Security Assessment

Purpose

To uncover vulnerabilities that will allow an attacker to escalate their privileges in the network from an “assume breach” perspective. By uncovering potential vulnerabilities before a hacker manages to penetrate the network, the potential losses of a breach can be kept to a minimum.

Process

Most intrusions follow the same pattern: first, a user’s laptop is compromised. The attackers then escalate their privileges in the network until they have sufficient privileges to accomplish their goal, whether it is to encrypt the data with ransomware or steal classified information.

Our Security Assessment simulates the attacker’s behavior after an initial foothold is acquired. The intent is to build attack chains leading from a standard user to full domain compromise.

The assessment comprises the following phases:

  • Laptop analysis – as most intrusions are initiated with the compromise of a user, the standard laptop will be the first target for our analysis. The test will uncover the potential for local privilege escalation, credentials that allow lateral movement, and other issues. This phase is performed offline at Danish Cyber Defence and can be performed for either Windows or Mac images.
  • AD analysis – enterprise Active Directory installations are often complex and contain misconfigurations and unnecessarily privileged accounts that combine to allow attackers to traverse privilege boundaries. Part of the AD analysis involves AD-joined servers, as credential theft often occurs locally on these.
  • Reporting – the output of the analysis will be presented to relevant stakeholders in a two-hour session. The discovered vulnerabilities will be explained in the context of their relevance during an intrusion, allowing the client to prioritize which issues should be addressed first. Furthermore, a deep-dive workshop with the IT department can be delivered based on the results.

Requirements

A laptop configured for a standard user is delivered to Danish Cyber Defence. If possible, most data collection and analysis are performed via the VPN configured on the laptop. Alternatively, a few days on-site may be needed during the AD analysis phase.

We recommend

That a Security Assessment is performed once or twice a year, as enterprise networks evolve at a rapid pace, thereby potentially introducing vulnerabilities at any time.

Contact us

+45 7221 5100

[email protected]

Vester Farimagsgade 41, 1606 Copenhagen V

© 2020 Danish Cyber Defence A/S · Vester Farimagsgade 41 · 1606 Copenhagen V · CVR 38871064