Due to its significant interaction with external stakeholders, constituents, and other federal agencies, a large federal agency had a broad threat surface it had to secure. The agency needed support for its comprehensive cybersecurity strategy aimed at meeting regulatory requirements, preventing data breaches, and proactively identifying and mitigating cybersecurity vulnerabilities.
These compliance requirements included adherence to Federal mandates such as the Federal Information Security Modernization Act (FISMA), National Institute of Standards and Technology (NIST) Special Publications (SP) 800-53 and 800-115, and the Federal Risk and Authorization Management Program (FedRAMP).
The agency customer also faced recurring medium-severity security vulnerabilities in their legacy web applications, particularly the “Missing Secure Attribute in Encrypted Session (SSL) Cookie” issue, in which a session cookie set over TLS lacks the Secure attribute and can therefore be sent over plaintext HTTP. This vulnerability affected a significant portion of their application portfolio, necessitating a scalable solution to mitigate the risk.
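As an added illustration of that finding class (this is example code, not Makpar's tooling or the agency's scanner), the script below audits HTTP response headers for session cookies set over HTTPS without the Secure (and HttpOnly) attribute, and shows the corrected Set-Cookie value. It assumes responses are already available as a URL plus a list of (header-name, header-value) pairs; the sample responses, hostnames and cookie names are constructed for the example.

```python
"""Audit Set-Cookie headers for the Secure attribute and show the hardened form.

Added example, not code from the page's author or project. Response data is
constructed inline; in practice it would come from a DAST crawl or proxy log.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class CookieFinding:
    url: str
    name: str
    missing: list  # attribute names absent from the cookie, e.g. ["Secure"]


def parse_set_cookie(header_value: str):
    """Split a Set-Cookie value into (name, value, {attribute_lower: value_or_None})."""
    parts = [p.strip() for p in header_value.split(";")]
    if not parts or "=" not in parts[0]:
        return None  # malformed: no name=value pair
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def audit_response(url: str, headers) -> list:
    """Flag every cookie set over HTTPS that lacks Secure or HttpOnly.

    Only HTTPS responses are checked because the finding class is specifically
    the encrypted-session cookie that is not marked Secure.
    """
    findings = []
    if urlparse(url).scheme.lower() != "https":
        return findings
    for hname, hval in headers:
        if hname.lower() != "set-cookie":
            continue
        parsed = parse_set_cookie(hval)
        if parsed is None:
            continue
        name, _, attrs = parsed
        missing = [a for a in ("Secure", "HttpOnly") if a.lower() not in attrs]
        if missing:
            findings.append(CookieFinding(url, name, missing))
    return findings


def harden_set_cookie(header_value: str, samesite: str = "Lax") -> str:
    """Return the header with Secure, HttpOnly and SameSite added if absent.

    Existing attributes are preserved in their original order and spelling.
    """
    parsed = parse_set_cookie(header_value)
    if parsed is None:
        return header_value
    name, value, attrs = parsed
    out = [f"{name}={value}"]
    out.extend(p.strip() for p in header_value.split(";")[1:] if p.strip())
    if "secure" not in attrs:
        out.append("Secure")
    if "httponly" not in attrs:
        out.append("HttpOnly")
    if "samesite" not in attrs:
        out.append(f"SameSite={samesite}")
    return "; ".join(out)


# Constructed sample responses: one legacy app over HTTPS, one intranet page over HTTP.
SAMPLE_RESPONSES = [
    ("https://legacy.example.gov/login",
     [("Content-Type", "text/html"),
      ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
      ("Set-Cookie", "pref=dark; Path=/; Secure; HttpOnly")]),
    ("http://intranet.example.gov/",
     [("Set-Cookie", "tracker=1; Path=/")]),
]


def run_audit(responses=SAMPLE_RESPONSES) -> list:
    """Audit every sample response and return the combined findings."""
    return [f for url, hdrs in responses for f in audit_response(url, hdrs)]


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.url}: cookie {f.name} missing {', '.join(f.missing)}")
    print(harden_set_cookie("JSESSIONID=abc123; Path=/"))
```

For a portfolio of legacy applications the scalable fix is usually applied once at the reverse proxy or load balancer that fronts them (for example with Apache mod_headers' `Header edit Set-Cookie` directive) rather than patching each application's session handling individually; the audit above then serves as the retest that confirms every in-scope host now emits the attribute.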
Makpar offers the following services that support the mission of this federal agency:
For this project, the penetration testing solution strategy followed a repeatable five-step approach:
Before any testing begins, it is crucial to establish clear communication with the client to understand their specific goals, objectives, and requirements. This phase involves scoping the engagement, defining rules of engagement, and setting boundaries to ensure that the testing aligns with the client’s needs. Detailed planning is conducted to determine which systems, networks, and applications will be in scope, as well as the specific testing methodologies to be used. This step also includes obtaining necessary permissions and access credentials, ensuring that all legal and compliance requirements are met.
With the information gathered during the discovery phase, the team moves on to the exploitation phase, where they attempt to gain unauthorized access to the target systems and networks. This involves using various techniques, such as exploiting known vulnerabilities, conducting phishing attacks, and leveraging social engineering tactics. The objective is to simulate real-world attack scenarios and understand how an adversary might penetrate the target environment. Once access is gained, the team works to escalate privileges, move laterally within the network, and identify critical assets and data that could be compromised. Each vulnerability is then evaluated for its realistic risk in the context of the organization, rather than by scanner severity alone.
After successfully gaining access and exploiting vulnerabilities, the team conducts a thorough analysis of the findings. This involves documenting the vulnerabilities discovered, the methods used to exploit them, and the potential impact on the organization. Detailed reports are generated, providing actionable insights and recommendations for remediation. The reports are tailored to different audiences, including technical teams who need to implement fixes, as well as executive stakeholders who require a high-level overview of the risks and proposed mitigation strategies. The goal is to ensure that the organization fully understands the findings and can take appropriate steps to strengthen its security posture.
The final step in the penetration testing process is retesting to verify that the identified vulnerabilities have been effectively remediated. This involves re-running the tests and attack scenarios to ensure that the fixes implemented by the client have successfully addressed the issues. Retesting provides assurance that the security gaps have been closed and that the organization is now better protected against potential threats. It also helps to identify any new vulnerabilities that may have been introduced during the remediation process, ensuring continuous improvement and resilience.
The solution strategy also involved implementing a Scalable Threat Modeling approach, utilizing a pattern-based methodology to identify common architectural patterns across the client’s applications. This approach allowed for the development of targeted mitigation strategies to address identified vulnerabilities, align with industry best practices and integrate seamlessly into the client’s existing AppSec testing framework.
From a code security and analysis perspective, Makpar’s code reviewers and security engineers conducted thorough assessments, providing vulnerability reports with detailed insights into likelihood, impact, and severity.
We identified a critical-severity privilege escalation vulnerability that existed across all workstations in an organization, of the kind nation-state actors use to maintain high-privileged access inside computer networks. This vulnerability had been present for at least 2 years before discovery.
We actively exploited the identified vulnerability to observe how the system and alerts responded. We collaborated directly with the network security monitoring team to validate the alerts and assist them in understanding how to detect similar attacks in the future.
We located complex attack paths within Active Directory, requiring detailed exploitation scenarios leveraging Kerberos. By forging Kerberos tickets for a specific service as any administrative user account in the domain, we demonstrated a risk that had gone unrecognized by the organization for years.
We provided thorough and detailed information about web application and API vulnerabilities before they were released into production, ensuring the confidentiality, integrity, and availability of their systems to make them resilient to attack.
In today’s rising threat environment, PTCS is vital for any agency that needs to understand and mitigate its cyber vulnerabilities.
A pattern-based approach to threat modeling effectively scales security efforts across multiple applications.
Government agencies now have a method for understanding threats from external actors and how to best mitigate these threats.
OWASP's Threat Modeling tools
HCL AppScan Enterprise (ASE) for Dynamic Application Security Testing (DAST)
Custom scripts developed to automate aspects of the threat modeling process
Adhering to the Makpar repeatable five-step approach to penetration testing highlighted above.
Integrating threat modeling into the CI/CD pipeline, ensuring continuous updates to the threat model based on new findings and adopting a pattern-based approach for rapid scaling across multiple applications.
Supporting secure code reviews and integrating SAST and DAST into DevOps processes.