Leroy Merlin

Challenge

1. Implementation of websites, mobile apps, and digital payment methods to support e-commerce lead to expanding attack surfaces
2. Customers making purchases online expose themselves to compromised financial accounts, PII and payment card information
3. Attacks lead to loss of revenue and credibility for impacted retailers

Solution

• Hadrian’s attack surface management tools used open source data collectors and passive data sources to identify assets previously unknown to Leroy Merlin
• Cross-asset testing analyzed assets across multiple cloud sharing providers and domains and provided information on how they linked together
• Fingerprinting technology contextualized assets by considering the language of the application, version and common vulnerabilities
• Insights collected were used to develop unique attack paths tailored to Leroy Merlin’s attack surface
• Hadrian collaborated with Leroy Merlin’s security team to prioritize risks in alignment with their needs

Outcome

Discovering Forgotten Assets

Hadrian deployed asset discovery tools with the express purpose of identifying unknown assets. In the case of Leroy Merlin, Hadrian used prior knowledge of e-commerce security to deploy tools that targeted areas most likely to contain forgotten assets.

For example, application developers in the e-commerce industry often accidentally leave administration pages available allowing attackers to access sensitive administration functions. Hadrian used this insight and deployed a hacking module designed to identify forgotten administration directories/pages.

Hadrian was able to identify a vulnerable endpoint with an unmonitored administration page.

{{quote-1}}

Developing Targeted Testing to Identify Potential Data Breach

When a forgotten or unmonitored asset was identified Hadrian drew on open-source information and its own logic to determine relevant attack paths. Targeted testing allowed Hadrian to validate Leroy Merlin’s security without overburdening IT infrastructure.

In the case of the unmonitored administration page, Hadrian was able to determine the most effective test by considering the context of the application, specifically its language, and framework. Hadrian ran a test that often revealed risks on assets with similar frameworks.

The test revealed credentials for database passwords and Google Cloud, as well as cookies containing sensitive user information.

Eventing Technology Generates Complex Attack Paths

Hadrian was built using event-driven technology. Event-driven testing means long, complicated attacks are broken down into smaller components and can be combined in different sequences allowing for flexibility.  In addition,  insights collected through past tests trigger new modules resulting in a testing methodology that is highly adaptable. The smaller components allow Hadrian to adapt as new insights are revealed.

For example, when Hadrian discovered the cookies in the administration page it triggered a hacking tool. The hacking tool used the cookies to gain access to accounts containing sensitive company and customer information.

Hadrian will continue to collect insights and deploy tests in response to changes in Leroy Merlin’s attack surface.