Advanced Penetration Testing with Social Engineering

In 2017 in the U.S., the head of the Institute of Information Security, Oleg V. Maltsev, met with his American forensic colleagues. The purpose of the round table with forensic experts in New York was to exchange schemes of countermeasures against various break-ins and intrusions in the USA and Europe over the past 10 years. The meeting resulted in an exhaustive classification of effective hacking techniques. The degree of effectiveness was determined by the speed of hacking and by the financial and reputational damage caused. This classification became the basis for effective protection developed by the experts of the Criminology Research Center. In 2017, the result of this research was presented to the expert community: the Information Security Institute’s service, Proactive Defense, which is advanced penetration testing with elements of social engineering. Since 2018, this product has been validated and applauded by various expert organizations. The analytical database contains more than 200 cases of test hacks in the U.S. and Europe.

The Institute’s method of advanced testing uses a comprehensive and realistic simulation of a real attack on an organization. By combining testing of social engineering tactics with traditional penetration testing methods, organizations can gain a better understanding of their vulnerabilities and take the necessary steps to protect themselves. 

Oleg Maltsev in a science raid in New York. 2017

As threats evolve, so do the methods used by attackers to gain unauthorized access to an organization’s systems. In recent years, Information Security Institute experts have observed a significant increase in the use of social engineering tactics by attackers to successfully bypass even the most robust technical defenses. This suggests a need for organizations to adopt new tools to combat emerging threats. The Institute offers a white-hat simulated threat product available to clients seeking to test their level of vulnerability. By combining social engineering with traditional penetration testing techniques, we can realistically simulate the most advanced types of attacks observed today. This allows us to provide organizations with a better understanding of their vulnerabilities, enabling them to take the necessary steps to protect themselves.

The Information Security Institute’s advanced penetration testing methodology includes the following elements:

1. Definition of the task: The first step in the penetration testing process is to clearly define the scope and objectives of the testing. Our experts consult with clients on the specific operating systems, networks, and applications that will be tested, as well as any specific vulnerabilities or attack scenarios that will be simulated.

2. External perimeter analysis: This phase involves identifying potentially vulnerable targets among key individuals, such as company employees and vendors. This phase also involves identifying any vulnerabilities in user access control and authentication systems.

3. Security perimeter analysis: This step involves identifying key elements of an organization’s internal network and infrastructure such as communication nodes, servers and other critical systems that could be targeted by attackers.

4. Attack design: In this phase, our testers use the information gathered in the previous phases to design a high-order information attack that mimics a realistic and advanced attack scenario. This test attack uses the most likely attack vector as identified in steps 2 and 3 above, and might include phishing emails, social engineering, and/or exploitation of technical vulnerabilities.

5. Starting the attack: Using the information and tactics gathered in the previous stages, testers will conduct a simulated attack in an attempt to gain unauthorized access to the system.

6. Gaining unauthorized access: Using social engineering techniques, testers will attempt to gain unauthorized access to target systems. This phase may include tactics such as phishing emails, pretexting, and other manipulation techniques, aiming at vulnerabilities identified in the previous steps.

7. Gaining access using technical means: In this phase, testers use technical means such as malware, exploit kits, and other hacking tools to attempt to gain access to target systems.

8. Fulfillment of the assigned task: If they are able to gain unauthorized access to the target systems, testers will attempt to use such access to obtain confidential information, disrupt system functionality, or perform other tasks defined in the original task statement.

9. Preparation of the final report: The final step in the penetration testing process is the preparation of a detailed test report. This report will include a description of the vulnerabilities identified, the methods used to exploit them, and recommendations for improving the organization’s information security protection.

Running an entire advanced penetration test takes our testers two to four weeks. The results of the test hack will provide valuable insights into the strengths and weaknesses of your organization’s information security protections.

The actual process may vary depending on the specific requirements of the client and the organization being tested. Testing is performed by experienced and certified experts in the field who are familiar with the latest methods and tools. The testing team consists of ethical hackers, information security experts, social engineering experts, network and infrastructure specialists, lawyers, and forensic experts. The team follows all laws and regulations of the country in which the testing will take place to ensure compliance and resolve possible legal issues.
