In this episode Brad is joined by Matt Tesauro to talk all things OWASP, API Hacking and DevSec. Matt Tesauro is a Distinguished Engineer at NoName Labs, a member of the OWASP Global Board of Directors and Founder of 10Security, the creators of DefectDojo. Matt Tesauro is a DevSecOps and AppSec guru with specialization in creating security programs, leveraging automation to maximize team velocity and training emerging and senior professionals. When not writing automation code in Go, Matt is push...
Nov 16, 2022 • 34 min • Season 1, Ep. 16
Are you looking for your first job in penetration testing? Perhaps you're looking to advance and level up your skills, or maybe you're a manager looking to hire a penetration tester onto your team. In this episode Brad, Spencer and Darrius talk about which pentesting certs to get and why. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/channel/UCCWmudG_CTNAFBaV48vIcfw Twitter: https://twitter.com/cyberthreatpov Work with Us: https://securit360.com
Nov 09, 2022 • 38 min • Season 1, Ep. 15
This is part 3 of a multi-episode series where the Offsec group at SecurIT360 dives into the details of various Offensive Security Tests, what they mean, what to expect, war stories and much more!
Nov 02, 2022 • 31 min • Season 1, Ep. 14
This is part 2 of a multi-episode series where the Offsec group at SecurIT360 dives into the details of various Offensive Security Tests, what they mean, what to expect, war stories and much more!
Oct 26, 2022 • 17 min • Season 1, Ep. 13
Coming at you LIVE from LegalSec22 in San Antonio, Texas. In this episode Brad and Spencer discuss common security challenges that are unique to law firms and provide insights on ways to begin solving those challenges.
Oct 19, 2022 • 16 min • Season 1, Ep. 12
This is part 1 of a multi-episode series where the Offsec group at SecurIT360 dives into the details of various Offensive Security Tests, what they mean, what to expect, war stories and much more!
Oct 12, 2022 • 26 min • Season 1, Ep. 11
Web application risks are not new, but they are different because of how thoroughly web technologies have proliferated through every aspect of modern computing. Everything lives on HTTP or HTTPS or some web service. Tune into this episode to learn about some of the most common risks we see with web applications in the modern landscape.
Oct 05, 2022 • 22 min • Season 1, Ep. 10
There's essentially a 0% unemployment rate in cybersecurity. It's a very hot field, with great job security, great pay and a great mission. But with that comes a high level of competition for individuals seeking cybersecurity jobs. So on today's episode, Brad and Spencer talk with Misty Stacy, Managing Partner at Trusted Cyber Talent, who is at the forefront of helping cybersecurity professionals find their first or next cybersecurity job. Looking for help getting a job in Cyber? Check ...
Sep 28, 2022 • 40 min • Season 1, Ep. 9
In this episode Brad and Spencer discuss the THREE primary ways we gain initial access on penetration tests and how to stop us! The moral of this story is that these are attack vectors we see adversaries using day in and day out to compromise organizations. We hope this episode helps you track down and close those gaps in your own environments.
Sep 21, 2022 • 34 min • Season 1, Ep. 8
In this week's review: Uber was hacked; Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs; Ransomware Developers Turn to Intermittent Encryption to Evade Detection.
Sep 16, 2022 • 16 min • Season 100, Ep. 19
In this episode Brad and Spencer talk about what mature, proactive organizations are doing to harden and secure their environments, with the end goal of forcing attackers to make more noise, which hopefully leads to quicker detection and ejection from your network. These are things that get us caught and slow us down on penetration tests, and they are things that will absolutely do the same to real threat actors.
Sep 14, 2022 • 31 min • Season 1, Ep. 7
In this week's review: New EvilProxy Phishing Service Allowing Cybercriminals to Bypass 2-Factor Security; New Linux Malware Evades Detection Using Multi-stage Deployment.
Sep 09, 2022 • 22 min • Season 100, Ep. 18
Are you sure you're getting what you paid for when it comes to external penetration tests? In this podcast Brad and Spencer discuss 5 things that you as a consumer of penetration tests can do to get more value from them. Some of these are easy wins, some of them require work, all of them will make your external pentests better.
Sep 07, 2022 • 24 min • Season 1, Ep. 6
In this week's review: Roasting 0ktapus: The phishing campaign going after Okta identity credentials; Advanced BEC Scam Campaign Targeting Executives on O365; The Rise of LNK Files (T1547.009) and Ways To Detect Them.
Sep 02, 2022 • 27 min • Season 100, Ep. 17
It's an unfortunate truth that we see these common high risk findings time and time again on internal pentests. We find these issues in heavily hardened environments as well as in less hardened ones, and the end result is the same. Tune in to learn more about these common high risk findings and, most importantly, how to mitigate them for free!
Aug 31, 2022 • 31 min • Season 1, Ep. 5
In this week's review: Hackers Breach LastPass Developer System to Steal Source Code; You Can't Audit Me: APT29 Continues Targeting Microsoft 365 | Mandiant; The GitLab 2022 Global DevSecOps Survey.
