Pen Testing Active Directory

You may have been following our series of posts on pen testing Active Directory environments and learned about the awesome powers of PowerView. No doubt you were wowed by our cliffhanger ending — spoiler alert — where we applied graph theory to find the derivative admin!

We know from the many emails we received that you demanded a better ‘long-form’ content experience. After all, who’d want to read about finding hackable vulnerabilities in Active Directory while being forced to click six times to access the entire series?

Thanks to the miracle of PDF technology, we’ve compressed the entire series into an easy-to-read, comfy ebook format. Best of all, you can scroll through the entire contents without having to touch messy hyperlinks.

Data Security, IT Pros

Disabling PowerShell and Other Malware Nuisances, Part III

One of the advantages of AppLocker over Software Restriction Policies is that it can selectively enable PowerShell for Active Directory groups. I showed how this can be done in the previous post. The goal is to limit as much as possible the ability of hackers to launch PowerShell malware, but still give legitimate users access. It’s a balancing act of course. And as I suggested, you can accomplish the same thing by using a combination…
Data Security
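The teaser above describes the AppLocker approach (allow PowerShell only for a chosen Active Directory group) without showing the policy. The following is an added example, not code from the Varonis post: it builds an AppLocker Exe rule collection in which Everyone may run the Windows folder except the PowerShell hosts, and only a placeholder group ‘PowerShell Users’ (plus local Administrators, matching the AppLocker default rule) may run them. The group name, the test accounts CONTOSO\analyst and CONTOSO\ps-operator, and the assumption that the RSAT ActiveDirectory module is installed are all placeholders.

```powershell
# Added example (not from the original post). AppLocker evaluates Deny rules before
# Allow rules, so a Deny-for-Everyone on powershell.exe would also block the group you
# want to keep. The working pattern is: one broad Allow for Everyone with the PowerShell
# hosts carved out as Exceptions, then narrow Allow rules for the permitted group only.
#
# Assumptions (placeholders): AD group 'PowerShell Users' exists, RSAT ActiveDirectory
# module is available, and the policy is merged into the local machine. In a domain you
# would import the same XML into a GPO under
# Computer Configuration > Windows Settings > Security Settings > Application Control Policies.

$groupName = 'PowerShell Users'                         # placeholder group name
$groupSid  = (Get-ADGroup -Identity $groupName).SID.Value

# Cover the 64-bit host, the 32-bit host under SysWOW64 and the ISE. Blocking only
# System32\...\powershell.exe leaves the SysWOW64 copy reachable.
$psPaths = @(
    '%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe',
    '%WINDIR%\System32\WindowsPowerShell\v1.0\powershell_ise.exe',
    '%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe',
    '%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
)

# Exceptions block for the broad Everyone rule (a rule may carry several exceptions).
$exceptions = ($psPaths | ForEach-Object { "        <FilePathCondition Path=`"$_`" />" }) -join "`n"

# A FilePathRule takes a single condition, so the group gets one Allow rule per host.
$groupRules = foreach ($p in $psPaths) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow PowerShell host for $groupName" Description="Added example" UserOrGroupSid="$groupSid" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$p" />
      </Conditions>
    </FilePathRule>
"@
}

# S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators (the AppLocker default rule).
# EnforcementMode starts as AuditOnly so nothing is blocked until the log is reviewed.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder except PowerShell hosts" Description="Added example" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
$exceptions
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="Added example" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow everything for local Administrators" Description="Added example" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
$($groupRules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'AppLocker-PowerShell.xml'
$policyXml | Set-Content -Path $policyFile -Encoding UTF8

# Dry run: Test-AppLockerPolicy reports what the policy would do for a given file and
# user without changing anything. Expect Denied for the analyst, Allowed for the operator.
$psExe = "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe"
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $psExe -User 'CONTOSO\analyst'      # placeholder, not in group
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $psExe -User 'CONTOSO\ps-operator'  # placeholder, in group

# Apply (run elevated). With AuditOnly, launches that would be blocked appear in the
# AppLocker/EXE and DLL event log as Event ID 8003; flip EnforcementMode to "Enabled"
# only once that log shows no legitimate users being caught.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
Start-Service -Name AppIDSvc   # AppLocker enforces nothing unless the Application Identity service is running
```

Two caveats a practitioner should keep in mind. Path rules are the weakest AppLocker rule type; a user who can write to a path that is allowed can plant a binary there, so the allowed folders should be ones standard users cannot write to. And blocking the powershell.exe hosts does not block the PowerShell engine itself: a custom host that loads System.Management.Automation.dll still runs, which is why this control belongs alongside script-block logging rather than in place of it.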

[Podcast] Security Pros and Users: We’re All in This Together

The latest release of SANS’ Security Awareness Report attributed communication as one of the primary reasons why awareness programs thrive or fail. Yes, communication is significant, but what does communication mean? “The goal of communication is to facilitate understanding,” said Inside Out Security Show (IOSS) panelist, Mike Thompson. Another panelist, Forrest Temple, expanded on that idea, “The skill of communication is the clarity through which that process happens. Being able to tell a regular user about…
Data Security

US State Data Breach Law Definitions

We discussed in Part 1: A Guide to Per State Data Breach Response the importance of understanding what classes of data you have in your control. We stress this point as it’s easy to get lost in the different numerical conditions around per state data breach disclosure. What’s often not considered is that due to differences in how a state defines Personally Identifiable Information (PII), what may be considered a data breach in North Dakota…
Data Security

Reality Leah Winner and the Age of Insider Threats

Prosecutors allege that 25-year-old federal contractor Reality Leah Winner printed a top-secret NSA document detailing the ongoing investigation into Russian election hacking last November and mailed it to The Intercept. This raises a series of questions when it comes to protecting sensitive information from insider threats. First, should Winner have been granted access to documents related to the Russian hacking investigation in the first place? Were there any processes in place at Pluribus to periodically…
Data Security

[Podcast] Taking The Long View, Investing in Technology and Security

We’re living in exciting times. Today, if you have an idea as well as a small budget, you can most likely create it. This is particularly true in the technology space, which is why we’ve seen the explosion of IoT devices on the marketplace. However, what’s uncertain is the byproduct of our enthusiastic making, innovating, and disrupting. Hypothetical questions that used to be debated on the big screen are questions we’re now debating on our…
Data Security, IT Pros

Disabling PowerShell and Other Malware Nuisances, Part II

Whitelisting apps is nobody’s idea of fun. You need to start with a blank slate, and then carefully add back apps you know to be essential and non-threatening. That’s the idea behind what we started to do with Software Restriction Policies (SRP) last time. As you’ll recall, we ‘cleared the board’ through the default disabling of app execution in the Property Rules. In the Additional Rules section, I then started adding Path rules…
Data Security

A Guide to per State Data Breach Response

Part 1: Preparing for a US Data Breach

In the data management and IT space there has been significant consideration and hand-wringing about how the European Union’s General Data Protection Regulation (GDPR) will eventually impact US-based businesses, or how a future US federal data breach disclosure law might affect IT operations. What is often missed in the discussion is that there are significant per-state data breach notification regulations currently in effect…
Data Security

[Transcript] Interview With GDPR Attorney Sue Foster

Over two podcasts, attorney Sue Foster dispensed incredibly valuable GDPR wisdom. If you’ve already listened, you know they’re the kind of insights that would have otherwise required a lengthy Google expedition, followed by chatting with your cousin Vinny the lawyer. We don’t recommend that! In reviewing the transcript below, I think there are three points that are worth commenting on. One, the GDPR’s breach reporting rule may appear to give organizations some wiggle room. But in…
Data Security

[Podcast] John P. Carlin, Part 2: Economic Espionage & Weaponized Info...

In part two of our series, John Carlin shared with us lessons on economic espionage and weaponized information. As former Assistant Attorney General for the U.S. Department of Justice’s National Security Division, he described how nation state actors exfiltrated data from American companies, costing them hundreds of billions of dollars in losses and more than two million jobs. He also reminded us how important it is for organizations to work with the government as he…
Data Security, IT Pros

Disabling PowerShell and Other Malware Nuisances, Part I

Back in more innocent times, circa 2015, we began to hear about hackers going malware-free and “living off the land.” They used whatever garden-variety IT tools were lying around on the target site. It’s the ideal way to do post-exploitation without tripping any alarms. This approach has taken off and gone mainstream, primarily because of off-the-shelf post-exploitation environments like PowerShell Empire. I’ve already written about how PowerShell, when supplemented with PowerView, becomes a potent purveyor…
Data Security

One Year Out: 75% of Organizations Will Struggle to Meet EU GDPR Regulation...

Today, we have released the findings from an independent survey probing attitudes towards the EU General Data Protection Regulation (EU GDPR), due to come into effect one year from today. The survey, which polled 500 IT decision makers in the UK, Germany, France and the U.S., reveals that 75% of organizations indicate they will struggle to be ready for the deadline. An additional 42% say that it’s not a priority for their businesses, despite the threat…
Data Security

Lessons from WannaCry: Varonis on CNBC’s Nightly Business Report

Last night, Varonis’ Brian Vecci, Technical Evangelist, sat down with Andrea Day of CNBC’s Nightly Business Report to discuss the recent WannaCry outbreak, where it goes from here and lessons to be learned. You can watch the full clip here. “We’re playing catch up because of how much data and how much complexity and how blind we’ve been to these kinds of attacks.” What’s the latest on the attack: We know how to prevent WannaCry…