Our client, a rapidly growing retail company with online and brick-and-mortar stores, wanted to determine whether and how a motivated attacker could compromise its networks and systems. While the client had taken significant steps to reduce the risks associated with storing and processing credit card information and other sensitive data, the company’s leadership was concerned that the business was still vulnerable to attacks that could compromise or disable its systems. The client wanted to mimic a realistic attack on its networks and on specific high-value systems without disrupting business functions or alerting its operations team.
The assessment was structured so that Experis would rely entirely on open-source intelligence (OSINT) and physical surveillance of company facilities. The attack would be performed under the auspices of only a few of the client’s executives. The client’s operational team was intentionally kept unaware of test planning and activity throughout the engagement.
Experis’ highly skilled security professionals worked with the client to ensure that rules of engagement, specific target locations, proper safeguards, reporting, status, and decision protocols were established. The attack team then collected OSINT and conducted physical surveillance to determine viable attack scenarios to cover multiple attack surfaces. Our threat analysis revealed that the client might be most vulnerable to unauthorized physical entry and attacks on the external network perimeter.
Experis then selected several corporate locations and stores for the initial attacks. Initial plans called for Experis to compromise the corporate headquarters by electronically cloning badges, capturing the badge data either by planting a recording device near a reader or by bringing a portable reader close to someone wearing a badge. Both approaches were attempted at headquarters and at retail stores, but only the retail store attempts were successful. Experis next attacked the network perimeter and discovered several potentially exploitable weaknesses, including the VPN. Using online password guessing (brute force) against the browser-accessible email system and other analysis, Experis obtained a valid user’s credentials, logged in to the email system, and then accessed the internal network while posing as that user. Experis also exploited a weakness in the VPN configuration to gain network access.
After gaining internal network access, Experis queried the domain controller and enumerated systems, workstations, and password policies. After discovering that the compromised user had local administrator rights, the tester dumped the local Security Account Manager (SAM) password hashes stored on the user’s computer. The tester then used a “pass the hash” technique, which authenticates with the stolen NTLM hash itself and therefore works on any host that accepts the same account and password, to gain access to a server that stored a domain administrator account’s credentials in plain text.
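The two credential attacks in the account above, online password guessing against the webmail portal and pass-the-hash from the compromised workstation, both leave traces in Windows Security event logs that the client’s operations team could have caught. The following is an added example, not tooling from the engagement or from Experis, of the detection logic a practitioner would run over those events. It assumes events have already been parsed into dictionaries with the standard 4625 (failed logon) and 4624 (successful logon) field names; the sample events, IP addresses, hostnames and user names are constructed for the example.

```python
"""Detection logic for password spraying (4625) and pass-the-hash style NTLM
logons (4624). Added example; the event records below are constructed, not
real logs, and the field names mirror the Windows Security event schema."""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 15, 9, 0, 0)  # arbitrary reference time for the sample


def _t(minutes):
    return BASE + timedelta(minutes=minutes)


def _failed(minutes, user, ip):
    return {"EventID": 4625, "TimeCreated": _t(minutes),
            "TargetUserName": user, "IpAddress": ip}


def _success(minutes, user, ip, ws, auth, key_len, proc, logon_type=3):
    return {"EventID": 4624, "TimeCreated": _t(minutes), "TargetUserName": user,
            "IpAddress": ip, "WorkstationName": ws, "LogonType": logon_type,
            "AuthenticationPackageName": auth, "KeyLength": key_len,
            "LogonProcessName": proc}


# Constructed sample: one source sprays five accounts in four minutes, a second
# source merely mistypes one user's password twice, then a handful of logons.
SAMPLE_EVENTS = [
    _failed(0, "alice", "10.0.0.5"), _failed(1, "bob", "10.0.0.5"),
    _failed(2, "carol", "10.0.0.5"), _failed(3, "dave", "10.0.0.5"),
    _failed(4, "erin", "10.0.0.5"),
    _failed(0, "frank", "10.0.0.9"), _failed(2, "frank", "10.0.0.9"),
    # Classic pass-the-hash profile on the target: NTLM network logon, no
    # session key, NtLmSsp logon process (the field carries trailing spaces).
    _success(6, "jsmith", "10.0.0.5", "WS01", "NTLM", 0, "NtLmSsp "),
    _success(7, "alice", "10.0.0.12", "WS03", "Kerberos", 0, "Kerberos"),
    _success(8, "bob", "10.0.0.13", "WS04", "NTLM", 128, "NtLmSsp "),
    _success(9, "WS02$", "10.0.0.14", "WS02", "NTLM", 0, "NtLmSsp "),
]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return [(source_ip, [accounts])] for sources whose 4625 failures touch
    at least `min_accounts` distinct accounts inside any `window`. A spray
    uses one password against many accounts, so per-account lockout never
    fires; grouping by source instead of by account is what exposes it."""
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append((e["TimeCreated"], e["TargetUserName"].lower()))
    alerts = []
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):  # sliding window over sorted attempts
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            accounts = {u for _, u in attempts[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts.append((ip, sorted(accounts)))
                break  # one alert per source is enough
    return alerts


def detect_pass_the_hash(events):
    """Return [(source_ip, user, workstation)] for 4624 events matching the
    widely used pass-the-hash signature: logon type 3, NTLM, KeyLength 0,
    LogonProcessName NtLmSsp, excluding ANONYMOUS LOGON and machine accounts."""
    hits = []
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] != 3:
            continue
        if e["AuthenticationPackageName"] != "NTLM" or e["KeyLength"] != 0:
            continue
        if e["LogonProcessName"].strip() != "NtLmSsp":
            continue
        user = e["TargetUserName"]
        if user.upper() == "ANONYMOUS LOGON" or user.endswith("$"):
            continue
        hits.append((e["IpAddress"], user, e["WorkstationName"]))
    return hits


if __name__ == "__main__":
    print("spray:", detect_password_spray(SAMPLE_EVENTS))
    print("pass-the-hash:", detect_pass_the_hash(SAMPLE_EVENTS))
```

The spray rule keys on the source, not the account, because an attacker who stays below the lockout threshold per account is invisible to the account-centric view. The NTLM signature is deliberately broad and will also match legitimate NTLM logons from hosts that do not negotiate a session key, so in production it is tuned with the environment’s known NTLM sources and corroborated with the source host’s own events.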
The Experis tester then accessed several sensitive data stores and the video surveillance systems. Access to the cameras enabled the tester to time physical entry attempts to avoid detection by the client. The results indicated that the tester could easily have walked out with equipment or files and erased any video evidence of the entry. Overall, Experis gained physical and logical access to all targeted systems and networks while avoiding detection.
Visits to store locations revealed multiple weaknesses in physical security and overall network architecture.
Experis exposed significant weaknesses in the client’s internal and external network security by simulating a realistic attack by a malicious outsider that avoided detection by the client’s operational staff.
Experis prioritized the issues and provided recommendations to guide the client’s remediation efforts. Experis also identified several root causes, including:
- Inadequate account password policy, VPN access controls, and intrusion detection and management
- Insecure system administration and configurations
- Inconsistent physical security controls
- Immature security awareness
With these findings, the client was able to start addressing issues that could damage its business performance and reputation.