Laneden's assessment methodology can be broken into six phases:
Pre-engagement
Laneden will work with you and your organisation to understand your drivers and build a statement of works that meets your requirements.
Intelligence Gathering
Using techniques similar to those used by threat actors, Laneden uses OSINT (open-source intelligence) to collect as much information pertaining to your organisation as possible from publicly available sources. This information could be very valuable to would-be attackers.
Vulnerability Analysis
A vulnerability assessment is undertaken on your organisation's external infrastructure, that is, any corporate systems that are publicly accessible. The information is collated and then analysed to build potential attack vectors.
Exploitation
Valid targets are selected, exploitation paths are derived, pretexts are created, and the true attack is engaged.
Post Exploitation
If access is gained to any corporate systems, it is potentially possible for the engineer to gather more information and look for security concerns that could lead to further compromise within your network. The lead engineer assigned to the engagement would contact the organisation before the exploitation phase moves any further (if not already agreed as part of the Pre-engagement).
Reporting
A comprehensive report is crafted, containing an executive summary which is consumable by anyone in the organisation regardless of their technical background. It gives clear and concise information describing each issue at hand, along with enough technical information to remediate any issues identified.
Technical references are provided when relevant, allowing you to gather more information if required. Each vulnerability is put into context and given a risk-based score. Using CVSS 3 scoring and relevant context, you can get a real picture of each risk and what it means to your business and customers.
Our consultants engage with the client to discuss the scope and make certain all is in order before the assessment begins
Communications at the beginning and end of each day of the engagement, confirming the plan of action for the day or that the engagement has paused for the evening
Ongoing communications from the engagement consultant, highlighting any major concerns as they come across them
A comprehensive report is crafted containing an executive summary which is consumable by anyone in the organisation regardless of their technical background
Clear and concise information describing each issue at hand
Technical references are provided when relevant, allowing your team to gather more information on the vulnerability if required
Each vulnerability is put into context and given a risk-based score; using CVSS 3 scoring and relevant context, you can get a real picture of each associated risk
Simple remediation advice, stating what is required to remediate the relevant vulnerability