Vulnerability assessment

Even the most sophisticated IT or ICS/SCADA system, with carefully selected and implemented measures and controls can have security gaps, undetected vulnerabilities or unmanaged risks. Moreover, even these systems are susceptible to carelessness and lack of updates, resulting in weakening security during their operational life. Therefore, it is recommended to carry out regular and independent checks (penetration testing and vulnerability assessment) to assure the adequacy of controls and the protection provided by security measures.

Our professionals can provide these checks by

  • carrying out evaluation of IT infrastructure security controls (black-box testing);
  • performing security tests from the perspective of an authorized user (grey-box testing method); and
  • analyzing configuration of infrastructure components (white or crystal-box testing method).

Our black-box testing method focuses on gaining access and privileges without any prior knowledge or authorization on the system under investigation. The method contains external, web-based and internal vulnerability assessment, gaining access to the wireless and mobile communication networks, any other remote connections, and in some cases social engineering.

In case of grey-box testing, we only have limited knowledge on the affected system. This method helps us focusing our main efforts on those areas of the system that we know the most about and exploit the weaknesses or vulnerabilities. This method can enable the discovery of otherwise ”hard to find” gaps with reasonable probability.

The white or crystal-box approach is based on full knowledge and access to the system under investigation. Configuration analysis can provide a list of current asset configurations including mission-critical servers and security hardware and software, which can be compared to the required or recommended settings.

During the preparation phase, the scope, level, direction and the nature of the vulnerability assessment should be defined based on customer needs and governing requirements. The scope and level of the examination designates the systems, networks, infrastructure elements, applications, and processes involved. In addition, the examination does not only focus on a system component, but it is expanded also to the whole system and typically to its environment. The direction of the examination determines the direction of a possible attack (attack vector), that can be external (e.g., from the direction of the Internet, DMZ or external parties), or internal, initiated from wired or wireless networks, internal network segments and workstations.

As the result of the vulnerability analysis, the revealed, potentional risk factors, including residual risks, the detected flaws, errors and also informal level problems are summarized, and categorized based on their criticality level in a report document. The report also contains possible countermeasures, recommendations, and detailed description of the proposed corrective actions for the identified problems.

Our staff has assessed numerous systems, websites, mobile applications, IoT devices, smart meters and industrial control systems. We carry out our investigations based on international methodologies and standards tailored to the task, with a high degree of manuality. Mobile applications are tested in a native environment, while we test PLCs using a research testbed in the CrySyS Lab. We are using commercially available software (automatic vulnerability analysis), underground “hacker” tools and internally developed applications to carry out these security assessments.

Dissecting malware

Cyber security incidents might involve malware attacks and various different hacking techniques used in computer networks. Forensics evidence should be carefully collected, and to understand the big picture behind the attack and to uncover actionable intelligence, deep technical analysis of the collected data should be done.

Technical analysis might include reverse engineering of computer programs, e.g. malware samples. During this work, the goal is to understand the capabilities of the malware (attack methods, replication, remote access, goals, deception and hiding techniques, persistency, etc.), as based on this information, we can better understand the situation (who are the attacker?, what is their goal?, did they reach the goal?, how to get rid of the attackers, how to extend security measures to avoid future attacks, etc.).

Our team is capable to provide malware and forensics technical analysis services. As a demonstration of our capabilities, some malware related technical analysis documents created by our team is public (e.g., report on the Duqu malware, report on Skywiper (Flame), report on TeamSpy, and a comparison of Duqu 2.0 to Duqu).

Evaluating security posture

We have a firm belief in security by design. Security can only be achieved through well-designed systems, resources and processes.

Nowadays, companies use various security solutions to detect attacks like IDS, SIEM, log analysis tools, etc. Most of these systems are capable to be configured in details, detection rules, scenarios can be defined by the company to extend the default detection rules and techniques. We can provide services to review the settings of these systems. In addition, we can help to add new, innovative detection logic based on our experience and based on the latest news on the field of cyber security.

Our colleagues have deep experience with various cyber threats including targeted attacks (APTs). We also track the evaluation of the security landscape and learn new TTPs (tools, tactics, procedures) used by the attackers and of course we are constantly trying to be updated on the possible countermeasures and protection possibilities.