Our ethical hacking services
-
Infrastructure testing
Assessment of the software and networks that enable custom business applications and everyday data processing
-
Application testing
Assessment of all the solutions that handle the client's business needs from public web applications to internally used thick clients
-
Consulting and training
Serving our clients before and after security assessments by complementing the expertise of developers and system administrators
Infrastructure testing
-
External and internal network vulnerability testing
During external and internal network vulnerability tests, our experts assess which publicly known vulnerabilities or misconfigurations affect the remotely accessible services of an endpoint (IP, hostname). The goal is to discover the security problems affecting the services available on the selected infrastructure elements. Tests are carried out using a black-box approach and include the assessment of discovered web applications without user access. During infrastructure testing, the experts also elevate the level of privilege, if possible, given the vulnerabilities discovered.
Before testing can begin, it is necessary to provide the target IP addresses and/or hostnames.
The results of the assessment give the customer an idea of the patch level of the systems within the scope of the assessment, possible incorrect system operation practices, and even vulnerabilities affecting individual services.
-
Network scan
During network tests, our experts focus on enumerating the security vulnerabilities of active devices and network communications. The assessment of active devices can be seen as a kind of infrastructure test. Network communication testing reveals the implementation and design weaknesses of the network protocols used. The assessment may also include checking reachability (separation) between network zones. In this case, the experts identify misconfigurations either with technical solutions or based on the firewall configuration. If the customer does not have a register that contains the expected firewall rules, the experts identify misconfigured entries based on best practices. During network tests, it is also recommended to check whether the network access control solution in use (e.g., 802.1X, NAC) could be bypassed.
Before testing can begin, it is necessary to provide the IP addresses of the active devices and the expected and configured firewall rules.
The test results provide up-to-date information about the security issues of active network devices and the protocols used on the network, and help identify outdated technologies and redundant settings.
-
Red Team exercise
During Red Team exercises, the experts of Silent Signal simulate real attack methods to demonstrate realistic business impact. During the exercise, usually every part of the Client's organization - from employees to critical technological systems - can be targeted to simulate attacks as realistically as possible.
The purpose of the Red Team exercises is not to enumerate specific vulnerabilities but to train the Client's defense capabilities and identify issues in related technology, expertise, and processes. For this reason, we recommend this service primarily to those of our customers who want to assess the effectiveness of their organization's "immune system" from incident detection through response to the recovery phase.
Before and during the exercises, Silent Signal works closely with the Client's experts to identify realistic threat profiles, secure project execution, and identify security improvements that can be implemented in real life.
Within the framework of our related Purple Team service, there is an opportunity to focus on managing individual elements of complex attack chains through the joint, guided exercises of Silent Signal's experts with specialized offensive expertise and the Blue Team's system-specific knowledge.
-
Domain privilege escalation
The starting point of domain privilege escalation is that Silent Signal's experts have valid but low-level employee credentials and internal network access to the Client's environment. The goal of the experts is to obtain as high privilege as possible within the network in a given time frame, demonstrating software vulnerabilities and misconfigurations that can be exploited in the target environment.
This service of ours effectively demonstrates the potential impact of attacks targeting employees and provides guidance on how to minimize the impact and develop defensive skills. It is the first step toward Red Teaming exercises but focuses purely on technological vulnerabilities instead of the operation of security teams.
-
Workstation assessment
Workstations are among the main entry points to the organization's IT system, not only for users but also for attackers, and since working from home has become widespread, they physically extend the boundaries of the system. When examining workstations, our experts focus on the data stored on them and the integrity of the devices, and our methodology takes the user into account both as a possible victim and as a possible attacker.
The result of the test reveals to what extent an attacker can elevate the local privilege level using the workstation as an entry point.
This includes, among other things, the investigation of attacks targeting employees, as well as preventive and reactive solutions to prevent malicious activity by users.
The assessment does not test physical integrity, workstations are not disassembled, and testing is carried out using standard peripherals and externally accessible ports (e.g. USB).
The examination requires physical access to the given workstation and login data of a standard (non-administrator) user. In the case of multiple workstations with the same configuration, it improves cost-effectiveness if only a minimal set of unique configurations gets examined.
-
Wi-Fi network assessment
During the assessment of wireless networks (Wi-Fi, WLAN), our experts check whether the settings of the devices used meet the level expected by the organization from a security point of view. The range of tested devices goes beyond the access points (AP) visible to the naked eye and includes controllers, authentication servers, firewalls, and the clients themselves.
By their very nature, these networks can be accessed from outside areas protected by the organization's physical security measures.
As a result of our tests, it is possible to learn what kind of attacker can gain unauthorized access to systems within the physical security boundaries, and how much effort is needed to carry out these attacks. If access is gained, or when public networks intended for guests are examined, the hosts and networks an attacker can access are enumerated.
