Bsides Cymru 2024

I Don't Care about Domain Admin
04-27, 13:30–14:00 (Europe/London), Main Room (Ballroom) - Track 1

Achieving domain admin status may showcase l33t hacking skills, but does it resonate with clients? This presentation challenges the traditional focus on system compromise by shedding light on the often-overlooked consequence: the compromise of client and user trust. While penetration testers traditionally strive for system vulnerability identification, threat actors are evolving to exploit novel ways to impact victims.
In a notable incident from November 2023, the ransomware group Alphv/BlackCat filed a complaint with the US Securities and Exchange Commission (SEC) against a victim who failed to disclose the data breach they caused. This incident may signal a potential shift towards hacking groups leveraging laws and regulations to pressure victims into making payments, adding a new layer to cyber threats.
Exploring the European landscape, where the protection of Personally Identifiable Information (PII) is paramount, is it possible for penetration testers to leverage regulatory frameworks? By highlighting the business and regulatory impacts that clients may suffer due to lax security practices, we aim to encourage better security adoption. Can we turn regulatory compliance into a powerful tool for enhancing cybersecurity and fostering client trust?


Presentation outline
1) Common pentesting goals
In the opening of the talk, we discuss that some common goals for clients engaging pentesters are the identification of vulnerabilities, and that testers have their own goals of being able to break all security, achieve a data breach and escalate privileges (Domain Admin FTW).
2) Traditional vs Modern penetration testing
This section talks about how clients are starting to see that security needs to be thought of as a big picture issue and that testing very small areas of a network or single applications doesn’t realistically improve security. Modern testing is moving toward continual vulnerability assessments and more scenario/red team style testing. However, testers still want to get to DA and prove their skills.
3) Real world incidents that didn’t follow traditional playbooks
A review of the Alphv/BlackCat attack against MeridianLink and how they posted a picture of themselves reporting MeridianLink to the USA SEC in an attempt to get them to pay a ransom.
4) GDPR
A review of the types of data that are deemed valuable in the EU (PII) and how companies have been hit with fines after data breaches.
5) Weaponising GDPR for the greater good
A discussion on how in 2024 cyber security is still not where it should be and that perhaps if we embrace the non-technical ramifications of an attack we can convince clients to take action. Some clients have little idea what the impact is of a whoami command showing system access, but they can definitely understand comments such as “the last company that had this much data exposed in a breach paid £X millions in fines”.
6) How to find the flaws
The release of a new tool, FileFinder, that searches the network for file sharing locations and points pentesters to areas of interest.
7) How a single file doomed an organisation’s attempt at being secure
A case study of a real world penetration test against an organisation that took data security seriously, which was doomed due to an NFS share hosting a file with an excessive amount of passwords on it. It would have been significantly harder to break security without these credentials.
8) Conclusion
Summing up how pentesters can still view technical exploits and network compromise as a fantastic goal to achieve. But that we can also add steps to highlight areas that can cause real impact to clients.

Attendee Takeaway
1) Attendees will learn about pentesting concepts and how testers target networks.
2) Attendees will learn about how regulation impacts their clients and that one hacking group has already threatened to use this against their victims.
3) Attendees see a new tool that can be used to map files of interest across a network.

Daniel Cannon is a seasoned cybersecurity professional with over a decade of experience specializing in penetration testing and technical assurance. Throughout his career, Dan has collaborated with diverse public and private sector entities, providing invaluable security assessments and strategic advice.