LeastTrust IT

Transcript – Pentester explains the easy ways into most companies, and the one they were not able to break into

wrath of God type stuff fire and brimstone coming down from the skies rivers and seas boiling 40 Years of Darkness earthquakes volcanoes the dead rising from the grave Human Sacrifice dogs and cats living together massaria enough I get the point Old Testament Mr Mayor real wrath of God type stuff fire and brimstone coming down from welcome everybody to this week’s edition of Team yeah pentesting wrath of God cats and dogs all the things hey I’m Tim golden founder of compliance scorecard happy to be here uh with our great friends uh Dylan and Teddy Shield cyber talking uh not pen but pen testing right and so hey uh Jesse you’re in the top right corner why don’t you just say hello hi welcome hey everyone welcome to team Tim our local local Friday live stream for all things cyber security my name is Jesse Miller I’m the founder of power PSA Consulting we help msps scale vciso and cyber programs and do that profitably awesome awesome you know what and I just want to make sure we’re up and running on LinkedIn because I got a little bit of a message here and while I’m doing that we’ll put Mr schneer up over here too so what’s going on uh welcome back uh Tim shner inquisitive it I do some vciso work manage it in the New York’s Tri tri state area for uh Financial Services firms um law firms and some startups so um if you’re looking for you know anything that’s talked about on the show shifting left and getting ahead of cyber security certainly reach out um but uh excited excited for this episode uh Teddy and I have been chatting um for a couple weeks here on uh talking about you know pentest or at least I think the flavor it’s a little different what Teddy and Teddy and Dylan do so this should be interesting all right hey Teddy since he mentioned you next come on up say hello hello hello Tim schnor I hope you’re recovering okay from that uh that earthquake today um but yeah no excited to be here talk pentesting uh I’ve been doing I’ve been performing pentest for the better 
part of a decade now um building piece of software that comes out of that as well to help organizations uh find those flaws before they become a real problem uh love talking about it offensive security the whole the whole Community everything like that so um always open to to chat and and go deeper into these things awesome thank you and then Mr Dylan you are next my friend thanks for having me guys uh yeah really excited about the conversation I always like to tell people I got my start in cyber uh on the pin testing side and quickly realized how much I hated writing reports so uh jumped over to the sales side instead a lot less report writing awesome all right so uh Mr Tim let me make sure I’m rearranged here we’re GNA put Mr Jesse up in the middle kind of get us down here there we go all right we got the Brady Bunch going on so why don’t we just Dive Right In can we start look ahead Tim yeah I can kick it off so um I I I had a quick LinkedIn just post talking about Teddy and um you he’s talking a little bit of his experience like he’s been involved in pentests for I don’t know probably a good 10 years here and some of them are really easy right some of these companies it’s one move to two moves three moves and you’re you’re in you’re you’re in full control data you know very little siloing full full data uh access to whatever you want um and then there are other firms that are clearly doing all the right things um that are very difficult if not impossible to get into so I thought this would be a great episode um Teddy Dylan can really talk about their experience here and talk about you know what what are some of the big gaps and some of the obvious gaps that people need to take need to take care of so Tim why don’t we start with that right like and that’s a load I think that’s a very loaded term aen it is but I think it makes sense it makes sense to to set the stage for what it is that we’re going to get into here um and I think for the first way to start it 
though is that people talk about pent tests and they’re usually defaulting to you know maybe a network pentest or like the idea behind this is is that penetration tests can can can apply to any type of scope um so traditionally right people think of pent test as internal external pent tests usually external um web applications go in there mobile applications are in there right physical pent test there’s things like that so across the board um pentesting is really all about the the scoping right and how you’re going to Define with that scope in what what are those Rules of Engagement that you’re going to get into um but to Define penus is the whole right it’s it’s it’s really people would say breaking into a network or breaking into an environment or something like that but I would I would want to change that to testing controls that are currently in place to determine their uh validity how well they’re working and and and their advocacy at that at that so um and and that’s something we’re going to get into is is really breaking down when it makes sense to do a pen test and when it doesn’t um and that’s Tim to your question or your earliest point there is we’re going to get to that where when does it not make sense to do a pen test because it’s so easy to get into um so yeah that that’s how I would Define it right it’s testing your controls their efficacy of those and and determining where those gaps could be so don’t do a pen test before you know where those are so I have another followup to that and one that I I would like to maybe just nail down a bit more I know kind of where it sits in my mind but you know what what makes a pentest versus uh an a vulnerability scan or CU you know you see a lot of marketing fluff out there where you know automated pen tests or click button pen tests and you know you dig into that and it’s they’re running a b they’re throwing a bunch of scripts against the wall with Metasploit or you know corite or something else how do you see 
Teddy uh what What’s the break line between what makes a real pentest and what are some key Hallmarks of that yeah I mean as part of that scope process you’re thinking what what are the objectives of this right a real pentest as part of you know the the real value of append comes in the scoping aspect of everything so if you’re scoping and you’re like okay my objective is I’d like to see if you can gain access Global admin and Azure right or I want you to get access to pii where a lot of these oneclick type of you know the the automated pentest and they’re they’re good as a security tool but they’re not a real I wouldn’t consider penetration test right you’re not testing you’re not testing against an objective you’re testing against a set of controls um and yeah so Tim scoping scoping is totally key it’s it’s breaking down what are the goals and objectives of a of a pentest before you’re getting into that now when you’re talking about there are tools out there that go much farther than what what people would traditionally say like Anessa scan pentest which we’re still working through in the industry to get past um like I mean so our our consulting company hoplight we we lose deals because due to price all the time like there’s no no hiding that like that’s it’s very clear and we’re fine with that um we we always try to make it very clear but it’s very difficult for people to compare apples to apples from pentest to pentest because there isn’t a standard out there there’s nothing that says like this means that you can do there’s really not I mean there’s a pest framework which is what most people use um but even still so then people don’t understand that and then they’ll just be like oh this person’s price was a third of your cost and spending Seven Grand on a a vulnerability scan that’s gonna give them something that they could have just bought the tool and done it for a year instead so yeah I I’d love I’d love to be able to Circle back because you know in the 
