Red Team: Penetration Testing

Extensive Penetration Testing Services Delivered by Certified Professionals

Penetration Testing

CyberMaxx goes far beyond vulnerability scans. Our Offensive Security Team breaks into applications and networks.

The goal of penetration testing is to identify vulnerabilities in the system that an attacker could exploit and to evaluate the effectiveness of the organization’s security controls.

Our team members have discovered multiple public and private zero-day vulnerabilities affecting widely used products. Penetration testers use a variety of techniques to identify vulnerabilities, including manual testing, automated tools, and social engineering.

CyberMaxx engagement success is not measured by showing off Domain Admin screenshots but by leaving our fingerprint on customers’ environments by making them much harder to compromise. Repeat customers become more challenging to compromise with every test, and this is the truest measurement of value.

Regardless of the scope, CyberMaxx always assigns a senior penetration tester to the project and devotes personal attention to the organization’s environment.

Types of Penetration Testing

A complete range of penetration testing customized to your exact requirements.

Network Testing - External and Internal

External penetration tests are launched to find open services and vulnerabilities in the organization's internet-facing assets. Internal penetration tests are launched to find vulnerabilities that allow employees or internally connected parties to access unauthorized restricted information or networks.

Web Application Testing

An assessment that reviews an organization's web applications and the network behind them to ensure they are secure and cannot be reached through the host site. Open Web Application Security Project (OWASP) guidelines are followed during the web application vulnerability assessment.

Wireless Assessment

An on-premises assessment determines whether the wireless security settings are adequate to safeguard the organization's internal network and data. The assessment team attempts to gain access to available wireless networks with the goal of establishing access to the internal environment.

Mobile Application Testing

Proprietary hardware and mobile simulators are used to find vulnerabilities in iPhone and Android applications. Testing can be performed whether the application is already in production or is a pre-production release.

Social Engineering and Spear Phishing Testing

Social engineering tests include email campaigns based on past and current phishing attempts, launched against a specified list of employees in the organization. Spear phishing tests use reconnaissance to create a list of high-value targets in the organization and then use email phishing campaigns to obtain information.

Configuration Review

An audit of the operational on-prem or cloud environment, including key server, network, and security infrastructure, to ensure best practices are in place and that systems are running efficiently.

When to have a Penetration Test

  • Technology and/or business owners want to know what a group of talented, dedicated attackers can accomplish against their environment over a fixed period of time
  • Roll-out of new networks, applications, or technologies
  • A new CISO or IT executive wants to quickly learn the environment and related parties using a third party
  • Determine whether changes (new infrastructure, significant configuration changes, etc.) introduce vulnerabilities
  • Satisfy PCI, NYDFS, HIPAA, Singapore ABS, or other compliance requirements

CyberMaxx’s aim is to reduce corporate risk and adversary dwell time through proactive, relevant, and reliable security tools and services.


CyberMaxx Penetration Test includes:

  • Experienced Staff: Each assigned engineer typically has 20+ years of experience and thousands of penetration tests under their belt. These are passionate hacking professionals.
  • Full Arsenal of Tools & Resources: Efficient attack simulations depend on bleeding-edge tools, experience using those tools, and efficient use of resources. We look at code repositories, password dump databases, social media, and the dark web to gather intelligence about the target environment.
  • Manual Test Centric: Focus on manual testing and the gaps that automated tests overlook.
  • Remediation-Centric Support: CyberMaxx shines with strong support during and after testing, offering a retest up to six months after the initial report is delivered.
  • Schedule Commitment: CyberMaxx prides itself on maintaining schedule and managing customer expectations, including a dedicated Senior Engineer lead, Project Manager, and dedicated reporting resource for each project.
  • Good-Faith Reporting: Thoughtful, context-specific, tailored reports on true risks without filler (client-facing engagement attestation documents are included). The engagement team is skilled at addressing technical and executive audiences. Up to five versions of the report are included in all assessments.

Penetration Testing FAQs

Regarding pen tests, what is your opinion on how often a company should undergo them and what factors determine this?

Generally, organizations do an annual pentest when there is a major change to their environment.

The answer really depends on what’s motivating clients to do them.

Compliance/Regulatory requirements typically require an annual pen test.

PCI, at a certain volume of transactions, now requires bi-annual testing. Some clients, especially those who develop apps, look to align tests with product updates/releases, either with new versions or on a monthly or quarterly basis.

I know you mentioned that COVID has caused a decline in red team engagements, but if security has become even more essential during these times, why do you think companies would decrease spending there if it puts them at a higher risk?

