The Cobalt security assessment team of pentesters will carry out the testing without detailed network or infrastructure diagrams and without any Office 365 accounts or additional user information (unless required as part of the scope). At Cobalt we follow a standard penetration testing methodology based on OSSTMM and OWASP, according to the following steps:
O365 will be a focus point of this assessment: Cobalt pentesters will look into data security and data encryption and verify access controls, in addition to testing the network that hosts the in-scope services.
Much external information is available to a potential malicious user by default. Just connecting to the internet requires an initial amount of information disclosure. For example, to receive email, the organization’s mail server must be advertised on the Internet. Any web server’s location and details also require public advertising.
- Web locations and databases. Much information is available on other websites and databases, especially relating to publicly traded companies. It is important that organizations evaluate what information they make public over and above that prescribed by law. News articles and press releases can provide valuable additional clues as to the security policy of an organization.
- An organization’s presence on the Internet is indicated by the domain names that it holds. Once these have been discovered an attacker can begin the process of relating them to the organization’s network infrastructure. There are many “whois” databases available on the Internet that may be queried to yield a great deal of information about the organization’s network.
- Checking the public records of an organization will give information as to the name, address and telephone number of the person responsible for administering the domain. This gives potential for social engineering to glean extra information, for example, details of hardware and software purchases. It also gives vital clues as to where the best place to target an attack may be.
Once all available information is gathered, work will commence on probing the resources of the targeted organization. This takes several stages:
- A complete port scan will be carried out on the specific IP ranges provided. This gives a detailed breakdown of which machines and resources face the outside world and what functions they perform. Firewalls, mail servers, O365 services, web and FTP servers all have to give access to the outside world in order to function, and all leave tell-tale signatures to a port scan.
- Using the results from the initial port scan, further investigation will be carried out to obtain details such as the types of applications running on externally exposed machines, version numbers for identified software, and the operating systems running that software. In many instances an externally exposed machine has open services with no business function associated with them. These would be identified and targeted.
- Considering that certain vulnerabilities and exploits are known to be able to paralyze, damage and alter the content of the network, these would not be performed but only noted. Examples are those exploits that may disable certain services, deny service from the outside and affect customers or disable the ability of the organization to function.
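The probing steps above produce a list of externally visible services that then has to be compared with what the organization intends to expose. The following script is an added example written for this page, not Cobalt's own tooling: it parses a constructed scan result written in nmap's grepable (-oG) line layout, compares the open ports against a hypothetical per-host baseline, and separately lists open ports for which no product or version was identified (the "services with no associated function" the text refers to). The hosts, ports and baseline are all made up.

```python
"""Compare an external port-scan result against an approved exposure baseline.

Added example, not Cobalt's tooling. The scan text below is a constructed
sample written in nmap's "grepable" (-oG) line layout, and BASELINE is a
hypothetical allowlist of the ports each in-scope host is expected to expose.
"""
import re
from dataclasses import dataclass

# Constructed sample scan output (two hosts, nmap -oG style "Host:" lines).
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 203.0.113.10 (mail.example.test)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 587/open/tcp//submission//Postfix smtpd/, 110/open/tcp//pop3//Dovecot pop3d/
Host: 203.0.113.20 (www.example.test)\tPorts: 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//https//nginx 1.18.0/, 21/open/tcp//ftp//vsftpd 3.0.3/, 8080/open/tcp//http-proxy///
# Nmap done (constructed sample)
"""

# Hypothetical baseline: ports each host is approved to expose to the Internet.
BASELINE = {
    "203.0.113.10": {25, 587},
    "203.0.113.20": {80, 443},
}


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    name: str      # service name the scanner guessed for the port
    version: str   # product/version banner, empty when nothing was identified


# "Host: <ip> (<name>)<TAB>Ports: <entries>"; each entry is
# port/state/proto/owner/service/rpcinfo/version/ with empty owner and rpcinfo.
_HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*)$")
_PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_grepable(text):
    """Return the open services found in -oG style output."""
    services = []
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue
        host, _hostname, ports = m.groups()
        for port, state, proto, name, version in _PORT_RE.findall(ports):
            if state == "open":
                services.append(Service(host, int(port), proto, name, version))
    return services


def find_unexpected(services, baseline):
    """Open services the baseline does not approve: exposure that needs an owner."""
    return [s for s in services if s.port not in baseline.get(s.host, set())]


def find_unidentified(services):
    """Open ports with no identified product: services with no known function."""
    return [s for s in services if not s.version.strip()]


def exposure_report(text=SAMPLE_SCAN, baseline=BASELINE):
    """Human-readable lines summarising what a reviewer should look at first."""
    services = parse_grepable(text)
    lines = []
    for s in find_unexpected(services, baseline):
        lines.append(f"UNEXPECTED {s.host}:{s.port}/{s.proto} {s.name} {s.version}".rstrip())
    for s in find_unidentified(services):
        lines.append(f"UNIDENTIFIED {s.host}:{s.port}/{s.proto} {s.name}")
    return lines


if __name__ == "__main__":
    print("\n".join(exposure_report()))
```

Run against the constructed sample, the report lists POP3 on the mail host, FTP and the unexplained port 8080 on the web host as unexpected, and flags 8080 again as unidentified; the same parser works on a real `nmap -oG` file once the baseline reflects the organization's own change records.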
Once the external scan has taken place, we will seek to identify the most vulnerable points in the external face of the network. Naturally the ultimate goal is to penetrate the external endpoints and gain access to the internal LAN and the organization’s resources. Once a potential attacker achieves this goal, an organization could face:
- Sensitive or confidential information being leaked from the organization’s network, such as personnel, payments or other financial records.
- Mail gateway or web site being used as the source of spam email leading to the organization’s domain being blacklisted and many sites automatically rejecting an organization’s legitimate email correspondence.
- A defaced website. Many organizations have suffered reputational loss when potential customers logged on to find an attacker’s version of their website.
- Disruption to services where one or more of the organization’s resources have been put out of action, either temporarily or permanently.
In this phase Cobalt pentesters will focus on the specific resources that have been identified. Usually we focus on visibly open web servers, FTP servers, email servers, firewalls, routers, DNS servers and any other services that are in place on the external IP address range including O365 services. During this phase pentesters manually examine the target application to map its business functions, workflows, and underlying processes. We build a matrix of the access controls within the app based on the types of roles and actions it supports. The assessment includes tests such as session management flaws that may allow user impersonation, attempts to bypass MFA, and flaws in access control that expose data or enable users to gain elevated privileges. Although any checks must always be specific to a given situation, a normal scenario would be along the lines of:
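The access-control matrix described above is only useful once every role/action cell has actually been exercised and each outcome compared with what the matrix says should happen. The script below is an added example for this page, not Cobalt's own tooling: it takes a hypothetical matrix of roles and the actions they are permitted, a constructed set of observations (which role attempted which action and what HTTP status came back), and reports cells where access was granted although the matrix forbids it, cells where a permitted action was wrongly denied, and cells that were never tested at all.

```python
"""Check observed authorisation outcomes against an access-control matrix.

Added example, not Cobalt's tooling. The roles, actions, matrix and the
observed (role, action, HTTP status) triples are all hypothetical.
"""
from collections import defaultdict

# Hypothetical matrix: the actions each role is meant to be able to perform.
MATRIX = {
    "anonymous": {"view_public"},
    "user": {"view_public", "view_own_mailbox", "edit_own_profile"},
    "admin": {"view_public", "view_own_mailbox", "edit_own_profile",
              "view_any_mailbox", "assign_roles"},
}

# Constructed observations from exercising the app with each role's session.
OBSERVATIONS = [
    ("anonymous", "view_public", 200),
    ("anonymous", "view_own_mailbox", 401),
    ("user", "view_own_mailbox", 200),
    ("user", "view_any_mailbox", 200),    # succeeded although not permitted
    ("user", "assign_roles", 403),
    ("user", "edit_own_profile", 403),    # denied although permitted
    ("admin", "assign_roles", 200),
]


def all_actions(matrix=MATRIX):
    """Every action named anywhere in the matrix."""
    return set().union(*matrix.values())


def classify(role, action, status, matrix=MATRIX):
    """Compare one observation with the matrix cell it exercises."""
    permitted = action in matrix.get(role, set())
    granted = 200 <= status < 300
    if granted and not permitted:
        return "PRIVILEGE_ESCALATION"   # access-control flaw: report it
    if permitted and not granted:
        return "BROKEN_FUNCTION"        # functional defect, not a security one
    return "OK"


def findings(observations=OBSERVATIONS, matrix=MATRIX):
    """Group the non-OK observations by verdict."""
    out = defaultdict(list)
    for role, action, status in observations:
        verdict = classify(role, action, status, matrix)
        if verdict != "OK":
            out[verdict].append((role, action, status))
    return dict(out)


def coverage_gaps(observations=OBSERVATIONS, matrix=MATRIX):
    """Matrix cells never exercised. A 'denied' cell is only evidence once
    somebody has actually tried it with that role's session."""
    tested = {(r, a) for r, a, _ in observations}
    return sorted((r, a) for r in matrix for a in all_actions(matrix)
                  if (r, a) not in tested)


if __name__ == "__main__":
    for verdict, cells in findings().items():
        print(verdict, cells)
    print("untested cells:", coverage_gaps())
```

With the constructed observations the one escalation finding is the ordinary user who could read another user's mailbox; the eight untested cells show why the matrix has to be walked completely rather than spot-checked.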
- DNS
For organizations to make use of the Internet, their network users need to have the ability to query DNS servers. Many organizations have their own DNS server but many rely on external DNS servers. If an organization has an internal DNS server that fails, potentially their Internet connection could go down. An attacker can gain a great deal of knowledge from a DNS server, for example how a domain sends and receives its email and its Web Site location. An example of one of the most serious DNS configuration errors is if an organization allows unknown Internet users to perform a DNS zone transfer, allowing them access to a great deal of valuable information about the network.
- Routers
All connections to the Internet generally go through a border router provided by the ISP and the ISP should always tightly configure this router. However, sometimes routers can remain unpatched or default user accounts can be left active. We will locate all visible routers, establish the manufacturer and operating system and check for potential vulnerabilities. This will include attempts to access the router using a whole set of different databases of well-known default passwords and settings.
- Firewalls
Usually the main gateway to an organization is a firewall. Firewalls are very proficient at protecting an internal set of resources. However, all firewall technology is open to abuse and should not be treated as an out-of-the-box solution. A lot of organizations feel reassured by the fact that they have a firewall in place. However, it needs to be configured specifically for the needs of the business and kept up to date through patching and maintenance. Our pentesters will look for configuration errors, as these quite often leave an open door into the corporate LAN. Attacks such as buffer overflows, IP spoofing, corrupted IP packets and attacks on normally open services will be used on the firewall and its performance will be noted.
- Web Servers
Web servers are particularly vulnerable to attack, whether for defacement of websites or as a launching pad for further attacks on machines local to the web server. All web servers on the client's site would be scanned for thousands of potential exploits and vulnerabilities, for example a poor patching policy or a “vanilla” installation, either of which can be an open door for a potential intruder.
- Mail Servers
Cobalt pentesters will check SMTP on the mail gateway for open relay. The mail server should only accept mail for the organization's own domains and should not relay mail on for other domains. The existence of an open relay can lead to the mail server being flooded with spam email and to the domain being blacklisted. The mail server would be tested using a variety of methods, such as attempting to send email to non-existent domains.
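The relay rule in the paragraph above is simple to state but easy to get wrong in configuration, usually by keying the decision on the sender address instead of the recipient. The following is an added example written for this page, not Cobalt's tooling: it models the RCPT TO decision of a mail gateway that hosts two constructed domains, places a correct recipient-based policy next to the classic sender-based misconfiguration, and replays the probes an assessor would send from an unauthenticated external session (external to local, external to external, a forged local sender to an external recipient, and a non-existent domain) against both. All domains, addresses and the trusted network range are made up.

```python
"""Relay policy decisions for an SMTP gateway, with the open-relay probes
from the text replayed against a correct and a misconfigured policy.

Added example, not Cobalt's tooling. Domains, addresses and the trusted
network are constructed.
"""
import ipaddress

LOCAL_DOMAINS = {"example.test", "mail.example.test"}        # domains we host
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]        # constructed internal range


def _domain(address):
    """Domain part of an envelope address such as '<user@example.test>'."""
    return address.strip().strip("<>").rpartition("@")[2].lower()


def rcpt_decision(sender, recipient, client_ip, authenticated):
    """Correct policy: accept mail for our own domains from anyone; relay to
    other domains only for authenticated or internal clients. The envelope
    sender is never part of the decision because anyone can forge it."""
    if _domain(recipient) in LOCAL_DOMAINS:
        return "250 2.1.5 OK (local delivery)"
    client = ipaddress.ip_address(client_ip)
    if authenticated or any(client in net for net in TRUSTED_NETS):
        return "250 2.1.5 OK (relay for authorised client)"
    return "554 5.7.1 Relay access denied"


def naive_sender_decision(sender, recipient):
    """Classic misconfiguration: relay whenever MAIL FROM looks local.
    Because the sender is attacker-controlled this is an open relay."""
    if _domain(recipient) in LOCAL_DOMAINS or _domain(sender) in LOCAL_DOMAINS:
        return "250 2.1.5 OK"
    return "554 5.7.1 Relay access denied"


# Constructed probes sent over an unauthenticated session from an external IP.
PROBES = {
    "external->local": ("probe@external.test", "user@example.test"),
    "external->external": ("probe@external.test", "victim@elsewhere.test"),
    "forged-local->external": ("user@example.test", "victim@elsewhere.test"),
    "external->nonexistent": ("probe@external.test", "user@no-such-domain.invalid"),
}


def run_probes(policy="correct", client_ip="198.51.100.7"):
    """Return {probe name: True if the RCPT was accepted}. For an
    unauthenticated external client only external->local should be True."""
    results = {}
    for name, (sender, recipient) in PROBES.items():
        if policy == "correct":
            reply = rcpt_decision(sender, recipient, client_ip, authenticated=False)
        else:
            reply = naive_sender_decision(sender, recipient)
        results[name] = reply.startswith("250")
    return results


def is_open_relay(results):
    """Any accepted probe other than delivery to our own domain means open relay."""
    return any(ok for name, ok in results.items() if name != "external->local")


if __name__ == "__main__":
    for policy in ("correct", "naive"):
        r = run_probes(policy)
        print(policy, r, "OPEN RELAY" if is_open_relay(r) else "closed")
```

The forged-local-sender probe is the one that separates the two policies: the recipient-based rule rejects it, the sender-based rule accepts it, which is exactly the behaviour that gets a domain onto blocklists.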
- Using OSINT tools to check leaked credentials
Tools like Shodan and Censys can be used to find IP addresses, networks, open ports, webcams, printers, and other devices that are connected to the internet. Cobalt pentesters will use these tools to identify potential weaknesses, which include: accidental leaks of sensitive information, open ports or unsecured internet-connected devices, unpatched software, and leaked or exposed assets on pastebins.
- Verifying use of secure versions
The SANS Institute points out that the most common vulnerabilities lie in outdated versions of O365. Older versions have a lower security threshold and leave data vulnerable.
- Ensuring Legacy protocols are secured
Legacy protocols such as POP3, IMAP, and SMTP need to be secured to account for known vulnerabilities. Cobalt pentesters will check whether the use of these protocols is secured.
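A practical way to check the point above on the tenant side is to export the per-mailbox protocol settings and flag every mailbox that still has POP3, IMAP or SMTP client authentication enabled. The script below is an added example for this page, not Cobalt's tooling. The CSV it reads is constructed; its column names follow the Exchange Online Get-CASMailbox properties PopEnabled, ImapEnabled and SmtpClientAuthenticationDisabled, which is an assumption about how such an export would be produced rather than data from a real tenant. A blank per-mailbox SMTP setting is treated as inheriting the tenant-wide value, which the caller passes in.

```python
"""Flag mailboxes that still allow legacy mail protocols.

Added example, not Cobalt's tooling. The CSV is a constructed export; its
column names follow the Exchange Online Get-CASMailbox properties PopEnabled,
ImapEnabled and SmtpClientAuthenticationDisabled (an assumption about how the
export was produced, not data from a real tenant).
"""
import csv
import io

# Constructed export: three mailboxes with different protocol settings.
SAMPLE_EXPORT = """\
DisplayName,PrimarySmtpAddress,PopEnabled,ImapEnabled,SmtpClientAuthenticationDisabled
Alice Example,alice@example.test,False,False,True
Bob Example,bob@example.test,True,False,
Shared Scanner,scanner@example.test,False,True,False
"""


def _flag(value):
    """PowerShell exports booleans as 'True'/'False'; blank means 'not set'."""
    v = value.strip().lower()
    if v == "":
        return None
    return v == "true"


def legacy_findings(export_text=SAMPLE_EXPORT, org_smtp_auth_disabled=True):
    """Return {address: [issues]} for mailboxes exposing POP3, IMAP or SMTP AUTH.

    A blank per-mailbox SmtpClientAuthenticationDisabled inherits the
    tenant-wide setting, so that value is supplied by the caller."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        if _flag(row["PopEnabled"]):
            issues.append("POP3 enabled")
        if _flag(row["ImapEnabled"]):
            issues.append("IMAP enabled")
        smtp_disabled = _flag(row["SmtpClientAuthenticationDisabled"])
        inherited = ""
        if smtp_disabled is None:
            smtp_disabled = org_smtp_auth_disabled
            inherited = " (tenant default)"
        if not smtp_disabled:
            issues.append("SMTP AUTH allowed" + inherited)
        if issues:
            findings[row["PrimarySmtpAddress"]] = issues
    return findings


if __name__ == "__main__":
    for address, issues in legacy_findings().items():
        print(address, "->", ", ".join(issues))
```

Running it with the tenant-wide SMTP AUTH setting disabled leaves only the explicit per-mailbox exceptions; running it with that setting enabled also surfaces every mailbox that merely inherits it, which is usually the larger group.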
Large sets of custom and publicly available tools will be utilised throughout the penetration test exercise including various port scanners, automated vulnerability scanners, HTTP proxies, exploits, custom scripts and security applications. These tools are continually evolving and Cobalt’s great advantage is that a lot of its pentesters around the world are contributing to the global information security community by developing these kinds of tools which brings the efficiency of this assessment to a completely different, more advanced level. Also, Cobalt pentesters will work additionally using manual testing processes which, combined with the relevant tools, will allow us to provide a bespoke testing service for each individual client.