Advanced Security Test
Open source intelligence
Phishing
Red teaming
Client device audit
Denial of service simulation
Physical assessments
OSINT analysis
OSINT (Open Source Intelligence) is a method of analyzing publicly available data and information to identify potential threats and vulnerabilities. We analyze publicly available information to give you a better understanding of your digital presence and how it is perceived by attackers. The result of the analysis is an initial assessment of your company’s public attack surface.
An OSINT analysis for IT security aims to map a company’s attack surface from information that is publicly available on the Internet. Social media profiles, forums, news sites and other public sources are examined, and targeted searches are made for freely accessible remote maintenance access and for outdated or unused resources such as web servers, mail servers or domains, in order to identify potential threats and vulnerabilities.
The procedure for an OSINT analysis consists of carefully collecting and evaluating publicly accessible information. SmartTECS Cyber Security has qualified personnel to ensure that all relevant information is collected during the analysis. Tools such as Maltego and Shodan are used to automate and accelerate data collection and analysis. These tools query publicly available databases and other information resources to collect relevant information that can then be evaluated.
In summary, an OSINT analysis has three main functions:
- Locating publicly available resources
- Finding relevant information outside the organization
- Processing the information found into a usable form
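One concrete instance of all three functions is the triage of certificate transparency (CT) data: every publicly trusted certificate issued for a company’s domains is logged, so CT logs reveal hostnames (including remote-access gateways and long-forgotten servers) that an attacker will find just as easily. The script below is an added example written for this page; it is not SmartTECS code and not part of Maltego or Shodan. SAMPLE_CRTSH_JSON is a constructed sample in the shape that https://crt.sh/?q=%25.example.com&output=json returns, RESOLVER is a constructed stand-in for DNS so that the script runs offline, and the keyword list in REMOTE_ACCESS is an assumption for illustration.

```python
"""Triage of certificate transparency data during an OSINT review.

Added example, not SmartTECS code. SAMPLE_CRTSH_JSON and RESOLVER are
constructed; for a live review replace them with a crt.sh download and
socket.gethostbyname().
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample: four certificate records as crt.sh would return them.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_after": "2026-01-15T00:00:00"},
    {"common_name": "*.example.com",
     "name_value": "*.example.com",
     "not_after": "2025-11-01T00:00:00"},
    {"common_name": "vpn.example.com",
     "name_value": "vpn.example.com\nRemote.Example.com",
     "not_after": "2022-03-01T00:00:00"},
    {"common_name": "old-mail.example.com",
     "name_value": "old-mail.example.com",
     "not_after": "2021-06-30T00:00:00"},
])

# Constructed stand-in for DNS: hostname -> address, or None for NXDOMAIN.
RESOLVER = {
    "www.example.com": "203.0.113.10",
    "example.com": "203.0.113.10",
    "vpn.example.com": "203.0.113.20",
    "remote.example.com": "203.0.113.20",
    "old-mail.example.com": None,
}

# Constructed assessment date; decides whether a certificate has expired.
ASSESSMENT_DATE = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Leftmost labels that commonly front remote-maintenance or admin access.
# The keyword list is an assumption for this example, not an exhaustive set.
REMOTE_ACCESS = re.compile(
    r"^(vpn|remote|rdp|citrix|owa|admin|gateway|portal|ssl)[\w-]*\.", re.I)


def normalize(name: str) -> str:
    """Lower-case a SAN entry and strip a leading wildcard label."""
    name = name.strip().lower()
    return name[2:] if name.startswith("*.") else name


def triage(raw_json: str, resolver: dict = RESOLVER,
           now: datetime = ASSESSMENT_DATE) -> dict:
    """Classify every hostname seen in CT logs for the follow-up review.

    live:          resolves today -> part of the public attack surface
    remote_access: live and named like a remote-access gateway
    stale_cert:    live, but the newest certificate seen for it has expired,
                   which often marks an unmaintained host
    unresolved:    in CT logs but no longer in DNS -> decommissioned, or an
                   internal name that leaked through a public certificate
    """
    latest_expiry = {}
    for record in json.loads(raw_json):
        expiry = datetime.fromisoformat(record["not_after"]).replace(tzinfo=timezone.utc)
        for entry in record["name_value"].split("\n"):
            host = normalize(entry)
            if host and (host not in latest_expiry or expiry > latest_expiry[host]):
                latest_expiry[host] = expiry

    result = {"live": [], "remote_access": [], "stale_cert": [], "unresolved": []}
    for host in sorted(latest_expiry):
        if resolver.get(host) is None:
            result["unresolved"].append(host)
            continue
        result["live"].append(host)
        if REMOTE_ACCESS.match(host):
            result["remote_access"].append(host)
        if latest_expiry[host] < now:
            result["stale_cert"].append(host)
    return result


if __name__ == "__main__":
    for category, hosts in triage(SAMPLE_CRTSH_JSON).items():
        print(f"{category:14s} {', '.join(hosts) or '-'}")
```

Each category maps to a follow-up action: live remote-access hosts get checked for exposed login pages and patch level, stale-certificate hosts are candidates for the "outdated and unused resources" finding, and unresolved names are worth a conversation with the client because they show what internal naming has leaked into public logs.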
The result of an OSINT analysis is a comprehensive picture of the digital presence and perception of your company on the Internet from an attacker’s perspective. Some of the benefits of an OSINT analysis are summarized below:
- Increasing IT security: By analyzing publicly available information, potential threats and vulnerabilities can be identified and addressed, thereby increasing IT security.
- Preventing reputational damage: An OSINT analysis can help to uncover confidential information that has been published on the Internet in an unprotected context before it is discovered by others and misused for negative purposes.
- Understanding attacker perceptions: Analyzing publicly available information can lead to a better understanding of how an organization is perceived by attackers, which is important for assessing and managing potential threats.
- Digital presence monitoring: An OSINT analysis can help monitor an organization’s digital presence to ensure that the company can respond to potential threats or changes in perception.
- Overview of the public attack surface: An OSINT analysis provides an initial assessment of an organization’s public attack surface, which is important for evaluating and managing potential threats.
Overall, an OSINT analysis helps to increase a company’s digital security and reputation and to identify and manage potential threats at an early stage.
Phishing
Phishing attacks are among the most common attack methods, whether the aim is to exfiltrate sensitive data and information from a company or to extort a ransom with ransomware after a successful compromise. The attacker’s approach is simple: an email or message is sent that appears to come from a trustworthy source, e.g. an internal system or an internal company campaign. According to the report on the state of IT security in Germany published by the Federal Office for Information Security (BSI), a successful ransomware attack often begins with a malicious spam or phishing email [1].
We test your systems and employees with simulated phishing attacks to check the effectiveness of your current defense measures and the awareness of your employees.
Our phishing simulation is simple, fast and reliable. We simulate a phishing attack and send an email to your employees that looks like it comes from a trustworthy source. You can set the focus of the simulation yourself, e.g. handling passwords or data protection.
After the simulation, you will receive a detailed report on how your employees reacted to the phishing attack. You will get an overview of how many of your employees were affected by the realistic deception and where your defense measures need to be improved.
The goal of a phishing awareness campaign is to increase awareness and understanding of phishing attacks among individuals within organizations. This is to create an in-depth understanding of how phishing works, the forms it can take and the impact it might have. The campaign aims to strengthen participants’ ability to recognize phishing attempts and respond appropriately to them in order to protect themselves and their organization from potential security breaches and data leaks.
A phishing campaign is carried out in the following sequential steps:
- Kickoff: In this initial phase, the goal of the campaign is defined. A comprehensive strategy is developed that determines which target groups should be addressed and which specific phishing threats are relevant. Important aspects such as budget, time frame, required resources and communication channels are also determined in this phase.
- Implementation: Once all the general conditions have been clarified, the campaign is carried out within the agreed period. All essential data is recorded.
- Documentation: At the end, the customer receives a comprehensive report. This reflects the awareness of the employees. In addition, customer-specific measures are suggested to increase security. Based on this information, the customer can determine the need for further awareness-raising measures.
- Consulting (optional): Further consulting can support the implementation of the measures and the elimination of the identified weaknesses. The next steps can also be discussed. If necessary, an additional campaign can be carried out in order to compare whether and in what form the awareness campaign has had an effect.
The goal of testing activities is generally to generate quantifiable metrics to evaluate employee awareness and the effectiveness of awareness training. These metrics enable an assessment of our customers’ resilience to actual phishing attacks and provide the basis for recommendations to increase employee vigilance and optimize training content.
As part of a phishing awareness campaign, the following data is collected:
- Number of people who opened phishing emails
- Number of people who clicked on the phishing link
- Number of people who entered data (e.g. user names and passwords)
Note: The evaluation is anonymous. The report contains no names or other data that could be used to identify individual employees.
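The three counts above form a funnel, and computing them correctly has two practical wrinkles: open tracking relies on an image pixel that many mail clients block, so a click must be counted as an open even when no open was recorded (otherwise the open rate is understated and the click-per-open ratio exceeds 100 %), and per-department breakdowns must not be so small that a figure points to one person. The script below is an added example written for this page, not SmartTECS code. SAMPLE_EVENTS is a constructed export from a hypothetical tracking back end; the event names sent/open/click/submit, the CSV columns and the group-size threshold of 5 are assumptions. Recipients appear only as pseudonymous IDs, and the report never contains them.

```python
"""Funnel metrics for a phishing simulation with anonymous reporting.

Added example, not SmartTECS code. The event export and its column and
event names are constructed assumptions.
"""
import csv
import io
from collections import defaultdict

STAGES = ("sent", "open", "click", "submit")   # ordered funnel stages
MIN_GROUP_SIZE = 5   # assumed: groups smaller than this are merged into "other"

# Constructed sample: 12 recipients in three departments. u05 clicked without a
# recorded open (tracking pixel blocked); u11 submitted without a recorded click.
SAMPLE_EVENTS = """\
timestamp,event,recipient,department
2024-05-02T09:00:00Z,sent,u01,finance
2024-05-02T09:00:00Z,sent,u02,finance
2024-05-02T09:00:00Z,sent,u03,finance
2024-05-02T09:00:00Z,sent,u04,finance
2024-05-02T09:00:00Z,sent,u05,finance
2024-05-02T09:00:00Z,sent,u06,finance
2024-05-02T09:00:00Z,sent,u07,it
2024-05-02T09:00:00Z,sent,u08,it
2024-05-02T09:00:00Z,sent,u09,it
2024-05-02T09:00:00Z,sent,u10,hr
2024-05-02T09:00:00Z,sent,u11,hr
2024-05-02T09:00:00Z,sent,u12,hr
2024-05-02T09:03:11Z,open,u01,finance
2024-05-02T09:03:40Z,open,u02,finance
2024-05-02T09:04:02Z,open,u03,finance
2024-05-02T09:05:19Z,open,u04,finance
2024-05-02T09:06:00Z,open,u07,it
2024-05-02T09:06:45Z,open,u10,hr
2024-05-02T09:07:12Z,open,u11,hr
2024-05-02T09:08:30Z,click,u01,finance
2024-05-02T09:09:05Z,click,u02,finance
2024-05-02T09:10:50Z,click,u05,finance
2024-05-02T09:12:00Z,submit,u01,finance
2024-05-02T09:13:20Z,submit,u11,hr
"""


def funnel(events_csv: str, min_group: int = MIN_GROUP_SIZE) -> dict:
    """Aggregate per-recipient events into cumulative funnel counts.

    A recipient is counted at every stage up to the furthest one reached, so a
    click counts as an open even when the pixel was blocked, and a submit
    counts as a click when the link was followed outside tracking.
    """
    furthest = {}      # recipient -> index of the furthest stage reached
    department = {}
    for row in csv.DictReader(io.StringIO(events_csv)):
        rid = row["recipient"]
        furthest[rid] = max(furthest.get(rid, -1), STAGES.index(row["event"]))
        department[rid] = row["department"]

    # Merge small departments so that no group can be narrowed down to individuals.
    size = defaultdict(int)
    for rid in furthest:
        size[department[rid]] += 1
    groups = defaultdict(list)
    for rid, reached in furthest.items():
        label = department[rid] if size[department[rid]] >= min_group else "other"
        groups[label].append(reached)

    def counts(reached_list: list) -> dict:
        sent = len(reached_list)
        row = {}
        for i, stage in enumerate(STAGES):
            n = sum(1 for r in reached_list if r >= i)
            row[stage] = n
            if i:   # rates are relative to the number of mails sent
                row[f"{stage}_rate"] = round(100 * n / sent, 1) if sent else 0.0
        return row

    return {
        "overall": counts(list(furthest.values())),
        "by_department": {name: counts(lst) for name, lst in sorted(groups.items())},
    }


if __name__ == "__main__":
    for scope, row in funnel(SAMPLE_EVENTS)["by_department"].items():
        print(scope, row)
```

With the sample, "it" and "hr" each have only three recipients and are reported together as "other"; the overall figures are 12 sent, 8 opened, 4 clicked and 2 submitted. The same aggregation is what a follow-up campaign is compared against, so the stage definitions and the group threshold should be fixed at kickoff and kept constant.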
In addition to the general objectives, it is possible, in consultation with the client, to individually define the specific test objectives and their prioritization in advance of the test execution and to adapt the investigation accordingly.
Red Teaming
Red teaming is a process in which realistic attacks are simulated using selected tactics, techniques and procedures. The Red Team pursues defined objectives within defined boundaries in order to confront the defenders (Blue Team) with a realistic attacker scenario.
The Red Team potentially has a wide range of means at its disposal to achieve its goals: covert attacks on the IT infrastructure are as much a part of the repertoire as social engineering, up to and including physical access to the customer’s premises.
Traditional security tests are primarily used to reduce the attack surface of systems with the aim of identifying and eliminating vulnerabilities. Penetration tests and security analyses therefore make an important contribution to minimizing the risk of successful IT attacks.
Nevertheless, attackers can still succeed in penetrating the IT infrastructure, for example by using zero-day exploits or manipulating employees through social engineering.
It is therefore essential to be able to identify attackers in your own network promptly and take appropriate measures to prevent serious damage to the organization. Red Teaming picks up on this point by supporting defenders in successfully implementing modern approaches such as Assume-Breach and Zero-Trust [2]. The simulation of targeted attack scenarios offers defenders the opportunity to actively train their actions in the event of an attack and not just prepare them in theory.
Incident response processes can be improved, as can the configuration of the individual security tools used to detect and defend against IT attacks.
The aim of a Red Team engagement is to strengthen an organization’s ability to detect realistic attacks on its network infrastructure and to initiate appropriate countermeasures in a timely manner.
The objectives are in particular:
- Measuring the effectiveness of the employees, processes and technologies that defend a network
- Training defenders by giving them insight into the approach of professional attackers
In contrast to other security tests, the focus of Red Teaming is not on identifying technical weaknesses. The focus is on training the defenders and improving their processes.
The implementation of a red team engagement by SmartTECS Cyber Security is based on the European framework TIBER-EU (Threat Intelligence-based Ethical Red Teaming) [3] and is divided into the following phases:
- Preparation
  - Conducting a preliminary discussion
  - Definition of responsibilities and contact persons
  - Definition of the scope and limits (rules of engagement)
  - Definition of the goals of the Red Team
- Test execution
  - Development of an attacker scenario based on public threat intelligence reports on current actors, tailored to the client organization
  - Execution of the attack simulation by the Red Team
- Final phase
  - Documentation of the actions carried out, observations and suggestions for improvement
  - Provision of a final report
  - Cleaning up of the systems
  - Conducting a final meeting
Analysis of a client device
The security analysis of client devices is carried out with the aim of examining the client system from the perspective of a potential attacker. The analysis focuses on identifying vulnerabilities and misconfigurations that could lead to unauthorized access or compromise system integrity. The analysis covers various types of client devices, including workstations, laptops and mobile devices used within an organization.
Client devices are often the first target of attackers as they can serve as entry points into an organization’s network. A vulnerability in a single device can give an attacker access to the entire network. It is therefore crucial to regularly check and improve the security of these devices.
The analysts at SmartTECS Cyber Security take the perspective of a potential attacker in order to identify vulnerabilities in client devices and develop concrete measures to eliminate them.
The security analysis of client devices aims to:
- identify existing weak points and misconfigurations of the devices,
- identify potential attack paths that could lead to unauthorized access or compromise of the devices,
- recommend suitable measures to safeguard the devices and
- determine the security level of the client devices at the time of analysis.
The specific objectives and scope of the analysis are defined in advance in consultation with the client.
Client devices are analyzed in four project phases:
- Kick-off: Definition of the analysis objectives and preparatory measures.
- Analysis: Technical examination of the devices, identification of weak points, documentation and evaluation of the results.
- Presentation: Presentation of the results, discussion and clarification of open questions.
- Consulting (optional): Support with the implementation of security measures.
The security analysis of client devices focuses on the following areas:
- Operating system: Checking the security configuration and the patch status.
- Network connections: Evaluation of the security of WLAN, Bluetooth, etc.
- User accounts: Checking access rights and password policies.
- Applications: Checking for security gaps in installed software applications and updates.
- Data encryption: Evaluation of the encryption of stored and transmitted data.
- Anti-malware software: Checking that the anti-malware software in use is effective and up to date.
- Physical security: Assessment of the possibility of theft or physical access to the device.
- Security guidelines: Verify compliance with company policies and best practices.
- Remote access: Checking the security of remote connections and VPNs.
- Device configuration: Evaluation of the security settings and standard configurations.
- Device management: Checking the security of MDM (Mobile Device Management) and remote wipe functions.
- Web browser: Checking the security settings and protection against phishing and malware attacks.
- Device authentication: Evaluation of the security of biometric identification methods or two-factor authentication.
Tools used during the analysis include, among others:
- Hashcat
- CrackMapExec
- Metasploit & Meterpreter
- GMER
- PsExec
- winPEAS
- Mimikatz
- ProcDump
- Nmap NSE scripts for SMB, RDP and NetBIOS
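Much of the "user accounts" and "device configuration" work above starts from the local security policy, which Windows exports in a plain INI-like file via `secedit /export /cfg secpol.inf`. The script below is an added example written for this page, not SmartTECS code and not one of the tools listed. SAMPLE_INF is a constructed excerpt in that export format (a real export is UTF-16LE, so open it with encoding="utf-16"); the BASELINE thresholds are illustrative values in the spirit of common hardening benchmarks and are an assumption to be replaced by the client’s own policy.

```python
"""Check an exported Windows local security policy against a hardening baseline.

Added example, not SmartTECS code. SAMPLE_INF is a constructed secedit export
from a hypothetical workstation; BASELINE thresholds are illustrative.
"""

SAMPLE_INF = r"""[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
EnableGuestAccount = 0
NewAdministratorName = "Administrator"
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_inf(text: str) -> dict:
    """Parse the INI-like secedit format into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value.strip('"')
    return sections


def reg_dword(sections: dict, path: str):
    """Value of a [Registry Values] entry written as '4,<dword>', else None."""
    raw = sections.get("Registry Values", {}).get(path)
    if raw is None:
        return None
    reg_type, _, value = raw.partition(",")
    return int(value) if reg_type == "4" else None


LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
POLICIES = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
LANMAN = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"

# (setting, section, key, accept, expected) -- illustrative thresholds
BASELINE = [
    ("MinimumPasswordLength", "System Access", "MinimumPasswordLength", lambda v: v >= 14, ">= 14"),
    ("PasswordComplexity", "System Access", "PasswordComplexity", lambda v: v == 1, "1 (enabled)"),
    ("PasswordHistorySize", "System Access", "PasswordHistorySize", lambda v: v >= 24, ">= 24"),
    ("MaximumPasswordAge", "System Access", "MaximumPasswordAge", lambda v: 1 <= v <= 365, "1..365"),
    ("LockoutBadCount", "System Access", "LockoutBadCount", lambda v: 1 <= v <= 10, "1..10 (0 disables lockout)"),
    ("ClearTextPassword", "System Access", "ClearTextPassword", lambda v: v == 0, "0"),
    ("EnableGuestAccount", "System Access", "EnableGuestAccount", lambda v: v == 0, "0"),
    ("LimitBlankPasswordUse", "Registry Values", LSA + r"\LimitBlankPasswordUse", lambda v: v == 1, "1"),
    ("NoLMHash", "Registry Values", LSA + r"\NoLMHash", lambda v: v == 1, "1"),
    ("EnableLUA", "Registry Values", POLICIES + r"\EnableLUA", lambda v: v == 1, "1 (UAC on)"),
    ("RequireSecuritySignature", "Registry Values", LANMAN + r"\RequireSecuritySignature", lambda v: v == 1, "1 (SMB signing)"),
]


def audit(inf_text: str) -> list:
    """Return one finding per baseline item that is missing or out of range."""
    sections = parse_inf(inf_text)
    findings = []
    for name, section, key, accept, expected in BASELINE:
        if section == "Registry Values":
            actual = reg_dword(sections, key)
        else:
            raw = sections.get(section, {}).get(key)
            actual = int(raw) if raw is not None and raw.lstrip("-").isdigit() else None
        if actual is None or not accept(actual):
            findings.append({"setting": name, "actual": "not set" if actual is None else actual,
                             "expected": expected})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INF):
        print(f"{f['setting']:26s} actual={f['actual']!s:8s} expected={f['expected']}")
```

On the sample the script reports four findings: the password length minimum of 7, a lockout threshold of 0 (lockout disabled, so online password guessing is unconstrained), UAC switched off and SMB server signing not required. A missing key is reported as well, since a policy that is simply not configured falls back to the Windows default rather than to the baseline.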
After completion of the analysis:
- Development of a plan to eliminate identified weaknesses.
- Conducting follow-up analyses to review the effectiveness of implemented measures.
- Regular checks and adjustments to the security strategy for client devices.
Denial of Service Simulation
DDoS (Distributed Denial of Service) load tests are a fundamental component in the security management of network infrastructures. They not only serve to evaluate resistance to overload attacks, but also enable a detailed analysis of system reactions under simulated extreme conditions. By mimicking different types of attacks in a controlled environment, organizations can test the effectiveness of their security measures, identify potential vulnerabilities and develop or optimize appropriate defensive strategies. The aim of these tests is to gain a comprehensive insight into the stability and resilience of the IT infrastructure under attack conditions in order to ensure high availability and security of critical services.
The aim of DDoS load testing is to verify the robustness and effectiveness of a network’s security measures and to ensure the availability of critical services even under attack conditions. Companies gain valuable insights into the behavior of their systems under attack conditions and can thus take targeted measures to improve their defense strategies in order to do
Performing DDoS load tests requires precise planning and execution:
- Planning phase: Definition of the objectives, selection of the systems to be tested and determination of the scope of the tests.
- Setting up a test environment: Establishing a controlled environment that replicates the production environment to create realistic test conditions without jeopardizing the actual network operation.
- Execution of the tests: Simulation of the defined attack scenarios with continuous monitoring of system reactions and performance indicators.
- Analysis and evaluation: Evaluation of the test results, identification of weaknesses and evaluation of the effectiveness of the existing defense mechanisms.
Performing DDoS load tests involves a carefully designed methodology that includes various scenarios and attack types to comprehensively assess a network’s defense capabilities, using our proprietary DDoS cloud infrastructure:
- HTTP GET flood: Floods the server with HTTP GET requests to test whether it can still serve legitimate requests under load.
- HTTP POST flood: Like the GET flood, but with HTTP POST requests, to test the resilience of applications that process user input (handling a POST is usually more expensive than serving static content).
- Thread bomb ("KILLER"): Opens a large number of concurrent connections from parallel threads to exhaust the target’s connection and worker-thread capacity.
- Cloudflare bypass (CFB): Tests whether the origin infrastructure behind Cloudflare can be reached and attacked directly, for example through an exposed origin address, so that the protection is bypassed.
- DDoS-Guard bypass: The corresponding test for DDoS-Guard and similar protection services.
- Slowloris: Keeps many connections to the server open for as long as possible by sending partial requests very slowly, tying up connection slots with minimal bandwidth.
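A load test is only useful if the monitoring on the defender’s side actually fires while it runs, so part of the preparation is agreeing on what "detected" means. The script below is an added example written for this page, not SmartTECS code and not part of the DDoS test infrastructure described above; it shows the per-client sliding-window rate check that a web-server log pipeline or edge rate limiter applies to GET and POST floods. The log lines are constructed in combined log format, and WINDOW and THRESHOLD are assumed values that a real deployment would tune to its normal traffic.

```python
"""Sliding-window request-rate detection for HTTP GET/POST flood tests.

Added example, not SmartTECS code. Log lines are constructed; WINDOW and
THRESHOLD are assumed values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(seconds=10)   # look-back window per client (assumed)
THRESHOLD = 30                   # requests per window that mark a flood (assumed)

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log() -> list:
    """Constructed traffic: one ordinary client, then one flooding client."""
    t0 = datetime(2024, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(6):     # ordinary client: six page views over a minute
        ts = (t0 + timedelta(seconds=10 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.5 - - [{ts}] "GET /page{i}.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"')
    for i in range(120):   # flooding client: 120 requests in six seconds, one URL
        ts = (t0 + timedelta(seconds=20, milliseconds=50 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.7 - - [{ts}] "GET /search?q=a HTTP/1.1" 200 5120 "-" "python-requests/2.31"')
    return lines


def detect_floods(lines, window: timedelta = WINDOW, threshold: int = THRESHOLD) -> dict:
    """Return {ip: details} for every client exceeding `threshold` requests
    inside any interval of length `window`. Lines must be in time order per
    client (as a server writes them); unparsable lines are skipped.
    """
    recent = defaultdict(deque)                   # ip -> timestamps inside the window
    paths = defaultdict(lambda: defaultdict(int))  # ip -> path -> request count
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        ip = m["ip"]
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:           # drop requests older than the window
            q.popleft()
        paths[ip][m["path"]] += 1
        if len(q) > threshold:
            info = flagged.setdefault(ip, {"first_flagged_at": ts.isoformat(), "peak_in_window": 0})
            info["peak_in_window"] = max(info["peak_in_window"], len(q))
            top = max(paths[ip], key=paths[ip].get)
            info["top_path"] = top
            # a flood usually hammers one URL; a share near 1.0 separates it from a crawler
            info["top_path_share"] = round(paths[ip][top] / sum(paths[ip].values()), 2)
    return flagged


if __name__ == "__main__":
    for ip, info in detect_floods(build_sample_log()).items():
        print(ip, info)
```

During a load test the detector output is compared against the agreed attack schedule: the flooding client must be flagged within the first seconds of each scenario, and the ordinary client must never be, or the threshold is wrong. For a POST flood the threshold is normally set lower than for GET, because each request costs the application more; a thread bomb or Slowloris is not visible in access logs at all (the requests never complete) and needs connection-level metrics instead.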
After completing the DDoS load tests, companies should take the following steps:
- Detailed analysis of the results: In-depth analysis of collected data to gain insights into performance bottlenecks, vulnerabilities and overall resistance to DDoS attacks.
- Optimization of the defense strategies: Adaptation and refinement of security measures based on the findings of the tests.
- Continuous monitoring and adaptation: Establishment of a process for the regular review and adaptation of security strategies in order to be able to react to the dynamic threat landscape.
Physical Assessments
Our experts carry out physical security assessments to test, evaluate and improve an organization’s physical security measures. The assessments simulate real-world threat scenarios to uncover vulnerabilities in the physical security infrastructure as well as human weaknesses: attackers look for the weakest link in the chain, and that link is not always digital.
Despite advanced IT security measures, physical security remains a critical aspect that is often overlooked. Physical security assessments are crucial to:
- Identify potential physical threats and vulnerabilities that could lead to unauthorized access or loss of sensitive information.
- Evaluate and improve the effectiveness of existing physical security measures.
- Test security protocols and evaluate the responsiveness of security personnel in realistic scenarios.
- Ensure compliance with legal and industry-specific security standards.
The main objective of our physical security assessments is to gain a comprehensive understanding of an organization’s physical security posture and provide practical recommendations for improvement. This includes:
- The assessment of strengths and weaknesses in the physical security infrastructure.
- Identifying gaps in physical access control and surveillance.
- The improvement of emergency and evacuation plans.
- Training and sensitization of security personnel and employees.
The performance of physical security assessments follows a structured process:
- Preparation: Definition of the objectives, scope and framework conditions of the assessment in close cooperation with the client.
- Reconnaissance: Collection of advance information about the customer’s physical environment and security measures.
- On-site assessment: Systematic review of access controls, surveillance systems, physical barriers and security protocols.
- Physical penetration tests: Simulation of unauthorized access attempts to test the effectiveness of the physical security measures.
- Reporting: Preparation of a detailed report with the assessment results, identified weaknesses and recommendations for improvement measures.
- Debriefing: Discussion of the results and recommendations with the client and planning of the next steps.
Our physical security assessments focus on key areas such as:
- Access control systems: Evaluating the effectiveness of key card, biometric and other access control mechanisms.
- Surveillance and alarms: Checking the functionality and coverage of surveillance cameras, motion detectors and alarm systems.
- Physical barriers: Analyzing the effectiveness of fences, gates, barriers and other physical obstacles.
- Security personnel: Assessment of the presence, training and responsiveness of security personnel.
- Emergency and evacuation plans: Checking the completeness and effectiveness of emergency preparations and evacuation plans.
After carrying out the physical security assessment, SmartTECS Cyber Security supports customers with:
- The prioritization and implementation of recommendations to improve physical security.
- The development and implementation of improved security protocols and procedures.
- Planning and conducting regular follow-up assessments to review progress and adapt to new threats.
Sources
[1] BSI: The State of IT Security in Germany in 2022, https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2022.pdf
[2] Microsoft: Zero Trust paradigm, https://www.microsoft.com/en-us/security/business/zero-trust
[3] ECB: TIBER-EU, European framework for threat intelligence-based ethical red teaming, https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/html/index.en.html