There’s something positive about a healthy degree of fear. It lets us understand our own limitations, heightens our senses, and keeps us alive. The tendency to err on the side of caution was called out in our recent 2023 Penetration Testing Report as a smart practice when it comes to cybersecurity. In fact, though security professionals reported less confidence in their security posture, this loss confidence is a good thing.

 As cybersecurity needs continue to rise, it’s no secret that organizations are having to do more with less. In any given company one can find modern-day use of the old adage, “Patch it up, wear it out, make it do or do without.”  That make it do part is exactly what upskilling and reskilling is all about.

First there was the boom – now there’s the bust. Organizations that invested in myriad new solutions to handle the complexity of myriad security problems now have a different problem on their hands – how do you handle all of the vendors?

With the threat landscape expanding and criminals taking advantage of security gaps, organizations are turning to controls that can help them limit their exposure. Among other controls, penetration testing stands out because it simulates attackers' malicious activities and tactics to identify security gaps in business systems or applications.

Security adviser Roger Grimes once famously wrote, "To beat hackers, you have to think like them.” Grimes explained that security professionals should step into the attackers’ shoes and seek how to break into corporate systems, discover weaknesses, and create robust security countermeasures.

They don’t compete and they aren’t the same. But they are both invaluable to ferreting out and fixing problems within your security architecture. Vulnerability assessments and pen testing – contrary to popular belief – are two sides of the same coin.

So why are we talking about hacking of an IBM i? I think that's certainly not a headline we see very often, as IBM i systems have been considered un-hackable for years. Anyone who has worked on IBM i has heard some of these statements:  

Popular entertainment would have us believe that hackers are all sophisticated attackers ready to strike the latest vulnerabilities. That is sometimes true, but it’s become increasingly apparent that whether it’s the latest zero-day bug or something that was discovered the same year Apple released the iPad, hackers are equal-opportunity offenders.    

Lately, there has been an important increase in the relevance of valid call stacks, given that defenders have started to leverage them to detect malicious behavior. As several implementations of “Call Stack Spoofing” have come out, I decided to develop my own, called Hardware Call Stack. 

The worst thing about supply chain attacks is that the breach is not entirely your fault. Simply by trusting in software and services provided by a third party, they open the door to attack. Attackers look for a softer target in the supplier, gaining access they hope to leverage into more significant attacks.

Supply chain attacks were responsible for 62% of system intrusion incidents, according to Verizon’s 2022 Data Breach Investigations Report. This type of attack is one of the most effective ways to compromise organizations because it targets the weakest link in the security chain. Supply chain attacks usually begin by compromising a supply chain partner, such as a developer, distributor, or supplier.

CVE stands for Common Vulnerabilities and Exposures.  The CVE program is a reference list providing an id number, description, and instance of known vulnerabilities. The system has become the standard method for classifying vulnerabilities, used by the U.S. National Vulnerability Database (NVD) and other databases around the globe.

We’re ringing in the new year with the latest release of Core Impact ! Version 21.3 strengthens the connection between Core Impact and Cobalt Strike, amplifying the capabilities of both tools.

Ransomware and phishing are usually put in two separate categories when cyberattack methodologies are discussed.

In 2022, geopolitical unrest and an expanding online attack surface contributed to the emergence of several themes across the cyber landscape. Infrastructures associated with opposing ideologies were highly targeted, with government agencies, supply chains, and IOT devices falling victim to high-profile campaigns. Cybercriminals launched increasingly advanced attacks on vulnerable entities, with DDoS, ransomware, and hacking for a cause all consistently making headlines.

The Problem with Security Questions Whether it’s an IT admin helping an employee gain access to their accounts or an employee attempting to change their password, authentication is required to prove that the person attempting to perform that action is indeed who they say they are. In the past, many teams have felt comfortable relying solely on the use of security questions to carry out that authentication. However, this approach has its shortcomings:

In this series focusing on Active Directory attacks, we’re running through four different scenarios based on real penetration testing engagements that demonstrate the variety of techniques and tactics that can be used to compromise

In this series focusing on Active Directory attacks, we’re running through four different scenarios based on real penetration testing engagements that demonstrate the variety of techniques and tactics that can be used to compromise

Prior to launching a targeted attack against an organization, threat actors conduct thorough reconnaissance missions, gathering intelligence on employees, the infrastructure, and more. They want to know every possible inch of the attack surface to find every potential exposure before they make their move, using an array of tools and tactics to exploit vulnerable infrastructure.

Active Directory is an essential application within an organization, facilitating and centralizing network management through domain, user, and object creation, as well as authentication and authorization of users. Active Directory also serves as a database, storing usernames, passwords, permissions, and more. Active Directory is a perfect example of a technological double-edged sword. While such a centralized application can streamline IT operations, it does also make for an irresistible target for attackers.

Penetration testing is more than a bunch of ex-hackers in hoodies attempting to break into an organization that hired them. It is a carefully planned and organized engagement that probes and tests a defined piece of an organization's IT infrastructure for potential flaws. Without good intelligence to work from, testers cannot efficiently conduct their attacks, leaving potentially unidentified gaps in an organization’s defense. 

Congratulations! You’ve just completed a penetration test. So what now? 

Modern threat actors and the condition of today’s threat landscape are forcing the collective hand of cybersecurity to go on the offensive -- and federal agencies are no exception. As cyber attackers grow increasingly adept at identifying and exploiting infrastructure weaknesses, they will opt for the path of least resistance. Therefore, agencies with a security posture that goes beyond traditional cyber defenses will fall farther down the list of attack targets -- but they will still be targeted. 

The Payment Card Industry Data Security Standard (

Though we have a new release planned for later this year, we’ve made some updates to Core Impact that we just couldn’t wait to release and share! First, we have a new agent written in Python to expand its use to different environments and further enhance its flexibility. Additionally, we’re staying on top of the latest threats by updating to the latest OWASP Top 10 list, making web application tests even more effective.