STLID - Penetration Testing - 2022 - EN


Penetration Testing Proposal
2022
STEALIEN Indonesia

01 Penetration Testing Proposal

1. Proposal Overview

1.1 Proposal Background And Purpose Ⅰ. Proposal Outline

Proposal Background And Purpose

“Identification of vulnerabilities and how they affect services, and stable service operation through improvement”

Discover security vulnerabilities
• Determine how vulnerabilities affect services
• Identify customer service vulnerabilities
• Identify the impact of identified vulnerabilities
• Scenario creation and penetration testing based on identified vulnerabilities

Security Vulnerability Improvements
• Present specific solutions
• Review existing security policies and provide advice
• Suggest solutions for identified vulnerabilities
• Prompt contact and support when new vulnerabilities occur
• Confirmation of remaining vulnerabilities through continuous vulnerability checks

SWIFT AUDIT Compliance
• Compliance with legal obligations
• OJK mandatory legal compliance
• Reduced liability in the event of a security breach
• Stable business operation through legal compliance
1.2 Offer Features and Benefits Ⅰ. Proposal Outline

Offer Features and Benefits

• Winning the hacking contest and deploying zero-day discovery manpower from global vendors
• Proposal company blind penetration testing experience
• Technical verification
Expertise Of Manpower Performing Penetration Testing - Proposal Tech Blog

Security and hacking technology research

Professionalism of Manpower Performing Simulated Hacking - Achievements in Domestic and International Hacking Competitions (2017-2020)

- 3rd Real World CTF 1st
- CCE Attack team 2nd place
- HackIT qualified preliminary rounds
- CODEGATE 4th place
- TrendMicro CTF 7th place
- DEFCON Finals
- National cyber security contest 3rd
- TCTF/0CTF Preliminary Championship / Finals 5th
- National cyber security contest 1st
- Line/KIISE blockchain contest 2nd
- Cyber Operation Contest 1st
- Participation award at Openhack Hackathon
- K-CSC 2020 (K-Cyber Security Challenge) AI Security Vulnerability Automatic Detection Track 1st
- Participation award at ROK Hacker defense contest
- PCTF 4th place
- Participation award at Korea-China joint Hackathon
- Award for 2019 Idea contest for online privacy protection policy
- White Hat Contest (Defense) Grand prize
- DEFCON CTF qualified preliminary rounds
- CCE Defense team 1st place
- Defcon CTF Finals
- CODEGATE hacker defense contest qualified preliminary rounds
- CCE Defense general sector 2nd
- Codegate Junior winner
- CodeGate College student 1st
- DVP 2nd place
- PoC Belluminar CTF 1st
- Google CTF finals
- SECUINSIDE CTB Best talent award
- WCTF Beijing Final 11th
- IoT Security threat scenario contest 2nd place
- Middle-high school information security Olympiad Gold medal
- NESECU Hacker defense contest 2nd place
- Christmas hacker defense contest 1st
- Nullcon HackIM Hacker defense contest 6th place
- Grand prize at white hacker league
- National cyber security contest 1st place
- Heatcon finals
- Participation award in 6th Software Development contest
- DEFCON CTF qualified preliminary rounds
- Defcon CTF Finals
- Defcon CTF finals


Professionalism of Manpower Performing Simulated Hacking - Achievements in Domestic and International Hacking Competitions (2012-2016)

- CODEGATE 6th
- Christmas CTF 3rd
- CodeGate Junior qualified preliminary rounds
- White Hat Contest junior qualified preliminary rounds
- Hacking Camp CTF 1st
- HDCON 3rd
- White Hat Contest (Defense) qualified preliminary rounds
- TrendMicro CTF 5th
- CodeGate Junior qualified preliminary rounds
- KISA Hacker defense contest 2nd
- Christmas CTF 4th
- Korea White Hat Contest 1st
- Hacking Camp CTF winner
- CODEGATE International hacker defense contest 1st
- White Hat Contest 2nd
- White Hat Contest (Defense) Grand prize
- DEFCON CTF International hacker contest 3rd
- CODEGATE 2015 teenager 6th
- SECUINSIDE International hacker defense contest 2nd
- Inc0gnito 4th
- White Hat Contest teenager Grand prize
- White Hat Contest excellence award
- White Hat Contest 2015 grand prize
- Korea White Hat Contest 1st
- Information security Olympiad Bronze medal
- KISA Hacker defense contest 1st
Expertise of Manpower Performing Penetration Testing - Zero-day Vulnerability Research, Etc.

