Our customized threat modeling identifies vulnerabilities within your security posture that puts your most valuable organizational and client data — the crown jewels — at risk.
Our security audits and vulnerability assessments are based on industry standards and best practices to assess weaknesses in your cloud environment and network, as well as mobile and web-based apps.
Our sophisticated testing services delve into your network, smart devices and other systems to expose critical security deficiencies.
A penetration test is a proven and reliable method for discovering potentially disastrous risks within your organization.
Our consultants use the same tools and techniques that hackers use to break into your company, steal your data and wreak havoc inside your network, except we do it in a safe and controlled manner while remaining in constant communication with you! We ensure complete transparency every step of the way. A penetration test assesses the vulnerability of your network to outside infiltration by simulating real-world threats. The network penetration test can mimic hackers trying to break into your network or expose an internal risk such as a workstation infected by phishing, malware, or even a user gone rogue! The results provide you with more concrete data about your organization's risk potential so you can make sound decisions regarding risk management, system configuration, environmental design and user policies.
You keep hearing about companies being hacked and losing customer data, intellectual property or being held ransom by malware. Could it happen to you? Maybe you feel like nobody would bother hacking you, but what if they do? Could you have done more to prevent the breach? It's one thing to ask your internal IT team if you are secure, but it's another to hire trained experts to help them prove it.
Our process begins with a threat modeling session to determine where the highest likelihood for attacks might be within your network. That will also help establish your unique project goals. Do you want to emulate external hackers, rogue employees or a malware outbreak? This will help us determine if you need an external, internal, physical or hybrid penetration test. Then, we begin to attack the system in a few well-defined stages:
The first step, and perhaps the most important one, is Recon. We perform reconnaissance — much like a burglar casing a house — looking for anything that will help us establish a foothold into your system. We dig through publicly available information about your organization, network information, DNS records, web archives, certificate transparency logs, brute-force files and directories, and more, to form a plan of attack. We run these findings through an extensive suite of customized scripts to help us identify which network services you're running.
Now that we have additional information from our recon phase, we'll launch another round of threat modeling to adjust our plan of attack. It's not unusual to discover forgotten and abandoned systems that could still be fair-game for hackers. For example, we've encountered VPN servers in long-lost data centers still connected to an internal network, but missing critical security controls and patches! We incorporate all this obsolescence into the threat model to ensure a comprehensive attack plan.
This is where the testing gets intense. We combine the intelligence gathered during the recon phase with the attack plan devised from threat modeling and begin to attack the system using the same techniques as hackers would. We analyze every service on your network, looking for areas of potential weakness and update our attack plan accordingly.
Once weaknesses in your network are discovered, we use custom-developed and off-the-shelf exploit code to pivot deeper. This often provides access to areas never intended for public use, which leads to the discovery of additional vulnerabilities.
Our well-organized and proven methodology leaves no stone unturned and delivers the results that you need. Our consultants add creativity to their expertise when it comes to staging and chaining attacks to get into your system. Many of our consultants have experience building and managing IT systems at Fortune 500 organizations, so we know where to find the weakest links!
The following are some examples of how Fracture Labs' network penetration tests have detected serious threats.
Each client had a false sense of security that their systems were protected. Luckily we're the good guys, hired to serve as their adversarial allies to expose their weaknesses before an attack could compromise their sensitive organization and customer data.
We gained complete administrative control over an organization by exploiting weaknesses in internal network and workstation configurations.
We gained access to sensitive file shares and corporate data by exploiting unsecured paths into an organization.
We gained access to protected internal systems by hijacking corporate user accounts.
We've compromised key corporate systems and PCI-regulated zones to exfiltrate sensitive payment data by developing custom exploit code.
Check out our blog to get the latest infosec how-to articles, best practices and strategies written by our offensive security experts. Cyber crime isn't going anywhere, so stay informed and on top of it!
Are you wondering how to get started with embedded device security testing and what tools are needed for hardware hacking? Whether you are trying to reverse engineer and hack an embedded system or are looking to make modifications to an IoT device, part one of our Hardware Hacking Lab series will introduce you to some of the physical tools we rely on most to perform our smart device security assessments. Look for additional posts later that will walk through the hardware and software tools needed to get started.
The recent wave of WannaCry ransomware attacks has shed a lot of public light on the Windows SMB remote code execution vulnerability patched by MS17-010 and has fortunately resulted in organizations applying the security update to prevent further infections. While much of the focus has been on patching desktops and servers, it’s easy for many organizations to continue to neglect devices running the Windows Embedded 7 OS.
The level of knowledge sharing that takes place within infosec is amazing! Many security researchers take time to publish their scripts, tips, successes, and failures on Twitter for all to see, so as a security professional, it’s important to learn how to effectively use Twitter to hone your craft.
Red teamers can learn new tactics, techniques, and procedures (TTPs) by following other red teamers. Blue teamers can learn new detections or preventative controls published by other blue teamers.
You might not know how at-risk your security posture is until somebody breaks in . . . and the consequences of a break in could be big. Don't let small fractures in your security protocols lead to a breach. We'll act like a hacker and confirm where you're most vulnerable. As your adversarial allies, we'll work with you to proactively protect your assets. Schedule a consultation with our Principal Security Consultant to discuss your project goals today.
© 2020 FRACTURE LABS, LLC ALL RIGHTS RESERVED