
we45 - Infrastructure Penetration Testing with LeanBeast Case Study


© 2015, we45

we45 case files infrastructure security assessment

client profile

• Client’s Business Environment – Leading cloud-based email encryption product company based in Sunnyvale, CA
• Security Expertise – Client’s management team was led by security experts who were previously employed at Microsoft, Sun Microsystems and Stanford University
• Application Deployment Security Check – Client wanted to develop a specialized module that would identify bottlenecks in the deployment of their email encryption service in the network

pre-engagement scenario

• Client had leading security experts in the internal team
• Client, hosting infrastructure on Amazon AWS, wanted to validate infrastructure security across its cloud infrastructure
• Client required additional assurance on cloud infrastructure security
• Client was specifically concerned about the CMS (content management system) for the registration of encryption service

testing approach

Network Architecture Review and Threat Modeling
• Identifying key security risks to the enterprise infrastructure and prioritizing said risks
• Infrastructure security threat modeling using world-class methodologies
• Review of high and low level network diagrams

Vulnerability Assessment
• Performing reconnaissance and mapping against the infrastructure
• Identifying vulnerabilities in the scoped targets and related system components

Penetration and Post Exploitation
• Penetration of selected vulnerabilities in scoped targets
• Maintaining persistent access to exploited application for deeper analysis

Presentation and Reporting
• Delivering presentation to key management stakeholders
• Preparing and delivering comprehensive security testing reports
• Designing action plan for management review

threat modeling – the key to a successful test

• overview – we45’s security analysts identified the client’s business process / platform and penetration testing requirements. This is meant to identify key data security risks for information stored, processed and transmitted by the infrastructure and system components. These risks are meant to unlock the highest business value for the client.
• security profiles – we45’s security analysts then created security profiles for the key risks identified in the overview process. For instance, theft of customer data would be a key risk for a database. They also assigned a score to the risk severity.
• threat models – Based on the security profiles, the testing team identified various attack scenarios that were used to recreate the security profiles. This was done based on the STRIDE and DREAD methodologies by Microsoft.
• SCRUM – The threat models were used as an attack plan. we45 used a SCRUM model to prioritize and test the application for maximum efficiency and effectiveness.

threat modeling - STRIDE

• Spoofing: Masquerading
• Tampering: Unauthorized Modification
• Repudiation: Deny Knowledge
• Information Disclosure: Data Exposure/Leakage
• Denial-of-Service: Downtime / Service Denial
• Elevation of Privileges: Performing Privileged Actions

assessment and exploitation schema

Reconnaissance
• IP Discovery
• WHOIS Lookups
• BGP Scanning
• DNS Lookups
• Search Engine Querying
• IPS/WAF Identification
• Scanning and Profiling Information Disclosure

Mapping
• Port Scanning
• Banner Grabbing
• Linked Server Mapping
• Host Profiling
• OS and Version Detection
• SNMP Mapping and Scanning
• Web Services Enumeration
• Directory Bruteforcing
• Packet Captures and Analysis

Vulnerability Discovery
• Automated Vulnerability Scanning
• Fuzzing for multiple attack vectors
• Linked Server Vulnerabilities
• Identify insecure services and vendor supplied default passwords
• Identifying Web Flaws
• Identifying potential Denial of Service Vectors
• Cryptographic Attacks

Exploitation
• Custom Exploits – Apps
• Publicly Available Exploits
• Exploit Pivoting
• Web Services Exploits

Post Exploitation
• Clean-up (Post Exploit)
• Identifying Impact of Exploits

Reporting
• Vulnerability Management using Key Metrics
• Analysis and Reporting - Key Business Risks
• Multiple Recommendations/Solutions

we45’s – “leanbeast”

• we45’s “Hybrid-Automation” Vulnerability Management appliance was used to conduct this assessment for the client
• Lean-beast leveraged tools and custom scripts to launch specific attack vectors defined by the security profiles of the scope
• The appliance was tweaked to facilitate an assisted Penetration Testing exercise, thereby maximizing the advantages of manual and automated testing methods
• The “remote” mode of operation of the appliance enabled we45 to take advantage of production downtime slices to conduct the exercise
• Lean-beast is fully integrated with an automated vulnerability management and reporting engine (VME) that provided powerful analytics and integrated dashboards to the client stakeholders

leanbeast : operation model

a few major findings

• ElasticSearch server vulnerable to Remote Code Execution – thereby gaining access to the entire application server infrastructure of client
• Vulnerabilities in Linux Kernel exploited using Shellshock Vulnerability
• Gained access to their Secure FTP server using Authentication Flaws, gaining access to customer sensitive information
• Identified Remote File Inclusion in client’s CMS Platform and compromised the web server and DB server.

modus operandi

• Performed extensive reconnaissance on system components. Identified running services across TCP and UDP
• Discovered vulnerabilities through automated scanning and custom vulnerability discovery scripts
• Performed exploits using popular exploit frameworks and custom-developed exploits
• Performed pivot attacks – ability to access different hosts on the same network through a compromised host

analysis & reporting

• A detailed security testing report and custom client access on leanbeast’s VME was provided to the client at the end of the assessment
• The vulnerability findings were ranked based on severity of business impact and were referenced with industry metrics like CWE and CVE.
• The client team were provided with relevant and multiple remediation strategies per vulnerability
• The network and infrastructure teams were trained on core concepts of network security and “business as usual” security practices
• Executive Summary and Action Plan prepared for Management Action

• Detailed Report Ranked by Findings: Risk Ranking for Efficient Prioritization of Remediation Efforts
• Multiple Recommendations: Multiple recommendations for quicker remediation
• Industry Metrics and Action Plan: Citation of Standard Industry Metrics; Development of Executive Summary and Action Plans

success factors

• we45 was able to identify deep-seated authentication issues and platform issues that could have caused massive breaches of confidentiality for the client. These issues were considered Level 1 Security Issues for the client
• Through the lean-beast, we45 implemented a measurable, frequent and scalable vulnerability assessment framework for the client.
• we45 engaged with client’s security team to train them on infrastructure security requirements. This has enabled the client to independently manage certain aspects of their network infrastructure security

thank you