| Year | Contents |
|---|---|
| 2020 | Vulnerability report to Microsoft Windows |
| 2020 | Vulnerability report to Kyung Hee University |
| 2019 | 2 zero-day vulnerabilities reported to Google Chrome |
| 2018 | 2 vulnerabilities reported to Gnuboard |
| 2018 | Vulnerability report to CMS (Gnuboard, KimsQ, MyBB) |
| 2018 | Vulnerability report to Pwnable.kr wargame |
| 2017 | Vulnerability excellence reward by KISA |
| 2017 | Identified zero-day vulnerability for Adobe |
| 2017 | Identified zero-day vulnerability for VMware |
| 2016 | Vulnerability grand reward by KISA |
| 2016 | Identified zero-day vulnerability for Windows kernel |
| 2015 | Vulnerability grand reward by KISA |
| - | 43 vulnerabilities reported to KVE |
| - | Multiple vulnerabilities identified for Microsoft, Hancom |

Expertise of Personnel Performing Penetration Testing - Other Experience

| Year | Contents |
|---|---|
| 2012~Present | Managing Reversing.kr, reversing wargame website |
| 2019 | Defcamp CTF 2019 qualified preliminary rounds |
| 2019 | KISA Hall of Fame 5th place (30 total) |
| 2019 | Question setter for BISC Open CTF 2019 |
| 2018 | BOB 6th graduate |
| 2018 | Soonchunhyang University Youth Hacker Security Contest question setting committee |
| 2018 | Participated in KITRI CVE analysis project |
| 2018 | BOB Grandfix 2nd place |
| 2018 | Microsoft's Top 100 Security Researchers |
| 2017 | UBUNTU CTF question setter |
| 2014 ~ 2016 | Cyber security professional committee |
| 2015 | National Encryption Contest |
| 2015 | 1st graduate of Daegu University Information Security Center for Gifted Education |
| 2014 | Managing and setting questions for Korea White Hat Contest |
| 2014 | Secu-inside International Hacker Defense contest |
| 2013 | Managing and setting questions for Korea White Hat Contest |
| 2013 | Presidential Award for Korea's Talent |
| - | Hacking Camp staff for security related events |
| - | Manager for Christmas CTF |
Penetration Testing Experience

Possess experience of penetration testing for various services


02 Penetration Testing Proposal

2. Proposal company information
2.1 Proposal Company Information Ⅱ. Proposal Company Information

Proposal Company Information

| Company | CEO |
|---|---|
| STEALIEN Inc | Chanam Park |
| STEALIEN Indonesia (PT Steal Alien Indonesia) | Hyukjae Hong |

Core Business
1. Mobile App Security Solution (AppSuit Premium, AppSuit AV, AppSuit Keypad, AppSuit WBC, AppSuit Module)
2. Security Consulting from the perspective of attackers
3. Cyber Drill System (Cyber Hacking Training System)
4. R&D projects with government institutions

No. of Employees
50 Employees (more than 80% are R&D employees)

Address
Seoul Office: 12th Floor, The Prime Tower, 11, Wonhyo-ro 90-gil, Yongsan-gu, Seoul
Jakarta Office: One Pacific Place Sudirman Central Business District 15th Floor, Jl. Jend. Sudirman Kav. 52-53 Jakarta 12190

Phone
Seoul Office: +82-2-2038-4792
Jakarta Office: +62-21-2783-8356

Year of Establishment: May 2014
Business Period: February 2015 to August 2021 (6 Years)
Proposal History
2014.05 Company establishment
2015.04 Ajou University MOU
2015.05 MOU with Yeungnam University of Science and Technology
2015.06 Established corporate research institute
2015.09 Selected as a promising company in the ICT field by the Ministry of Science, ICT and Future Planning (K-Global 300)
2016.11 Received SK Telecom Award at Mobile Technology Award
2016.11 Commendation from the Minister of Science, ICT and Future Planning
2016.12 Korea Information Security Industry Association Startup of the Year Award
2017.05 Selected as 2017 Excellent Venture Company (Sustainable Growth Sector) by Venture Business Association
2017.06 Ebiashara MOU (Supply of security solutions to Africa)
2018.02 Selected for Shinhan Future's Lab
2018.04 Selected as a small strong company by the Ministry of Employment and Labor
2018.12 Selected as a small and medium-sized company for talent development
2018.12 Korea Information and Communication Technology Association (TTA) SW Quality Grand Prize (AppSuit)
2018.12 Selected as a youth-friendly small business by the Ministry of Employment and Labor
2019.06 Selected as a technology innovative SME (Main-Biz)
2019.06 Selected as a technology innovative SME (Inno-Biz)
2020.05 Selected as SW High Growth Club 200
2020.06 Won the Korea Startup Grand Prize
2.2 Proposal Business Performance Ⅱ. Proposal Company Information

