13 hours 9 minutes
Hello and welcome to another penetration testing execution Standard discussion. Today we're going to be looking at high value targets and high profile targets with respect to the post exploitation phase of the Pee test standard. So please remember that pee test videos do cover techniques and tools that could be used for system hacking.
Any tools, disgust her techniques discussion, be understood by the user and research prior to their use.
Please research your laws and regulations regarding the use of such tools in your area to ensure you do not. Finally, any local laws. Now the objectives of today's discussion are pretty straightforward. So we're going to be discussing what a high value target is.
We're going to discuss why high value targets air sought, and we're going to discuss what precautions we should take
with high value targets.
So what are high value targets? Well, they can be identified and further expanded from the targets identified in the pre engagement meeting through the analysis of data gathered from compromise systems, and the interaction of those systems and service is that run on them. So examples of this would be payroll servers, HR systems,
order processing systems,
anything really, that
maybe initially considered high value or something that's within scope. But then we find is crucial or critical to the ability of the organization to continue to function and operates. If something were to happen to the systems that they were to go down, then they would cripple the organization. Now, why are these targets sought?
Well, it helps us to identify high risk. And this in in effect, helps us to reduce risk to critical systems and to meet the primary goals of penetration. Testing from our perspective, where we're helping the client to understand and reduce risk,
simulate the activities of a threat. Actors big. I mean threat actors get on networks, and they might wanna print server for something they might want, you know, a file server or something of that nature. But if they've got a secret sauce server where they can still I p, and sell it to another
business, if they've got ah credit card processing system that they could then use to still thousands or hundreds of thousands of credit cards and that could be beneficial on Ben, of course, were ultimately trying to provide a return on investment to the client,
and so, by being able to show them what the risks are, being able to direct them to reduce those risks
one, it provides a return on investment for them. But then it helps us to potentially get additional business where we could do an engagement next year or something of that nature. So it's beneficial for both parties to work through those targets
now. What are some precautions that we should take with high value targets? Well, we don't want to destroy any high value data. We don't want to use exploits that could crash high value systems. And so if you run something and it has the potential to cause a denial of service type effect, where the system goes down or the service crashes,
that could be detrimental. And it could cause issues, especially in like an icy s or manufacturing taught style network. And I would even say if someone's willing to let you test, I see a systems and you've never done it. Don't so you could get into a lot of trouble there. Do not engage systems outside of the scope
makes sense, even if you see something that you think is high value if it's not in the scope of service, don't engage, don't violate the rules of engagement to compromise. Ah, high value targets. So even if you think well, the climb will be fine. They're gonna want to know this. They're gonna want to see this, and it's going to provide value to them.
It doesn't matter if you violate the rules of engagement
and something happens.
Your online at that point and then don't do harm. Do no harm in your actions. Ultimately,
the focus of your efforts is to reduce risk and help the client be aware of what's going on in their network.
If you come in with a hammer and you start pounding away at things and you're breaking stuff and things were going down and they're having a hard time, this engagement becomes frustrating for the client
and becomes frustrating for management. And it just makes it that much harder for them to see benefit in value and what it is that you're doing. So always attempt to do no harm in the process of doing your testing, especially when it comes to working with high value targets.
Now let's do a quick check on learning true or false. If I high value target can be compromised, it should be done by any means necessary.
All right, If you need an additional second or two, please pause the video
so high value targets should be compromised by any means necessary that is laid out within the rules of engagement. Okay, so you should not break any laws. You should not violate
client trust. You should not violate the rules of engagement to gain access or compromise that system. So we're within the means of your rules of engagement, your scope of work. And if you're in doubt, then ask a question to your lead or your manager or to the client to ensure that that is covered in the scope
or the rules of engagement. And if they don't concur and they feel that it isn't,
then go from there. So this is a false statement. You should not work by any means necessary to compromise. How about your target? Especially if it's not covered in the rules of engagement.
So what? That said, Let's go ahead and look through our summary. So we discussed what high value targets are. We discussed why they would be sought, and we discussed what precautions we should take when working with those targets. Remember, it's really anything that could be of
critical value to the organization, so an executive could be a high value target. You could try to fish, you know, executive, get them to interact with email, compromise their system. The secret sauce server, the primary file share our Indy Server
HR payroll, a system that controls power on machinery.
Whatever the case may be, those could be considered high value targets, depending on what the organization's perception is of those systems. What's critical to their business operating and functioning. And then what role that person probably plays in the organization factors into whether or not they would be considered high value from an attacker standpoint.
So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.