THE BLOG
-
Mar 11, 2021Attackers on the Inside
We perform penetration testing on organizations that often use the latest and greatest tools in security defense, yet our testing sometimes goes unseen. The key to detection and defense? Security layers. If you assume your primary defense does not work, what is its backup? How do you spot activity based on the original outlined phases of an attack if your primary tooling is inadequate? Layers!
Let us focus on the period during which threats are attempting to expand within your network, laterally, after having gained access. Expansion is possible both for ransomware and for individual attackers. Both wish to make the most of their efforts and obtain the greatest levels of success which often involves searching for additional targets.
There are several ways to look for this type of movement, such as reviewing network logs or looking for unexpected connection attempts to different devices. Unfortunately, while academically possible, the reality is that not every organizatio... ( Read More )
-
Feb 11, 2021Attack Frameworks 101
We follow a pretty standard pattern for gaining access within a Network Penetration Test (aka pentest) – recon, exploit, escalate, expand, execute. First, we look at the environment for any exposed information or misconfigured systems. Next the goal is to gain control or access to a resource using known methods or exploits. From there, we shoot to obtain as high a privilege level as possible. Once we have the appropriate levels of access, we can expand laterally looking for targets or data. When we have achieved a level of control on an environment equal to our goals, we execute our intended goals. This is a straightforward high-level process with a not-so-straight-forward multitude of steps in between. The uniqueness of the path between each step is what can make detection difficult for security teams and SOC’s watching the wheel.
Threat groups and malware campaigns use similar approaches to the above. Understanding that attack and infiltration methods of a pe... ( Read More )
-
Jan 11, 2021MFA – A requirement, no longer a choice.
If you do not have Multi-Factor Authentication (MFA) in place yet, get a move on! If by some chance you have selected this post to read and do not understand MFA let us provide a brief definition.
MFA – sometimes known as 2 Factor Authentication – requires users to sign in with two out of three of the follow credential types – something you know (e.g., password), something you have (e.g., application on your phone), or something you are (e.g., fingerprint).
While many organizations have made the shift to using MFA, there are still some that are struggling to get this technology in place – due to timelines, budgets, or just overall understanding of its benefit. Today, it is no longer a nice-to-have to implement MFA, it has really become a requirement. A layer that is a must have for all institutions. Phishing campaigns have made it easy business for attackers to gain cred... ( Read More )
-
May 27, 2016Effective Threat DetectionThreat prevention must always begin with the effective ability to detect threats. Detection must be sweeping and comprehensive if an organization plans to truly understand its risk. As the model for detection continues to shift into ‘threat intelligence’, CISO’s and security teams must understand where these programs excel and where they do not. The issue many groups encounter is not due to lack of effort or investment, but instead, the fault lies with the vendors for lack of transparency. The threat management solutions such as managed SOC’s will often hold back intelligence as an add-on, but also vendors don’t take the time to present what is detected and what is not.
There is also a gap between an internal threat actor and the ability to detect host-to-host incidents. This means that when an attacker finds himself inside the network, he is able to pivot and attack freely going mostly undetected. Why is this? There is nothing in place to detect host-to-host attac... ( Read More )