Business Performance

| Business | Business Type | Business Period | Clients | Sector |
|---|---|---|---|---|
| Attack-based Security Consulting For Tablet Banking Apps | Pentesting | 2020.10 ~ 2020.12 | KB Kookmin Bank | Bank |
| VPN Vulnerability Check | Pentesting | 2020.07 ~ 2020.08 | Busan Bank | Bank |
| IT Security Audit Service | Pentesting | 2018.05 ~ 2018.09 | KB Kookmin Bank | Bank |
| Busan Bank Mobile App Penetration Testing | Pentesting | 2017.08 ~ 2017.09 | NH Nonghyup Bank | Bank |
| KB Star Banking App Vulnerability Check | Pentesting | 2017.07 ~ 2017.08 | KEB Hana Bank | Bank |
| NH Nonghyup Bank Vulnerability Check | Pentesting | 2016.05 ~ 2016.07 | Yuanta Securities | Bank |
| 2015 KEB Vulnerability Check | Pentesting | 2015.03 ~ 2015.05 | KB Securities | Bank |
| Yuanta Securities Application Vulnerability Check | Pentesting | 2019.02 ~ 2019.12 | KB Securities | Securities |
| External Penetration Training Project | Pentesting | 2018.11 ~ 2019.01 | Hana Financial Investment | Securities |
| Cyber Mock Penetration | Pentesting | 2017.08 ~ 2017.10 | Woori Card | Securities |
| Hana Financial Investment App Vulnerability Check (MTS) | Pentesting | 2016.11 ~ 2016.12 | Woori Card | Securities |
| Woori Card Service Vulnerability Check | Pentesting | 2020.05 ~ 2020.07 | Woori Card | Card |
| Woori Card Electronic Financial Infrastructure Vulnerability Check | Pentesting | 2020.03 ~ 2020.04 | KB Kookmin Bank | Card |
| Woori Card Electronic Financial Infrastructure Vulnerability Check | Pentesting | 2019.02 ~ 2019.04 | Busan Bank | Card |
| Woori Card Electronic Financial Infrastructure Vulnerability Check | Pentesting | 2018.02 ~ 2018.03 | KB Kookmin Bank | Card |
| Woori Card App Penetration Testing | Pentesting | 2016.12 ~ 2016.12 | Woori Card | Card |
| Hana Members App Vulnerability Check | Pentesting | 2016.11 ~ 2016.11 | Hana I&S | Card |
| Mobile App Penetration Testing / Cloud T-money App Penetration Testing | Pentesting | 2016.10 ~ 2016.12 | Samsung Card | Card |
| Samsung Life App Service Penetration Testing | Pentesting | 2016.10 ~ 2016.11 | Korea Smart Card | Card |
| Meritz Fire Safety Check 2 | Pentesting | 2019.12 ~ 2020.01 | Samsung Life | Life |
| Prudential Life Insurance Hacking | Pentesting | 2015.11 ~ 2015.12 | Meritz Fire | Insurance |
| Hana Capital Web Vulnerability Check | Pentesting | 2015.11 ~ 2015.12 | Prudential Life | Insurance |
| Meritz Fire & Marine Security Check 1 | Pentesting | 2015.06 ~ 2015.12 | Hana Capital | Insurance |
| Toss Mobile App Vulnerability Check | Pentesting | 2015.02 ~ 2015.03 | Meritz Fire | Insurance |
| Eosdaq Exchange Mock Hack | Pentesting | 2017.03 ~ 2017.03 | Viva Republica | Finance |
| Min & G & Blockchain Company Service Penetration Testing | Pentesting | 2018.09 ~ 2018.10 | axiom | Exchange |
| Service Vulnerability Check / Seoul City Hall ISMS-P Penetration Testing | Pentesting | 2018.07 ~ 2018.08 | Min & G | Exchange |
| Korea Hydro & Nuclear Power Simulation Hacking | Pentesting | 2020.02 ~ 2020.02 | Supreme Prosecutor's Office | Public institutions |
| Woori Card App Penetration Testing | Pentesting | 2019.10 ~ 2019.11 | Unity Lab | Public institutions |
