In this series focusing on Active Directory attacks, we’re running through four different scenarios based on real penetration testing engagements that demonstrate the variety of techniques and tactics that can be used to compromise
Exploit types
- Phishing, SQL, Brute Force DDOS
Teaming
- Red teams, blue teams, purple teams
k
Pen testing tools
open source, enterprise, or an arsenal
Vulnerability scanning
Pen testing services
Pen Test Pivoting
Prior to launching a targeted attack against an organization, threat actors conduct thorough reconnaissance missions, gathering intelligence on employees, the infrastructure, and more. They want to know every possible inch of the attack surface to find every potential exposure before they make their move, using an array of tools and tactics to exploit vulnerable infrastructure.
Active Directory is an essential application within an organization, facilitating and centralizing network management through domain, user, and object creation, as well as authentication and authorization of users. Active Directory also serves as a database, storing usernames, passwords, permissions, and more. Active Directory is a perfect example of a technological double-edged sword. While such a centralized application can streamline IT operations, it does also make for an irresistible target for attackers.
Penetration testing is more than a bunch of ex-hackers in hoodies attempting to break into an organization that hired them. It is a carefully planned and organized engagement that probes and tests a defined piece of an organization's IT infrastructure for potential flaws. Without good intelligence to work from, testers cannot efficiently conduct their attacks, leaving potentially unidentified gaps in an organization’s defense.
Penetration testing and Red Teaming are two security assessment tools that have quickly gained traction in recent years, with professionals at all levels eager to jump onto the trend. However, to get real value out of these tools, you must first ensure your security program is mature enough to properly conduct one or both. But how do you figure out whether you’re ready for a pen test, a Red Team engagement, or a combination?
IT professionals like you know what you’re up against. The dynamics of today’s threat landscape require organizations to do more than just defend against cyber-attacks. While there will always be a need for defensive strategies and solutions, it is now essential for organizations to become more proactive and get ahead of threats to their critical assets.
Modern threat actors and the condition of today’s threat landscape are forcing the collective hand of cybersecurity to go on the offensive -- and federal agencies are no exception. As cyber attackers grow increasingly adept at identifying and exploiting infrastructure weaknesses, they will opt for the path of least resistance. Therefore, agencies with a security posture that goes beyond traditional cyber defenses will fall farther down the list of attack targets -- but they will still be targeted.
Though we have a new release planned for later this year, we’ve made some updates to Core Impact that we just couldn’t wait to release and share! First, we have a new agent written in Python to expand its use to different environments and further enhance its flexibility. Additionally, we’re staying on top of the latest threats by updating to the latest OWASP Top 10 list, making web application tests even more effective.