compliance world we talk a lot about scoping and Boundary right and so for those of for those listening in the audience right whether it’s a penetration test or an engagement in red team blue team or compliance you know uh engagement like really having that defining like this is what we’re doing this is the Rules of Engagement these are the products Services apis people process these are the things that we’re doing this work against right you know I hear a lot from you know msps trying to do work in the Department of Defense and you talk to those def Department of Defense companies and they’re like everything we want our whole company yeah but that’s probably not the actual right scope right you know when I look at our platform or we look at any of those other platforms you know I’m gonna want to have teddy and Dylan go after my apis you know go after both authenticated and not authenticated and go after the public facing website go after the DNS servers put those things in scope appropriately right so scoping is probably the biggest misconception in a penetration World in a compliance world and even in a risk world right talking about peer group the other day like defining an area of risk you know they just had a huge earthquake right and you know where Tim’s at in that area and like I don’t experience earthquake so it’s not a risk that I would have but I probably want to make sure things are locked down so the whole conversation around scoping and getting that right is extremely important because as you said Dylan I can buy a tool and scan all my stuff but is that authenticated not authenticated all of that so scoping is really a big important part right yeah that’s a great model that you just mentioned scoping right so a lot of times I think the misconception is is I go out and hire a a red teamer you or you know someone from Defcon or someone to come in and basically just get in right like but did you actually go and check all those controls right like did you 
you found one way in but is there aund ways in um is there have you gone through Tim I guess the word is more like audit right like have you gone and through and and validated as Teddy said the efficacy of those control so um I think that adds a lot a lot of color and a lot of value like going through and actually pushing on every surface to figure out where where there’s weakness so um yeah Dylan go go I know you’re uh you’re waiting to go so no I’m I’m good no I say Tim you you make a good point there in distinguishing the difference between red teaming and Pen penetration testing right a penetra a red teamer May perform a penetration test or you may do fullon red teaming right where that’s how we view it is is when when we get when we sign up for a red team it’s no rules how are you getting in obviously there’s some Rules of Engagement but like for the most part you can send emails you can go break in physically you can whatever you need to do to gain that initial access you can use Wi-Fi like whatever you need to do to gain that addal access and then pivot through to get access to whatever it is that those objectives are whereas a penetration test is much more stringent when we’re going through we’re deciding okay this is in scope these systems scope these are out of scope because these are maybe medical devices they could be um and but there’s a when you do each one of those is depends very greatly on on what you’ve done in the past and what you’ve gotten there if you go if you go to someone you’ve never gotten a pen test done your controls are iffy you don’t remember when your last risk assessment was you’re like I want to hire a red teamer it is an absolute like it’s a it’s a joke like it’s it’s and to your point it’s like yeah we’ll find because we’ll find a way in to get to that objective and then the clients’s like that’s all that they’re getting as as value because that’s what they paid for they paid for us to capture an objective not to go through and 
evaluate the efficacy of all of their of these different types of controls yeah so um yeah Tim Tim you just threw something up as a question there um was that would humans ever would you love to take this one so yeah right piggybacking uh following people tailgating into into building using sending emails making phone calls things like that those are all things that come into play they could come into play as a part of a silo type of red team engagement or or type of pentest Engagement or as part of a red team it’s just like hey we want you to see if you can gain access to our our treasury systems is one that we’ve done in the past it’s like um you know I don’t care what you do around the country go to all of our different locations but can you gain access to this thing but we don’t want to know about it and then you report back when you’re done so go ahead Dylan yeah if I if I can jump in real quick one of my favorite things when talking to small midsize businesses is when they’ve gotten quotes you know Tim you talked about this a little bit earlier they’ve gotten quotes from Red teamers at Defcon for 50 60 80,000 for a pin test I’m like yeah you know pin test I’d love to have one I need one for compliance just can’t fit it into the budget and that’s where where Teddy was talking about the power of scoping you may not need a full you know blackbox red team pin test let’s go after you know one connection let’s try to go after one path of attack that’s where the power of scoping really comes in so we can right siize the engagement for those smbs yep yep and I think that’s where kind of I had a question in the green room I’ll bring that out now don’t like so CIS controls right so like pen testing is one through 18 it’s 18 right it’s dead last so I’m sure you kind of hear the objection of like what’s the point of pentesting I think you’ve opened the door a little bit on the value right like if everything’s in scope and you’re testing it it sounds like it’s more it can 
be almost like a a walkth through of a gap assessment or a right a risk assessment which is very early in the process which which you know if everything’s go up there’s a lot of value there I think as opposed to being hey let’s see if you can get in it’s like you know it’s like me guarding an NFL receiver like it’s a joke I promise without training we don’t we think you could but you have to train right yeah no so on that um and I I don’t know if they did this by Design you know putting it at 18 dead last but it’s a conversation that we have all the time if you don’t have proper security controls in place you don’t test things on a regular basis a penetration test might not be the right investment at this point in time you you know you might need a v Management program you might need a compliance assessment risk assessment um to build that program build that framework so that down the line you know maybe 12 18 months later a pinest would be right for you but a pinest isn’t the right thing at the right time for any given organization yeah yeah yeah I think that’s important that’s important because um you know you touched on something and that I was thinking about as we were talking is you know a risk register and actually understanding what the critical systems are to the business and if we have identified critical systems and we feel reasonably comfortable that we have controls in place then is a good time to test those controls and actually make sure that they’re providing the efficacy that we believe they’re providing providing right so I think that’s a really important frame to look at it through what’s that acaron I know it well because I’ve been taking this risk management test all month yeah so I I I just broke my own rule of putting up a comment of an acronym without actually defining the acronym which is business impact analysis Jesse we were just talking about that in my peer group yesterday y yeah and risk register and that stuff so um so what’s a risk 
