Increasingly we are asked to do security testing that doesn't fit neatly into any of the traditional categories of work. These requests tend to come from mature clients who have already done years of penetration testing, or from start-ups doing something unusual.
We love these requests! They represent a challenge and an interesting piece of work that can really stretch our brains.
The following are examples of the kinds of work we get asked for.
Some organisations want to understand what happens when a real attacker goes after them. These organisations should consider a Red Teaming Exercise: a demonstration of the steps an attacker could take to gain access to the organisation and then take advantage of that access to reach a defined objective. These engagements are longer and much more subtle than a penetration test, and as a result really put both your technology and your cyber security capabilities through their paces.
When an organisation has adopted the "Assume Breached" mentality, how does it test its ability to detect such a breach? The answer is to create a controlled incident. Such testing allows the defensive team to understand what they can actually detect, and to identify how their response plans performed under realistic conditions.
When companies understand their general risks they often want to get a stronger level of assurance on key equipment or services. We get asked to help our clients dig deep into these core assets, how they are configured, what the code looks like, and how they are used by the administrators, developers, and users. Our approach tends to be a mix of code review, interview, penetration testing and configuration assessment but that depends on the job, and the system being tested.
Cyber Health Checks are designed to help management and non-technical stakeholders gather and analyse the relevant technical details to establish the organisation's overall cyber security stance. The service is based around interviewing staff members, screen sharing to see technical details, and vulnerability scanning.
Organisations that have done multiple penetration tests should consider having a build standard assessment completed against their key types of machine, such as the standard user desktop or the standard server build. A build standard assessment looks at the overall configuration of the machine and determines a number of factors, including how close the configuration is to industry-recognised technical standards and whether any unusual or ill-advised practices are in place that would otherwise go unnoticed.
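To make the build standard assessment concrete, here is an added example (not code from the original page or from any particular assessment tool) of the core comparison step: a harvested configuration snapshot is checked against a build standard, each deviation is reported with a severity, and any setting present on the host that the standard does not cover is flagged for review, since that is where unusual practices tend to hide. The baseline, the snapshot and the setting names are all hypothetical and constructed inline.

```python
"""Added example: compare a host's configuration snapshot against a build standard.

Everything here is constructed for illustration: the setting names, the baseline
values and the snapshot do not come from any real standard or real host.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: object   # value the build standard requires (None when not covered)
    actual: object     # value observed on the host
    severity: str      # "high", "medium", "low", or "review"
    note: str


# Hypothetical build standard: setting -> (required value, severity if it deviates).
BASELINE = {
    "ssh.PermitRootLogin": ("no", "high"),
    "ssh.PasswordAuthentication": ("no", "high"),
    "firewall.enabled": (True, "high"),
    "audit.enabled": (True, "medium"),
    "ntp.enabled": (True, "low"),
}

# Constructed snapshot of one server, as a configuration-harvesting step would produce it.
SNAPSHOT = {
    "ssh.PermitRootLogin": "yes",
    "ssh.PasswordAuthentication": "no",
    "firewall.enabled": True,
    "audit.enabled": False,
    "ntp.enabled": True,
    # Present on the host but not covered by the standard: exactly the kind of
    # practice that would otherwise go unnoticed.
    "sudo.nopasswd_users": ["deploy"],
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "review": 3}


def assess(snapshot, baseline):
    """Return findings for every deviation from the baseline, plus a 'review'
    finding for each setting the baseline says nothing about."""
    findings = []
    for setting, (expected, severity) in baseline.items():
        actual = snapshot.get(setting, "<missing>")
        if actual != expected:
            findings.append(Finding(setting, expected, actual, severity,
                                    "deviates from build standard"))
    for setting in sorted(set(snapshot) - set(baseline)):
        findings.append(Finding(setting, None, snapshot[setting], "review",
                                "not covered by build standard; confirm it is intended"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.setting))


def compliance_score(snapshot, baseline):
    """Percentage of baseline checks the host passes (review items are not counted)."""
    failed = sum(1 for f in assess(snapshot, baseline) if f.severity != "review")
    return round(100.0 * (len(baseline) - failed) / len(baseline), 1)


def report(snapshot, baseline):
    lines = [f"compliance: {compliance_score(snapshot, baseline)}%"]
    for f in assess(snapshot, baseline):
        lines.append(f"[{f.severity:6}] {f.setting}: expected={f.expected!r} "
                     f"actual={f.actual!r} ({f.note})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SNAPSHOT, BASELINE))
```

In a real engagement the snapshot would be harvested from the machine (configuration files, service state, local policy) and the baseline would be a recognised standard for that platform; the comparison logic stays the same, and the "review" bucket is where the interview and manual inspection work starts.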