© 2015, we45
we45 case files
infrastructure security assessment
client profile
• Client's Business Environment – a leading cloud-based email encryption product company based in Sunnyvale, CA
• Security Expertise – the client's management team was led by security experts previously employed at Microsoft, Sun Microsystems and Stanford University
• Application Deployment Security Check – the client wanted to develop a specialized module that would identify bottlenecks in deploying its email encryption service in the network
pre-engagement scenario
• The client had leading security experts on its internal team
• The client, hosting its infrastructure on Amazon AWS, wanted to validate infrastructure security across its cloud estate
• The client required additional assurance on cloud infrastructure security
• The client was specifically concerned about the CMS (content management system) used for registration to the encryption service
testing approach
Network Architecture Review and Threat Modeling
• Identifying key security risks to the enterprise infrastructure and prioritizing them
• Infrastructure security threat modeling using established methodologies
• Review of high- and low-level network diagrams

Vulnerability Assessment
• Performing reconnaissance and mapping against the infrastructure
• Identifying vulnerabilities in the scoped targets and related system components

Penetration and Post Exploitation
• Exploiting selected vulnerabilities in the scoped targets
• Maintaining persistent access to exploited systems for deeper analysis

Presentation and Reporting
• Delivering a presentation to key management stakeholders
• Preparing and delivering comprehensive security testing reports
• Designing an action plan for management review
threat modeling – the key to a successful test
• overview – we45's security analysts identified the client's business process / platform and penetration testing requirements. The aim is to identify the key data security risks to information stored, processed and transmitted by the infrastructure and system components; addressing these risks delivers the highest business value for the client.
• security profiles – we45's security analysts then created security profiles for the key risks identified in the overview. For instance, theft of customer data would be a key risk for a database. Each risk was also assigned a severity score.
• threat models – Based on the security profiles, the testing team identified the attack scenarios that would realize each risk. This was done using Microsoft's STRIDE (threat categories) and DREAD (severity scoring) methodologies.
• Scrum – The threat models were used as the attack plan. we45 ran the test as a Scrum-style backlog, prioritizing scenarios by severity so that testing effort went where it was most effective.
threat modeling - STRIDE
• Spoofing – masquerading as another user or system
• Tampering – unauthorized modification of data or code
• Repudiation – denying knowledge of an action
• Information Disclosure – data exposure / leakage
• Denial of Service – downtime / service denial
• Elevation of Privilege – performing privileged actions
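The threat modeling flow described on the previous slide (a security profile per asset, attack scenarios tagged with a STRIDE category, a DREAD severity score, and a prioritized attack backlog worked Scrum-style) can be captured in a few lines of code. The block below is an added example, not we45's or leanbeast's code; the assets, scenarios and scores are constructed for illustration, and the 7.0 threshold for a "Level 1" item is an assumption.

```python
from dataclasses import dataclass
from statistics import mean

# STRIDE categories paired with the plain-language effect the deck lists for each.
STRIDE = {
    "S": "Spoofing (masquerading)",
    "T": "Tampering (unauthorized modification)",
    "R": "Repudiation (denying knowledge)",
    "I": "Information disclosure (data exposure/leakage)",
    "D": "Denial of service (downtime)",
    "E": "Elevation of privilege (performing privileged actions)",
}

LEVEL1_THRESHOLD = 7.0  # assumption: DREAD score at or above which an item is "Level 1"


@dataclass(frozen=True)
class Threat:
    """One attack scenario derived from a security profile.

    asset:    the component the security profile covers
    risk:     the key risk from the profile, e.g. "theft of customer data"
    scenario: how an attacker would realize that risk
    stride:   one STRIDE letter
    The five DREAD factors are rated 1..10 each (Microsoft's original scale).
    """
    asset: str
    risk: str
    scenario: str
    stride: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        for factor in (self.damage, self.reproducibility, self.exploitability,
                       self.affected_users, self.discoverability):
            if not 1 <= factor <= 10:
                raise ValueError("DREAD factors must be in 1..10")

    def dread(self) -> float:
        """DREAD severity: the mean of the five factors (10 = worst)."""
        return mean([self.damage, self.reproducibility, self.exploitability,
                     self.affected_users, self.discoverability])


def attack_backlog(threats):
    """Order threats into a sprint-style backlog, highest DREAD score first.

    Returns (rank, level, dread, asset, stride description, scenario) tuples so
    the tester works the most severe scenarios first; ties break on asset name.
    """
    ranked = sorted(threats, key=lambda t: (-t.dread(), t.asset))
    backlog = []
    for rank, t in enumerate(ranked, start=1):
        level = "Level 1" if t.dread() >= LEVEL1_THRESHOLD else "Level 2"
        backlog.append((rank, level, round(t.dread(), 1), t.asset,
                        STRIDE[t.stride], t.scenario))
    return backlog


# Constructed sample: four scenarios for the kind of estate the case study describes.
SAMPLE_THREATS = [
    Threat("search cluster", "takeover of application servers",
           "unauthenticated REST API accepts scripts that run OS commands",
           "E", 10, 9, 9, 9, 6),
    Threat("customer database", "theft of customer data",
           "file inclusion in the CMS registration site reaches the DB host",
           "I", 9, 8, 7, 9, 8),
    Threat("SFTP server", "exposure of customer files",
           "weak authentication lets an outsider log in as a customer",
           "S", 8, 9, 8, 6, 9),
    Threat("audit logging", "admin actions cannot be attributed",
           "no audit trail, so a privileged user can deny a change",
           "R", 4, 10, 5, 3, 4),
]

if __name__ == "__main__":
    for row in attack_backlog(SAMPLE_THREATS):
        print(row)
```

The ordering is the whole point: with the sample scores the search cluster scenario (8.6) is tested before the database (8.2) and SFTP (8.0) scenarios, and the repudiation item (5.2) drops to Level 2, which matches the order in which the findings on the later slides would have surfaced.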
assessment and exploitation schema
Reconnaissance
• IP discovery
• WHOIS lookups
• BGP scanning
• DNS lookups
• Search engine querying
• IPS/WAF identification

Scanning and Profiling
• Information disclosure mapping
• Port scanning
• Banner grabbing
• Linked server mapping
• Host profiling
• OS and version detection
• SNMP mapping and scanning
• Web services enumeration
• Directory bruteforcing
• Packet captures and analysis

Vulnerability Discovery
• Automated vulnerability scanning
• Fuzzing for multiple attack vectors
• Linked server vulnerabilities
• Identifying insecure services and vendor-supplied default passwords
• Identifying web flaws
• Identifying potential denial of service vectors
• Cryptographic attacks

Exploitation
• Custom exploits (apps)
• Publicly available exploits
• Exploit pivoting
• Web services exploits

Post Exploitation
• Clean-up (post exploit)
• Identifying impact of exploits

Reporting
• Vulnerability management using key metrics
• Analysis and reporting: key business risks
• Multiple recommendations / solutions
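The scanning and profiling phase above ends with a port/service inventory per host, and the vulnerability discovery phase starts by picking out insecure services and candidates for vendor default passwords. The block below is an added example (not we45's or leanbeast's code) showing the handoff between those two phases: it parses nmap's grepable output format (`-oG`) into a host profile and applies a few assumed heuristics to flag services a tester would look at first. The scan output is constructed for the example and is not client data; the heuristic tables are the author's assumptions, not an nmap feature.

```python
from collections import namedtuple

Service = namedtuple("Service", "port proto name version")

# Constructed sample of nmap grepable output (-oG) for two hosts scanned with
# -sS -sU -sV. Not real client data.
SAMPLE_GNMAP = (
    "# Nmap 6.47 scan initiated as: nmap -sS -sU -sV -oG scan.gnmap 10.0.1.0/28\n"
    "Host: 10.0.1.10 ()\tStatus: Up\n"
    "Host: 10.0.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.6.1p1 (protocol 2.0)/, "
    "9200/open/tcp//http//Elasticsearch REST API/, "
    "161/open/udp//snmp//SNMPv1 server/\tIgnored State: closed (997)\n"
    "Host: 10.0.1.20 ()\tStatus: Up\n"
    "Host: 10.0.1.20 ()\tPorts: 21/open/tcp//ftp//ProFTPD 1.3.4/, "
    "23/open/tcp//telnet//Linux telnetd/, "
    "80/open/tcp//http//Apache httpd 2.2.22/, "
    "443/filtered/tcp//https///\tIgnored State: closed (996)\n"
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned\n"
)


def parse_gnmap(text):
    """Return {address: [Service, ...]} for every open port in -oG output.

    Each "Ports:" entry is port/state/proto/owner/service/rpc/version/ ; the
    version field may itself contain '/', so everything after the sixth slash
    is treated as version. Comment lines and Status-only lines are skipped.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        addr = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("Ignored State:", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, name, _rpc = fields[:6]
            version = "/".join(fields[6:]).rstrip("/")
            if state == "open":
                hosts.setdefault(addr, []).append(
                    Service(int(port), proto, name, version))
    return hosts


# Assumed heuristics for the "insecure services and vendor default passwords"
# step. Service names are nmap's; the port rule catches a product whose
# service name ("http") says nothing about its (missing) authentication.
CLEARTEXT_LOGIN = {"ftp", "telnet", "pop3", "imap", "rlogin", "rsh"}
DEFAULT_CRED_CHECKS = {
    ("snmp", "udp"): "probe default community strings (public/private)",
    ("ftp", "tcp"): "try anonymous login and vendor default accounts",
    ("telnet", "tcp"): "try vendor default credentials",
}
UNAUTHENTICATED_BY_DEFAULT = {
    9200: "Elasticsearch REST API: no authentication in the product itself",
}


def flag_insecure(hosts):
    """Return (address, port, proto, reason) tuples worth a tester's attention."""
    findings = []
    for addr in sorted(hosts):
        for s in hosts[addr]:
            if s.name in CLEARTEXT_LOGIN:
                findings.append((addr, s.port, s.proto,
                                 f"{s.name}: credentials and data cross the network in cleartext"))
            if (s.name, s.proto) in DEFAULT_CRED_CHECKS:
                findings.append((addr, s.port, s.proto,
                                 DEFAULT_CRED_CHECKS[(s.name, s.proto)]))
            if s.port in UNAUTHENTICATED_BY_DEFAULT:
                findings.append((addr, s.port, s.proto,
                                 UNAUTHENTICATED_BY_DEFAULT[s.port]))
    return findings


if __name__ == "__main__":
    profile = parse_gnmap(SAMPLE_GNMAP)
    for addr, services in sorted(profile.items()):
        print(addr, ", ".join(f"{s.name}/{s.port}/{s.proto}" for s in services))
    for finding in flag_insecure(profile):
        print("FLAG", *finding)
```

Filtered ports (443 in the sample) are deliberately dropped from the profile: they tell you a firewall or IPS is in the path, which belongs to the "IPS/WAF identification" step, not to the service inventory. Mixed TCP and UDP results land in one "Ports:" line when both scan types run together, so the UDP SNMP agent is profiled alongside the TCP services on the same host.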
we45's "leanbeast"
• we45's "Hybrid-Automation" vulnerability management appliance was used to conduct this assessment for the client
• leanbeast leveraged tools and custom scripts to launch the specific attack vectors defined by the security profiles of the scope
• The appliance was tuned for an assisted penetration testing exercise, combining the advantages of manual and automated testing methods
• The appliance's "remote" mode of operation enabled we45 to use production downtime windows to conduct the exercise
• leanbeast is fully integrated with an automated vulnerability management and reporting engine (VME) that provided analytics and integrated dashboards to the client's stakeholders
leanbeast: operation model
a few major findings
• Elasticsearch server vulnerable to remote code execution, giving access to the client's entire application server infrastructure (the Elasticsearch REST API listens on TCP 9200 and the product itself shipped without authentication)
• Linux hosts compromised through Shellshock, the GNU Bash environment-variable injection flaw (CVE-2014-6271); this is a Bash vulnerability, not a Linux kernel one
• Gained access to the client's Secure FTP server through authentication flaws, exposing sensitive customer information
• Identified remote file inclusion in the client's CMS platform and compromised the web server and the DB server
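The Shellshock finding can be verified on a host without exploiting anything: a vulnerable Bash parses a function definition out of any environment variable at startup and also executes whatever command follows the function body. The block below is an added example (not from the case study) that runs the public CVE-2014-6271 probe against the local bash binary; the probe string, the marker text and the three status labels are the only things it assumes.

```python
import shutil
import subprocess

# Public CVE-2014-6271 probe: a vulnerable bash imports the function definition
# from the variable and runs the trailing "echo" while doing so.
PROBE = "() { :; }; echo SHELLSHOCK_MARKER"


def check_shellshock(bash_path=None):
    """Return 'vulnerable', 'patched' or 'no-bash' for the given/local bash.

    The variable is imported as a function only by an unpatched bash; a fixed
    bash treats it as an ordinary string and runs nothing but our -c command.
    """
    bash = bash_path or shutil.which("bash")
    if bash is None or shutil.which(bash) is None:
        return "no-bash"
    env = {"PATH": "/usr/bin:/bin", "SHELLSHOCK_PROBE": PROBE}
    proc = subprocess.run([bash, "-c", "echo probe-ran"], env=env,
                          capture_output=True, text=True, timeout=10)
    if "SHELLSHOCK_MARKER" in proc.stdout:
        return "vulnerable"
    if "probe-ran" in proc.stdout:
        return "patched"
    raise RuntimeError(f"bash at {bash} did not run the probe: {proc.stderr!r}")


if __name__ == "__main__":
    print(check_shellshock())
```

Why this matters on an otherwise hardened Linux host: any service that copies attacker-controlled input into environment variables and then invokes bash (CGI scripts receiving HTTP headers, DHCP client hooks, SSH ForceCommand wrappers) turns the local bug into remote code execution, which is the path a finding like the one above implies.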
modus operandi
• Performed extensive reconnaissance on system components, identifying running services over TCP and UDP
• Discovered vulnerabilities through automated scanning and custom vulnerability discovery scripts
• Performed exploits using popular exploit frameworks and custom-developed exploits
• Performed pivot attacks, reaching other hosts on the same network through a compromised host
analysis & reporting
• A detailed security testing report and custom client access to leanbeast's VME were provided to the client at the end of the assessment
• The vulnerability findings were ranked by severity of business impact and cross-referenced to industry identifiers such as CWE and CVE
• The client team was provided with multiple relevant remediation strategies per vulnerability
• The network and infrastructure teams were trained on core concepts of network security and "business as usual" security practices
• An executive summary and action plan were prepared for management action

Detailed Report Ranked by Findings
• Risk ranking for efficient prioritization of remediation efforts

Multiple Recommendations
• Multiple recommendations for quicker remediation

Industry Metrics and Action Plan
• Citation of standard industry metrics
• Development of executive summary and action plans
success factors
• we45 was able to identify deep-seated authentication and platform issues that could have caused massive breaches of confidentiality for the client. These were classified as Level 1 security issues for the client
• Through leanbeast, we45 implemented a measurable, frequent and scalable vulnerability assessment framework for the client
• we45 engaged with the client's security team to train them on infrastructure security requirements. This has enabled the client to independently manage certain aspects of its network infrastructure security
thank you
we45 - Infrastructure Penetration Testing with LeanBeast Case Study