ttp-selection-guide.md

TTP Selection Guide -- Reseau Sante du Nord

Engagement Context

Network and web security assessment for a health clinic EHR system. The central server in Cap-Haitien hosts the EHR application, database, and supporting services for six clinics. The European Health Development Foundation requires a security assessment for continued funding. Patient health records (medical histories, diagnoses, prescriptions, lab results) are the primary data asset at risk.

This guide describes testing categories for both network services and web applications. The student uses these categories to design their testing approach. The threat model the student creates should drive the selection of specific tests within each category.

Testing Categories

Passive Reconnaissance

DNS zone transfers, certificate transparency (crt.sh), technology stack fingerprinting from public sources (job postings, public repositories, conference presentations), historical DNS analysis. Goal: build a multi-source intelligence picture of the target before sending any traffic. Correlate findings across sources -- individual data points are fragments; the correlation is the intelligence.

DNS zone transfer attempts are findings regardless of outcome. A failed transfer tells you the target has zone transfer restrictions properly configured. A successful transfer reveals the full DNS zone.
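The correlation step is where the passive phase produces value, so here is an added example (not part of the original guide) that merges two passive sources into one asset inventory and reports which hosts only a single source knows about. The crt.sh-style entries and the historical DNS records are constructed sample data, and example-clinic.test is a reserved test domain, not the clinic's real zone.

```python
"""Correlate passive-reconnaissance sources into a single asset inventory.

Added example: the crt.sh-style entries and the historical DNS records are
constructed sample data; example-clinic.test is a reserved test domain."""
import json
from collections import defaultdict

# Constructed sample in the shape of crt.sh's JSON output ("name_value"
# can hold several names separated by newlines).
CRT_SH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "ehr.example-clinic.test\nwww.example-clinic.test",
     "not_after": "2024-09-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.staging.example-clinic.test",
     "not_after": "2023-01-15T00:00:00"},
])

# Constructed historical DNS records: (name, record type, value, first seen).
HISTORICAL_DNS = [
    ("ehr.example-clinic.test", "A", "203.0.113.10", "2022-03-01"),
    ("staging.example-clinic.test", "A", "203.0.113.11", "2021-11-20"),
    ("vpn.example-clinic.test", "A", "203.0.113.12", "2020-06-05"),
    ("example-clinic.test", "MX", "mail.example-clinic.test", "2019-01-10"),
]


def names_from_crt_sh(raw_json):
    """Extract host names from crt.sh JSON; a wildcard entry names its zone."""
    names = set()
    for entry in json.loads(raw_json):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name:
                names.add(name)
    return names


def correlate(crt_names, dns_records):
    """Merge both sources into {host: {"sources": set, "addresses": set}}."""
    inventory = defaultdict(lambda: {"sources": set(), "addresses": set()})
    for name in crt_names:
        inventory[name]["sources"].add("crt.sh")
    for name, rtype, value, _first_seen in dns_records:
        host = name.lower()
        inventory[host]["sources"].add("historical-dns")
        if rtype in ("A", "AAAA"):
            inventory[host]["addresses"].add(value)
    return dict(inventory)


def hosts_seen_only_in(inventory, source):
    """Hosts that a single source knows about: the gaps worth following up,
    e.g. a certificate issued for a name that never appeared in DNS."""
    return sorted(h for h, d in inventory.items() if d["sources"] == {source})


def build_inventory():
    return correlate(names_from_crt_sh(CRT_SH_JSON), HISTORICAL_DNS)


if __name__ == "__main__":
    inv = build_inventory()
    for host, data in sorted(inv.items()):
        print(host, sorted(data["sources"]), sorted(data["addresses"]))
    print("crt.sh only:", hosts_seen_only_in(inv, "crt.sh"))
    print("DNS only:", hosts_seen_only_in(inv, "historical-dns"))
```

A name that appears in certificate transparency but never in DNS history (here `www`) is the kind of fragment that only means something once correlated: it may be a decommissioned host, a staging name, or a service hosted elsewhere, and each of those is a different follow-up in the active phase.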

Active Reconnaissance

Multi-protocol scanning (TCP and UDP), service version detection, OS detection. Goal: map all accessible services and correlate results with passive intelligence from the previous phase. Use the threat model to prioritise which services deserve deeper investigation -- not all services are equally important when patient records are the primary concern.

Scan timing decisions matter. The student chooses between aggressive and polite timing and documents the rationale. The detection rules written later should match the scanning pattern chosen here.
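To show why the detection rule has to match the timing decision, the following added example (not from the original guide) runs one port-scan rule with two threshold profiles over a constructed connection log. The log format, the addresses and the profile thresholds are all assumptions made for the example.

```python
"""Flag port-scan patterns in a connection log with thresholds chosen per
scan profile. Added example; the log lines and profiles are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed connection log: "<ISO timestamp> <src> -> <dst>:<dport>".
# 198.51.100.7 probes 12 ports in 2 seconds (aggressive timing);
# 198.51.100.9 probes 6 ports spread over 10 minutes (polite timing);
# 203.0.113.50 is an ordinary client using two services.
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.7 -> 203.0.113.10:21
2024-05-01T10:00:00 198.51.100.7 -> 203.0.113.10:22
2024-05-01T10:00:00 198.51.100.7 -> 203.0.113.10:23
2024-05-01T10:00:01 198.51.100.7 -> 203.0.113.10:25
2024-05-01T10:00:01 198.51.100.7 -> 203.0.113.10:53
2024-05-01T10:00:01 198.51.100.7 -> 203.0.113.10:80
2024-05-01T10:00:01 198.51.100.7 -> 203.0.113.10:110
2024-05-01T10:00:02 198.51.100.7 -> 203.0.113.10:143
2024-05-01T10:00:02 198.51.100.7 -> 203.0.113.10:443
2024-05-01T10:00:02 198.51.100.7 -> 203.0.113.10:445
2024-05-01T10:00:02 198.51.100.7 -> 203.0.113.10:3306
2024-05-01T10:00:02 198.51.100.7 -> 203.0.113.10:8080
2024-05-01T10:05:00 198.51.100.9 -> 203.0.113.10:22
2024-05-01T10:07:00 198.51.100.9 -> 203.0.113.10:80
2024-05-01T10:09:00 198.51.100.9 -> 203.0.113.10:443
2024-05-01T10:11:00 198.51.100.9 -> 203.0.113.10:3306
2024-05-01T10:13:00 198.51.100.9 -> 203.0.113.10:5432
2024-05-01T10:15:00 198.51.100.9 -> 203.0.113.10:8080
2024-05-01T10:20:00 203.0.113.50 -> 203.0.113.10:443
2024-05-01T10:20:05 203.0.113.50 -> 203.0.113.10:22
"""

# Assumed rule profiles: (window in seconds, distinct ports within the window).
PROFILES = {
    "aggressive": {"window": 10, "min_ports": 10},
    "polite": {"window": 900, "min_ports": 5},
}


def parse_log(text):
    """Group events per source as sorted (timestamp, destination port) pairs."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, src, _arrow, dst_port = line.split()
        dport = int(dst_port.rsplit(":", 1)[1])
        events[src].append((datetime.fromisoformat(ts), dport))
    for src in events:
        events[src].sort()
    return events


def detect(text, window, min_ports):
    """Sources that touch at least min_ports distinct ports inside any
    sliding window of `window` seconds."""
    flagged = set()
    for src, evs in parse_log(text).items():
        for i, (start, _port) in enumerate(evs):
            ports = {p for t, p in evs[i:] if (t - start).total_seconds() <= window}
            if len(ports) >= min_ports:
                flagged.add(src)
                break
    return sorted(flagged)


def detect_with_profile(text, profile):
    return detect(text, **PROFILES[profile])


if __name__ == "__main__":
    for name in PROFILES:
        print(name, "->", detect_with_profile(SAMPLE_LOG, name))
```

The aggressive profile catches only the fast scanner; the polite profile catches both, at the cost of a wider window that needs to hold more state and is more likely to pick up legitimate clients. Whichever timing the student chooses for the scan, the rule they write afterwards should be the one that would have fired on it.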

Network Service Testing

Credential testing against SSH and database services using appropriate tools (Hydra for credential brute-forcing, Metasploit Framework for service exploitation). Goal: determine whether network services can be compromised and quantify what access is gained.

For Metasploit: verify that the payload architecture matches the target container's architecture before executing. A payload compiled for the wrong architecture will silently fail. For credential testing: document the time and effort required to crack credentials -- this directly informs the remediation decision (password complexity vs key-only authentication).

Check the scope document before any lateral movement after exploitation. Access to one service does not authorise probing of other services unless the scope explicitly permits it.
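Credential testing produces evidence on the server side as well as in the tester's notes. The added example below (not part of the original guide) summarises sshd authentication lines into the figures a report needs: failures per source, accounts tried, and a password login that followed failures from the same address, which is the "access gained" signal. The log lines follow OpenSSH's syslog format but are constructed, as are the hostnames, users and addresses; the failure threshold is an assumption.

```python
"""Summarise sshd authentication events for a credential-testing report.
Added example; log lines are constructed in OpenSSH's syslog format and
the hosts, users and addresses are invented."""
import re
from collections import defaultdict

SAMPLE_AUTH_LOG = """\
May  1 10:00:01 ehr-srv sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
May  1 10:00:02 ehr-srv sshd[1235]: Failed password for invalid user test from 198.51.100.7 port 51235 ssh2
May  1 10:00:03 ehr-srv sshd[1236]: Failed password for root from 198.51.100.7 port 51236 ssh2
May  1 10:00:04 ehr-srv sshd[1237]: Failed password for ehradmin from 198.51.100.7 port 51237 ssh2
May  1 10:00:05 ehr-srv sshd[1238]: Failed password for ehradmin from 198.51.100.7 port 51238 ssh2
May  1 10:00:20 ehr-srv sshd[1240]: Accepted password for ehradmin from 198.51.100.7 port 51250 ssh2
May  1 10:30:00 ehr-srv sshd[1300]: Accepted publickey for ehradmin from 10.0.5.20 port 40000 ssh2
May  1 11:00:00 ehr-srv sshd[1310]: Failed password for backup from 10.0.5.21 port 40100 ssh2
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def summarise(log_text):
    """Per-source counters: failures, users tried, and password logins that
    followed earlier failures from the same address."""
    summary = defaultdict(
        lambda: {"failed": 0, "users": set(), "success_after_failures": []}
    )
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        entry = summary[m["src"]]
        if m["result"] == "Failed":
            entry["failed"] += 1
            entry["users"].add(m["user"])
        elif m["method"] == "password" and entry["failed"] > 0:
            entry["success_after_failures"].append(m["user"])
    return dict(summary)


def brute_force_sources(summary, threshold=5):
    """Sources at or above the (assumed) failure threshold."""
    return sorted(src for src, s in summary.items() if s["failed"] >= threshold)


def recommend_key_only(log_text):
    """If any password login succeeds, 'PasswordAuthentication no' plus key
    distribution removes the attack class instead of merely slowing it."""
    return any("Accepted password" in line for line in log_text.splitlines())


if __name__ == "__main__":
    s = summarise(SAMPLE_AUTH_LOG)
    for src, data in s.items():
        print(src, data["failed"], sorted(data["users"]), data["success_after_failures"])
    print("brute-force sources:", brute_force_sources(s))
    print("recommend key-only auth:", recommend_key_only(SAMPLE_AUTH_LOG))
```

The time between the first failure and the accepted login (here under twenty seconds, because the sample is short) is the figure that decides the remediation: a complexity policy only stretches that interval, while key-only authentication makes the password guesses irrelevant.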

Web Application Testing

Authentication, input handling, API security, session management. Goal: test whether patient records can be accessed through the web interface by exploiting application-level vulnerabilities. Previous projects focused on web exploitation; this project adds network service exploitation alongside it.

Connect web application findings to patient data impact. A SQL injection that returns patient names is different from one that returns HIV diagnoses.
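To make the data-impact point concrete, the following added example (not the EHR application's code, which the guide does not show) places a string-built patient lookup next to its parameterised form on an in-memory SQLite table and labels what each query would expose. The table, the patient rows and the sensitive-column list are constructed for the example.

```python
"""A string-built patient lookup beside its parameterised form, with a
data-impact label for whatever columns a finding exposes. Added example;
the table and rows are constructed and the column set is assumed."""
import sqlite3

# Assumed: columns whose exposure counts as clinical data rather than identifiers.
SENSITIVE_COLUMNS = {"diagnosis", "prescriptions", "lab_results"}


def build_db():
    """Constructed patient table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, clinic TEXT, diagnosis TEXT)"
    )
    conn.executemany(
        "INSERT INTO patients (name, clinic, diagnosis) VALUES (?, ?, ?)",
        [("Patient A", "Clinic 1", "hypertension"),
         ("Patient B", "Clinic 2", "diabetes"),
         ("Patient C", "Clinic 3", "asthma")],
    )
    return conn


def find_by_name_vulnerable(conn, name):
    """Deliberately weak: the caller's input becomes part of the SQL text,
    so a quote in the input changes the query's structure."""
    sql = f"SELECT name, diagnosis FROM patients WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_by_name_hardened(conn, name):
    """Parameterised: the input is bound as a value, never parsed as SQL."""
    return conn.execute(
        "SELECT name, diagnosis FROM patients WHERE name = ?", (name,)
    ).fetchall()


def impact_of(columns):
    """Label a finding by the columns it exposes, which is what the report
    should lead with rather than the injection itself."""
    return "clinical-data" if SENSITIVE_COLUMNS & set(columns) else "identifiers-only"


if __name__ == "__main__":
    conn = build_db()
    tautology = "' OR '1'='1"
    print("vulnerable:", find_by_name_vulnerable(conn, tautology))
    print("hardened:", find_by_name_hardened(conn, tautology))
    print("impact:", impact_of(["name", "diagnosis"]))
```

The vulnerable lookup returns every row, diagnosis included, for an input that is not a patient name at all; the hardened lookup returns nothing for the same input and still answers correctly for a real name. A finding against the first function is a clinical-data exposure across all six clinics, and should be written up as such.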

Container Security

Dockerfile configuration, base image vulnerabilities (Trivy scanning), runtime permissions, resource limits. Goal: assess whether the container infrastructure introduces risk beyond the application itself. This continues from P3 -- the student has hardened containers before and applies the same practices to this environment.

Priority Guidance

Start passive and correlate across sources. Then build the STRIDE threat model before active work -- the threat model drives which services to test first and which attacks to prioritise. Network services with direct access to patient data take priority over internal infrastructure services.

CVSS Note

Findings include CVSS base scores. These scores are inputs to prioritisation, not the prioritisation itself. A CVSS 9.8 on an internal service with no external exposure may be less urgent than a CVSS 6.5 on the internet-facing EHR login page that protects patient records. Environmental context -- exposure, data sensitivity, operational impact on clinic operations -- determines actual priority.