Primary Content: Home

[BSides Talk] Offensive Anti-Analysis

Brief: A talk about options advanced attackers can deploy to beat behavioural malware analysis through the detection (and subversion!) of the behaviour engines themselves. Including a demonstration of how to beat modern engines through a working tool (demos!).This talk should be interesting to malware writers and analysts alike as it shows implementations of beating analysis, but also includes enough inline explanation to make it accessible to beginners.

Continue reading: [BSides Talk] Offensive Anti-Analysis

Security is Hard; Why are you laughing?

This weekend I posted a tweet, a short simple statement – with a lot hidden behind it:

Tweet: "I say "Security is hard" a lot. Infosec professionals laugh when I do. Why are they laughing?"

Security is Hard

I was trying to provoke discussion around two opposite ends of the security spectrum. The idea that security is so difficult that we might as well abandon the whole idea and the idea that security is trivially simple but there are certain blockers in the way (such as managerial denial, being understaffed, tech debt) which are preventing any real progress. The idea being that people are laughing at the statement “Security is hard” because they so wholeheartedly believe one of the above views that they cannot see the other.

Continue reading: Security is Hard; Why are you laughing?

Hacking a Corporation From the Outside: External Penetration Tests

This is one part of a two part series, maybe take a look at Hacking a Corporation From the Inside: Internal Penetration Tests too!

Introduction

Occasionally I get asked by clients how I approach the technical aspects of a Penetration Test, you know, what are all those little black boxes with green text that I’ve got open on my screen? Also occasionally, when I’m talking to new testers and people interested in becoming a penetration tester, they understand tool use and they often understand the specifics of vulnerabilities but don’t necessarily know how it all goes together.

Continue reading: Hacking a Corporation From the Outside: External Penetration Tests

Hacking a Corporation From the Inside: Internal Penetration Tests

This is one part of a two part series, maybe take a look at Hacking a Corporation From the Outside: External Penetration Tests too!

Introduction

Occasionally I get asked by clients how I approach the technical aspects of a Penetration Test, you know, what are all those little black boxes with green text that I’ve got open on my screen? Also occasionally, when I’m talking to new testers and people interested in becoming a penetration tester, they understand tool use and they often understand the specifics of vulnerabilities but don’t necessarily know how it all goes together.

Additionally, GracefulSecurity.com is filled with information on Infrastructure security, but there’s no guide about how it all fits together!  So I plan here, to write up a step-by-step example of how I go from plugging in to a corporate network and end up leaving that day as a Domain Administrator.

Continue reading: Hacking a Corporation From the Inside: Internal Penetration Tests

Book Review: Red Team Field Manual

Title: Red Team Field Manual
Author: Ben Clark

 

TL;DR:
In short, a book I recommend for those times you’re caught on a Penetration Test without Internet access and you just can’t quite remember valid syntax for the tar command!
You won’t learn anything new as the book offers little in the way of explanation for anything and is most certainly just a lengthy, bound, cheat sheet – but, it’s cheap, packed full, and serves its specific purpose well.

Continue reading: Book Review: Red Team Field Manual