The assessment can be performed using a black-box approach, in which case the experts use special Wi-Fi devices to try to bypass the protection measures while staying within the range of the network. A more comprehensive examination can be performed with configuration analysis, in which case the settings of all affected components are analyzed.
Information required for the test: physical location, SSID, and MAC address of the networks within the scope. In the case of several networks with the same configuration, it improves cost-effectiveness if only a minimal set of unique configurations gets examined.
Application testing
-
Web Application testing
When testing web applications, the experts at Silent Signal check the security of client-server applications that can be accessed via a browser.
The testing also covers the identification of vulnerabilities that allow the compromise of server-side components and the impersonation or deception of the application's users.
Because they are so widely supported, web applications are among the most popular implementation solutions today, and they are present in large numbers both on the open Internet and in private networks. Therefore, security tests are suitable not only for uncovering the vulnerabilities of public services intended for customers but also for exploring the opportunities for lateral movement and reconnaissance available to a potential attacker on the internal network.
According to the typical ways of use, tests can be performed starting from different user roles, so that the vertical authorization between different roles can also be tested.
In the case of multiple roles, it improves cost-effectiveness if a minimal set that completely covers the functionality of the application is identified.
In addition to supporting the discovery of complex (e.g., cryptographic) vulnerabilities, assessments carried out with the source code of the application can also increase the efficiency of the tests and the accuracy of our remediation proposals.
-
Mobile Application testing
In the case of mobile applications (iOS, Android, Huawei HMS), our experts examine their executable code and behavior to determine the level of protection of the data they process.
These include apps that run on the personal devices of the client's customers, for which the examination of the device is not relevant. If the application runs on the client's own, private fleet of devices, the security and central management of the device can also be examined.
The results of the test show whether the app stores and transmits the processed data securely, and whether these data are properly protected against other, untrusted applications.
Although these tests can be carried out using a black-box approach - in which case only the application packages are available - in practice, the best turnaround time can be achieved with a gray-box approach, with user access. Coverage can be improved with access to the source code, thus root causes of individual errors can be demonstrated at this level as well.
Before testing can begin, the application package and user access credentials are required, along with access to the complete source code (if applicable).
-
Thick client testing
Applications that run as first-class native programs on a workstation or terminal server are called thick clients. EXE programs and Java Applets typically fall into this category. Testing follows Silent Signal's unique methodology to identify security issues that arise from questionable decisions during the development of the application.
During the assessments, our experts reveal potential vulnerabilities with a systematic approach. The tests are carried out using a gray-box approach, with user access.
Before testing can begin, the installation package and documentation for the thick client must be provided, along with user access credentials.
In addition to simple implementation issues, thick client tests often demonstrate mistakes made in the design phase as well. In addition to the data managed by the program, the latter also affect the infrastructure they depend on, and thus can lead to unexpectedly high exposure, even in the case of intranet-only deployments.
-
API testing
API testing covers web-based interfaces intended for programmatic use, as opposed to direct user interaction, e.g. REST, SOAP, WCF. Our experts perform the assessment based on the relevant subset of the OWASP methodology to identify vulnerabilities affecting the server components.
Similar to web applications (or as part of them), APIs are among today's most popular implementation strategies, available in large numbers on the open Internet and in private networks.
Therefore, security tests are suitable not only for uncovering the vulnerabilities of public services intended for customers but also for exploring the opportunities for lateral movement and reconnaissance available to a potential attacker on the internal network.
Although APIs may be seen as being harder to access compared to web applications, in fact, these interfaces are easily accessible and thus carry the same risk.
Before testing can begin, API descriptions that ensure the completeness of the tests must be provided, along with a set of messages that are syntactically and semantically valid for the server and can be properly processed.
Consulting and training
-
IBM i training
Our IBM i security trainings are the ultimate resource for proactively securing IBM i systems. Led by experienced instructors with extensive knowledge of IBM i penetration testing, security research, and industry best practices, our trainings are designed to help IT professionals of all levels stay ahead of the curve when it comes to securing critical systems and data.
Our trainings enable security professionals to get up to speed with IBM i and its security features. We introduce the platform through hands-on exercises, and show how exploits are connected to well-known attacker techniques, allowing quick adoption of defensive concepts.
For IBM i gurus, we deliver the experience of numerous penetration testing exercises to show how real-world IBM i systems can be hacked, and how these hacks fit into the advanced attack campaigns of today. Demonstrations of vulnerabilities and the countermeasures that could have prevented them enable security-focused development and operations through the recognition and avoidance of dangerous patterns.
The training is regularly updated with the latest security research conducted by Silent Signal on the IBM i platform, ensuring that participants receive up-to-date and relevant information on current threats and best practices for securing IBM i systems.
