Infrastructure Penetration Testing

With multiple computer systems, devices, and users, your infrastructure has many points through which a malicious actor can gain entry and wreak havoc. Your company needs network security testing if you want to help ensure that your data and systems are secure.

Our infrastructure (or network) penetration testing gives you a head start by helping you plug gaps in your defences and ensure that your customer data, intellectual property, and financial information remain secure from both external and internal perspectives. Our certified ethical hackers are trained to help you turn your network into a virtual fortress.

Once our infrastructure penetration test has been completed, we will prepare a detailed report explaining what vulnerabilities we found, how they could be exploited, and what recommendations your organisation could follow to secure your business against attackers. We prepare these reports so that both technical and non-technical people can understand the implications and recommendations of our penetration tests.

The benefits of conducting an infrastructure penetration test include: 

  • Recommendations for preventing attackers from gaining entry into your network infrastructure;
  • Recommendations for mitigating deeper access and damage to the internal network;
  • Understanding of how to better compartmentalise your network;
  • Seeing how robust your current security measures are, which provides impetus to improve them.

Delivery Methods

We can provide penetration testing services for your website or application via several delivery methods. You can add penetration testing to your Testing Services Subscription, or you can request ad hoc testing if you don’t test very frequently. Find out more by clicking each ‘More Info’ button. If you find these options confusing, get in touch with us at info@spritecloud.com or via our contact page so we can help you figure out the best solution.

Remote Testing

Our software testers are very experienced at testing client applications remotely. The COVID-19 virus has forced a lot of organisations to work remotely, but fortunately our testers already have the skills to help remote teams. spriteCloud has been providing testing both remotely and on-site for over ten years. All of our software testing services can be executed remotely.

Ad Hoc Testing

Projects are fixed scope engagements of a predetermined time frame. In other words, we test only what you ask for. Projects can be delivered locally at your office alongside your team or carried out in a remote testing format from our headquarters in Amsterdam and other offices.

Contracting

Contracting is an engagement method where a tester is contracted to join your organisation to deliver the required testing on a (near-)full-time basis. Contract-based work is typically delivered locally but can also be delivered remotely.

Software Testing Subscription

Our Software Testing Subscription is a monthly recurring package (a Test Stack) made up of a custom mixture of our software testing services. Here you can decide the exact software testing services you want, how much testing you need, and how long you want the subscription. Our Software Testing Subscription allows you to create the best quality products for the best customer experience because it facilitates consistent and high quality testing.

Reported with Calliope Pro

All test results are delivered to you via Calliope Pro, our proprietary test results dashboard. Calliope was designed to make it easy to share, compare, and monitor test results with all stakeholders in one central location. Create a company, upload results, and collaborate more effectively.

Calliope was created for testers, by testers. Give it a try today.


Testing Approaches

We offer two approaches to infrastructure (or network) penetration testing: ‘black box’ external infrastructure testing and internal infrastructure testing. For internal testing we use an “assume breach” engagement perspective based on the MITRE ATT&CK framework. This perspective lets you examine security from the point of view of a system that has already been breached, so you can effectively address the gaps in your internal security practices.

External penetration testing

Exposures due to weak firewall configurations, flaws in application code, or patch issues can leave you open to attackers gaining entry to your system. An external infrastructure penetration test helps identify these possible points of entry, and provides an assessment as to how they can be secured. This ‘black box’ method of testing is meant to replicate how an attacker, with no knowledge of the system, would approach your infrastructure.

Testing Process

We use a methodology that consists of the following phases:

  1. Target identification and system mapping;
  2. Vulnerability analysis, where we scan the external perimeter for security exposures;
  3. Investigating the network security, and identifying any firewall misconfigurations;
  4. Service enumeration, and investigating each of them according to the following criteria:
    • Authentication and authorisation schemes;
    • Service-specific misconfigurations;
    • Information leakage;
    • Unauthorised access opportunities;
    • Unsupported or end-of-life software versions;
    • Missing security updates.
  5. Exploitation phase, where we investigate the possibility of obtaining access to your internal network using the vulnerabilities uncovered in the previous phases.

Internal penetration testing “assume breach”

An internal penetration test looks for security issues within your network. A compartmentalised network ensures that the threat from disgruntled employees, or from attackers who have gained access to your internal network, is mitigated. These internal network attacks can be extremely costly and disastrous for businesses and their reputations. Protecting yourself from internal threats (and limiting movement in a breached system) is therefore as important as protecting yourself from external threats. These engagements typically follow the ‘assume breach’ mindset and aim at plugging gaps in both your security and your blue team (SOC) detection capabilities. For that, we utilise the MITRE ATT&CK framework.

Please note that during an ‘assume breach’ engagement, the focus is on determining what an attacker can accomplish in a given time, not on finding as many vulnerabilities as possible. We aim to map the relevant systems, vulnerabilities, and misconfigurations that are most applicable for escalating an attacker’s privileges on the target network.

Testing Process

We use a methodology that consists of the following phases:

  1. Network access control (NAC) circumvention, if implemented;
  2. Obtaining a foothold within the target network;
  3. Local privilege escalation on the compromised systems;
  4. Lateral movement across the network using a combination of credential theft, security misconfigurations, and pivoting techniques;
  5. Network-wide privilege escalation;
  6. Data exfiltration.

Contact Us

For more information about how penetration testing can help you secure your applications and networks, contact us using the contact form below or call Baruch Annink at +31 20 615 9155.
