Code security audits are part of a set of security audits that evaluate the security level of one or more components of an information system. The review of the source code is a crucial step in identifying the implementations targeted by the analysis and assessing their compliance.
Synetis carries out so-called “Redteam” missions. This type of engagement simulates the point of view of an external, motivated attacker who wants to break into your organization’s network in order to carry out sabotage operations, steal strategic data, install ransomware or persistence software, etc. The Synetis methodology relies on three paths to access the organization’s IS: the computer path (logical intrusion), the cognitive path (social engineering) and the physical path (physical intrusion). These three paths can be used in parallel.
The Redteam approach aims to simulate realistic (non-destructive) attacks in order to test the security of a given perimeter in depth. This approach is efficient and allows advanced attack scenarios to be run (logical intrusion, social engineering, phishing, …).
The Redteam is focused on predefined trophies jointly defined by the auditors and the customer (access to the back office of an e-commerce site, exfiltration of a customer or CRM database, obtaining Domain Admin access, AD compromise, detecting the use of a ghost account, access to the mailbox of a VIP, access to an ERP, etc.). These contextualized trophies concretely illustrate real risks that can impact the customer. Obtaining them validates the customer’s visibility and exposure with respect to those risks.
As a result, a Redteam approach is not intended to be exhaustive in terms of security testing against assets (as opposed to a “classic pentest”); rather, it is oriented towards a global, tactical and efficient compromise, in order to get as close as possible to a real attack against those trophies.
One of the objectives is to define, for an organization, the impact of a real attack and the cost of the associated countermeasures.
- Logical intrusion tests: mainly remote, this approach aims to identify the external perimeter of the information system and to exploit potential vulnerabilities in order to obtain access to the organization’s internal network. There are three distinct phases:
  - Open source intelligence phase: gathering and analyzing information on the target organization in order to deduce a perimeter that will be validated and/or refined during the mission: physical sites, employees, partners, service providers, information leaks (internal reports, passwords, etc.), information system (public addressing plan).
  - Discovery phase of the external surface of the information system, aimed at mapping the infrastructure accessible from the Internet: exposed services, technologies used, security equipment, etc.
  - Offensive test phase on external services, aiming to penetrate the organization’s DMZ by compromising front-end servers, then pivoting to the internal network.
- Social engineering campaigns: this approach aims to exfiltrate authentication information or penetrate the organization’s internal network by using, for example, phishing techniques. There are three distinct phases:
  - Profiling phase, to identify a list of people to target for the phishing campaign and collect as much information as possible to develop relevant scenarios.
  - Scenario definition for the phishing campaign (e.g., sending an e-mail inviting the victim to visit a URL to enter his or her credentials or to download a malicious file containing a backdoor).
  - Running the campaign, e.g. sending the e-mails, collecting indicators (statistics on reception/reading of the e-mail and opening of the malicious link) and obtaining access (backdoor or credentials).
- Physical intrusion tests: this approach aims to obtain access to the organization’s internal network via a proximity approach that can go as far as physical intrusion into the organization’s premises (head office or subsidiary, for example):
  - Active reconnaissance phase: perimeter discovery of premises/employees, identification of surrounding wireless networks and offensive tests against them, trashcan searches, malicious USB keys left lying about, etc.
  - Physical intrusion and placement of an implant on the internal network in order to obtain remote access (Wi-Fi or 4G antenna).
  - Offensive tests on the internal network.