-
Tailored to Your Needs
Silent Signal trainings are always tailored to the specific requirements of our customers. We compile the training materials to match the skill level of the audience and cover topics most relevant to them.
-
Interactive Lab Environment
Participants can access Silent Signal’s IBM i environment to try demonstrated techniques themselves.
-
Flexible trainings, Anywhere, Anytime
Trainings can be held on-site or online. The optimal duration and schedule are determined based on detailed customer requirements.
-
Architecture review
Architecture review consists of Silent Signal's experts evaluating the security controls resulting from the system's structure, based on the documentation of the target system.
The review can also be applied to monolithic or distributed software systems. The assessment is based on a threat model developed by/with the Client, later used by the experts to determine the relevant attack surface, then to identify components of the system that can be used to cover the various attack paths, and how to use them appropriately.
The review results in security-focused documentation regarding the existing or planned system, including improvements, risk reduction measures, and hardenings to apply.
The architecture review provides an opportunity to catch, much earlier, design issues that are difficult to correct later, and to develop defense in depth.
-
General technical consulting
In addition to their decades of experience in IT security, Silent Signal's experts also have relevant knowledge in corporate development and operations, and they constantly practice these skills to always provide our customers with up-to-date insight.
Whether through one-off or recurring consultations, we assist in specifying the details of upcoming software deployments, developing defensive infrastructure, and above all designing high-security, complex systems.
-
Supporting vulnerability patching
To guarantee adequate patching and to maintain the software quality in the long term, we offer to support the patching process and represent the Client's interests to the developer. As part of the service, the experts offer:
To minimize project risks arising from security issues, Silent Signal experts offer the following in the design phase of development projects:
Featured assessments
-
IBM i (AS/400) penetration testing
The experts of Silent Signal have unique competence for security testing of IBM i (formerly AS/400) systems. Although these systems process critical business data, their security testing is typically skipped, or only superficial, due to their unusual operation. This trend is further strengthened by myths about “bulletproof” midrange systems.
Silent Signal's comprehensive IBM i audit service is based on its own lab environment, where our experts have developed audit methodology and testing tools that significantly go beyond publicly documented methods. With this unique approach, we have demonstrated critical vulnerabilities resulting from incorrect operation practices or bugs in the manufacturer's software (including “0-day” vulnerabilities).
Since real-world attacks often rely on compromised user workstations, penetration tests are best executed with low-privilege user credentials. From this “assumed breach” position, testers find ways to gain full control over the IBM i system. Based on the results of the penetration test, vulnerability fixes and mitigation measures can be applied to multiple layers of the system, providing robust protection against the assumed types of attackers.
-
Hands-on experience
Silent Signal’s team of skilled professionals has in-depth knowledge of IBM i systems, enabling them to identify and remediate vulnerabilities that pose a risk to an organization’s critical assets.
-
Unique methodology
Building on our experience and a comprehensive approach, we have developed a penetration testing methodology for IBM i systems, with enhanced tools and methods, that provides a thorough evaluation of the system’s security posture.
-
In-house security research lab
Silent Signal’s in-house security research on IBM i environments uncovers new attack vectors and identifies solutions to mitigate the risks they pose.
-
Cloud security assessments
Our approach to testing cloud-based systems follows the complex service portfolio of large service providers to ensure that each component is tested using the best fit.
In the case of virtual machine-based solutions (e.g., Amazon EC2), our network vulnerability assessments can be employed, with prior notification of the service provider as required. To achieve in-depth protection, we recommend providing test access that affects only one layer at a time (e.g., API vs. WAF), which eases timing constraints and avoids masked errors.
In most other cases, we recommend configuration analysis, where the settings of individual cloud services are analyzed. This approach is also beneficial because the goal is not to test the cloud provider itself but to check the parameters that can be configured by the client.
Access to selected services and the availability of technical personnel to assist the experts in understanding high-level design decisions are required for the test. When using Infrastructure as Code, it can also be beneficial to directly analyze the code provisioning those resources.
-
IoT security assessments
When it comes to IoT systems, many people think of the endpoint devices that the last letter of the abbreviation refers to, but the experts of Silent Signal test the complete ecosystem to enumerate vulnerabilities fully.
Since an IoT solution can be deployed in many different contexts, choosing the attack model is even more important than with other tests: hardware attacks can be relevant here, and not all trust boundaries are obvious. Of course, we do not reinvent the wheel; e.g., in the case of embedded Linux OSes, we use a common methodology with infrastructure assessments, extended with environment-specific attacks.
As a result of the test, the client gets a full picture of what attacks to expect from which directions and how to harden the security of their system on the device side, the backend side, or both.