Aug 26, 2022 • 32 min • Season 100, Ep. 16
Staying relevant and up to date with new techniques and tools requires a certain amount of focus day after day, week after week, year after year, and that focus is constant improvement. If we, as pentesters, don't get better, we can't help businesses defend better. So that's what this podcast is about: constant improvement and showing that off to the world. We are going to talk about WHY you would want to show off your skills as a pentester as well as 7 awesome ways to do just that, ...
Aug 24, 2022 • 32 min • Season 1, Ep. 4
In this week's review: Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY; Realtek SDK Vulnerability Exposes Routers; InfoSec Handlers Diary Blog - SANS Internet Storm Center: CVE-2022-27255 - Realtek eCos SDK SIP ALG buffer overflow; Clop Ransomware Gang Breaches Water Utility, Just Not the Right One; https://twitter.com/malwrhunterteam/status/1559244860636413952?s=20&t=ixiTRaQ9aflHzI37D_VlwQ https://twitter.com/UK_Daniel_Card/status/1559252446320500741?s=20&t=ixiTR...
Aug 19, 2022 • 23 min • Season 100, Ep. 15
This podcast is a discussion about 4 Common Pentesting Mistakes that we ourselves have made and have seen other pentesters make. Hopefully the dialogue around these mistakes and how we go about solving them helps you avoid making them yourself, or recognize them and recover from them quickly. Read the associated blog post here: https://offsec.blog/its-a-trap-avoid-these-4-common-pentesting-mistakes/
Aug 17, 2022 • 32 min • Season 1, Ep. 3
In this week's review: BumbleBee Roasts Its Way to Domain Admin; SMS & Voice Phishing Attacks (https://www.twilio.com/blog/august-2022-social-engineering-attack, https://blog.cloudflare.com/2022-07-sms-phishing-attacks/, https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html).
Aug 12, 2022 • 24 min • Season 100, Ep. 14
Brad and Spencer discuss a common finding on internal penetration tests.
Aug 10, 2022 • 17 min • Season 1, Ep. 2
In this week's review: Large-Scale AiTM Attack targeting enterprise users of Microsoft email services; Deception at a scale; Initial Access Brokers Are Key to Rise in Ransomware Attacks.
Aug 05, 2022 • 25 min • Season 100, Ep. 13
This podcast is a discussion about the 2022 Verizon Data Breach Investigations Report and some of our key takeaways. From the Executive Summary of the DBIR: As introduced in the 2018 report, the DBIR provides “a place for security practitioners to look for data-driven, real-world views on what commonly befalls companies with regard to cybercrime.” For this, our 15th anniversary installment, we continue in that same tradition by providing insight into what threats your organization is likely to f...
Aug 03, 2022 • 34 min • Season 1, Ep. 1
In this week's review: IPFS: The New Hotbed of Phishing; How Threat Actors Are Adapting to a Post-Macro World; Palo Alto 2022 Incident Response Threat Report; Fewer Ransomware Victims Pay As Median Ransom Falls in Q2 2022.
Jul 29, 2022 • 32 min • Season 100, Ep. 12
In this week's review: Microsoft resumes default blocking of Office macros after updating docs (https://docs.microsoft.com/en-us/deployoffice/security/internet-macros-blocked; A potentially dangerous macro has been blocked); BlackCat ransomware attacks not merely a byproduct of bad luck; 'AIG' Threat Group Launches With Unique Business Model.
Jul 22, 2022 • 25 min • Season 100, Ep. 11
In this week's review: Microsoft DOES plan to work on blocking internet macros by default in Office; their pause is apparently temporary. The DFIR Report - SELECT XMRig FROM SQLServer; Hive ransomware gets upgrades in Rust; From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud.
Jul 15, 2022 • 29 min • Season 100, Ep. 10
In this week's review: Microsoft Rolls Back Decision to Block Office Macros By Default 😢; Possible APT29/Ransomware Groups Use of Brute Ratel C4 (When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors; Reversing Malware); Also: How is APT 29 Successful with This Phishing Technique; Raspberry Robin/QNAPWorm: Raspberry Robin gets the worm early; Microsoft finds Raspberry Robin worm in hundreds of Windows networks; New Raspberry Robin worm uses Windows Installer to drop malware ...
Jul 08, 2022 • 27 min • Season 100, Ep. 9
In this week's review: Rise of LNK (Shortcut files) Malware; LockBit 3.0 Released Now With Bug Bounty Program; CISA Says PwnKit Exploited in the Wild.
Jul 01, 2022 • 13 min • Season 100, Ep. 9
In this week's review: New NTLM Relaying Attack via DFSCoerce; Ransomware Potential for OneDrive & SharePoint Files; Keeping PowerShell: Security Measures to Use and Embrace.
Jun 28, 2022 • 16 min • Season 100, Ep. 8
In this week's review: The rise of BlackCat (ALPHV) ransomware (Microsoft Analysis of BlackCat; AdvIntel Analysis of BlackCat); Ransomware Group Debuts Searchable Victim Data; LockBit 2.0: How This RaaS Operates and How to Protect Against It; Translating Saitama's DNS tunneling messages - SANS Internet Storm Center; Public Travis CI Logs (Still) Expose Users to Cyber Attacks.
Jun 17, 2022 • 29 min • Season 100, Ep. 7