External and Internal Penetration Testing
Challenge
Orro was engaged by a large financial institution for penetration testing services against their external and internal IT infrastructure. These services were required as part of their annual security assessment program.
The key components of this work included black-box testing of the Customer’s externally accessible services, with the objective of reaching the internal network. The internal network penetration testing was carried out with the provided login credentials of a low-privilege internal user, with the main objective of elevating privileges on the network to Domain Administrator and/or root user in the Customer’s core systems.
Solution
Orro identified and documented the technical vulnerabilities discovered in the external and internal infrastructure, and outlined the resulting risks to the customer posed by the following sample attack scenarios:
- A threat actor on the Internet, who:
  - Discovers vulnerabilities in externally facing hosts, services or applications, and then attempts to bypass authentication mechanisms and/or other restrictions deployed to block anonymous access to services, and thus to corporate and/or customers’ data;
  - Guesses or steals (e.g. via phishing) an authorised user’s login credentials for externally facing systems and then uses these credentials to obtain unauthorised access to corporate systems and customers’ data.
- A threat actor connected to the internal network, who:
  - Connects their device to the internal network, discovers vulnerabilities within internally accessible hosts, services or applications, and then attempts to exploit these to gain unauthorised access to corporate systems and customers’ data;
  - Guesses or steals (e.g. via phishing or internal network traffic sniffing) an authorised user’s login credentials for systems accessible to low-privilege user accounts, and then attempts to elevate their privileges to obtain higher-level access, including full administrative privileges (Domain Administrator and/or root user) to core systems.
- A malicious insider with an authorised low-privilege account, connected to the internal network, who:
  - Misuses their authorised low-level access to probe the internal systems for vulnerabilities that can be exploited to elevate their privileges and obtain higher-level access, including full administrative privileges (Domain Administrator and/or root user) to core systems.
Outcome
The resulting security assessment report provided the Customer with a prioritised list of recommended risk remediation actions that, once implemented, ensure that all relevant security controls deployed within the external and internal ICT networks are configured in an efficient manner to provide robust defence against threat actors targeting the Customer’s ICT systems.
Two reports (one for each testing phase listed above) were provided, including the identified findings and risk mitigation recommendations.
An onsite debrief and presentation to key stakeholders were also carried out, along with retesting of the ‘high risk’ issues reported.
The customer name has been withheld due to confidentiality. More information can be provided by contacting the Orro team directly.