • Authenticated Testing: We apply sophisticated manual testing techniques to manipulate the applications in undesired or unexpected ways, such as elevating user privilege, insecurely manipulating or exfiltrating data, and gaining unauthorized access to restricted or privileged functionality. If multiple user roles exist, we perform horizontal and vertical privilege escalation testing between each role. The testing primarily focuses on business logic vulnerabilities specific to LLM integration, as well as standard high-impact web application vulnerabilities listed in the OWASP Top Ten.
  • Source Code Assisted Testing: If available, we utilize application source code to guide testing and uncover risks that may not be apparent from closed-box testing alone. It’s important to note that this is not a substitute for a dedicated source code audit. We highly recommend conducting separate assessments for all source code and machine learning models.
  • API Assessment: In addition to user-facing components, NetSPI examines relevant APIs supporting the web application for non-obvious and novel vulnerabilities. This includes attacking API authentication mechanisms, identifying access control weaknesses, testing API server security configurations, analyzing exposed information for excessive data exposure, fuzzing API endpoints for injection vulnerabilities, identifying server-side request forgery (SSRF) issues, and testing rate limiting functionality.
  • Risk Assessment and Remediation Guidance: After identifying the strengths and weaknesses of your LLM-integrated web application development processes, our team suggests strategies for improvement and assigns priority to deficiencies based on potential business impact and likelihood of process failure or exploitation. We collaborate with your stakeholders to analyze notable findings against program goals and compliance requirements.

NetSPI’s AI/ML Web Application Penetration Test service aims to help organizations ensure the security, reliability, and efficiency of their web applications utilizing large language models (LLMs) and other machine learning models. By combining expertise in web application security with AI/ML security concerns, we provide valuable insights into vulnerabilities specific to LLM integration while adhering to industry best practices for securing web applications. Our goal is to foster trust in your LLM-driven solutions while safeguarding sensitive data from potential threats.