Internal Hybrid Penetration Test

A Hybrid Penetration Test combines the collaborative elements of Vulnerability Assessment, with the exploitation phase of a Penetration Test. This streamlines the discovery and enumeration phases of the project, giving a broader view of total vulnerability, while still demonstrating how the organization might react to the tactics and methods of a real-world cyberattack. A Hybrid PT is not an exhaustive exercise but aims to form a baseline understanding of vulnerability management, critical technical security controls, and organizational visibility/response capabilities for organizations that may not yet be mature in any of those areas. 

During the Penetration Test, DeepSeas will attempt to partially or entirely exploit Client’s externally accessible critical assets, including:

• Privileged system accounts, including administrators;
• Bank accounts and other financial accounts;
• Regulated data, including PII, PHI and credit card information;
• Intellectual property, including corporate secrets, plans, reports, blueprints and other valuable assets.

The objectives of this initiative are as follows:

• Assess how Client’s security controls and protective measures will withstand a real-world attack
• Identify exploitable vulnerabilities in Client’s environment
• Assess Client’s incident detection, reporting and response capabilities
• Support the protection of critical assets
• Support compliance with regulatory requirements
• Develop a prioritized, actionable plan for risk mitigation

This Penetration Test is based on the following regulations and standards:

• NIST SP 800-115 Guide to Information Security Testing and Assessment
• The Penetration Testing Execution Standard (PTES)
• Payment Card Industry Data Security Standards (PCI-DSS) 4.0
• ISO 27002:2022
• Open Web Application Security Project (OWASP)

This Penetration Test consists of the following phases:

• INITIALIZATION MEETING – DeepSeas will host an initialization meeting to conduct introductions and familiarize Client with the initiative. This meeting will be no longer than sixty (60) minutes and it is intended to review the objectives, methodology, scope and deliverables in the Statement of Work.
• PLANNING – Preparation necessary to conduct an effective test, including:
  • Scope Definition – Identifying the assets that will be the focus of the test, including people, process and technology.
  • Schedule Development – Scheduling, project plan creation and resource identification.
  • Rules of Engagement Definition – Determination of primary contacts, data handling requirements, and mandatory communications for events that may arise during testing.
• TESTING – Active discovery and exploitation of Client assets
• DOCUMENTATION – Documentation of all deliverables, including summary and detailed findings.
• REPORTING – Presentation of findings to Client.
• TRANSITION MEETING – DeepSeas will host a transition meeting to assist Client with next steps.

The service described in this Statement of Work will be delivered by DeepSeas according to the following assumptions, which will govern all work, deliverables, and interactions:

• Hybrid Penetration Test – Internal - Includes predefined testing parameters:
  • Internal Vulnerability Assessment (not to exceed number of hosts listed in the Scope section)
  • Exploitation of identified vulnerabilities

Client responsibilities for successful project delivery include:

• Completing the Rules of Engagement document prior to any testing.
• Providing remote internal network access via VPN or similar means.
• Provisioning a virtual machine to test team specifications.