register I think we talk about that term all the time it’s obviously mythical I call it the Amazon Amazon shopping cart of risk right so but I wanna I want obviously we stay on topic right because you know we tend to Circle the Drain sometimes um so I’m a I’m a SAS company right I know as part of my compliance thing I need to do a pentest yeah I’m scanning my code I’m doing vulnerability scanning on my code base on my machines on my stuff I think I’m covered okay I need to fit this compliance or this you know framework or this insurance or this thing and they ask do you do a pen test yeah I run end map I’m good no no so my question right right we talked about scoping I think we you know the last 17 minutes or so we’ve kind of gotten our head around all right get the scope right so you know are we doing the entire football Stadium or are we just looking at the defense the offense or the coaches right scoping okay great now we’re just gonna go after the offense right or the coaches we’ve defined the scope so now what where do I go what do I do do I do I like since you’re living and breathing this stuff all day every day far better than us like what is the next part of this process right scoping and Boundary step one in a sense where do we go from here yeah um that’s when that’s when key communication starts uh so you want to make sure right before you’re testing anything um well first of all you want to be testing depending on the scope right so in an application specifically we would we would opt to test in in a QA or staging type of environment you don’t usually want to test anything like that in production production data you know real people actually using stuff you want to you w to into a pre pre-production environment and um right then it’s then it’s Gathering credentials um it’s Gathering so the way that we would look at something like that is we would look um from a blackbox perspective we would look at the you know the login page can we can we bypass 
authentication somehow and that’s what we call an uncredentialed or unauthenticated test um we do all of our testing there and then we would move to okay now we need credentials um and uh You’ use those credentials to then verify to to to explain the risk of whether someone’s credentials were compromised or if someone there’s some apps where people can just sign up right so you bypass authentication wall but then there’s all these other risks that are there behind that so um can you horizontally pivot or vertically pivot meaning horizontally meaning can I access me as a user of your platform can I access Tim nerve um tenant um how can I bypass that or vertically can I as me access Tim Golden’s super admin tenant um and how do we authorization is a huge part in application security that’s that’s often overlooked and that’s why companies kind of get screwed when they buy a pent test and someone just goes and runs a burp scan on their environment um where it’s oh here’s your SQL injection that’s a Time based Boolean SQL injection that is actually a false positive because uh burp site can’t actually pick up on those things or there’s of things that that it doesn’t pick up on at all um it’s a great tool like anything else tool is good but you also need the proper people operating those tools on the back end to understand um other types of gaps and flaws that are there so um and again this is for web applications and apis and stuff like that specifically separate than a network pentest what most people would usually refer to um but yeah that’s how we look at it but then you got to be constant communication when we’re starting when we’re starting testing in the morning when we’re finishing testing in the afternoon some people want us to test at nights so when we’re starting testing in the evening and finishing in the morning um and then you keep you keep having those conversations weekly status meetings always always always you should be getting notifications if there’s 
anything critical um right if anything that’s dropped dead you should get a you should have numbers you should have uh phone numbers and emails and those that should be discussed immediately when like could call checklist yeah so I I want to click in on that that drop dead and I Tim I know you’ve got a question about the same thing yeah so I mean the question I think I started the show talking about like what are the easy gaps to fill right like so how do we know we got a rookie on the field and the wide receiver is just going to dust them right so like what are what are some of the easy things and it sounds like we’re we’re talking about what’s a scope and we’re talking about epic epy of controls just to kind of hammer down that theme Here um so even in Risk assessments Jesse like from a BC so perspective like you know what are you know what are you I guess what are you trying to unearth there and it’s interesting because Tim we just talk Teddy just talked about a lot of like very technical things and I think a lot of people that sign up for pentest like wouldn’t know what an API is even right like so you know it seems like they don’t they don’t have the knowledge to understand what’s in scope and what’s not in scope um which you know so go ahead I mean to me I was It was kind of leading into and kind of where I was going with my question on you know we’ve talked about you know the guys from black hat that are charging you 50 $60,000 or there’s organizations that will do that you know I’m not going to name names but that I’ve worked with in the past and they’re great pentesting teams but it’s A50 $60,000 engagement it’s over the course of three months they do low and slow emulating hacker attacks and all that kind of stuff and that definitely has a place but then there’s a flip side of that where oh yeah I just I’m just going to go buy Cobalt right it’s got all my pen tests preloaded you give me your your application your apis I’m going to click button execute it 
and come back to you and be like yeah 10 grand we test your application I run you know I click button test it and give you the Cobalt report and say oh yeah there you go pen test done check the box compliance right so I think what Tim was getting at is you know how do you what are some things to look because I I wouldn’t call that a pen test I mean maybe technically it is but it’s not there’s not much value there so what are some things to look for uh for a pen tester that actually knows what they’re doing and is doing more than just running scripts or attacks from a platform against your environment yeah Dylan that or I say this is where my knowledge would stop because I when I got my start in the pin testing it was script Kitty you know to the max so this this is where I’m I’m here to learn from Teddy scrip scrip turned head of Channel um yeah so so that’s where and that it truly does go back to to scoping right and that scoping should go well before or the proposal or any contracts or signed right you should be talking to different different um different firms and and really interviewing the problem is is sometimes people don’t have the right questions to to ask um to understand the difference now I would say big red flags are if they’re’s like yeah well we look at the O top 10 and that’s that’s what we do right or or if they just if their value prop is their tools or something like that big red flag um specifically for web app testing that is a very Niche uh like good web app testers they very very few in far between um and you you want them to actually go into their methodology and the stuff they’re looking for I would always listen for looking for authorization errors that’s like the biggest thing right now is and then we see that we we bypass so many so many controls uh or so many apps we gain access to things that we shouldn’t because of authorization and and there’s always companies that are like oh we’ve gotten pentests the last six or seven years and 
