
External Penetration Test

Service Overview

The objective of an External Penetration Test is to discover and demonstrate weaknesses present on the perimeter that would allow a threat actor to breach and gain access to the internal network or internal resources. The test includes exploitation of vulnerabilities and discovery of usernames and passwords.

The test exposes security flaws that vulnerability assessments do not usually detect, and is more aligned with how modern threat actors attack and breach network perimeters or gain access to restricted resources.

Service Methodology

The Secureworks approach to advanced network security testing is based on an internally developed methodology, derived from industry best practices and extensive security testing experience. Secureworks works closely with you to determine in-scope and out-of-scope targets. Prior to the test, Secureworks will schedule a kickoff call to establish rules of engagement, level of effort, scope, risk acceptance, remote testing appliance (RTA) requirements, reporting requirements, test timelines, and schedules.

Listed below are components of the test:

Network Discovery

Secureworks performs port scans of the IP ranges you provide to identify live hosts. This test includes activities such as scanning a range of IP addresses to identify top Transmission Control Protocol (TCP) ports in use and identifying specific applications and potential version information through banner grabbing. For external tests, scan data is delivered after the test is complete, detailing live hosts and top open ports. Port-scan data is not included with internal test reports.

Open Network Services Enumeration

Secureworks interrogates network services to determine additional information about Customer's network that could lead to compromise. Examples include the following:

Note: Any Intrusion Prevention Systems, Web Application Firewalls, or other active security control devices may filter or obstruct testing traffic. Secureworks requests that the testers' source IPs be allow-listed (or set to alert-only) for the duration of testing.

Open Network Services Exploitation

Secureworks will use information from "Open Network Services Enumeration" to attempt compromise of network services. Examples of techniques used include the following:

Note: Use of captured credentials, while not a software vulnerability, is a common vector of attack. Use of captured credentials and publicly disclosed breach data are considered in-scope. The use of any exploits with high risk of Customer service impact will be discussed prior to use.

Post Exploitation and Lateral Movement

Secureworks will attempt to identify compromise vectors for the wider network and domain infrastructure. The following techniques may be used to show the impact of compromise from earlier phases:

Note about Web Applications: Web applications are characteristically the most vulnerable applications. Secureworks provides services that assess web application security. If web applications are detected within the range of Customer's in-scope IP addresses that will be assessed for this Service, then Secureworks will perform generic (also known as black box) testing of those web applications; however, this testing is not considered a comprehensive test of Customer's web application. If in-depth web application testing is needed, see our Web Application Security Assessment service.

Remote Retest

Secureworks will conduct one (1) remediation validation ("RV") for only the high- and critical-severity findings listed in the final report. After primary test completion, Customer has ninety (90) days in which to remediate issues, schedule the RV, and have Secureworks perform the RV. Customer must submit the RV request through email to the Secureworks point of contact for the assessment within thirty (30) days of delivery of the final report or the RV is forfeited.

For external penetration tests, findings discovered after pivoting and post-exploitation can be difficult to validate and are therefore not included in RV. For internal penetration tests, RV can only be performed if the original test used the Secureworks RTA. Secureworks will issue a brief report summarizing the results of the RV, which will include information about whether Customer successfully remediated the issues.

Note: Secureworks only conducts RVs remotely, regardless of whether the assessment was conducted on-site.

Outcome

Presentation of findings and deliverables compiled by Secureworks will be provided to you in the form of a report. The report will include the following:

Customer shall have one (1) week from delivery of the report to provide comments to be included in the final report. If there are no comments received from Customer before the expiration of the review period, the report will be deemed final.

Upon completion of the Services, the Customer-designated contact will receive a secure/encrypted email confirmation from Secureworks. Unless otherwise notified in writing to the contrary by the Customer-designated contact, within five (5) business days of such email confirmation, the Services and this SOW shall be deemed complete.

Scoping information

External testing will be limited to pre-defined target systems or network ranges. For the purposes of scoping, a target system refers to a live system exposing at least one port/service to the Internet.

While we do perform some OSINT to find undocumented assets associated with Customer, no live testing of those systems will be performed without written approval. Any modifications to scope will be discussed and documented with Customer before proceeding, and may incur additional fees through a Change Order.

External penetration testing typically relies on a black-box methodology adhering to an artificially compressed timeline. Supplying additional information allows for efficient testing that can remain focused on impactful results. Providing a set of valid credentials for a specified test account allows Secureworks to perform more accurate password spraying, and to configure tooling for the most efficient testing possible.

Scope | Description
External Penetration Test - Small | Up to 50 external IP addresses. IP addresses for the test must be all external; otherwise, separate work effort is required.
External Penetration Test - Medium | Up to 250 external IP addresses. IP addresses for the test must be all external; otherwise, separate work effort is required.
External Penetration Test - Large | Up to 500 external IP addresses. IP addresses for the test must be all external; otherwise, separate work effort is required.

Work is conducted during the business hours of the Secureworks consultant. An after-hours option is available for an additional cost.

The complete Service Description for this service can be found here: Penetration Testing

 
