Penetration Testing

Full, Manual Exploitation Mirroring a Real-World Attack

Lares Penetration (Pen) Security Testing (image)Penetration testing (or Pen Testing), is an authorized, simulated attack on an organization’s electronic assets to determine the likelihood of compromise and the level of impact a successful attack would have on the organization.

Penetration Testing

Penetration Testing (pentesting), is conducted to confirm the valid attack vectors of your organization. This process goes beyond simply identifying and validating vulnerabilities to full manual exploitation, mirroring a real-world attack. The Lares® engineers will gain initial access, attempt to elevate privileges, execute lateral movement, and leverage the access to perform post-exploitation activities. During this process, advanced tools and custom utilities will be used to maintain availability of the servers while showing the true impact and risk to your organization. A comprehensive report of findings and resolutions will then be delivered. Collaboration on how to leverage this report to improve support and security within the company is the top concern.

Continuous Testing

Constant threats require a constant measure of security. Lares sets up a custom monitoring system for internal and external resources to identify any changes in the environment and assess them for vulnerabilities. When any change is identified, analysis from our team of expert testers is conducted. These vulnerabilities are mapped for resolution and reported to you within 24 hours of our identification. This constant testing model replaces unreliable bug-bounty programs with verified professional testers working continuously to find and validate risks before criminals do.

Insider Threats

With more than 80% of all attacks originating from inside a network, this type of an assessment takes in to account this reality. The definition of an insider threat is one of a malicious threat to your organization originating with people inside the organization—employees, former employees, contractors, vendors, suppliers, or business associates—who have inside information concerning your organization’s security practices, data, and computer systems. Lares will perform various activities from a standard internal position whether from an internal address or a standard corporate desktop or laptop. Our engineers will emulate a real-world insider threat and map out the true risk to your organization, as well as remediation and mitigation paths to improve the overall resistance to this common attack path.

OSINT Services

Open Source Intelligence Gathering (OSINT) is the foundation of all good testing exercises. What you know often dictates what you can do and how you can do it. Lares’s team members are trained in advanced intelligence collection, analysis, and exploitation techniques. We will become the adversary and work to identify all publicly accessible information posing a threat to the security of your organization. Following the collection and analysis phases, our consultants will prepare a detailed report containing our methodology, the information identified, why the information was targeted for collection, and a full analysis of the risk the information poses to your organization. Our reports also contain recommendations aimed at improving your organization’s security posture and techniques to help improve company—and employee—data-privacy practices.

Hardware

With more network devices shipping as embedded and IoT, you have less visibility into the security posture of these devices than traditional operating systems. Our hardware practice focuses on approaching hardware as part of an overall penetration test or Red Team engagement, and in most cases is built upon attack vectors or other identified areas of exploitation we are already discussing with you. The Lares team has been engaged by some clients to solely assess, analyze, deconstruct, reverse engineer, and decompile individual, specific devices for organizations.

The main focus areas of a hardware hacking engagement is as follows:

  • Reconnaissance and overall passive analysis of the devices and connected environment
  • Systems analysis and overall threat modeling
  • Firmware vulnerability analysis, modeling, and exploitation
  • Hardware vulnerability analysis, modeling, and exploitation

RF Spectrum

Lares provides advanced visibility and threat identification into the radio spectrum. Lares goes beyond industry-standard, radio-testing protocols such as WiFi, Bluetooth, and RFID by targeting the entire spectrum from 1 MHz to 6 GHz. This allows unprecedented insight into communications systems for common systems such as GPS, cellular communications, process control networks, computer peripherals, custom protocols, and more.

Vulnerability Research & Development

Lares’s vulnerability research and development team focuses on identifying previously undiscovered security flaws in a wide range of technologies. Our team has a wealth of knowledge and experience with the discovery and exploitation of vulnerabilities affecting closed-source applications, custom networking protocols, hardware devices, autonomous or smart vehicles, and physical-access security controls. This service can be custom tailored to satisfy your unique requirements.

Supply Chain Testing

Security programs are only as strong as their weakest link. Whether it is a new acquisition or a third-party provider, even the most advanced program will have weakness in the supply chain. Lares has created a unique service to replicate the connection and integration into your organization’s supply chain, in order to identify vulnerabilities in its exposure. Increased threat surfaces combined with non-inspected interdependence can create a blind spot only found after exploitation has happened. Lares helps identify these exposures and threats before loss can occur and helps maintain the integrity and security of your brand.

Where There is Unity, There is Victory

[Ubi concordia, ibi victoria]

– Publius Syrus

Contact Lares Consulting logo (image)

Continuous defensive improvement through adversarial simulation and collaboration.

©2019 Lares, LLC | All rights reserved.