Our customized threat modeling identifies vulnerabilities within your security posture that put your most valuable organizational and client data — the crown jewels — at risk.
Our security audits and vulnerability assessments are based on industry standards and best practices to assess weaknesses in your cloud environment and network, as well as mobile and web-based apps.
Our sophisticated testing services delve into your network, smart devices and other systems to expose critical security deficiencies.
With threat modeling, in just three steps, you can identify your exposure before you engage in a penetration testing project.
A customized threat model will give you a clear picture of the risk posed by attacks against your system or product so you can make effective decisions about the appropriate level of security to incorporate. Threat modeling is an important component of scoping your security project.
An effective threat model is one that follows these three key steps:
Step 1: Identifies the crown jewels you need to protect
Step 2: Identifies what could go wrong, leaving your key assets unprotected
Step 3: Identifies potential risk vectors
If a security company isn't already performing threat modeling for you before you engage them, how do they know what to recommend to you? Often there's a great divide between your organization's goals and the security industry. You want to make sure the business runs smoothly, while security companies want to ensure your risk is as low as possible. How do you strike a balance between these two extremes? Or does your risk tolerance place you closer to one or the other? Threat modeling helps you settle these questions before you get started with penetration testing.
A threat modeling session is a collaborative brainstorming exercise with you and your team. An effective session will help ensure you and your security partners are on the same page and may uncover potential attacks you never would have considered!
We begin the process by sitting down with your team. We listen to you describe your organization and your project and ask questions to get to the root of what it is you’d like to protect — your crown jewels.
Once we've identified your crown jewels, we work with you to map out what could go wrong in protecting these assets. We take an honest look at the impact a breach could have on the confidentiality, integrity and availability of these assets to your business.
Now that we know what's important to you and what could go wrong, we turn to what our security consultants do best: we think like hackers and plan how we would actually attack your products or systems. We don't think in terms of the intended use of your products or systems — we think about how we could exploit them to help us get to the crown jewels.
This process can be very enlightening and will help you decide which level of security engineering and testing is appropriate for your project. The final deliverable is a mind map showing you exactly where we think you’re most at risk. We use this to help guide our testers during security assessments and penetration tests and map any issues we find back to the threat model. This allows your organization to prioritize which weaknesses to address first.
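One way to capture the three steps above and the final mapping of findings back to the model, as an added example in Python that is not Fracture Labs' own tooling; the assets, threats, vectors, scores and findings are constructed sample data, and the 1-5 impact and likelihood scales are an assumption:

```python
# Added example, not Fracture Labs' tooling: the three-step threat model as
# data, then the last step the page describes, mapping findings back to the
# model to decide what to fix first. All names and scores are constructed.

# Step 1: crown jewels, with business impact (1-5) per CIA property.
CROWN_JEWELS = {
    "customer_db": {"C": 5, "I": 4, "A": 3},
    "build_server": {"C": 3, "I": 5, "A": 2},
}

# Step 2: what could go wrong, as (asset, CIA properties violated).
THREATS = {
    "db_exfil": ("customer_db", {"C"}),
    "db_tamper": ("customer_db", {"I", "A"}),
    "build_poison": ("build_server", {"I"}),
}

# Step 3: risk vectors, each realizing some threats, with the consultant's
# estimated likelihood (1-5). This is the mind map in tabular form.
VECTORS = {
    "V1": {"desc": "SQL injection in customer portal",
           "threats": ["db_exfil", "db_tamper"], "likelihood": 4},
    "V2": {"desc": "Stale CI runner credentials",
           "threats": ["build_poison"], "likelihood": 2},
}

def threat_impact(threat_id):
    asset, props = THREATS[threat_id]
    return max(CROWN_JEWELS[asset][p] for p in props)

def vector_risk(vector_id):
    v = VECTORS[vector_id]
    return v["likelihood"] * max(threat_impact(t) for t in v["threats"])

def prioritize(findings):
    """findings: list of (title, vector_id). Findings that map to no vector
    get risk 0 and are flagged so the threat model itself can be updated."""
    ranked = []
    for title, vid in findings:
        mapped = vid in VECTORS
        ranked.append({"title": title, "vector": vid if mapped else "UNMAPPED",
                       "risk": vector_risk(vid) if mapped else 0})
    return sorted(ranked, key=lambda r: r["risk"], reverse=True)

if __name__ == "__main__":
    sample = [("Unused runner token in repo", "V2"),
              ("Error-based SQLi in /search", "V1"),
              ("Verbose 404 page", None)]
    for r in prioritize(sample):
        print(f"{r['risk']:>2}  {r['vector']:<8} {r['title']}")
```

An unmapped finding is worth as much attention as a high-risk one: it means the brainstorming session missed a vector and the model should be revised.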
Example threat model deliverable from Fracture Labs
Our background in engineering coupled with our expertise in hacking complex systems gives us unique insight into how your products or systems were built and where the weaknesses might be. Having been on the other end of security assessments for Fortune 500 companies in the past, our consultants know the importance of tailoring projects to meet your specific risk tolerance.
We do all this for free — before we even sign a contract — to make sure you are getting exactly the right level of testing for your risk tolerance levels!
We identified attack vectors and weaknesses in the proposed design for an aircraft network that otherwise would have made it to the final implementation. This was before any testing activities.
We cut the effort and budget for a proposed web application security assessment by 76% through an extensive pre-testing threat modeling session focused on potential attack vectors. The testing still revealed the severe issues we had predicted, but the limited funds could be shifted from testing to remediation with budget to spare!
Check out our blog to get the latest infosec how-to articles, best practices and strategies written by our offensive security experts. Cyber crime isn't going anywhere, so stay informed and on top of it!
Are you wondering how to get started with embedded device security testing and what tools are needed for hardware hacking? Whether you are trying to reverse engineer and hack an embedded system or are looking to make modifications to an IoT device, part one of our Hardware Hacking Lab series will introduce you to some of the physical tools we rely on most to perform our smart device security assessments. Look for additional posts later that will walk through the hardware and software tools needed to get started.
The recent wave of WannaCry ransomware attacks has shed a lot of public light on the Windows SMB remote code execution vulnerability patched by MS17-010 and has fortunately resulted in organizations applying the security update to prevent further infections. While much of the focus has been on patching desktops and servers, it’s easy for many organizations to continue to neglect devices running the Windows Embedded 7 OS.
The level of knowledge sharing that takes place within infosec is amazing! Many security researchers take time to publish their scripts, tips, successes, and failures on Twitter for all to see, so as a security professional, it’s important to learn how to effectively use Twitter to hone your craft.
Red teamers can learn new tactics, techniques, and procedures (TTPs) by following other red teamers. Blue teamers can learn new detections or preventative controls published by other blue teamers.
You might not know how at-risk your security posture is until somebody breaks in... and the consequences of a break-in could be big. Don't let small fractures in your security protocols lead to a breach. We'll act like a hacker and confirm where you're most vulnerable. As your adversarial allies, we'll work with you to proactively protect your assets. Schedule a consultation with our Principal Security Consultant to discuss your project goals today.
© 2020 FRACTURE LABS, LLC ALL RIGHTS RESERVED