Great story, but I wouldn't call it "failed" because it showed that the company has really good security procedures. I don't know many companies that could have resisted this sort of internal threat.

I've had pentests that found nothing before but I had logs full of attempts to compromise the app, including in some ways I'd never even heard of before. I didn't consider them to be failures either.
Meanwhile 4 out of 5 webshops we check have critical vulnerabilities and half the owners don't care because "it just costs money to fix it and things have been fine so we'd rather spend more on Adwords".

Security, no scratch that - the human psyche works in mysterious ways :)

This company seems to run a tight ship though!
The problem I have with pen tests is that they're not systematic and rely on the cleverness and knowledge of the tester. Even if they identify an issue, it's often hard or impossible to ensure it doesn't regress, and if it's in-house or custom software they've never seen before they likely won't be of much help without a lot of effort.

I think one step forward would be also approaching security the same way epidemiologists track down causes of diseases. In that they take patient data and trace back the factors that caused it, just instead of patients we're talking about security vulnerabilities and breaches. Having a corpus of causal diagrams, we can then develop software to analyze risk factors that we can then systematically test for.
> I could've run "net accounts" on my workstation to query Active Directory directly & see their password policy, but decided to look elsewhere first. I didn't want to set off any alerts or logging.

I know nothing about Windows, but I'd have thought checking password policies far less likely to alert than plugging in your own device on the network.

Anyway, my favourite bit was that they didn't stop the people in Accounts running Powershell, they just raised an alert. I much prefer that approach to blocking people most likely just doing their job.
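An added example, not from this thread or the story it discusses, of the alert-rather-than-block approach the comment above prefers: a small detection that reads process-creation records and raises an alert when PowerShell is launched by a user outside the departments expected to use it, without interfering with the process. The record format, field names and department mapping are constructed for illustration and are not a real log schema.

```python
# Added example (not from the thread): alert-only detection of PowerShell
# launched by users outside IT, over constructed Windows 4688-style records.
# Field names, paths and the department mapping are assumptions for illustration.
import re

# Constructed sample of process-creation events (Event ID 4688 style, simplified).
SAMPLE_EVENTS = r"""
4688 user=jdoe dept=Accounts proc=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
4688 user=jdoe dept=Accounts proc=C:\Program Files\Microsoft Office\EXCEL.EXE
4688 user=itadmin dept=IT proc=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
4688 user=msmith dept=Marketing proc=C:\Windows\System32\cmd.exe
4688 user=msmith dept=Marketing proc=C:\Program Files\PowerShell\7\pwsh.exe
"""

EVENT_RE = re.compile(r"^(?P<id>\d+) user=(?P<user>\S+) dept=(?P<dept>\S+) proc=(?P<proc>.+)$")
# Executables treated as PowerShell hosts; pwsh.exe covers PowerShell 7+.
SHELLS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Departments where PowerShell use is routine and should not alert (assumed).
EXPECTED_DEPTS = {"IT"}


def parse_events(text):
    """Parse constructed 4688-style lines into dicts; skip lines that don't match."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m and m.group("id") == "4688":
            events.append(m.groupdict())
    return events


def find_unexpected_powershell(events, expected_depts=EXPECTED_DEPTS):
    """Return one alert per PowerShell launch by a user outside expected_depts.

    The process is never blocked: the output is a list of alerts for an
    analyst to triage, which is the trade-off the comment above prefers."""
    alerts = []
    for e in events:
        exe = e["proc"].rsplit("\\", 1)[-1].lower()
        if exe in SHELLS and e["dept"] not in expected_depts:
            alerts.append({"user": e["user"], "dept": e["dept"], "exe": exe})
    return alerts


if __name__ == "__main__":
    for a in find_unexpected_powershell(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: {a['user']} ({a['dept']}) started {a['exe']}")
```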
The author confirmed on Twitter that "aside from the beating up and tying down" this is a true story[0].

[0] https://twitter.com/TinkerSec/status/1063781216128835584
> I woke up, bloody, in an ergonomic office chair, my hands zip-tied behind me with the same zip ties they used to manage the server ethernet cables.

I didn't realize this story was fiction until I got to this sentence.

Update: The author confirmed on Twitter that other than the dramatization, this story is in fact true.

> And, aside from the beating up and tying down, it was true![0]

I can admit when I'm wrong. I stand corrected.

[0] https://twitter.com/TinkerSec/status/1063781216128835584
Nice story and a good illustration that a lot of good IT Security isn't buying fancy "next gen" products, it's doing the basics of managing your systems well.

It costs more to run IT well, but there are good payoffs, like this.
I love reading factual hacker stories that read like fiction. Very entertaining. A brutal 5-7 year on-ramp of learning what computers actually do on the inside... but understanding what the story is about is worth it.
During pentests most testers run the usual route of attacking the domain. In my opinion it's not realistic, because most attackers don't attack domains. They attack applications.
This story is also available as a series of tweets in case anyone prefers to consume it that way.

https://twitter.com/TinkerSec/status/1063423110513418240
So if he ran the powershell at midnight he could have potentially gone unnoticed until the IT guys got back in the office?

What if this was a global Corp, would someone be monitoring this 24/7 across timezones?

What kind of damage could he have done if he had, say, 1 hour of unfettered access?
> On most Internal Pentests, I generally get Domain Admin within a day or two. Enterprise Admin shortly thereafter.

Sounds realistic, from how most Windows shops are run.

Would it help to stop using AD to manage the IT infra, or have tiny domains (say, max 10 computers) without centralised control, and no company-internal workstation networks? Maybe throw in a rule that devices are recycled (to be wiped) frequently, say every 6 months.
> I had already tried various things to my own employee laptop, but I was not local admin and the disk was fully encrypted.

Hang on, if he can boot his laptop does it not follow that he has the necessary information to decrypt the drive?
Excellent reading. In my experience, internal politics is the greatest threat against companies.

Most of us here can walk into most companies and engineer an end-to-end encrypted, least-access, zero-trust, MFA-authenticated network using strictly FOSS tools and methodologies. Question: Who will let you?

No joke, OP wasn't exaggerating about how easy most of his pentests are. Most companies throw money at it, do risk analysis and say "hmm, this is enough, a compromise is tolerable".

IMO, when it rains, it pours. Risk analysis only tells you what the risk is based on known data. Unknown unknowns will be your doom. Best to build things right even without an incentive.
Story of a failed pentester, perhaps?

Social engineered their way into an unlikely scenario bound to raise suspicion.

Tests and methods were pretty successful, otherwise.

Still, I cannot fathom why companies insist on the rickety tinkertoy that is Microsoft Windows.
> hauling armloads of old laptops from the IT shack to my cubicle, a small Leaning Tower of Pisa forming under my desk

That sounds more unrealistic than properly protected Windows systems tbh. New marketing employee hauling lots of laptops, no one noticed? Like, people that work nearby might've noticed that?