| Hana Members App Vulnerability Check | Pentesting | 2018.12 ~ 2018.12 | Korea Hydro & Nuclear Power | Public institutions |
| Defense Acquisition Program Administration Penetration Testing | Pentesting | 2018.04 ~ 2018.05 | Defense Acquisition Program Administration | Public institutions |
| Research On IoT Device Vulnerability Verification Technology | Pentesting | 2016.06 ~ 2016.12 | National Security Technology Research Institute | Public institutions |
| Service Penetration Testing | Pentesting | 2020.09 ~ 2021.02 | R Support | Service |
| First Half Web/App Vulnerability Check | Pentesting | 2020.04 ~ 2020.05 | 우아한형제들 | Service |
| APC Product Vulnerability Diagnosis Consulting | Pentesting | 2019.09 ~ 2019.10 | Ahn Lab | Service |
| Document Management System Analysis | Pentesting | 2019.07 ~ 2019.08 | Uwise One | Service |
| Toss Service Vulnerability Check | Pentesting | 2019.04 ~ 2019.05 | Viva Republica | Service |
| NHN Enter Payco Vulnerability Check | Pentesting | 2018.11 ~ 2018.11 | NHN Enter | Service |
| Pyeongchang Winter Olympics App Penetration Testing | Pentesting | 2018.01 ~ 2018.02 | Pyeongchang Winter Olympics | Service |
| TCI Security Library Vulnerability Check | Pentesting | 2017.11 ~ 2017.12 | titan platform | Service |
| Igriffin Vulnerability Check | Pentesting | 2017.10 ~ 2017.12 | Secube | Service |
| Genian NAC Vulnerability Check | Pentesting | 2017.10 ~ 2017.12 | Genius | Service |
| DLP PC Security Solution Vulnerability Check | Pentesting | 2017.10 ~ 2017.12 | Nickstech | Service |
| Kakao Mini Security Consulting | Pentesting | 2017.08 ~ 2017.11 | Kakao | Service |
| 17 Years Of Melon Service Penetration Testing | Pentesting | 2017.04 ~ 2017.12 | Loen Entertainment | Service |
| Vulnerability Check Of Accredited Authentication And Integrated Installation Solution | Pentesting | 2017.02 ~ 2017.03 | Wizvera | Service |
| Cloud Penetration Testing | Pentesting | 2016.08 ~ 2016.08 | Korea IT Evaluation Institute | Service |
| Network Protocol Vulnerability Check | Pentesting | 2016.08 ~ 2016.10 | Solbox | Service |
| Perform Annual Mock Hacks | Pentesting | 2019.12 ~ 2020.12 | Law & Company | Legal Service |
| 2020 Website Penetration Testing Using External Experts | Pentesting | 2020.10 ~ 2020.12 | SKT | New Agency |
| 2020 Mobile Service E2E Penetration Testing | Pentesting | 2020.10 ~ 2020.12 | SKT | New Agency |
| Website Penetration Testing Using External Experts | Pentesting | 2020.11 ~ 2020.12 | Lotte E&C | Construction |
| Service Vulnerability Check | Pentesting | 2020.04 ~ 2020.04 | Amorepacific | Manufacture |
| Webzen Game App Vulnerability Check | Pentesting | 2018.09 ~ 2018.10 | Webzen | Manufacture |
| Mobile Game Security Service Diagnosis Consulting | Pentesting | 2019.01 ~ 2019.03 | Nexon | Game |

※ Other Penetration Testing and Implementation of Many Private Projects with Government Agencies
03 Penetration Testing Proposal

3. Business plan
3.1 Business Implementation Methodology Ⅲ. Business Plan

Performance Strategy

Requirements Analysis
• Identify customer needs through multiple penetration testing experiences

Professionalism
• Hacking competition winners manpower
• Global vulnerability discovery manpower

Scenario establishment
• Establish a suitable scenario according to the service provided

