
How infrastructure security is tested
The approach to testing depends on the goals of the information security department. There are five main areas.
Security analysis: identifying all risks that arise from using a specific piece of software or technology on the organization's internal or external perimeter. The analysis is often done as a “white box” assessment, with the application's source code available to the researchers.
Penetration testing: gaining access to the organization's internal network. The tester simulates the actions of a potential attacker and attacks the infrastructure from the external perimeter. The goal is to see how deep one can get.
This information is needed to design the architecture and effective deployment of intrusion detection systems, firewalls, domain policies, endpoint configurations and other solutions that ensure information security. Such tests can be scaled depending on the situation.
Cyber exercises (Red Teaming): the “reds” simulate the real tactics of cybercriminals as they would apply to a specific organization, while the specialists of the SOC (security operations center) and the Blue Team prevent the attacks.
Before the exercise, the customer sets specific goals for the red team: read the mail of one of the directors, get access to certain files or accounting operations, withdraw money, and so on. At an agreed frequency, the “reds” send the customer's representative a report with an hour-by-hour description of their actions. The client monitors the effectiveness of the blue team and, if necessary, adjusts the process.
The exercise does not necessarily end with a victory for the “reds”.
On the contrary: a victory for the “blues” is a wonderful result. I’ve been seeing it recently, and it’s really cool. You see that people are working well and constantly learning.
Sociotechnical testing, or classic phishing: you send messages inviting people to take part in a promotion and offering to register, download or click. The goal is to get the data.
A personalized link is placed in each document to identify the user who opens it. If there is a form for entering a username and password, you can see who came and what data they entered. In my practice, there were cases when the customer’s employees forwarded phishing emails to colleagues and expanded the coverage of my mailing list.
Based on the results of sociotechnical testing, you will understand which employees are poorly aware of information security. You don’t have to fire them; you need to work with them and prepare a training course for them.
Penetration by social engineering methods: we send a phishing message and use it to gain a foothold on the machine. We write an application that allows us to remotely control the workstation of the employee who opened the document.
My advice: to counter such attacks, read the message headers. The sender may be spoofed. Most likely, the attackers will rush you in the letter; they will play on fear. And you should not believe that you will be given a car, an apartment or even a “Snickers”. Use your work mail only for work matters; no contests and sweepstakes.
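The header check recommended above can be turned into a routine. The Python script below is an added example, not code from the original article: it parses a constructed sample message (all domains and addresses are placeholders) and flags a Return-Path or Reply-To domain that differs from the visible From domain, non-passing SPF/DKIM/DMARC verdicts recorded by the receiving server, and urgency wording in the subject.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (placeholder domains): the display name claims a director,
# but the envelope sender, Reply-To and authentication results disagree.
SAMPLE_RAW = b"""Return-Path: <bounce-7781@mailer.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Ivan Petrov (CEO)" <i.petrov@example.com>
Reply-To: <urgent-payments@example-corp.net>
Subject: URGENT: pay this invoice within 1 hour

Please process the attached invoice immediately, I am in a meeting.
"""

URGENCY_WORDS = ("urgent", "immediately", "within 1 hour", "account will be blocked")

def _domain(header_value):
    """Lower-cased domain of the first address in a header value, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def check_headers(raw):
    """Return human-readable findings for one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = _domain(msg["From"])
    # Envelope sender (Return-Path) or Reply-To pointing at a different domain
    # than the visible From address is the classic sign of a forged sender.
    for name in ("Return-Path", "Reply-To"):
        dom = _domain(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    # SPF/DKIM/DMARC verdicts recorded by the receiving mail server.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech}={m.group(1)}")
    # Pressure wording in the subject: attackers rush the reader and play on fear.
    subject = str(msg["Subject"] or "").lower()
    if any(w in subject for w in URGENCY_WORDS):
        findings.append("urgency wording in subject")
    return findings

if __name__ == "__main__":
    for finding in check_headers(SAMPLE_RAW):
        print("-", finding)
```

In a real mailbox the Authentication-Results header is added by your own mail server, so only trust the instance written by it; a sender can include a forged copy further down the header block.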