Red Team engagements are done by companies because they actually care to test real threat actor operations, where activities are not limited to a specific scope/network/type of test but are goal oriented, i.e., can you get to something I’m protecting that’s valuable by whatever means: social engineering, physical, and network intrusions. Red Team engagements done correctly last longer and cost more than a penetration test. They are also not required by compliance standards the way pen tests are. Therefore Red Team engagements are more likely to be cut if the organization is struggling financially due to COVID.

Why is having too many certifications a bad thing?

Having certifications is not a bad thing, but in the context of Red Team, pen testing, web apps, and hacking in general, they do not provide assurance that someone is good at delivering those services.

It’s really common for folks in offsec to have a pile of certs but not be good at hacking, whereas the best-known hackers rarely (if ever) have certs because their skills alone earn them careers.

How do you harden your security without just purchasing better products?

The number one factor in having a secure environment is the configuration of the security product and managing change to maintain a secure configuration. Buying a product doesn’t automatically make the environment secure; its configuration does. In any functional category, a well-configured inferior product will perform better than a poorly configured “top-rated” product.

What would cause someone to want to undergo a purple team engagement as opposed to utilizing red or blue on their own?

  • They might not have the skill set to do so.
  • They want an expert opinion from a team that focuses on offense/defense.
  • Internal teams typically do many things without a focus on security or pen testing.
  • They want outsiders’ opinions without the background or influence of the group think internal teams may have. Outsiders may approach the engagement from angles that internal teams never thought of before.
  • They want to test true-outsider operations to simulate a real, motivated attacker who has no prior knowledge of the environment.
  • Some clients only have one of those teams (red or blue) internally, so they ask us to participate as the other half to form a purple team.

You mentioned companies are either good or bad when it comes to AWS or other cloud security. What would be questions to ask a CISO about cloud services that could lead to a question about pen testing clouds?

  • Do you have visibility into what data is stored in your cloud and who it’s shared with?
  • Are your Identity Management and permission processes well documented, tested, and monitored?
  • Have you had an external party test the security of your cloud environment?
  • It’s common for companies to have dozens, if not hundreds, of AWS accounts. What does centralized governance look like? Do you apply security individually to each of those, or is it applied centrally?
  • We see clients struggle with writing and managing IAM (identity and access management) in AWS. It’s tedious, complex, and hard to manage/audit. Have you solved this problem? How do you validate that the least privilege principle is applied to your IAM? It’s an area we excel in. We go after root problems and strategic improvements rather than just tactical changes.
  • Are your cloud environments entirely isolated from your other infrastructure (on-prem/data center)? We can run assumed-breach exercises where you put us on an AWS/Azure/Google VM and we try to pivot into the data center or offices.

Since we have engineers with deep knowledge in specific areas (e.g., web apps, AWS), how do we highlight their abilities in a conversation about AWS or Web App pen tests?

Speak with confidence, offer sample reports from real engagements and references, and point out that we find things other teams do not.

Our AWS lead presents at AWS’ massive annual conference, re:Invent, and is an authority on all things AWS. Get him on the phone with any customer and he will impress them. Offer an hour-long brainstorming session with him; his skill will sell itself.

What makes our reports so thorough, and how are they different from reports from other MSSPs?

For Red Team (not MSSP), we document technical details, provide ways to replicate findings, and suggest technical solutions to fix the issues discovered. We also provide a summary of the findings for non-technical folks and attestation reports for customers’ clients.

We tailor our executive summaries and consider their specific business/industry and try to put risks in context. We try to analyze the entire project and come up with strategic initiatives. Are there common problems that we can tackle? Is there an area they are stronger than others and what is the path to improve that?

We do not believe in flippantly throwing recommendations over the fence so that they become the client’s problem. We have production operations experience, so we try to make our recommendations practical and detailed. We work hand in hand with many clients resolving these issues in production, so we are familiar with the nuances and can help avoid potential issues. Our pen-testers are available to the client during the entire remediation process.

What is a CISO looking to get out of a pen test and what are you delivering to them? What would a perfectly executed Pen test look like?

A CISO is looking for assurance that the environment in the scope of a pen test cannot be used to break into their environment and subsequently expose the data they are protecting or disable their operating environment with ransomware.

Depending on the type of company and structure, they might translate security issues identified in Red Team engagements into operational risks. Identified risks then are analyzed for impact, the likelihood of occurrence, cost to remediate and cost if an event associated with a risk occurs and the decision is made on how to proceed.

This is an opinion and depends on the CISO’s motivation. I think a CISO’s perfect pen test is one that in their eyes was done thoroughly by experienced engineers who could not compromise the network. At the same time, a pen test can sometimes be used as a way of documenting problems to get the budget to fix them or make strategic changes.
Sample report – CipherTechs Sample Report – External, Internal & Phish Penetration Test.pdf

We see CISOs use us in different ways, but my favorite scenario is when they weaponize us. The CSO has an agenda and uses us as a tool to further their agenda (e.g. they want NAC, so they have us come in to own the internal network to highlight the point). Screenshots of the CEO’s inbox win the action. It is harder to turn down a project/budget when the pentest report shows the dire consequences of the vulnerability.

