BrokenArrow penetration testing methodology has been developed for the purpose of identifying, assessing and evaluating potential threats to organizations more critical business assets. The objective of our Penetration Testing service offering is to provide clients with the necessary intelligence to make calculated decisions with regards to securing their business. These engagement also test the efficacy of existing security controls and are designed to to gain access to company systems to present the client with an actualized real life assessment in how effective they would fair against a motivated Threat Actor. These activities simulate the actions employed by threat actors and represent a real world simulation to a targeted attack.
Type of Tests
BrokenArrow employs three service offerings with regards to Penetration Testing
Network Penetration Test
Network Penetration Testing (NPT) is designed to simulate a threat actors’ actions on the client’s internal network. The objective of these types of tests are to identify potential weaknesses on the client network that could potentially provide a threat actor with an opportunity exploit potential weaknesses and disrupt business operations.
Through the identification of real-world threats against a client’s systems and networks, BrokenArrow can deliver value to the client through suggested remediations, controls and processed to protect client critical assets.
Web Application Penetration Test
BrokenArrow will test your web application regardless of how it is hosted — internally or in the cloud. Our testing methodology is a culmination manual and automated testing leveraging commercial, open source, and custom developed tooling to evaluate your web application from the perspective of anonymous and authenticated users. We test for the OWASP Top 10 and much more.
Our approach is very human driven and tool supported to ensure the highest quality deliverable.
Mobile Application Penetration Test
BrokenArrow will test your mobile application on Android and/or iOS for vulnerabilities. We manually test for security controls in four essential areas: file system, memory, network communications, and GUI. We test for the OWASP Top 10 and much more.
Anonymous Testing
- Non-credentialed user
- Application client binary
- Application server & web components
- Mobile device, network & server layers
- Automated scanners
- Manual verification
Authenticated Testing
- Credentialed users by type
- Automated & manual processes
- Elevate privileges
- Gain access to restricted functionality
- Manual verification
Methodology
- Intelligence Gathering — Conduct intelligence gathering and discovery operations against the client’s targets obtaining information about the target to establish documented attack profiles
- Threat Modeling — identifying vulnerabilities within the client’s infrastructure/application and mapping weaknesses based on their difficulty to exploit, but their potential impact to client’s risk.
- Vulnerability Analysis — documenting and analyzing vulnerabilities to develop the plan of attack.
- Action on Objectives — Exploiting identified vulnerability
- Reporting — Delivering, ranking, and prioritizing findings for the purpose of generating an actionable report, complete with evidence, for the project stakeholders.
Approaches
BrokenArrow employs three different approaches to the above tests to perform the desired action on objectives.
Whitebox
Whitebox testing is a completely Intelligence driven exercise, where the client provides BrokenArrow full access to source code, architecture documentation and so forth. During Whitebox testing BrokenArrow may perform static or dynamic code analysis, A/B systems testing, Vulnerability Scanning or client measured exploitation.
White-box penetration testing offers an inclusive assessment of system weaknesses the most economical in terms of identifying the largest risks to the client’s organization. The success criteria for a the Whitebox assessment is based on the openness of the client with BrokenArrow to ensure the greatest risks to the clients organization are identified and tested.
Graybox
Minimal company and network infrastructure information is provided to
During a Graybox assessment BrokenArrow examines a client specified target from a threat actor perspective but has predetermined levels of access and knowledge in the manner of a user with specified privileges. BrokenArrow will most often have some intelligence of network or applications inner workings, to potentially include application and/or infrastructure design and architecture documentation, as well as a testing account.
The intent of the Graybox approach is to gain efficiency in a more targeted and economical assessment of the client’s target. Leveraging client provided documentation, BrokenArrow is able to focus their efforts on the areas presenting the greatest risk and value to the customer.
Blackbox
BrokenArrow is positioned in the role of a threat actor, without any predetermined knowledge the client’s infrastructure or specific details with regards to target. As such, architecture diagrams or source code would not be provided and it is the responsibility of BrokenArrow to identify what they can or cannot assert from Open-Source Intelligence Systems, such as the public internet. This approach identifies the weaknesses in the client systems in a manner that would be exploitable by someone without privileged access and knowledge.
The objective of the Blackbox approach is to simulate the approach of the threat actor based on a set amount of time. Given that threat actors have an unlimited amount of time these assessments, although time-boxed, tend to take longer due to the intelligence gathering requirements necessary to be successful.
Deliverables
BrokenArrow presents a comprehensive report at the close of each engagement. All of BrokenArrow’s final deliverables can be customized based on client needs. Our standard reports often include:
- Executive summary,
- Detailed technical findings
- Recommendations
- A guided walk through of our action on objectives