Detailed Methodology

The IPT assessment methodology is a focused form of penetration assessment that also allocates time for investigative and forensic exercises. The Emerging Defense IPT methodology is designed to let a large team of IPT practitioners assess an environment with an exclusive breach focus: identifying and prioritizing high-value targets only, and rating each asset's susceptibility to breach individually so that forensic analysis can be prioritized afterwards.

The following is our detailed methodology overview. If you would like specific details of tasks performed in each particular phase, please contact us.

Phase I: Breach Profiling

Breach Intelligence:
Perform public enumeration of breach details and ensure that investigative testing activities accurately reflect real-life threats to the organization, taking into account the client's particular business, industry, business partners, infrastructure/location, size, and current attack trends

Known Vectors:
Acquire black box knowledge of the affected environment to guide the testing team down likely attacker paths through readily discoverable assets

Known Actors:
Perform exhaustive searches across known “hacker hangouts” for potential actors; profile initial incident data to identify a mode of operation used during the attack, which may or may not correlate to a known group

Phase II: Environment Exploration

Black Box Reconnaissance:
Enumerate target footprint through black box attacker techniques with no prior knowledge of the environment

Asset Prioritization:
Leverage historical breach experience and penetration testing techniques to categorize high-value targets, as determined by the likelihood that they hold vulnerabilities, the data they are suspected to contain, or their usefulness as a pivot point into the internal network

Phase III: Exposure Identification

Manual Analysis:
Perform manual testing to uncover high-impact vulnerabilities with consideration of forensic evidence preservation in the event of positive vulnerability identification

Indicator Analysis:
Assess each vulnerability for breach indicators and ease of exploitation

Phase IV: Susceptibility Testing

Exploitability Testing (optional):
Leverage vulnerability identification data to test exploitation; if exploitable, survey the data or access for historical breach indicators (e.g., hacker tools left behind, availability of privilege escalation, potential for unauthorized system level access)

Susceptibility Testing:
All priority exploitable and high-risk vulnerabilities will be assigned susceptibility ratings for forensic analysis, whether or not exploitation was attempted; this rating is generated through a combination of exploitability, relevant breach indicators, and potential for use by suspected actors due to alignment with a corresponding mode of operation (e.g., a suspected actor group is known for seeking and attacking using the Pangolin SQL injection tool)

Phase V: Data Points & Reporting

Asset Susceptibility Ratings:
Categorize assessment findings and assign each finding and corresponding assets a comprehensive susceptibility rating for prioritized forensic review
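The rating inputs named in Phase IV (exploitability, breach indicators, alignment with a suspected actor's mode of operation) and the per-asset roll-up named here in Phase V can be expressed as a small scoring model. The following Python is an added illustration written for this page, not Emerging Defense's own rating scheme: the weights, the 0..10 exploitability scale, the cap on counted indicators, the High/Medium/Low bands, and the sample findings are all assumptions chosen for the example. The only design decision carried over from the text is that an asset is rated by its worst finding, so forensic review is ordered by the most susceptible hosts first.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    """One vulnerability found on one asset during Phase III/IV."""
    asset: str
    vuln_id: str
    exploitability: int      # assumed scale: 0 (theoretical) .. 10 (exploit confirmed)
    breach_indicators: int   # number of breach indicators observed for this finding
    actor_alignment: bool    # True if the vector matches a suspected actor's mode of operation


# Assumed weights for the example (hypothetical, not the firm's scheme).
# Maximum possible score is 5*10 + 10*3 + 20 = 100.
W_EXPLOIT = 5
W_INDICATOR = 10
MAX_INDICATORS = 3   # more than three indicators adds no further weight
W_ACTOR = 20


def finding_score(f: Finding) -> int:
    """Combine exploitability, breach indicators and actor alignment into 0..100."""
    if not 0 <= f.exploitability <= 10:
        raise ValueError(f"exploitability out of range for {f.vuln_id}: {f.exploitability}")
    if f.breach_indicators < 0:
        raise ValueError(f"negative indicator count for {f.vuln_id}")
    return (W_EXPLOIT * f.exploitability
            + W_INDICATOR * min(f.breach_indicators, MAX_INDICATORS)
            + (W_ACTOR if f.actor_alignment else 0))


def band(score: int) -> str:
    """Map a numeric score to an assumed review band."""
    if score >= 70:
        return "High"
    if score >= 40:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class AssetRating:
    asset: str
    score: int
    band: str
    driver: str          # vuln_id of the finding that sets the asset's score
    finding_count: int


def rate_assets(findings: Iterable[Finding]) -> List[AssetRating]:
    """Roll findings up per asset and return them in forensic-review priority order.

    An asset is rated by its worst finding; ties are broken by the number of
    findings on the asset, then by name, so the ordering is deterministic.
    """
    by_asset: Dict[str, List[Finding]] = {}
    for f in findings:
        by_asset.setdefault(f.asset, []).append(f)

    ratings: List[AssetRating] = []
    for asset, fs in by_asset.items():
        worst = max(fs, key=finding_score)
        score = finding_score(worst)
        ratings.append(AssetRating(asset, score, band(score), worst.vuln_id, len(fs)))

    ratings.sort(key=lambda r: (-r.score, -r.finding_count, r.asset))
    return ratings


# Constructed sample findings for the example; asset names and vuln ids are made up.
SAMPLE_FINDINGS = [
    Finding("web01", "sqli-login", exploitability=9, breach_indicators=2, actor_alignment=True),
    Finding("web01", "verbose-errors", exploitability=3, breach_indicators=0, actor_alignment=False),
    Finding("db02", "default-creds", exploitability=6, breach_indicators=3, actor_alignment=False),
    Finding("vpn03", "legacy-tls", exploitability=2, breach_indicators=0, actor_alignment=False),
]


if __name__ == "__main__":
    for r in rate_assets(SAMPLE_FINDINGS):
        print(f"{r.band:6} {r.score:3}  {r.asset:8} driver={r.driver} findings={r.finding_count}")
```

Running the module prints web01 first (High, 85, driven by the SQL injection finding that also matches the suspected actor's tooling), then db02 (Medium, 60, driven entirely by exploitability and the three indicators observed) and vpn03 (Low, 10). The score cap on indicators keeps a single noisy host from outranking one with a confirmed, actor-aligned vector.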

Forensic Recommendations:
Provide data points concerning areas of interest for use during forensic analysis of susceptible hosts

Recovery Solutions (optional):
Provide quick-fix technical solutions for IT remediation of point-in-time breach vulnerabilities identified during the assessment

Strategic Solutions (optional):
Provide theme-based organization analysis with recommendations for enterprise-wide issue resolution

 

  