it’s like let’s see those reports and then you look into them and it’s like you know there was no there was no vertical or horizontal pivoting being checked for there so what you’re telling me as a SAS vendor I I just can’t go grab the community edition of burp site and and and be done and check that box on my sock 2 and ISO ran burp sweep got a report green everywhere I’m good to go I’m secure I think that’s really the question is I got some green checkboxes on some tools and I’m secure like maybe you know Dylan or or Teddy or Jesse or any one of you like talk about that for a few minutes right I ran a tool I got some check boxes I’m secure really so let me let me start with that and it goes back to the whole you know problem with the industry calling vulnerability scans uh pinest because by definition you know we’ve we’ve heard this time and time again a penetration testing is objective based custom assessment not a hey let’s go touch everything we can and and throw out a couple hey you know uh yeah exactly The $99 pin test um let’s throw some green check boxes and you’re all good because you’ve got skilled testers that can go no I I can just you know screw up all of this authentication and get access to every database ever um so it’s important to draw the line in the sand of what is a scan what is an actual test because testing is all validation and exploitation so Teddy I’ll I’ll throw it over to you there but wanted to draw that line yeah no I think that’s a good point I mean it’s just it’s like anything else you know being successful and something like that is going to always require a combination of people process and technology and and ultimately the the the technology that you have maybe a good scanner maybe something like that but it’s not going to look for everything that you need to find so um yeah that’s that’s kind of how I would break it down is is making sure that the firm that you’re working with have the right tools making sure that they have the 
right people and that they’re following the right process to lead it to a successful test it sounds like it’s more than it is because a lot of it’s just for a lot of testers that are you know really good testers it’s just back of the hand but they should be able to answer any of those questions very confidently and know you know exactly what they’re doing tell you exactly what they’re doing so what do you what do you feel like the biggest risks I guess like I’m just trying to back it up from an MSP or like an or small business what are like the assuming you you weren’t going through and checking as I said like the weakness of every e the efficacy of each control like what are some of the like the areas that are drastically like I guess going to hit them with ransomware like tomorrow yes uh all right so let’s on the topic of ransomware then let’s pivot over to infrastructure Network pen tests then so um the biggest thing is misconfigurations right um it’s it’s you know everyone’s worried about cve here cve there things like that and yes and lot of these do end up falling into like the CIS um Benchmark misconfigurations and stuff that I know some people think like that’s a compliance check box but there’s a lot of those things in there that like are very important to us so for example um if you’re talking like once once an attacker is on the network the first thing that they’re going to look for if they’re trying to bypass EDR um or bypass any sort of detection mechanism is we’re going to look for standard Network traffic that’s going on right now we’re going to look for credentials that are stored in uh file shares that everyone can access we’re going to look for net bios we’re going to look for lmnr we’re going to look for MD s we’re going to look for IPv6 right those different types of protocols that broadcast um they broadcast uh credentials and what we do is we capture those credentials we either crack them or we can relay them on to another misconfiguration 
which would be SMB signing and this in this situation um so those are I think we get in with that almost every time um once once we get in once once you bypass external and you get in to internal it it’s very easy to do that because Microsoft has made the mistake of enabling a lot of these things from default from the very Geto so that’s where it’s like you can’t just you can’t just depend on Microsoft to have oh it’s a brand new operating system it’s not gonna have any vulnerabilities on it no like that’s uh yeah that those are things that are are very very important um and so yeah again like I said all those things that I just mentioned there none of those was a single cve which that’s the common miscon concep misconception is that people think oh like it’s all these vulnerabilities that are out there and it’s like really no the widespread attacks those are all comes from come from misconfigurations yeah would it help I mean it’s almost like there should be a cve for a Microsoft misconfiguration I I gu some overlapping a little bit here but it’s how do we kind of make you know make it obvious that that’s like a problem I don’t know well it’s a good point and I’m going to take take this time to to talk about like kind of what we that’s what was the whole purpose of Shield um was we we spent time you know thousands and thousands of pentests we find the same things over and over again the same we get the same feedback from people saying We Run quala scans every week or Nessa scans it’s like doesn’t matter how many scans you run or how many patches you fix like if you don’t understand the context of how all that stuff fits into your environment then there’s no point in doing it you’re playing wack Ando for nothing um so you should you should take misconfigurations and there cves are a problem too um there it’s a lot of times how you gain initial access but it’s not how widespread attacks are happening so you have cbes you’ve got misconfigurations and you’ve got the 
identity layer which is how a lot of people are pivoting through in internal networks that’s how ransomwares happen things like that um so it’s a combination of all those things and how do you bring context up to to the the user to know okay this cve this misconfiguration this mis misconfigured identity can result in a very very big problem um and that’s the kind of context that we’re trying to bring to people instead of looking at them all in siloed not understanding how they all fit yeah the sunzo quote that says uh tactics without strategy is the noise before defeat that’s what it is right exactly exactly Dylan let’s make sure Sam writes that somewhere on our website awesome awesome so you know as we’re as we’re about halfway through here I kind of want to throw some stuff out to the audience um as we’ve talked about penetration testing you know scoping boundary the rookie on the field versus the experts like the teddy and the dyons right um kind of keeping that in mind for those listening in the chat below give us a thumbs up or a yes if you’ve actually done more than an automated scan for a pen test if you’ve actually engaged with the smart people like Teddy and Dylan and others yeah have you done a penetration test as defined somewhat by CIS have you done this in the comments give us a yes no like or some indication please yeah yeah I just want I’m thinking more about what you’re were talking about about the the configurations and like llm llmnr being like one of the major ones you always see right it’s like new new domain controller new breach uh it’s so to your point Tim um but you know back when uh when I was working at MSP and we were building our security program and that was one of the things we always basically pushed as part of the risk assessment was an ad hardening which was you know LMR among other things getting that done and that was so it was one of the things that was harder to sell to be frank because the client’s like why do I need this but 
then when you talk to that, what you're saying is, this is how attackers get in. And vulnerability management... I might say, if you have to choose between that and your standard Nessus scan, you should do the AD hardening first, right? But yeah, and that's what's nice about Shield. I don't want to pitch you guys too hard, but that's what I think... yeah, I know, I'll plug you. You guys are looking at the attack path and the attack chain and the actual, pragmatic way attackers are getting access to the environment. So I just think it's really important for people watching to understand that if you want to get some mileage on easy low-hanging fruit to do with your customers, go do some AD hardening and best practices. I thought I saw Zach from Senteon pop in there with a comment, and obviously they do a great job with doing some hardening against that as well. But I think it's so important for people to understand that. Everyone obsesses about vulnerability management, and yes, it's important, right, but only in the right frame, with the right perspective.

