Vulnerability Assessment

NaviSec’s Vulnerability Assessment services provide several benefits to an organization’s security posture.  NaviSec believes the single biggest thing a company can do to assess it’s IT Security risk is to perform a vulnerability assessment.  A vulnerability assessment is a snapshot in time of the vulnerabilities that exist in a client’s environment.  Many high profile hacks, such as the Equifax breach, was the result of unpatched software and could have been prevented if the vulnerability was identified and patched before a remote attacker was able to exploit it.

• A vulnerability scan is conducted that identifies the unpatched or misconfigured network services that exist in an organization.

• NaviSec analyzes the results of the security scan and provides an executive report that easily identifies the biggest risks to the organization’s IT infrastructure.

• Our executive report exists to fix the underlying problem, not simply treat the symptom.

• Vulnerability Assessments are part of our comprehensive Vulnerability Management service that consists of 4 Vulnerability Assessments (quarterly) and an annual Penetration Test.

Sample Vulnerability Assessment

Download our sample Vulnerability Assessment and see for yourself how we make our reports easily digestible for any roles in your organization.  We also include a technical report that details all vulnerabilities discovered, hosts affected and resources to remediate identified issues.  View our sample report here.

What sets our Vulnerability Assessment services apart?

After seeing how other vendors conduct their vulnerability assessment, NaviSec wanted to take a different approach.  We noticed other vendors were running vulnerability scanning software and simply putting their logo on the report that was generated fully by the scanner software. NaviSec understands our clients are more than capable of learning how to run scans themselves.

Our value comes in interpreting the results, applying the result’s to the client’s risk in its industry and to its business operations, putting the results into a much easier digested report, assisting our clients with remediation and finally treating the underlying IT Security problems instead of only identifying single vulnerabilities and offering resources to fix each vulnerability.  This is evident in our sample Vulnerability Assessment included on our website.

Penetration Testing

NaviSec’s Penetration Testing services stand out from the crowd by delivering a wide surface area assessment with lots of depth unmatched by competitors. Lead by our Delta team, you’re in safe hands as our engineers set themselves apart in the industry by developing widely used tools, sharing knowledge through technical blog posts and publishing references that remain the go-to for many professionals.

NaviSec utilizes methods, TTPs (Tactics, Techniques and Procedures) that emulate real attackers as well as follow the Mitre Attack Framework and the PTES Standard.

A Penetration Test delivered by NaviSec is an adversary simulation engagement, consisting of different durations depending on the goal of the engagement.

Black Box Penetration Testing

NaviSec regularly performs entirely blackbox penetration tests, typically lasting anywhere from one week to two weeks (timeframe is subject to modification on a per engagement basis).

A black box penetration test from NaviSec begins with a full asset discovery reconnaissance stage, scope is then compared with supplied scope, enumeration is then performed on discovered and supplied assets to assess against publicly known vulnerabilities. Target company employees are also discovered and enumerated as part of a comprehensive OSINT (Open Source Intelligence) gathering campaign.

A key part of a black box penetration test is that NaviSec is provided with very little information about the infrastructure of your corporation and will attempt to discover as much as possible from external sources, no destructively, like an external attacker.

• Common techniques such as the following are regularly performed with a high level of efficacy:

• OSINT & Passive Information Gathering (What you can find without interacting with client assets – Public information gathering)

• Asset Discovery

• Customer Employee Enumeration & Reconnaissance

• Password Spraying

• Phishing Campaigns

• Spearphishing Campaigns (targeted social engineering)

• Full asset discovery and enumeration (eye-witness)

• Vulnerability Assessment (for large amounts of external assets)

• Active Directory auditing and testing

White Box Penetration Testing

A white box penetration test is where NaviSec will be provided with information about the infrastructure, disclosure of code samples, controls and an insiders-view of the infrastructure or application. The goal of a good white box penetration test is to review known controls and validate whether or not they have been implemented correctly.

Controls such as disabling LLMNR in an internal environment can be validated in a white box very quickly and if well documented and supplied, can be tested very quickly. A white box is a very efficient way to validate your network if you already have a very mature security program and you regularly find little on black box penetration testing.

Gray Box Penetration Tests

NaviSec also performs gray box penetration tests. Gray Box sits somewhere between Black and White box penetration tests, it’s a gray area.

Typically, a gray box will involve some level of assumed breach, perhaps a web application with multiple accounts with varying levels of access (to identify vulnerabilities such as IDOR’s and privilege escalation), assumed breach on an endpoint (manually & intentionally loaded payload).

Sample Penetration Test Report

Download our sample Penetration Test Report and see for yourself how we make our reports easily digestible for any roles in your organization.

View our sample report here.

Schedule your next penetration test with NaviSec

Like what you hear? Use the contact form below and get in touch! We believe in using a tailored approach to delivering penetration tests and assessments as no two tests are the same. At NaviSec, we understand that every organization has different needs and goals.

Red Team

NaviSec Red Team replicates the stealth of an attacker, silently moving system to system avoiding detection while executing malicious intent. There are several milestones of an effective Red Team engagement, beginning with mapping the controls of the blue team. Effective Red Teams understand the limitations of the blue team’s incident handling and response along with the operational defense workload. They are able to utilize weakness in endpoint detection systems, as well as understand how a security operations center (SOC) might view or a Security Information and Event Management (SIEM) might log their activity. After NaviSec Red Team understands the defense environment they are able to penetrate utilizing all ascertained information to remain undetected.

Once successfully penetrated, next steps a dependent on the primary objective; NaviSec Red team can maintain a persistent presence indefinitely once a blue team is alerted, allowing a simulated virtual cat and mouse exercise. NaviSec Red Team can attempt to remain undetected indefinitely while maintaining a foothold or dropping a malicious payload and waiting for an opportune time to strike or for blue team to discover the malicious entities and assets. NaviSec Red Team can access sensitive data and attempt to encrypt or to exfiltrate data without detection of operation defenses.

Other primary objectives include, NaviSec Red Team maliciously attempting to modify source code to interrupt business operations. Lastly, a common goal of a Red Team is to access financial assets and create fake accounts payable or simulate wire transfer of funds. All of the Red team activities are highly customizable to the organization’s targets and can be fully incorporated into a Purple Team exercise.

Purple Team

NaviSec Purple Team encapsulates all of the Red Team offerings with learning objectives and training along the way for an organization’s Blue Team. At NaviSec our Purple Team operations sharpen the abilities of both Blue Team and Red Team through continuous feedback and knowledge transfer. The overall goal is to improve organization security posture and educate both sides.

The Blue Team should understand attack types and prevention techniques and the Red Team should develop the ability to adapt to incident response and defensive controls. Red Team goals are clearly mapped out against Blue Team objectives

Red Team Goals

• Map security controls

• Penetrate

• Persist

• Remain undetected

• Access sensitive data

• Exfiltrate data

• Modify source code and/or Access financial assets/ Simulate Wire Transfer

Blue Team training goals

• Prevent

• Stop

• Slow

• Contain

• Detect

• Remediate

Each objective comes with its own unique learning applications.

Prevent: Blue Team Defenders work with Red Team Attackers to prevent the entirety of the attack or prevent specific goals of the Red Team.

Stop: Blue Team Defenders work with Red Team Attackers to understand each of the steps in the attack framework and how to stop the attack when happening and how to stop each individual goal of the Red Team.

Slow: Blue Team Defenders work with Red Team Attackers to slow the speed of execution of malicious events and thus the attackers by implementing effective defense roadblocks to sensitive data.