STLID - Penetration Testing - 2022 - EN
Proposal
2022
STEALIEN Indonesia
01
Penetration Testing
Proposal
1. Proposal Overview
STEALIEN Indonesia
1.1 Proposal Background And Purpose Ⅰ. Proposal Outline
- Identification of vulnerabilities and how they affect services
- Stable service operation through improvement
- Technical verification
1.2 Offer Features and Benefits Ⅰ. Proposal Outline
- 3rd Real World CTF 1st
- CCE Attack team 2nd place
- HackIT qualified preliminary rounds
- CODEGATE 4th place
- TrendMicro CTF 7th place
- DEFCON Finals
- National cyber security contest 3rd
- TCTF/0CTF Preliminary Championship / Finals 5th
- National cyber security contest 1st
- 2020 Line/KIISE block chain contest 2nd
- Cyber Operation Contest 1st
- Participation award at Openhack Hackathon
- K-CSC 2020 (K-Cyber Security Challenge) 2018
- Participation award at ROK Hacker defense contest
- AI Security Vulnerability Automatic Detection Track 1st
- Participation award in 6th Software Development contest
- DEFCON CTF qualified preliminary rounds
- Defcon CTF Finals
- CodeGate Junior qualified preliminary rounds
- KISA Hacker defense contest 2nd
- White Hat Contest (Defense) Grand prize
- DEFCON CTF International hacker contest 3rd
- White Hat Contest 2015 grand prize
- 2012 Korea White Hat Contest 1st
- Information security Olympiad Bronze medal
- KISA Hacker defense contest 1st
1.2 Offer Features and Benefits Ⅰ. Proposal Outline
Year Contents
2012~Present Managing Reversing.Kr, a reversing wargame website
2019 Defcamp CTF 2019 qualified preliminary rounds
2019 KISA Hall of Fame 5th place (30 total)
2019 Question setter for BISC Open CTF 2019
2018 BOB 6th graduate
2018 Soonchunhyang University Youth Hacker Security Contest question setting committee
2018 Participated in KITRI CVE analysis project
2018 BOB Grandfix 2nd place
2018 Microsoft's Top 100 Security Researchers
2017 UBUNTU CTF question setter
2014 ~ 2016 Cyber security professional committee
2015 National Encryption Contest
2015 1st graduate of Daegu University Information Security Center for Gifted Education
2014 Managing and setting questions for Korea White Hat Contest
2014 Secu-inside International Hacker Defense contest
2013 Managing and setting questions for Korea White Hat Contest
2013 Presidential Award for Korea’s Talent
- Hacking Camp staff for security related events
- Manager for Christmas CTF
1.2 Offer Features and Benefits Ⅰ. Proposal Outline
Company / CEO
1. Mobile App Security Solution (AppSuit Premium, AppSuit AV, AppSuit Keypad, AppSuit WBC, AppSuit Module)
2. Security Consulting from the attacker's perspective
3. Cyber Drill System (Cyber Hacking Training System)
4. R&D projects with government institutions
No. of Employees
Address / Phone
Seoul Office: 12th Floor, The Prime Tower, 11, Wonhyo-ro 90-gil, Yongsan-gu, Seoul / +82-2-2038-4792
Jakarta Office: One Pacific Place, Sudirman Central Business District, 15th Floor, Jl. Jend. Sudirman Kav. 52-53, Jakarta 12190 / +62-21-2783-8356
20
2.1 Proposal Company Information Ⅱ. Proposal Company Information
Proposal History
2014.05 Company establishment
2015.04 Ajou University MOU
2015.05 MOU with Yeungnam University of Science and Technology
2015.06 Established corporate research institute
2015.09 Selected as a promising company in ICT field by the Ministry of Science, ICT and Future Planning (K-Global 300)
2016.11 Received SK Telecom Award at Mobile Technology Award
2016.11 Commendation from the Minister of Science, ICT and Future Planning
2016.12 Korea Information Security Industry Association Startup of the Year Award
2017.05 Selected as 2017 Excellent Venture Company (Sustainable Growth Sector) by Venture Business Association
2017.06 Ebiashara MOU (Supply of security solutions to Africa)
2018.02 Selected as Shinhan Futures Lab
2018.04 Selected as a small strong company by the Ministry of Employment and Labor
2018.12 Selected as a small and medium-sized company for talent development
2018.12 Korea Information and Communication Technology Association (TTA) SW Quality Grand Prize (AppSuit)
2018.12 Selected as a youth-friendly small business by the Ministry of Employment and Labor
2019.06 Selected as a technology innovative SME (Main-Biz)
2019.06 Selected as a technology innovative SME (Inno-Biz)
2020.05 Selected as SW High Growth Club 200
2020.06 Won the Korea Startup Grand Prize
2.2 Proposal Business Performance Ⅱ. Proposal Company Information
Business Performance
Attack-based Security Consulting For Tablet Banking Apps Pentesting 2020.10 ~ 2020.12 KB Kookmin Bank Bank
Busan Bank Mobile App Penetration Testing Pentesting 2017.08 ~ 2017.09 NH Nonghyup Bank Bank
KB Star Banking App Vulnerability Check Pentesting 2017.07 ~ 2017.08 KEB Hana Bank Bank
NH Nonghyup Bank Vulnerability Check Pentesting 2016.05 ~ 2016.07 Yuanta Securities Bank
Yuanta Securities Application Vulnerability Check Pentesting 2019.02 ~ 2019.12 KB Securities Securities
External Penetration Training Project Pentesting 2018.11 ~ 2019.01 Hana Financial Investment Securities
Hana Financial Investment App Vulnerability Check (MTS) Pentesting 2016.11 ~ 2016.12 Woori Card Securities
Woori Card Service Vulnerability Check Pentesting 2020.05 ~ 2020.07 Woori Card Card
Woori Card Electronic Financial Infrastructure Vulnerability Check Pentesting 2020.03 ~ 2020.04 KB Kookmin Bank Card
Woori Card Electronic Financial Infrastructure Vulnerability Check Pentesting 2019.02 ~ 2019.04 Busan Bank Card
Woori Card Electronic Financial Infrastructure Vulnerability Check Pentesting 2018.02 ~ 2018.03 KB Kookmin Bank Card
2.2 Proposal Business Performance Ⅱ. Proposal Company Information
Business Performance
Woori Card App Penetration Testing Pentesting 2016.12 ~ 2016.12 Woori Card Card
Hana Members App Vulnerability Check Pentesting 2016.11 ~ 2016.11 Hana I&S Card
Samsung Life App Service Penetration Testing Pentesting 2016.10 ~ 2016.11 Korea Smart Card Card
Meritz Fire Safety Check 2 Pentesting 2019.12 ~ 2020.01 Samsung Life Life
Prudential Life Insurance Hacking Pentesting 2015.11 ~ 2015.12 Meritz Fire Insurance
Hana Capital Web Vulnerability Check Pentesting 2015.11 ~ 2015.12 Prudential Life Insurance
Meritz Fire & Marine Security Check 1 Pentesting 2015.06 ~ 2015.12 Hana Capital Insurance
Toss Mobile App Vulnerability Check Pentesting 2015.02 ~ 2015.03 Meritz Fire Insurance
Eosdaq Exchange Mock Hack Pentesting 2017.03 ~ 2017.03 Viva Republica Finance
Service Vulnerability Check Seoul City Hall ISMS-P Penetration Testing Pentesting 2018.07 ~ 2018.08 Min & G Exchange
Woori Card App Penetration Testing Pentesting 2019.10 ~ 2019.11 Unity Lab Public institutions
Hana Members App Vulnerability Check Pentesting 2018.12 ~ 2018.12 Korea Hydro & Nuclear Power Public institutions
2.2 Proposal Business Performance Ⅱ. Proposal Company Information
Business Performance
First Half Web/App Vulnerability Check Pentesting 2020.04 ~ 2020.05 우아한형제들 Service
APC Product Vulnerability Diagnosis Consulting Pentesting 2019.09 ~ 2019.10 Ahn Lab Service
Document Management System Analysis Pentesting 2019.07 ~ 2019.08 Uwise One Service
Toss Service Vulnerability Check Pentesting 2019.04 ~ 2019.05 Viva Republica Service
NHN Enter Payco Vulnerability Check Pentesting 2018.11 ~ 2018.11 NHN Enter Service
Pyeongchang Winter Olympics App Penetration Testing Pentesting 2018.01 ~ 2018.02 Pyeongchang Winter Olympics Service
TCI Security Library Vulnerability Check Pentesting 2017.11 ~ 2017.12 titan platform Service
DLP PC Security Solution Vulnerability Check Pentesting 2017.10 ~ 2017.12 Nickstech Service
17 Years Of Melon Service Penetration Testing Pentesting 2017.04 ~ 2017.12 Loen Entertainment Service
2.2 Proposal Business Performance Ⅱ. Proposal company information
Business performance
Cloud Penetration Testing Pentesting 2016.08 ~ 2016.08 Korea IT Evaluation Institute Service
Perform Annual Mock Hacks Pentesting 2019.12 ~ 2020.12 Law & Company Legal Service
2020 Website Penetration Testing Using External Experts Pentesting 2020.10 ~ 2020.12 Skt New Agency
2020 Mobile Service E2E Penetration Testing Pentesting 2020.10 ~ 2020.12 Skt New Agency
Website Penetration Testing Using External Experts Pentesting 2020.11 ~2020.12 Lotte E&C Construction
Webzen Game App Vulnerability Check Pentesting 2018.09 ~ 2018.10 Webzen Manufacture
Mobile Game Security Service Diagnosis Consulting Pentesting 2019.01 ~ 2019.03 Nexon Game
※ Other Penetration Testing and Implementation of Many Private Projects with Government Agencies
03
Penetration Testing
Proposal
3. Business plan
STEALIEN Indonesia
3.1 Business Implementation Methodology Ⅲ. Business Plan
Performance Strategy
Requirements Analysis
• Identify customer needs through multiple penetration testing experiences
Professionalism
• Hacking Competition Winners manpower
• Global vulnerability discovery manpower
Know your needs
• Accurate understanding of customer requirements
• Present various vulnerabilities and scenarios
• Support for establishing technical protection measures
Diagram labels: Strategy, Ready performance
Implementation Plans
Analysis Support
- The proposal PM draws up the penetration scenarios in meetings held before testing, in close communication with the PL and attendees
- To avoid causing system failures, the operating environment of the target system is identified in advance
- If a test that could cause a system failure is required, it is carried out only after consultation with the person in charge at the ordering organization
Proposal PM
Promotion Strategies
- Vulnerability analysis using every attack technique available to real hackers, performed the same way external attackers actually attack
- Linking the individual vulnerabilities to derive scenarios that can actually occur
- Proposing scenarios specific to the customer by collecting sufficient prior information on the attack target, rather than a formulaic attack scenario
External System
Internal System
3.2 Detailed Business Plan Ⅲ. Business Plan
Detailed Technology
Diagram: internal systems 101.000.000.1 (5. System), 101.000.000.2 (6. Groupware), 101.000.000.2 (7. Mail System), 101.000.000.4; extracting employee information after accessing the DB
Detailed Technology
- If the internal system is successfully reached through an external vulnerability, SQL injection is attempted against the password recovery page and similar input points
- Through the SQL injection, DB information and account information are extracted, or an internal penetration scenario is established
Diagram labels: SQL injection, Internal penetration, Admin information
3.2 Detailed Business Plan Ⅲ. Business Plan
Detailed Technology
- After logging in to the homepage service, personal information of the homepage service is requested using the attacker's own session
- If the response returns other people's personal information, subscriber information can be extracted
Diagram label: Malware distribution
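The two defects the SQL injection and personal-information scenarios above depend on, shown from the defender's side as an added example that is not part of the proposal: a password-recovery lookup in its string-concatenated form beside a parameterized form, and a personal-information endpoint whose object-level authorization check ties the requested record to the session user. The users table, names and emails are constructed sample data.

```python
import sqlite3

# Constructed sample data for this example (not from the proposal).
USERS = [
    (1, "alice@example.com", "Alice", "+62-000-0001"),
    (2, "bob@example.com", "Bob", "+62-000-0002"),
]


def make_db():
    """Build an in-memory users table seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return conn


def recover_vulnerable(conn, email):
    """Password-recovery lookup that splices user input into the SQL text.
    Quotes in the input become part of the WHERE clause, so a crafted value
    can widen the match and disclose rows belonging to other users."""
    query = "SELECT id, email FROM users WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def recover_parameterized(conn, email):
    """Hardened lookup: the value is bound separately from the query text,
    so the input is only ever compared as a literal string."""
    query = "SELECT id, email FROM users WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


def view_profile(conn, session_user_id, requested_user_id):
    """Personal-information endpoint with an object-level authorization check:
    the requested record must belong to the authenticated session user,
    otherwise any logged-in user could read any subscriber's data."""
    if session_user_id != requested_user_id:
        return None  # refuse to disclose another user's record
    row = conn.execute(
        "SELECT name, phone FROM users WHERE id = ?", (requested_user_id,)
    ).fetchone()
    return {"name": row[0], "phone": row[1]} if row else None
```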
Detailed Technology
- Data is extracted from internal systems reachable through the uploaded shell, and the extracted data is analysed
- The extracted files are checked for customer, employee and other information
Diagram labels: Shell Upload, Internal server, File Download, Internal PC
3.2 Detailed Business Plan Ⅲ. Business Plan
Detailed Technology
- Accessible web services are analysed and penetration is attempted against every attackable service
- If the penetration succeeds, the tester behaves in a pattern similar to that of ordinary employees of the customer company, checks whether the business PCs, the customer information management DB and similar assets are reachable, and attempts to obtain information
Diagram labels: Web server, Hacker, Internet, Router, Web firewall, Internal router, Switch, Privacy server, Privacy DB