SiegeCast: Access (Still) Granted

By Red Siege | June 4, 2020

 

The REAL Objective

The traditional benchmarks of success in penetration testing, like achieving domain admin rights, are being challenged. A recent event hosted by Red Siege Information Security brought this issue into sharp focus. Our CEO Tim Medin and Principal Security Consultant Mike Saunders, both seasoned professionals in ethical hacking and network security, shared their invaluable insights and experiences, shedding light on the modern landscape of penetration testing and its real objectives.

The Misconception of Domain Admin as the Ultimate Goal

The conventional wisdom in penetration testing has often placed the attainment of domain admin rights as the pinnacle of success. However, as Medin and Saunders eloquently argued, this perspective is somewhat myopic. Real-world attackers are driven by specific goals such as financial gain, intellectual property theft, or simply causing disruption. These goals do not necessarily require high-level network privileges but rather access to sensitive data, which can often be obtained through simpler, more direct means.

Credential Stuffing and Password Spraying: The Real Threats

Among the critical topics discussed were the techniques of “credential stuffing” and “password spraying.” These methods exploit known or easily guessed passwords to gain initial access to systems, bypassing the need for advanced hacking skills or network privileges. The speakers emphasized the importance of organizations monitoring for leaked credentials and implementing robust detection mechanisms for unusual access patterns. Traditional prevention strategies may fall short against these types of attacks, making detection and response capabilities crucial.
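One way to detect the access pattern described above, as an added example that is not from the webcast or from Red Siege: a sliding-window check that flags a source failing against many accounts with few tries each, and records any success that follows. The log format, thresholds, and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (assumed format): ISO time, source IP, user, outcome.
SAMPLE_LOG = """\
2020-06-04T09:00:01 203.0.113.7 alice FAIL
2020-06-04T09:00:11 203.0.113.7 bob FAIL
2020-06-04T09:00:21 203.0.113.7 carol FAIL
2020-06-04T09:00:31 203.0.113.7 dave FAIL
2020-06-04T09:00:41 203.0.113.7 erin FAIL
2020-06-04T09:00:51 203.0.113.7 frank OK
2020-06-04T09:02:00 198.51.100.20 bob FAIL
2020-06-04T09:02:05 198.51.100.20 bob FAIL
2020-06-04T09:02:09 198.51.100.20 bob FAIL
2020-06-04T09:02:30 198.51.100.20 bob OK
2020-06-04T09:05:00 192.0.2.15 alice OK
"""

def parse(log):
    """Yield (timestamp, source, user, succeeded) tuples from the sample format."""
    for line in log.strip().splitlines():
        ts, src, user, outcome = line.split()
        yield datetime.fromisoformat(ts), src, user, outcome == "OK"

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources failing against many accounts, few tries each, in one window."""
    recent = defaultdict(deque)          # source -> failures still inside the window
    alerts = {}
    for ts, src, user, ok in sorted(events):
        if ok:
            # A success from an already-flagged source is the account to triage first.
            if src in alerts:
                alerts[src]["successes"].add(user)
            continue
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:     # expire failures older than the window
            q.popleft()
        tries = defaultdict(int)
        for _, u in q:
            tries[u] += 1
        if len(tries) >= min_users and max(tries.values()) <= max_per_user:
            alert = alerts.setdefault(src, {"users": set(), "successes": set()})
            alert["users"].update(tries)
    return alerts

if __name__ == "__main__":
    for src, a in detect_spray(parse(SAMPLE_LOG)).items():
        print(src, sorted(a["users"]), "succeeded:", sorted(a["successes"]))
```

The single user who mistypes a password three times is not flagged, because the rule keys on the number of distinct accounts per source rather than on raw failure volume. The window and thresholds are placeholders to tune against the environment's lockout policy and normal failure baseline.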

The Overlooked Goldmine: File Shares

Another significant point of discussion was the potential treasure trove of sensitive information lying unsecured in file shares. Despite being a seemingly low-tech target, file shares often contain valuable data that can be exploited by attackers. Tools like PowerView, as well as manual searching techniques, were highlighted for their effectiveness in navigating through networks and accessing critical information without the need for domain admin rights.

Real-World Case Studies: A New Perspective on Success

The event featured compelling case studies that illustrated the speakers’ points. In one instance, Saunders described how he leveraged default credentials in a NoSQL database to access a Linux server, which eventually led to the discovery of financial data within MySQL databases. These examples reinforced the notion that the true measure of success in penetration testing should be the identification and mitigation of business risks related to data security, rather than the acquisition of network privileges.

Conclusion: Protecting What Truly Matters

The insights shared by Medin and Saunders at the Red Siege event represent a significant shift in the approach to penetration testing. The real objective is to emulate the tactics, techniques, and procedures of actual attackers, focusing on the paths they might use to access sensitive data. This approach provides more value to organizations by prioritizing the protection of data over the traditional benchmark of network dominance. As the field of cybersecurity continues to evolve, so too must the methodologies and goals of penetration testing, ensuring that they remain aligned with the real-world threats faced by organizations today.

Learn More

For organizations looking to fortify their defenses, engaging with seasoned consultants like those at Red Siege can provide not just insights but also practical strategies to enhance security measures against the ever-evolving landscape of digital threats. You can always contact us, or reach out on our social media. If you’re looking to dive deeper, have questions, or just want to connect with fellow cybersecurity enthusiasts, join us on our Discord.