Yeah, I always describe this like... most humans have moles on our body, right? You can live with moles; they're fine until they become a problem, right? And that's why you're continuously evaluating them. It's the same until it becomes an issue where it's cancerous or something like that. It's fine to live with it. You may remove it because it may become an issue at some point in time; that's the risk decision your doctor is making with you. It's the same thing with vulnerabilities. I'm not saying you shouldn't fix them, but you don't have to worry about fixing every low and medium and even high. There are high and critical vulnerabilities that are not exploitable; there's not a big problem right now, it's not going to create a big issue for you. But you want to make sure you're targeted
about it. So we're trying to bring the 80/20 principle to security and vulnerability management and, you know, preventing attacks.

So, Tim, I can ask that. A lot of MSPs, right... I look at thousands of them as a vendor, and Jesse is always looking at potential customers to work with, right? So the typical stack is kind of the same things: MDR, MFA. I'd say application whitelisting probably isn't even common. There's a big channel vendor that starts with a T that does application whitelisting, but it's not in my stack, Locker, not your stack, Locker. So, you know, compensating controls, right? You've got an out-of-the-box Microsoft system that's not configured at all. How much do those help, right? Can they compensate 100%, or are you still going to have your way, just because they're wearing sunscreen?

So I'm going to start on this one, because I was at an MDR provider for a little over five years, and I'd used Teddy and the team for penetration tests before I joined Shield, and it always blew my mind how they were able to bypass different security controls, whether it was MDR or application whitelisting, whatever the case was. The reality is, when you look at those misconfigurations in the identity layer, it looks like real traffic. You're talking about bypassing EDR and other security controls when you're acting as Dylan Hutchinson and accessing systems that I may or may not access on a regular basis. A SOC that's inundated with thousands and thousands of alerts is not going to catch that, because it looks like Dylan accessing different systems. So that's one thing that I think is a tremendous misconception in the space: "Yeah, I've got MDR, EDR, I'm protected from this." If you're acting as a known user, you're not going to see it. So, Teddy, I'll turn it
over to you on how you've bypassed these.

I wanted to say that those 100% claims are, like, effective... yeah, go ahead, Teddy.

