Nice product plug :) If I were a defensive CISO and someone pentested my org and showed me how he got domain admin, I'd tell them, "That's really great, but if you'd had a normal C2 working for some period of time, my crystal-ball-based anomaly detection system would have picked it up and we'd have IR'd/hunted you down," and the red team bros would have nothing to reply because they, well, didn't have a C2 going for a while, and I would keep my bonus.
It is in the interest of the auditor/red-teamer to do this as much as it is in the interest of a genuinely concerned customer who wants to know how good they are.

--
Konrads Smelkovs
Applied IT sorcery.

On Wed, Oct 28, 2015 at 1:59 AM, Kristian Erik Hermansen <[email protected]> wrote:

> es that would be ideal but unfortunately there is always pushback due to perception of privacy impact to staff / employees and also risk of accidentally nuking the entire organization due to "unexpected changes". You can try though and I wish you luck getting executives to sign off on that risk. Or you could just buy Immunity Innuendo for $50K or Cobalt Strike with beacon for about 1/10th that and get close to "APT simulation"...
>
> On Tuesday, October 27, 2015, Konrads Smelkovs <[email protected]> wrote:
>
>> In my view, security improvements in organisations are driven by breaches and red team exercises/pentests. While breaches give hard lessons learned, red teams often don't, and that's because we reward red teamers for a "domain admin" rather than longer-term persistent access.
>>
>> This is what I call reach for the sky/rocket launch: you get domain admin, get a screenshot of the CEO's e-mail and declare job done. In reality, a good simulation would be to "stay airborne" - take a screenshot of the CEO's e-mail/exfil PST every week.
>>
>> That's not to say that there isn't a scenario where destruction of assets is the end-goal of an attacker, but even then, I would argue that red teamers ought to put an .exe in autoruns for every PC they wish to have done a simulated wipe.
>>
>> --
>> Konrads Smelkovs
>> Applied IT sorcery.
>
> --
> Regards,
>
> Kristian Erik Hermansen
> https://www.linkedin.com/in/kristianhermansen
> https://google.com/+KristianHermansen
_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave
