Anitian’s Ring.Zero team uses this methodology for all our testing services. It is a variation on widely used methodologies, such as the OWASP methodology. Anitian adapts our approach for each service offering. when appropriate.
The steps in our methodology include four phases:
PHASE 1 – Reconnaissance: In this phase, we prepare for the testing.
- Scope Validation: Ensure that both parties know exactly what is being tested and when.
- Information Gathering: Our testers review the target assets and gather crucial information about their function, purpose, and usage. This may involve reviewing architecture diagrams or network data flows.
- Enumeration: Light scanning that may include system fingering printing, share enumeration, site spidering, and/or web application API schema validation.
- Research: Investigate any dimension of the target environment for possible attack vectors. Sometimes this involves searching hacking sites and “dark web” boards for the latest techniques, tactics, and vulnerabilities.
PHASE 2 – Scanning: In this phase we conduct a series of automated scans from our Ring.Zero testing platform.
- Vulnerability Identification: Automated scans using commercial and open-source scanning tools. This gives us a reliable baseline for analysis.
- Attack Planning: Based on the results of the vulnerability scans, we formulate an plan for executing the test. This is the “hypothesis” stage of our scientific methodology. Our people theorize the best possible ways to exploit the targets.
- Vulnerability Validation: Using automated tools, we validate key vulnerabilities or information exposure, to ensure our attack plan will work.
PHASE 3 – Testing: In this phase, the Ring.Zero team uses the vulnerability and reconnaissance data to run a series of manual exploit tests. This phase may iterate many times as the tester gains access to additional systems or applications.
- Exploit testing: We attempt to exploit vulnerabilities discovered and gain access to systems, data, or networks.
- Credential testing: If we obtain credentials, we test those on target systems to validate their rights and access levels.
- Infiltration: Once we are inside a protected system or application, we assess the level of access we have.
- Privilege Escalation: The tester attempts to gain additional access to other systems, applications, or data. This is also called pivoting.
- Exfiltraton: If we can gain access to sensitive data, we determine if that data can be removed from the environment.
PHASE 4 – Analysis: The final stage, the Ring.Zero team analyzes the results.
- Data Normalization: security testing generates a lot of disparate data. Using our exclusive Ring.Zero testing platform, we normalize all the data into a consistent format, to ensure every detail is considered.
- Risk Assessment: Using our exclusive RiskNow approach, our team analyzes the vulnerabilities in context to the threat they pose your business. This ensures our results focus on tangible, likely, and credible threats.
- Reporting: The final stage is to document our findings, recommendations, and insights. This is where Anitian’s Ring.Zero team departs significantly from your typical penetration testing firm. Our reports our concise, business-oriented briefings that focus you on the most serious issues your business faces. While we include complete technical details as an appendix, our reports are something a CIO or CEO could read, understand, and use to make data-driven, rational decisions.