Methodology
1. Planning & Reconnaissance
Beetles kicks off the engagement with a “Planning and Reconnaissance” meeting. Together with your team we assess your environment and the technology stack in use, agree on the Rules of Engagement (what may be tested, how, and when) and define the Scope of the engagement (which hosts, networks and applications are in and out of bounds). We then establish a baseline by assessing what is publicly discoverable about the in-scope assets and identifying possible attack vectors for the engagement.
2. Discovery & Analysis
In the “Discovery and Analysis” stage, we use a hybrid approach of manual testing techniques and automated scanning tools to look for possible vulnerabilities in your environment. Based on the findings, we develop an action plan that prioritises the identified attack vectors, and begin active testing.
3. Exploitation & Verification
During “Exploitation and Verification” we apply our own “The Hacker’s Approach” and test your environment manually. Automated scanners produce a high rate of both false positives and false negatives; this is the stage where every scanner finding is vetted by hand and confirmed or discarded. We then exploit the confirmed vulnerabilities and chain them together, within the agreed Rules of Engagement, to demonstrate how far an attacker could go, up to full compromise of the target.
4. Reporting & Consultation
“Reporting and Consultation” is where we present our findings to you and your team and discuss the issues found, so that you can start implementing the recommended remediation steps in order of criticality. We also submit a draft report detailing our findings. Our penetration testers stay in regular contact with your remediation engineering team to make the process easier.
5. Implementation & Validation
In the last stage of the engagement, “Implementation and Validation”, once your team has implemented the remediations for the findings and right before we close out the engagement, we run a remediation-validation test cycle to confirm that the fixes have been implemented correctly and that the original exploitation paths no longer work. At the end of the cycle we provide a “Patch Verification Report”, complete with evidence that the reported vulnerabilities have been fixed.
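The Scope and Rules of Engagement agreed in the planning stage are what every later stage must respect: a scanner or tester that touches an asset outside the RoE is itself an incident. As an added example (not code from Beetles or this page), the following Python scope checker takes a constructed inclusion list and exclusion list in the shape such an RoE typically has (CIDR ranges, single IPs, exact hostnames, `*.` wildcard domains) and refuses any target that is not covered, with exclusions always winning over inclusions. The entry format, the `Scope` class and the sample RoE entries are assumptions made for this example.

```python
"""Rules-of-Engagement scope check: refuse to test any target the RoE does not cover.

Added example; entry format and class names are assumptions, not an existing tool.
Supported entries: CIDR ("10.10.0.0/16"), single IP ("203.0.113.10"),
exact hostname ("vpn.example") and wildcard domain ("*.corp.example").
A wildcard matches subdomains only, not the apex name itself.
"""
import ipaddress


class Scope:
    """In-scope assets from the RoE; anything on the exclusion list is always refused."""

    def __init__(self, include, exclude=()):
        self.networks, self.hosts, self.domains = self._parse(include)
        self.ex_networks, self.ex_hosts, self.ex_domains = self._parse(exclude)

    @staticmethod
    def _parse(entries):
        networks, hosts, domains = [], set(), set()
        for raw in entries:
            entry = raw.strip().lower().rstrip(".")
            if not entry:
                continue
            try:
                # Accepts both CIDR ranges and single addresses (a /32 or /128).
                networks.append(ipaddress.ip_network(entry, strict=False))
                continue
            except ValueError:
                pass
            if entry.startswith("*."):
                domains.add(entry[2:])   # wildcard: any subdomain of this suffix
            else:
                hosts.add(entry)         # exact hostname only
        return networks, hosts, domains

    @staticmethod
    def _matches(target, networks, hosts, domains):
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            ip = None
        if ip is not None:
            return any(ip in net for net in networks)
        return target in hosts or any(target.endswith("." + d) for d in domains)

    def check(self, target):
        """Return (allowed, reason). Exclusions are evaluated before inclusions."""
        t = target.strip().lower().rstrip(".")
        if self._matches(t, self.ex_networks, self.ex_hosts, self.ex_domains):
            return False, "explicitly excluded by RoE"
        if self._matches(t, self.networks, self.hosts, self.domains):
            return True, "in scope"
        return False, "not listed in RoE"


def filter_targets(scope, targets):
    """Split a candidate target list into (allowed, rejected) where rejected carries the reason."""
    allowed, rejected = [], []
    for target in targets:
        ok, reason = scope.check(target)
        (allowed if ok else rejected).append(target if ok else (target, reason))
    return allowed, rejected


# Constructed sample RoE for the example (not a real customer's scope).
SAMPLE_SCOPE = Scope(
    include=["10.10.0.0/16", "*.corp.example", "vpn.example", "203.0.113.10"],
    exclude=["10.10.5.0/24", "hr.corp.example", "*.hr.corp.example"],
)

if __name__ == "__main__":
    candidates = ["10.10.1.20", "10.10.5.3", "api.corp.example",
                  "payroll.hr.corp.example", "VPN.example.", "203.0.113.11"]
    ok, bad = filter_targets(SAMPLE_SCOPE, candidates)
    print("testable:", ok)
    for target, reason in bad:
        print("refused:", target, "->", reason)
```

Run the check against every host or URL before it is handed to a scanner or a tester, and log refusals: the refusals are exactly the list a practitioner reviews with the client when the scope turns out to be wider or narrower than the RoE text suggested.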
Throughout the five stages, our aim is to give your team the confidence that they are shipping secure code effectively and in line with industry best practice. It is also important to treat a pentest as an ongoing process rather than a one-off event: the systems change, and so do the attacks.
The last phase of one testing cycle should feed directly into the preparation for the next pentest, whether that is a week, a month or a year away.