Attack Simulation – Red Team – Penetration Testing

MoD Supplier – Sometimes It’s The Unknown Unknowns

We were asked to provide a Cyber Deep Dive test for a military contractor. The purpose of the activity was to understand where the current risks to the organisation were likely to lie and to provide recommendations on how they should be addressed.

As is often the case with suppliers to Government, the organisation treated security as a top priority, but a second, independent team can sometimes bring a different perspective.

This review was a manual security assessment of the company’s attack surface, covering open-source intelligence, corporate application functionality, business logic, and vulnerabilities such as those catalogued in the Open Web Application Security Project (OWASP) Top 10. The assessment also included a review of security controls and requirements against the NCSC Cyber Assessment Framework.

As a result of this review, an internet-facing server was decommissioned within hours: it was highly vulnerable and could have been exploited by attackers.

Multi-staged Review
We use a modular approach to Attack Simulation. We recommend that, prior to any penetration testing, an attack surface review and controls assessment is undertaken. This ensures that all testing focuses on the real risks to the business.

Cyber Deep Dive
Drawing on our consultants’ experience protecting defence and financial services institutions, we can identify areas of concern and recommend steps to mitigate the risks.

Assessing Security Controls
By reviewing the security controls against the NCSC Cyber Assessment Framework and applying the delivery expertise of FSP, we can make pragmatic and cost-effective recommendations. We use industry best-practice methodologies for our testing, including but not limited to OWASP, CIS Benchmarks, the Common Vulnerability Scoring System (CVSS), the Common Weakness Enumeration (CWE) and ISO 27001.