Well, I mean, those 100% claims and stuff like that come with a ton of little fine print, right? But bypassing EDR and stuff like that, it happens, it's possible, we do it all the time. Just by changing what the hash would look like, which is what a lot of those things pick up on, that's as simple as it takes. Now a lot of them are getting good, where the heuristics will pick up on the changes and things like that, but even still. So that's talking about EDR technology specifically, but like I said before, they may pick up on us trying to exploit an actual vulnerability, but they're not going to pick up on us acting as normal users, and that's the whole goal of an attacker anyway. When you hear people talk about how, by the time you find out an attacker is in your environment, they've already been there for six or seven months, it's probably true, right? They have access to credentials and they're living there from credentials. They're not living there exploiting machines throughout the environment; they have credentials and they're slowly spidering their way through the network as they gain access to more and more users. That's really the name of the game: seeing how many users you can gain access to until you get to a super high-privileged user, and you can use that user then to deploy the ransomware or turn off EDR or MDR or something like that, right? So, yeah, I forget even what the question was there, but that's kind of how we do it. And to your point, they're great controls, and everything about security is about defense in depth. You need to have different layers of those things. I'd rather have both of them doing okay than having a super expensive solution that you think is going to do it.

Yeah,
yeah, yeah. It's interesting, because it occurs to me, and you can tell me... I'm trying to think of pragmatic ways for MSPs and clients to vet good pentest providers, right? So would a good second- or third-level question to ask a potential provider be, how do you do, and what's your process for, user emulation and compromise techniques? Would that be something where, if they maybe didn't know what they were doing, they might stumble, but if they knew and they were good pentesters, they'd say, "Oh yeah, we do X, Y and Z, we act like the users, this is what we do, this is how we get into the network"? The question there is, would that be a good question to gauge the knowledge of a pentester?

Yeah, yeah. Like, are we going to evaluate the directory services? Are we going to evaluate Entra ID, Active Directory, things like that? Are we going to go to that layer? I always view it as, you've got your identity layer, which is all at this plane, and then the host-based layer, which is this plane, but then the identity layer lives below that and has access to all these other things, right? So I would 100%... that's got to be a part of the scope. If not, you're just trying to scan and perform exploits on it, which, yeah, anyone can see whether or not a vulnerability has an exploit to it or not; it's available. So yeah.

Yeah, like, I can go into a network and smash my way through, getting on a computer and capturing LLMNR requests and cracking those and being like, "Yay, I dumped a hash, I got a hash, I got a password." I'm going to make so much noise, of course I'm going to get caught, and they'd be like, "Yay, our SOC did its job," and I'd say, yeah, you just got a pen test, right? But that's not realistic. That's not how a hacker or an attacker works in the network, right? You have a SOC, but... go ahead, Dylan.

True. I want to add on that by telling the listeners out there: don't use a penetration test as a gotcha on your MDR
provider. Because going back to where we started with scoping, it goes on both sides. If your MDR provider is only really managing your EDR platform of choice, your flavor of choice, they're not going to have visibility into your O365 or your AD or any SaaS applications. So make sure that it's a collaborative discussion when you're doing your pen test with your MDR provider. Make sure they actually have visibility and access to what your pen tester is testing, so that way it's an actual productive engagement rather than throwing money against the wall.

That's actually a really good point. I hadn't actually thought about that. So I've been dealing with scoping our own penetration test, like a real penetration test, not some Burp Suite that I'd run anyway. I've engaged with about four different organizations to conduct our own penetration testing, and I hadn't actually thought about that, because we have pieces of our stack... I won't call out the tools or whatever that we use for EDR, MDR, SOC and yada yada yada. But I hadn't actually thought of that whole concept of, hey, we're going to do this thing with this organization to test these kinds of things in the scope, while we want you to be part of that conversation and not block them along the way. Because maybe the SOC... maybe it gets discovered on that initial access, and now the scope says we want to get beyond initial access, we want to get in and go change data. And so if I don't have that conversation with my SOC or my MDR or my EDR and they don't know it, and they stop it dead in its tracks, which they should, then your engagement is done, because I asked you to go change data someplace and prove to me that you can, and you get stopped dead in your tracks. Well, if I didn't have that conversation with my MDR or my SOC or my other pieces of the stack, I would have wasted everybody's time. It's a really good point. I hadn't
thought of that.

This is where it all comes down to: it's a journey; it's not going to happen overnight. And so we always recommend, and we talked about red teams earlier, to bring that back into it, but when you're doing your pen test early on, a ton of people should know about it. Your SOC should know about it, your MSP should know about it, your internal IT team should know about it, your executive team should know about it. Okay, everyone knows; we're being communicative throughout the whole process. Year one, year two, you start to maybe involve fewer people and things like that. But the whole point is, early on, if we're finding things, if we're able to bypass MDR and EDR for certain aspects, the whole point is that we should be able to report back to them and help them fix that in the future. It's like, hey, no bad blood, we're just here to help you. And we do this a lot with different MSPs and EDR providers: hey, you missed that, you should probably trigger an alert for when we change an Active Directory certificate. That happened just last week with a different client, where we went back to their SOC to help them fix some configurations. And you're improving it, so then down the line, three, four years from now, maybe you do omit the SOC from knowing, and then the idea is, because we've worked through it and we've helped them improve their controls, now we want to see what happens in a true black hat scenario: can we bypass them at that point in time? But by trying to spring something on someone, you're not going to make anyone better for that.

So yeah, that's interesting, and I guess that leads to a question that I'm thinking of as you were talking. Where do you see the most... what's the most popular, or the most that you guys are doing? Is it like an assumed-compromise pen test, or is it more that black hat scenario where we've got to
try and get a phishing email through and pop a shell and then work our way through? Or do you see mainly we're just doing assumed compromise, and that's probably the best way to help a SOC learn?

