136EHPT Base

External Hybrid Penetration Test

    Service Overview

    A Hybrid Penetration Test combines the collaborative elements of a Vulnerability Assessment with the exploitation phase of a Penetration Test. This streamlines the discovery and enumeration phases of the project, giving a broader view of overall vulnerability while still demonstrating how the organization might react to the tactics and methods of a real-world cyberattack. A Hybrid PT is not an exhaustive exercise; it aims to form a baseline understanding of vulnerability management, critical technical security controls, and organizational visibility and response capabilities for organizations that may not yet be mature in any of those areas.

    During the Penetration Test, DeepSeas will attempt to partially or entirely exploit Client’s externally accessible critical assets, including:

    • Privileged system accounts, including administrators;
    • Bank accounts and other financial accounts;
    • Regulated data, including PII, PHI and credit card information;
    • Intellectual property, including corporate secrets, plans, reports, blueprints and other valuable assets.

    DeepSeas will test externally facing application assets to identify weaknesses, vulnerabilities and exploits, based on the globally recognized Open Web Application Security Project (OWASP) Testing Guide, but only from an unauthenticated (non-credentialed) perspective. Authenticated testing of application functionality behind a login is out of scope for this service and must be scoped as a dedicated Application Penetration Test.

    Objectives

    The objectives of this initiative are as follows:

    • Assess how Client’s security controls and protective measures will withstand a real-world attack
    • Identify exploitable vulnerabilities in Client’s environment
    • Assess Client’s incident detection, reporting and response capabilities
    • Support the protection of critical assets
    • Support compliance with regulatory requirements
    • Develop a prioritized, actionable plan for risk mitigation

    Methodology

    This Penetration Test is based on the following regulations and standards:

    • NIST SP 800-115 Guide to Information Security Testing and Assessment
    • The Penetration Testing Execution Standard (PTES)
    • Payment Card Industry Data Security Standard (PCI DSS) v4.0
    • ISO 27002:2022
    • Open Web Application Security Project (OWASP) Testing Guide

    This Penetration Test consists of the following phases:

    • INITIALIZATION MEETING – DeepSeas will host an initialization meeting to conduct introductions and familiarize Client with the initiative. This meeting will be no longer than sixty (60) minutes and is intended to review the objectives, methodology, scope and deliverables in the Statement of Work.
    • PLANNING – Preparation necessary to conduct an effective test, including:
      • Scope Definition – Identifying the assets that will be the focus of the test, including people, process and technology.
      • Schedule Development – Scheduling, project plan creation and resource identification.
      • Rules of Engagement Definition – Determination of primary contacts, data handling requirements, and mandatory communications for events that may arise during testing.
    • ASSESSMENT – Identification, analysis and prioritization of technical vulnerabilities by performing the following:
      • Vulnerability Scanning – Scanning of assets for known vulnerabilities. External Vulnerability Assessments are always performed remotely over the public Internet.
      • Analysis – Identification of technical vulnerabilities accessible via the Internet, including:
        • Port and service identification
        • Configuration-related security vulnerabilities
        • Outdated services and software
        • Web, application and device vulnerabilities
        • Vulnerabilities that allow root- or administrator-level access
      • Exploitation – Attempted compromise of assets through vulnerabilities identified in the prior phases, as well as any other means available within the agreed Rules of Engagement.
    • DOCUMENTATION – Documentation of all deliverables, including summary and detailed findings.
    • REPORTING – Presentation of findings to Client.
    • TRANSITION MEETING – DeepSeas will host a transition meeting to assist Client with next steps.
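
The port and service identification and outdated-software analysis listed under the Assessment phase, as an added Python example that is not part of the DeepSeas service description or its tooling. It connects to a list of TCP ports, parses product and version from the service greeting (or from an HTTP HEAD probe when the service is silent), and flags versions below a version floor; `MIN_VERSIONS` is an assumed policy for illustration, not from this page. The two services it scans are constructed stand-ins started on 127.0.0.1 so the script runs offline; against real external assets the scanning IPs would need the IPS allowlisting described under Client Responsibilities.

```python
"""Banner-grab TCP ports and flag outdated service versions (added example)."""
import re
import socket
import socketserver
import threading

# Hypothetical version floors for this example (not from the page): anything
# older than these is reported as "outdated software".
MIN_VERSIONS = {"OpenSSH": (8, 0), "Apache": (2, 4, 51)}

# Matches e.g. "SSH-2.0-OpenSSH_7.4" or "Server: Apache/2.4.49".
BANNER_RE = re.compile(r"(OpenSSH|Apache)[_/](\d+(?:\.\d+)*)")


def parse_banner(banner):
    """Return (product, version_tuple) from a banner, or None if unrecognised."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2).split("."))


def is_outdated(product, version):
    """Compare a parsed version against the floor for that product, padding short tuples."""
    floor = MIN_VERSIONS.get(product)
    if floor is None:
        return False
    width = max(len(version), len(floor))

    def pad(v):
        return v + (0,) * (width - len(v))

    return pad(version) < pad(floor)


def grab_banner(host, port, timeout=1.0):
    """Connect and read a greeting; if the service stays silent, send an HTTP HEAD probe."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
                data = s.recv(512)
            return data.decode("latin-1", "replace")
    except OSError:
        return None  # closed or filtered port, or no usable response


def scan(host, ports):
    """Return (port, product, version_string, outdated) for every responsive port."""
    findings = []
    for port in ports:
        banner = grab_banner(host, port)
        if banner is None:
            continue
        parsed = parse_banner(banner)
        if parsed is None:
            findings.append((port, "unknown", banner.strip()[:40], False))
            continue
        product, version = parsed
        findings.append((port, product, ".".join(map(str, version)), is_outdated(product, version)))
    return findings


# Constructed stand-in services so the scan runs offline on 127.0.0.1.
class FakeSSH(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.sendall(b"SSH-2.0-OpenSSH_7.4\r\n")  # speaks first, like real sshd


class FakeHTTP(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.recv(1024)  # silent until probed, like a web server
        self.request.sendall(b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.49\r\nContent-Length: 0\r\n\r\n")


def start_fake_service(handler):
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Scan the two constructed services and return the findings list."""
    ssh, web = start_fake_service(FakeSSH), start_fake_service(FakeHTTP)
    try:
        return scan("127.0.0.1", [ssh.server_address[1], web.server_address[1]])
    finally:
        for srv in (ssh, web):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for port, product, version, outdated in demo():
        print(f"{port:5d} {product:8s} {version:10s} {'OUTDATED' if outdated else 'ok'}")
```

Run directly, both constructed services are reported as OUTDATED against the assumed floors. Against real targets, replace the local stand-ins with in-scope hosts and ports, keep the port list and timing within the Rules of Engagement, and expect silent or filtered ports to be skipped rather than reported.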

    Service Assumptions

    PROJECT-SPECIFIC ASSUMPTIONS

    1. DeepSeas will conduct all testing remotely.
    2. DeepSeas will conduct all penetration testing activities during normal business hours. Exploits known to carry a higher risk of disruption are the exception; these will be scheduled with Client for after-hours execution.
    3. The assessment is limited to the number of systems and devices in the specified scope. Any deviation from this number requires a change order to the project.

    Client Responsibilities

    Client responsibilities for successful project delivery include:

    • Completing the Rules of Engagement document prior to any testing
    • Allowlisting DeepSeas' scanning IP addresses in active defenses such as Intrusion Prevention Systems for the initial (vulnerability scanning) phase of the Hybrid Penetration Test. This change should be reverted before exploitation attempts begin, so that the exploitation phase is performed against Client's normal defensive posture.
    • Modification of firewall ACLs/rule sets is NOT required.