Social engineering
During this social engineering engagement, it was possible to achieve persistent internal access, exfiltrate confidential and personal information, and compromise the internal segmented infrastructure.
Partners could outsource Tenendo tasks that require specific technical knowledge and are not directly related to PCI DSS audits, namely:
Penetration Testing. Our experienced engineers conduct application (Web/Mobile/API) penetration tests, infrastructure, segmentation, and network penetration tests of varying complexity.
Adversary Simulation (Red Team) engagements and social engineering. In addition to our experts’ vast portfolio of certifications (like OSCP, CRTE, or OSEP) and industry-accepted training, they have already proven themselves in a number of successful cases. In most real-world engagements, our experts have proven successful in defence evasion and in obtaining access to the customer’s infrastructure.
Security Code Review. Per our methodology, two specialists work on each project to complete the code review successfully: a penetration testing specialist and a software developer. Combining manual code audit with the best static code analysers gives excellent results.
Secure Coding and ITOps training. We have conducted private training for a wide range of customers, from software development teams to infrastructure support, networking, and DevOps. Our training programs may include analysis of the most interesting trends in tactics, techniques and procedures utilized by threat actors, guides on secure development for specific technology stacks, hardening and monitoring advice, or implementation of secure SDLC in software development processes.
Technical audit. The goal of the technical audit is to analyse the current environment architecture, obtain data on system performance using load testing of systems, and develop proposals for improving the system architecture, namely: performance, security, integrity, and fault tolerance.
Are you interested in a potential partnership? In the past, we have delivered numerous projects to customers working on their PCI DSS compliance, mostly medium and large financial institutions. We would love to see if we can work something out.
Do you have time in the next few days for a quick call to discuss this further?
The team created several hardware connect-back appliances and used them in PCI DSS segmentation testing.
This case is a very good example of why manual penetration tests are valuable – the team achieved compromise without administrator access to the application, without using any known exploits, and without discovering injection, deserialization, or other RCE flaws.