We believe in the power of a story to drive change, and we help our clients tell that story through our work. When you prove the consequences of a breach (such as stealing money, intellectual property, or customer credit cards), it impacts stakeholders emotionally in a way that a list of vulnerabilities doesn’t.
We have seen this emotional impact change how people think about security, and it has led to dramatic improvements in the security posture of our clients.
To create that emotional impact, we must tell a flawless story that skeptics cannot dispute. Every organization has skeptics that instinctively want to downplay the results of a red team assessment or pen test. If the skeptics succeed in convincing the decision-makers, the impact of the assessment is dulled, and the resulting improvement is reduced. That is why it is so important to hire a team with the expertise and experience to accurately simulate the attacks of the most sophisticated threat actors. Icebreaker can obtain your organization’s crown jewels, and it can do so without tripping any alarms.
Icebreaker has advanced research and development capabilities. We have developed our own custom malware payloads, configurable command-and-control infrastructure, and custom lateral movement techniques. We maintain a lab full of third-party security products and constantly test and refine our tools to ensure our offensive capabilities stay a step ahead of the security vendors’ defenses. We understand the best security controls and their weaknesses and have an outstanding track record of proving the impact an adversary can make.
“Very, very, very good and helpful. I’m kicking myself; we should have done this a year ago. Thank you for helping my team get to the next level.” – CIO, Financial Services Company
“I’m really impressed with how thorough this was. Excellent job. I’m really, really happy.” – CIO, Gaming Company
“Thanks for this excellent, clear and well thought out input. The report was a gut punch but fair. We don’t even have any constructive criticism for you; this was great.” – CISO, Technology Company
THE RIDE SHARE
The situation: The new CISO of a ride-sharing company is concerned about past security practices while their product was in development. He wants the ground truth of how vulnerable their product is to hackers.
The support: Icebreaker conducts a comprehensive application penetration test and demonstrates that an unauthenticated attacker can create fraudulent payments, modify the application’s source code, and obtain all their customers’ personal information.
The solution: The CISO hired Icebreaker’s application security experts to advise them as they redesign the application to be more secure. Subsequent penetration tests have shown that the product is steadily becoming more and more resilient to attack.
THE CASINO HEIST
The Chief Audit Executive at a gaming company had used the same penetration testing company for many years and wanted a fresh perspective.
Icebreaker conducted a network penetration test, physical security assessment, and wireless security assessment at three casino/hotel properties. The team rented a hotel room at one property and found that the in-room phones were connected to the company’s internal corporate network. Due to significant patch management issues on the internal network, Icebreaker gained control of all systems within hours.
Icebreaker identified the enterprise vulnerabilities and provided prioritized recommendations for remediation. The gaming company is working quickly to implement the recommendations.
THE CASTLE WALL
The Chief Audit Executive of a financial services company doesn’t think the CIO is taking security threats seriously. The CIO has expressed a belief that no adversary could penetrate their hardened perimeter. The CIO finds commoditized penetration testing unrealistic because it does not prove to him that an adversary can reach the internal network.
Icebreaker executes a sophisticated, highly targeted spear phishing campaign, including custom malware in the guise of videoconferencing software. The malware evades the client’s entire security stack and allows Icebreaker a foothold on their internal network. Once inside, Icebreaker finds poor security practices on the internal network and gains control of the network in under an hour.
The CIO and his team are shocked into quick, decisive action. They realize they need to adopt a defense-in-depth approach to enterprise security and can no longer rely on their hardened perimeter. They rapidly address the most critical vulnerabilities and enlist the services of an MSSP for assistance with incident response and long-term improvements.