Case Studies

Vulnerability & Threat Response Management (VTRM) Case Study

Executive Summary

GRAMAX Cybersec helped one of its clients, a leading Indian conglomerate, to enhance its overall cyber security posture by bringing in proactive vulnerability detection capabilities. The client was looking to perform an in-depth security assessment of its critical assets and entire infrastructure to see whether the organization was really secure from internal and external threats. The further purpose was to come up with a framework that would give improved visibility into the vulnerabilities in the environment and a multi-dimensional, continuous monitoring ability.

Challenges Faced by the Client

  • Unable to manage shadow IPs
  • Incomplete visibility of the entire security posture
  • Undiscovered misconfigurations and loopholes in various applications
  • Unable to go beyond VAPT compliance requirements

How GRAMAX Cybersec Helped

The key expectation of our client was that the service provider should be willing to go the extra mile to uncover all possible hidden security flaws within the infrastructure. So, to get a full view of existing vulnerabilities and explore all possible cyberattack scenarios, GRAMAX Cybersec decided to go with its Vulnerability & Threat Response Management (VTRM) solution, in which we applied all five main approaches/services, which include:

  1. Black Box Testing
  2. Vulnerability Assessment & Penetration Testing
  3. Red Teaming
  4. Continuous Attack Surface Monitoring
  5. Vulnerability Management

The VTRM framework, consisting of these five defined approaches, is bundled as one service with a defined execution cycle and frequency aligned with the environment's risk profile.

About Our Solution - Vulnerability & Threat Response Management (VTRM)

VTRM is the process of identifying, evaluating, treating and reporting security vulnerabilities in systems and in the software that runs on them. Implemented alongside other security tactics, it is vital for organizations to prioritize possible threats and minimize their attack surface.

VTRM Scope

This includes web applications, firewalls, switches, routers, databases, application servers, web servers, publicly accessible servers and cloud-based assets (if any). The asset inventory is maintained by the VTRM team; however, it is the stakeholders' responsibility to share asset details with the team in a timely manner.

VTRM Framework & Service Description

  • Service 1: Black Box Testing

    The adversary attack simulation service can be effective for organizations that have deployed adequate security measures and are looking to go further than regular VAPT assessments. This service delivers real-life cyber attacks that closely resemble an APT group targeting an organization. It is not identical to the typical black box VAPT offered in the market by various vendors. This service yields multiple benefits, including:

    • Covers social engineering attacks via email, employee contact, BYOD device compromise
    • Advanced AD forest trust & privilege escalation attacks on Linux & Windows OS
    • Customized exploits/scripts written specifically for clients, helping them to understand the current security posture and fill any gap that regular security solutions may not fix
  • Service 2: Vulnerability Assessment and Penetration Testing

    Vulnerability Assessment and Penetration Testing (VAPT) are two types of security services that focus on the detection of vulnerabilities in web applications, mobile applications, networks and servers. The two services have different strengths and are often combined so that they work better together. VAPT protects enterprises from cyberattacks and provides the intelligence needed to allocate security resources efficiently. As part of the VAPT process, the following components (at minimum) are covered:

    • Basic vulnerability testing
    • Web/mobile application vulnerability testing
    • Network vulnerability testing
    • Infrastructure implementation testing
    • Device configuration testing

    Vulnerability Assessment Phase:

    • Discovery
      • Identification of all hosts in the client’s network that are visible from the internet
    • Exploitation/Analysis
      • Each discovered service and application is cross-referenced against an extensive database to generate a list of potential vulnerabilities
    • Reporting
      • Detailed and easy-to-read reports containing High Risk, Medium Risk and Low Risk findings are provided along with remediation recommendations
      • For high-risk vulnerabilities identified by the team, the client may opt to install a comprehensive security solution or other services in the areas of Policy and Implementation.

    Penetration Testing Phase:

    • Reconnaissance
    • Discovery
    • Public Domain Sources
    • Port Scanning
    • Identification of Services
    • Short Listing of Crucial IPs
    • Identification of Operating System
    • Identification of Vulnerabilities
    • Exploitation of Vulnerabilities
    • Other Attacks
  • Service 3: Attack Simulation & Defense Readiness Testing aka Red Teaming

    A red team engagement is a defense readiness exercise in which different attacks mapped to the MITRE ATT&CK framework are executed and the defense team's responses to them are recorded. An attack that goes undetected, bypassing both the security solutions and the defense team, counts as a successful effort by the red team. The exercise is designed to identify vulnerabilities and to find detection and response gaps in a company's security infrastructure. The goal of a red team exercise is not just to identify holes in security, but to train security personnel and management to defend their infrastructure better.

    Techniques utilized by the team to conduct the red-teaming exercise:

    • Social Engineering
    • Phishing/Spear Phishing
    • Malicious Attachments
    • Internal Attacks
    • DLP Attacks
    • Physical Access

    Customer Engagement Steps:

    • Engagement Kickoff
      • Formal signing of documents
      • Assigning of SPOC
      • Walkthrough of the customer’s infrastructure
      • Mapping of relevant attacks on ATT&CK Framework
    • Vendor Attacks Preparation
      • Formulation of attacks
      • Creation of attack campaigns
      • Attack infrastructure readiness
    • Attack Simulation
      • Simulation of attacks
      • Correlation with defense teams
    • Analysis & Reporting
      • Analysis of the attacks performed
      • Report submission
  • Service 4: Continuous Attack Surface Monitoring

    The aim of this exercise is to continuously monitor the organization's external-facing assets, so that possible threats to exposed assets are reported to the organization before any adversary finds them. The activity can be performed using automated tools as well as manual methods. Below are the steps that were followed:

    • Identification of assets in each LOB via multiple inputs (procurement, usage, health, usability), usually as followed in ISO 27001 asset inventory procedures
    • Classification of assets based on functionality under each LOB
    • Patch management process review
    • Vulnerability & testing status
    • Business process review for critical assets
    • Security detection and response process review
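    The monitoring step above turns on one comparison: what the LOBs have declared in the asset inventory versus what is actually observable from outside. The Python below is an added example (not GRAMAX Cybersec's tooling) of that reconciliation; the inventory, LOB names, TEST-NET-3 addresses and the "scan snapshot" are all constructed sample data. It flags the three deviations a monitoring team wants routed to an owner: an exposed host nobody has declared (the shadow IP problem from the challenges list), a declared asset exposing an undeclared service, and a declared service that has disappeared.

```python
"""Continuous attack-surface monitoring: reconcile an external exposure snapshot
against the declared asset inventory to surface shadow IPs and unexpected services.

Added example, not GRAMAX Cybersec's tooling. The inventory, LOB names, IP
addresses and the scan snapshot below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    lob: str                   # line of business that owns the asset
    function: str              # functional classification under that LOB
    expected_ports: frozenset  # services the owner has declared as intentionally exposed


@dataclass(frozen=True)
class Finding:
    ip: str
    kind: str                  # "shadow_ip" | "new_service" | "missing_service"
    detail: str


# Constructed inventory: what the LOBs have declared to the VTRM team (TEST-NET-3 addresses).
INVENTORY = {
    "203.0.113.10": Asset("203.0.113.10", "Retail", "web-server", frozenset({443})),
    "203.0.113.11": Asset("203.0.113.11", "Retail", "mail-gateway", frozenset({25, 587})),
    "203.0.113.20": Asset("203.0.113.20", "Finance", "vpn-concentrator", frozenset({443, 4500})),
}

# Constructed snapshot of what today's external scan observed: ip -> open ports.
SNAPSHOT_TODAY = {
    "203.0.113.10": {443},
    "203.0.113.11": {25, 587, 8080},   # an extra port appeared on the mail gateway
    "203.0.113.20": {443},             # the IPsec port stopped answering
    "203.0.113.45": {22, 3389},        # not declared by any LOB: a shadow IP
}


def compare_exposure(inventory, snapshot):
    """Diff observed exposure against the inventory and return one Finding per deviation."""
    findings = []
    for ip, open_ports in sorted(snapshot.items()):
        asset = inventory.get(ip)
        if asset is None:
            # Exposed host that no LOB has declared: the "shadow IP" case.
            findings.append(Finding(ip, "shadow_ip",
                                    f"unowned host exposing ports {sorted(open_ports)}"))
            continue
        for port in sorted(open_ports - asset.expected_ports):
            findings.append(Finding(ip, "new_service",
                                    f"{asset.lob}/{asset.function} exposes undeclared port {port}"))
        for port in sorted(asset.expected_ports - open_ports):
            findings.append(Finding(ip, "missing_service",
                                    f"{asset.lob}/{asset.function} no longer answers on port {port}"))
    return findings


def summarise_by_lob(findings, inventory):
    """Count findings per owning LOB so each business line gets its own action list;
    shadow IPs have no owner and are bucketed under 'UNASSIGNED' for triage."""
    counts = {}
    for f in findings:
        lob = inventory[f.ip].lob if f.ip in inventory else "UNASSIGNED"
        counts[lob] = counts.get(lob, 0) + 1
    return counts


if __name__ == "__main__":
    todays = compare_exposure(INVENTORY, SNAPSHOT_TODAY)
    for f in todays:
        print(f"{f.kind:16} {f.ip:15} {f.detail}")
    print(summarise_by_lob(todays, INVENTORY))
```

    Running this daily against a fresh snapshot and keeping only the findings that were absent the day before gives the "continuous" part; the per-LOB summary is what lets the classification step above (assets grouped by LOB and function) turn a raw diff into an owner-addressed work list.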
  • Service 5: Vulnerability Management

    Vulnerability management is a cyclical process of identifying IT assets and correlating them with a continually updated vulnerability database to identify threats, misconfigurations, and vulnerabilities.

    VM Life Cycle:

    • Discover: Find and onboard assets into the scope.
    • Prioritize Assets: Distinguish critical from non-critical assets.
    • Assess: Run the vulnerability scan on the prioritized assets.
    • Report: Perform false-positive analysis and prepare the report.
    • Remediate: Remediate the vulnerabilities based on SLA and severity.
    • Verify: Run a confirmatory or new-cycle scan for verification.
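    The six steps of the life cycle above are easy to list and easy to get wrong in practice: findings must be correlated against a database, false positives dropped before they become tickets, the remaining tickets ranked by asset criticality as well as severity, each given an SLA date, and then a ticket closed only when the rescan no longer reproduces it. The Python below is an added example (not GRAMAX Cybersec's VTRM tooling) that carries one cycle through those steps. The assets, the vulnerability database, the SLA table, the scan date and the post-patch rescan state are all constructed; advisory ids such as "ADV-0001" are placeholders, not real CVE numbers.

```python
"""Vulnerability management cycle: discover, prioritise, assess, report, remediate, verify.

Added example, not GRAMAX Cybersec's VTRM tooling. Assets, the vulnerability
database, the SLA table and scan dates are constructed sample data; advisory ids
such as "ADV-0001" are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: tuple       # numeric version tuple so that comparisons are correct, e.g. (1, 18, 0)
    critical: bool       # outcome of the "prioritize assets" step


@dataclass(frozen=True)
class Advisory:
    advisory_id: str     # placeholder id, not a real CVE
    product: str
    fixed_in: tuple      # every version below this is affected
    cvss: float


# Discover + prioritise: onboarded assets with their criticality (constructed).
ASSETS = [
    Asset("erp-db-01", "postgres", (13, 2), critical=True),
    Asset("hr-portal", "nginx", (1, 18, 0), critical=True),
    Asset("intranet-web", "nginx", (1, 18, 0), critical=False),
]

# Constructed stand-in for the continually updated vulnerability database.
VULN_DB = [
    Advisory("ADV-0001", "postgres", fixed_in=(13, 5), cvss=8.8),
    Advisory("ADV-0002", "nginx", fixed_in=(1, 20, 1), cvss=5.3),
    Advisory("ADV-0003", "nginx", fixed_in=(1, 19, 0), cvss=7.5),
]

# Remediation SLA in days, keyed by (asset is critical, severity band): a constructed policy.
SLA_DAYS = {
    (True, "high"): 7,   (True, "medium"): 30,  (True, "low"): 90,
    (False, "high"): 30, (False, "medium"): 90, (False, "low"): 180,
}

SCAN_DATE = date(2024, 1, 15)                        # constructed
FALSE_POSITIVES = {("intranet-web", "ADV-0003")}     # constructed outcome of analyst review


def severity_band(cvss):
    return "high" if cvss >= 7.0 else "medium" if cvss >= 4.0 else "low"


def assess(assets, vuln_db):
    """Assess: correlate each asset's product and version with the vulnerability database."""
    return [(a, adv) for a in assets for adv in vuln_db
            if adv.product == a.product and a.version < adv.fixed_in]


def report(findings, scan_date, false_positives):
    """Report: drop confirmed false positives, rank by criticality then CVSS, attach SLA due dates."""
    tickets = []
    for a, adv in findings:
        if (a.name, adv.advisory_id) in false_positives:
            continue
        band = severity_band(adv.cvss)
        tickets.append({
            "asset": a.name, "critical": a.critical, "advisory": adv.advisory_id,
            "severity": band, "cvss": adv.cvss,
            "due": scan_date + timedelta(days=SLA_DAYS[(a.critical, band)]),
        })
    tickets.sort(key=lambda t: (not t["critical"], -t["cvss"], t["asset"]))
    return tickets


def verify(tickets, rescanned_assets, vuln_db):
    """Verify: re-run the assessment after remediation; a ticket closes only if it no longer reproduces."""
    still_open = {(a.name, adv.advisory_id) for a, adv in assess(rescanned_assets, vuln_db)}
    return [dict(t, status="open" if (t["asset"], t["advisory"]) in still_open else "closed")
            for t in tickets]


# Remediate: constructed state after the patch window (erp-db-01 and hr-portal upgraded, intranet-web not).
RESCANNED_ASSETS = [
    Asset("erp-db-01", "postgres", (13, 5), critical=True),
    Asset("hr-portal", "nginx", (1, 19, 0), critical=True),
    Asset("intranet-web", "nginx", (1, 18, 0), critical=False),
]


def run_cycle():
    """One full pass: assess -> report -> (remediate happens outside) -> verify."""
    tickets = report(assess(ASSETS, VULN_DB), SCAN_DATE, FALSE_POSITIVES)
    return verify(tickets, RESCANNED_ASSETS, VULN_DB)


if __name__ == "__main__":
    for t in run_cycle():
        print(f"{t['asset']:13} {t['advisory']} {t['severity']:6} due {t['due']} {t['status']}")
```

    Two details matter for the "Verify" step: hr-portal was upgraded far enough to close one advisory but not the other, so the same rescan closes one of its tickets and leaves the other open, and the false positive recorded for intranet-web never becomes a ticket at all, so it cannot be "closed" by accident either.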