Yeah, so it just depends on how many years we've been working with that company.

Okay.

But early on, unless they can prove that they've done some mature things before from a pentesting perspective, we usually start them pretty early in the process. But to your point, our default scope, if someone comes to me and says we want a pen test done, assuming they're not a SaaS provider, right... So if it's a SaaS company, the first thing we're going to jump to is API and web app; that's what we're focused on, right? Most modern SaaS companies are all using... they have decentralized networks. We're not concerned about ransomware pivoting through their entire network; we're worried about their application and the data that sits behind it. So if it's a SaaS company, immediately let's look through your apps, your APIs. Okay, if it's a traditional company that's got a more traditional infrastructure, then we're thinking internal, like an assumed-breach internal pentest, but then also an external, so from the outside in as well.

Gotcha, okay, that's helpful. So the other thing that I find interesting, right, because we're scoping and doing all that stuff: I deliberately excluded my M365 from scope, because it doesn't actually touch the SaaS, and while it touches the three or four humans in the organization, it's out of scope, right? I'm not writing code, our salespeople aren't writing code, they're not in the platform doing the things. Out of scope right now. As a company as a whole, I probably should be going after my staff and 2FA and my M365 down the road, and this is where, Teddy, you were talking about that long-term relationship with an organization like Shield or Blackpoint or whoever the others are in the space. I'm not going to go after M365 today, because I don't really
care... I do, but what I care more about is, as a SaaS provider, can you get in my thing, can you break it, can you change data, right? So as we're kind of winding down here, into the last 10 or 15 minutes, I know we had a whole boatload of things in the green room we were talking about. We talked a little bit about what the first couple of moves are. So you mentioned misconfigurations, right?

Yeah.

Anything else there? Maybe Teddy or Dylan, you want to pop in with something we might have missed?

Yeah, like a tough one, where right out of the box you're like, these guys are good, they've got their shop in order. It sounds like misconfigurations are a big one. What else, in terms of missing gaps in the CIS, you know, 1 through 17 there?

Yeah, I always like to explain to people, if I can leave you with a couple of things to do, it would be: have MFA enabled externally everywhere, right? So every application you can that's going to have access to your network or anything sensitive, have MFA, some sort of SSO, something like that, enabled. After that, if you're a traditional on-prem network or something like that, have long passwords, longer than 14 characters. Anything below that we can usually crack in less than a day. Once it gets higher than that, it gets too expensive, and most people are not going to be motivated enough to spend a thousand dollars cracking a password. It would also be having, as a specific CIS control, SMB signing required.

That's like... what is that, for those of us in the back? What is that, subject matter expert signing? Like, yeah, come sign my book.

Server message block signing. So basically SMB is a protocol that we communicate with; that's how we authenticate on the back end to traditional Active Directory environments and stuff like that. So if you have that enabled and we're trying to authenticate
from a machine that's not on the network, that doesn't have a certificate on that network, it's not going to allow us to do it. Or it's not going to allow us to relay credentials from an unknown machine, that the source hash didn't come from, to another machine.

So I remember rolling out, like a year or two or three or five ago, SMB 1.x: go run this PowerShell script to block this on every machine so you don't, blah blah blah, right?

So yeah, but there are minimal things you can do. When I talk about the 80/20 principle, that's a big thing for us when we talk with Shield and stuff like that, because it's like, just do these main things and I promise you, you're doing more than 99% of other people.

Yeah, at the end of the day, you don't want to be that last gazelle running across the prairie, right? As a small business, what's the risk/reward? So how do you make them unattractive? Yep, 80/20 rule, as you said. So that's good stuff. Tim, do you want to... we've got a couple minutes here. Maybe we won't go over this time; we can go into final thoughts.

I think, I mean, this is great, Teddy and Dylan, in terms of what's the value of a pentest. Because I think a lot of times, when I think of a pentest, I'm like, well, I'm not there yet, my house isn't in order, my controls aren't in order, how can a pentest add value if it's done maybe somewhat out of order? But as you said, what's in scope is really what defines a real pen test, or maybe a vulnerability test. What other layers, you know, are you dealing with just vulnerabilities, or are you actually emulating threats and understanding how they act and move horizontally, as you said? So, yeah, key takeaways, I guess.

Yeah, so as we tie up and wrap up here in the last eight to nine minutes, how we always like to
leave the show with our MSP listening audience is with a couple of key takeaways, right? And so, Dylan, since you're in the top corner, you get to be brought up first, and then up next. So, a takeaway from an MSP perspective: have at it.

Yeah, I'm glad to go first, because I was really worried you guys were going to take mine. We talked about them earlier: the CIS controls are there for a reason. You talk about getting from that step zero to step one in terms of a security framework; use it, use it to your advantage. It'll put you ahead of 99% of other organizations.

Awesome, awesome. And I think, if I'm doing this correctly, then Teddy, you're up next.

