ACROS Penetration Test

ACROS Penetration Test is a realistic "friendly" simulation of an "Advanced Persistent Threat" attack on an IT system - corporate IT infrastructure, electronic bank, power plant network, stock trading system etc. Our highly skilled team of security experts assumes the role of a motivated group of professional hackers and attempts to accomplish a variety of agreed-upon mission objectives (also called goals or flags), such as getting access to the target network, executing unauthorized transactions, obtaining secret corporate information, demonstratively damaging production capabilities or disabling networks. Although we're using numerous commercial and in-house tools, our success is mainly a product of our resourcefulness, ability to quickly understand how unknown systems work, to hide our actions from all sorts of intrusion/anomaly detection systems by "flying below the radar", ability to quickly find and exploit previously unknown vulnerabilities in systems and applications, to penetrate security mechanisms such as firewalls or content filters, to propagate covertly through the target network, to gather intelligence data and elevate privileges - and mostly, to use these skills efficiently while steering the attack towards the specified mission objectives.

ACROS Penetration Test is not a vulnerability scan. It is also not a hypothetical exercise about exploitability of some particular vulnerability in your system. ACROS Penetration Test is as close as it gets to a real "Advanced Persistent Threat" attack without the actual damage. A customer gives us a set of very specific catastrophic events that could be devastating to their business - and these then become our mission objectives, which we try to accomplish (and not just theoretically). Our only limitations compared to a real attack are: we must not break the law (or contracts), and we must not cause damage or expose customers to undue risk.

Some typical mission objectives are:

  • Accessing sensitive information in the main database
  • Obtaining confidential documents from high-level executives' computers
  • Acquiring control over SCADA devices or machines
  • Gaining administrative access to a Windows NT domain or a SAN system
  • Disabling network connectivity
  • Obtaining unauthorized access to personal data
  • Unauthorized withdrawal of funds from a bank account
  • Accessing the list of corporate customers or vendors
  • Gaining remote access to a critical internal network
  • Disabling the main database
  • Obtaining sensitive e-mail
  • Accessing accounting data
  • Destruction of backup data
  • Disablement or defacement of the corporate web site
  • Accessing confidential product documentation or source code
  • Identity theft

Naturally, we skip the last step in the "denial of service" mission objectives; for instance, we obtain the required access and credentials that would allow us to actually disable a database, but don't actually do it - or, upon the customer's explicit request, do it when they want it and on their own terms.

Customer Quotes

"We've been leveraging ACROS to perform pentests on most of our acquisitions and we've been very happy with their services."

(Project contact at a leading global online company with hundreds of millions of registered users)

There is a good chance that your system will become the target of a digital attack some day: by your competitor, an intelligence agency, a disgruntled employee, or maybe just a bored kid who got lucky and found a hole in your mail server. In any event, the damage to your business can be very serious. Undoubtedly you've invested significant effort and money in various security measures from policies to technology, and periodically employ security auditing and scanning to test for existing vulnerabilities. But how do you ultimately test whether you're really prepared for a motivated, targeted attacker? Will your access control stop him or will he find a trick for bypassing it? Will your firewalls keep him out of your network or will they let him walk by? Will he be able to obtain your most critical passwords and silently make a copy of your highly confidential documents? Is he going to be able to steal money from your corporate accounts and take away business data from your main database? And will he be detected by your people or technology that is set up to watch for suspicious activity?

Only ACROS Penetration Test can give you the answer to these questions.

Find more information about ACROS Penetration Test in Frequently Asked Questions.

To order an ACROS Penetration Test, contact security@acrossecurity.com or call +386 2 3000 280.