Strategy

Know your needs
• Accurate understanding of customer requirements
• Present various vulnerabilities and scenarios
• Support for establishing technical protection measures

Ready performance
• Introduce the best hacking experts in Korea with experience in performing multiple penetration testing projects
• Strengthening source code security through source code diagnosis
• Possible to propose technical protection measures optimized for strengthening customer information protection capabilities
• Presenting a differentiated attack scenario rather than a uniform result
Implementation Plans

Plan - Target selection
• Vulnerability analysis target selection
• Consider the nature and importance of the target
• Overall business analysis

Penetration test - Information gathering
• Collection of inspection target information
• Identify special items for each inspection target
• Perform vulnerability check

Scenario penetration - Scenario penetration
• Establishing a scenario based on discovered vulnerabilities
• Scenario-based penetration
• Performing internal penetrations from services

Report - Inspection result analysis
• Analysis of penetration testing results
• Expert perspective analysis on the entire inspection area
• Evaluate and verify penetration testing analysis results

Improving - Report writing and Recommendation
• Vulnerability trend analysis result by target
• Cause analysis for vulnerability results
• Suggestion of countermeasures for vulnerability
• Implementation check

Analysis Support
• Review: Know what to analyze; Review customer requirements
• Analyze: Service vulnerability; Information collection through inspection equipment
• Check: Scenario-based infiltration check; Bypass protection security measures
• Scenario: Establishment of vulnerability; Creating vulnerability-based scenarios
• Implementation Measures check: Implementation check for improved vulnerabilities; Final report
Measures to Minimize Obstacles

- The proposal PM creates the scenario in a meeting, through close communication with the PL and attendants, before scenario penetration is established
- To avoid causing a system failure, the operating environment of the system is also identified in advance
- If an inspection that may cause a system failure is required, it proceeds in consultation with the person in charge of the ordering organization

(Diagram: the Proposal PM and Proposal PL communicate with the person in charge of the ordering organization through communication tools.)
3.2 Detailed Business Plan Ⅲ. Business plan

Promotion Strategies

Penetration Testing Process

- Vulnerability analysis using every attack technique a hacker could perform, in the same way an external attacker actually attacks
- Linking each vulnerability to derive scenarios that can actually occur
- Proposing a scenario specific to the customer by collecting sufficient prior information on the target of the attack, rather than a pro forma attack scenario

(Diagram: Hacker → Internet → Firewall → Security Equipment → Switch → External System → Internal System, with File Download and SQL Injection as the example attack paths.)
Detailed Technology

Web vulnerability check (Example)

- Attempt to upload a web shell using external service administrator privileges
- Modification of external pages for internal server access and malicious code distribution through the uploaded web shell
- Lateral movement, such as acquiring internal system access rights, based on the shell

(Diagram: Hacker → externally accessible page (file upload) → web shell upload → internal server → DB. Internal hosts shown: 101.000.000.1 (System), 101.000.000.2 (Groupware), 101.000.000.2 (Mail System), 101.000.000.4; steps 5-7: extracting employee information after accessing the DB.)
Web vulnerability check (Example)

- If the internal system is successfully accessed through an external vulnerability, SQL injection is attempted on the password recovery page, etc.
- DB information extraction and account information extraction, or establishment of an internal penetration scenario, through SQL injection

(Diagram: Hacker → web page → SQL injection → DB information extraction / admin information → internal penetration.)
Web vulnerability check (Example)

- After logging in to the homepage service, request the personal information view of the homepage service using the attacker's session
- If the response returns other users' information and personal information, subscriber information can be extracted

(Diagram: Hacker → external service → obtaining other users' information; stealing someone else's session using XSS; malware distribution.)
Web vulnerability check (Example)

- Extraction and analysis of data from internal systems accessible through the shell
- Attempt to check customer / employee / other information in the extracted files

(Diagram: Hacker → external server (shell upload) → internal server and internal PC (file download) → privacy extraction.)
Internal penetration (example)

- Analyze accessible web services and attempt to penetrate all attackable services
- If penetration succeeds, behave in a pattern similar to that of ordinary employees of the customer company, check whether business PCs, the customer information management DB, etc. are accessible, and attempt to obtain information

(Diagram: Hacker → Internet → Router → Web firewall → Web server → Internal router → Switch → Privacy server / Privacy DB and Business server / Business PC.)


Thank you.