Our reports provide data to help set their priorities and objectives for the next 1-2 years. Most CISOs are sitting on risk management databases, and large quantities of known vulnerabilities within the company, but the pentest report helps them measure which issues can cause the most damage and should be prioritized.

The perfect pentest is one that demonstrates the practical risks of critical vulnerabilities, earns time/effort for remediation, and leads to those vulnerabilities being closed. When we walk away, we have left a mark on the network and the client is measurably more difficult to breach.

What does the relationship between our offensive security team and the client’s defensive security look like? How do you work together after the test?

Typically they do not interact. At times, client project sponsors want to use external offensive teams to test the ability of the defense to detect and respond. Collaboration may happen post-engagement as a purple team-type exercise to tighten up defensive capabilities.

Do vulnerabilities differ by industry? What are the weak points of specific industries?

“There are some differences between industry verticals. Some of it depends on regulations and some on the core business of the company.

Financial services and Healthcare are heavily regulated and typically have a well-defined program to manage important aspects of cyber security: configuration standards, testing, patching, identity management, etc.

Education clients tend to be much more open; often there are no well-defined programs or controls in place to manage the environment from a security perspective.

Clients with industrial systems, such as power plants or manufacturing, rely heavily on segmentation to protect the network systems that operate the industrial equipment. However, the systems within these environments tend not to be updated frequently, leaving them vulnerable.”

How many people are looking for Web App pen tests vs. Cloud vs. Mainframe vs. mobile vs. hardware?

Since January 2019 we have performed 218 engagements.

  • 44% – Web Application Assessments
  • 25% – External Penetration Tests
  • 11% – Internal Penetration Tests
  • 4% – Social Engineering
  • 16% – Other: wireless, standalone mobile, physical security, etc.

Red team engagements are rarer than pen tests, but who would be a good candidate for one? What are some indicators they might want one?

Someone who is interested in testing the scenario of a real-life, motivated third party targeting their organization. Pen tests test specific scopes (network, office, cloud) and attempt to identify all security issues within that scope. Even if successful, they typically stop at the perimeter without moving inside. They do not test users or physical locations, cloud services, or wireless.

A Red Team engagement is a goal-oriented engagement that doesn’t test everything; it just aims to find “a way in” and then move on. That way in could be network-based, social engineering, physical access, etc.

Those goals could be:

  • Can you get to the source code for the app we sell?
  • Can you hack into my financial system to move money?
  • Can you get to the PII data we store and process for our business?
  • If a low-privileged user’s computer got hacked, could that be used to gain access to other sensitive systems?

Indicators would be:

  • A client has something valuable they care about, such that their business would suffer greatly if it was taken/revealed/owned, etc.
  • Maturity: a client has a well-defined and executed cyber security program. Can you take it to the next level to see if it actually works well?

In your words, what is the differentiator and what is the value?

The CyberMaxx Offensive Security Team Difference:

  • A team of skilled and experienced hackers passionate about offensive security. Strict hiring requirements to maintain this identity.
  • We do not depend on vulnerability scanners. We start where vulnerability scanners stop.
  • Active exploitation. We compromise networks and applications.
  • Tailored reporting and thoughtful context. Specific executive summaries.
  • No “filler” reports. We report true risks and don’t include junk.
  • Relationship oriented. When a new high-risk vulnerability comes out, we contact customers from previous engagements to warn them.
  • We can talk to your board and to your graybeard. Skilled in addressing technical and executive audiences.

Client runs a pen test once a year and they are “good”. What are some of the questions you would ask to find more out about their process?

  • Does your environment change? Do you run tests after major changes?
  • Do you feel your pen test firm provides you with good findings that go beyond a scan?
  • Do they see what information is available about your org on the web (password dumps, git repositories, the “gray web”, etc.) that could aid a third party in a network intrusion?
  • Do you rotate your pen test vendors to get a fresh set of eyes? We commonly find things others missed.
  • Do you have web applications, and do those get tested?
  • Is there anything that lacks detail in the report?

What are some of the other services or products that a pen test can open up?

Active Directory and host hardening. AWS hardening. Office 365 (now Microsoft 365) hardening. Purple teaming to improve visibility/detections. EDR. WAF.

Do other pen testing companies run manual testing?

  • Good ones do. Bad ones run vulnerability scanners and show a report.

Would some companies qualify as too small to receive a pen test?

A small budget may be the only limiting factor. If an organization has sensitive data it wants to make sure is protected, or wants to make sure it would not be easy to hit with ransomware, it will benefit from a pentest. It would probably be a very short (2-3 day) engagement.