Yeah, so I have two, one of them longer than the other; the second one's simple. The first one is, and I can say this just having a penetration testing company: do not think that going and getting a penetration test done is going to be an all-encompassing thing that's going to find all of your gaps and your flaws, and all of a sudden you're going to be good and you don't have to worry about cyber hygiene. I look at a pen test and the whole process like a college class, right? You don't take the final on the first day and then try to learn everything after, right? You go to class, you take quizzes, you go to office hours, you study, you do homework, you do all these things throughout the entire semester or the entire year, and then at the end you take your final. And so all those things you're doing before, the first 17 controls of CIS, right: let's make sure we have our asset management down, let's make sure we're scanning for vulnerabilities, let's make sure we have all these things fixed before we go, because we know there's going to be a problem. So do all those things, then the penetration test, think of it as your final. So just be prepared for it. Don't sit there and be concerned about it; know that you've put in the work
and then you're going into that thing and you're going to have it, and it's going to look well. The one easy, simple one: do not overlook the identity layer. That's my main one. Don't overlook the identity layer from an attack surface perspective.

Awesome, thank you so much. And Dr. Jesse, I know you always have a lot of great key takeaways.

I'm going to go back to my quote: tactics without strategy is the noise before defeat. And so I think, building off of what Teddy and Dylan have said, understand what you want to accomplish with the pen test, and then also have a control, to speak in scientific terms, in the way you evaluate your pentest providers. Understand what you want to get done, understand what makes a real pentest and what makes a good pentest, and then build some control questions and some control evaluations to find that right fit, for compliance, number one, but then also for getting some security leverage out of that as well.

Awesome, awesome. And I don't know if it's my internet or something, but I'm getting a little lag. Mr. Tim, you're up next, my friend.

Yeah, I hope I'm not lagging, but I think, just looking at a strategy of how to protect your company... We talked first about using MDR and using application whitelisting and trying to use tools to kind of shortcut that or short-circuit that. Clearly that's failing, right? A good pentester can get in and get around that. So table stakes is, you still need to do hygiene, you still need to go through all those CIS controls, authentication configurations. There are 256, maybe, something like that, Windows configurations in the CIS Windows configuration recommendations. So just on that first recommendation that Dylan and Teddy talked about, in terms of what you need to do, something you need to focus on, right, which is, Tim Golden, I think it's control four, configurations, maybe it's five. But you can't work backwards. You can't just
say, "I'll get a pen test, and I'll go correct those three things," and think that you're fine, which is not going to be the case. It's really what Teddy said: you've got to work up the whole body of work. You can't go from totally unprotected to doing a pentest and working backwards; you've got to work your way up, as opposed to coming down.

Awesome, awesome. And I guess I probably should go. My key takeaway... let me think about this for a second.

Something Tim said was good: you've got to coordinate and orchestrate the pentest. I think that was a gimme, a little bit, for you.

Yeah, like I'm trying to coordinate all the moving parts here on the live stream. So I guess my key takeaway would be: communication is key, right? All the way from the top stakeholder to your SOC to your MDR, as you're doing these kinds of things, as you're trying to meet not only your compliance checks but good cyber hygiene and really good security, make sure that you're communicating that effectively across the entire organization and the departments this stuff will be touching. As both Dylan and Teddy pointed out, there may be parts of the engagement that you don't want to tell the SOC about, because you're trying to test the SOC, or you do want to tell the SOC, so that they can capture that and allow that traffic through. Communication is a key part of this, right? Being able to effectively engage at all levels across the organization.

So we've got just a few seconds left. I'm going to pull this up here. We haven't done this in the past, a kind of call to action: where do we go? I thought I'd throw this out there and see if the audience jumps at it. Dylan, Teddy, I'm assuming head over to Shield Cyber.
Is there anything else that we should probably let the audience know about engagement and that kind of stuff, some kind of call to action? How about the Power Grid thing too, right, Tim?

All right, there, he stole one. You finish the one, you get to the other. I'm moving.

Yeah, no, I'll do a special... we'll do an impromptu special offer for the listeners. If you reach out to us, just let us know that you met us from the Team Tim podcast, and we can get you an identity security assessment, complimentary, from the team here.

Awesome. Wow, wow. For Tim Golden, covered by... look, even my coffee mug's not branded with my stuff. So we'll offer everybody a pentest. There you go, there you go. All right, with the last minute, minute and a half, I really am excited to give our good friend Jesse a minute, minute and a half to talk about Power Grid. So yeah, jump on in.

Okay, hopefully my video isn't lagging anymore, but if it is, too bad. Power Grid is kind of the vision that I've come up with from this year and a half of working with MSPs and seeing some consistent needs in the community in terms of being able to properly structure and scale vCISO services. We're getting to a tipping point where risk-led approaches are required, that strategy is required to make sure we're ensuring that our customers are safe, and many MSPs are just underequipped to do that. So what the Power Grid is is a community that has a deep ops training section and then templates, methodologies and basically my career's worth of expertise helping to structure these programs for MSPs. So if you're looking to deploy a vCISO or security advisory practice for your MSP, this is where you want to be. It's extremely cheap right now to get started, and go over to powergrid.group to check it out. That'll take you right to the info page, and you can read about what it's about and sign up.

Awesome. So I know we don't talk about plugging ourselves, but I really felt the need to bring forward to the community what Jesse's doing with Power Grid, and not just Power Grid, but I believe you're doing some stuff with Empath Cyber, our good friends Wes and the rest of them over there. So head on over to... I just can't... where the heck did they... oh yeah, there we go. I wanted to prop that up, right? So head on over to powergrid.group. I love the kind of dumbed-down... I love it. So hey, it's three o'clock, we're getting out of here, everybody. Stay safe, for those of you that were affected by the earthquake and all of that. Stay safe, and we'll see you next week, next Friday. Subscribe now.