Hello and welcome to another Penetration Testing Execution Standard discussion. Today we're going to round out our exploitation section of the pentest standard and discuss what the overall objectives should be of the exploitation phase. We've mentioned them in other discussions, but it's fitting that we put them all in one place and go through them a final time.
So, quick disclaimer. Any tools or techniques that we discuss could be used for system hacking. Anything demonstrated should be researched by the user and understood by the user prior to use of such tools. And you want to make sure that you research your applicable laws and regulations regarding the use of such tools or techniques in your given area to ensure we don't get into any trouble with the law.
Now, the objectives of today's discussion are pretty straightforward and short. We're going to identify the path of least resistance, which is the primary objective in exploitation overall, and we're going to talk about simulating potential loss. So let's jump right in.
So, identifying the path of least resistance. In the pre-engagement interactions phase with the customer, a clear definition of the overall objectives of the penetration test should have been communicated.
In the case of the exploitation phase, the biggest challenge is identifying the path of least resistance into the organization without detection and having the most impact on the organization's ability to generate revenue. So our goal: risk identification, risk reduction, and acting as a threat actor. Human beings, no offense to anyone, by nature could be somewhat lazy. And so we want to find a method or a manner in which we can get into a system without much work or effort. And really, that's duly noted. If I can find a port that is open and I can connect to an FTP server with the credentials admin admin, that's much easier than attempting to bypass the firewall and dump a payload on the system.
So we want to look for those vectors first. The path of least resistance is often right there in front of us, and so we don't want to go above and beyond. If we can impact and get into a critical system with minimal effort, that makes the most sense. That's what an attacker would do.
Now, simulating potential loss. By performing the prior phase properly and understanding how the organization functions and makes money, that all should be relatively understood. And so from the exploitation phase and into the post-exploitation phase, the attack vectors should rely solely on the mission of circumventing security controls in order to represent how the organization could suffer substantial loss through a targeted attack against the organization. Our goal, again: risk reduction, identification.
We want to be able to tie dollars and cents back to the activities that we're conducting. So if we can prove and show them an accounting system can be compromised and brought down, dollars and cents can be tied to that. If we could halt production because we could shut down a system or damage it, dollars and cents are tied to that. Now, we don't want to damage systems in the process. But if we could do a proof of concept and prove that, then that could be useful in simulating potential loss. And so what could be beneficial in a final report is coming up with a dollar value to quantify that risk in a manner that ties back to financial loss, damage of reputation and things of that nature for the organization.
And so this was a very brief discussion today. Again, to summarize the points: when working in the exploitation phase, we're working to get through the path of least resistance. And if we could use admin admin to get into a system, there's no major reason, especially if it's a critical system, to go through the process of complex exploitation.
And then we also want to assist in simulating potential loss, showing the client what that would look like, what downtime could be, what damage could be, and then tying dollars and cents into that, which will allow them to make decisions based on risk identification, risk reduction, and the cost of compensating controls and implementing those controls.
And so with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.