In this episode Spencer and Darrius discuss and explore Active Directory security risks from a hacker's point of view. They discuss various techniques and tools that attackers use to attack Active Directory and how you can reduce your organization's risk by finding these vulnerabilities and misconfigurations and fixing them. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence ...
Jun 21, 2023•37 min•Ep 46•Transcript available on Metacast In this episode, Tyler and Brad talk about the most common external penetration test findings. We see these findings over and over again and want you to know what to do about them and how they may impact you. Check it out! Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer's LinkedIn: https://linkedin.com/in/SpencerAlessi Work with Us: https://securit360.com...
Jun 14, 2023•21 min•Ep 45•Transcript available on Metacast In this episode, Darrius and Brad talk about the need for coding skills in the offensive security world. There's some fun with regard to which languages are important too. Check it out! Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer's LinkedIn: https://linkedin.com/in/SpencerAlessi Work with Us: https://securit360.com...
Jun 07, 2023•20 min•Ep 44•Transcript available on Metacast In this episode John Hammond joins us on the show! We talk about John's background and how he got interested in computers, how he approaches learning a new topic, if you have to create content to grow your career and so much more. There's a whole lot of fun and smiles and joy in this episode, check it out! Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer's Link...
May 31, 2023•32 min•Ep 43•Transcript available on Metacast OSINT - Open Source Intelligence - is the process of collecting and analyzing publicly available information in order to achieve some goal or facilitate some kind of action. OSINT can be and is used for all sorts of things, and it's applicable to virtually every industry. OSINT, like many other things, can be used for good and it can be used for evil. But it's what you don't know about OSINT that can really hurt you... Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberth...
May 24, 2023•34 min•Ep 42•Transcript available on Metacast In this episode Brad, Spencer and Tyler discuss the major differences and pros and cons of Security Assessments and Penetration Tests. In the end they are both very different types of assessments and require different skill sets to perform. If you're in charge of IT or Security at your organization, this is a must-listen episode! Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence ...
May 17, 2023•37 min•Ep 41•Transcript available on Metacast It's no secret law firms have become prime targets for attackers due to the sensitive information they handle and the clients they do business with. In this episode Brad and Spencer discuss common tactics used by attackers to breach law firms' defenses and provide practical tips on how to detect and prevent these types of attacks. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techs...
May 10, 2023•31 min•Ep 40•Transcript available on Metacast This is part 2 of a 2 part series where Spencer, Darrius and Tyler talk about pentesting certifications and where they fall on a tier list. For those unfamiliar, we're ranking the popular pentesting certifications from best to worst. This is a must listen/watch episode, check it out and be sure to let us know in the comments what YOU think of these certifications and if we had any bad takes! Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/c...
May 03, 2023•1 hr 6 min•Ep 39•Transcript available on Metacast This is part 1 of a 2 part series where Spencer, Darrius and Tyler talk about pentesting certifications and where they fall on a tier list. For those unfamiliar, we're ranking the popular pentesting certifications from best to worst. This is a must listen/watch episode, check it out and be sure to let us know in the comments what YOU think of these certifications and if we had any bad takes! Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/c...
Apr 26, 2023•31 min•Ep 38•Transcript available on Metacast In this episode Brad and Darrius continue the Offensive Security Testing series and discuss Wireless Penetration Testing. Wireless Pentesting is often overlooked, but could be the blind spot that allows an attacker onto your network. Listen to this episode for key insights and considerations related to wireless networks and pentesting. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence...
Apr 19, 2023•32 min•Ep 37•Transcript available on Metacast In this episode Brad and Spencer discuss the differences between a Penetration Test, Purple Team Exercise and a Red Team Engagement. The goal of this episode is to help educate and inform on the differences between a pentest, a purple team and a red team, what the goals of each may be, and how they help an organization improve security and resilience. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://...
Apr 12, 2023•36 min•Ep 36•Transcript available on Metacast In this episode, Spencer and Tyler discuss Tyler's journey from working at Home Depot to getting a job as a Penetration Tester. They also share first-hand advice for those that are looking to break into this exciting field. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer's LinkedIn: https://linkedin.com/in/SpencerAlessi Work with Us: https://securit360.com...
Apr 05, 2023•42 min•Ep 35•Transcript available on Metacast In this episode, Darrius and Brad look at the current state of web application penetration testing, why it is how it is, and what you can do if you want to break into the field. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://twitter.com/cyberthreatpov Work with Us: https://securit360.com Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Sp...
Mar 29, 2023•26 min•Ep 34•Transcript available on Metacast In this episode, Brad and Darrius talk about some of the buzz around recent changes in privacy regulation/law and how it may impact other market verticals such as banking, law firms, and retail. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://twitter.com/cyberthreatpov Work with Us: https://securit360.com Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x....
Mar 22, 2023•24 min•Ep 33•Transcript available on Metacast In this episode Spencer shares his affinity for PingCastle. If you are in IT, whether you're a sysadmin or network admin or have any other kind of responsibility for the security of your environment, I encourage you to have a look at PingCastle. Not only can it be used to find VERY severe vulnerabilities, but you can use it to track progress over time and show leadership you're doing the work. We also talk about some of my favorite ways to use this tool on penetration tests. Blog: https://offsec....
Mar 15, 2023•32 min•Ep 32•Transcript available on Metacast In this episode Brad and Spencer discuss some of the more interesting pentest engagements they've been on. The goal of this episode is to reflect on some of the significant vulnerabilities and "cool" attacks we've performed on pentests, yes, but it's also an important reminder that if we don't remember history we are bound to repeat it. Yes, we are total nerds and no, we're not going to apologize for that ;) Blog: https://offsec.blog/ Youtube: https://www.youtu...
Mar 08, 2023•35 min•Ep 31•Transcript available on Metacast In this episode, Brad and Spencer discuss the newly released information surrounding the 2022 LastPass data breach. They discuss potential controls that may have prevented the incident and recommendations for protecting your own organization against this kind of threat. https://support.lastpass.com/download/lastpass-blog-security https://support.lastpass.com/help/what-data-was-accessed Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpo...
Mar 01, 2023•32 min•Ep 30•Transcript available on Metacast In this episode Brad and Spencer discuss vulnerabilities that are not detected by vulnerability scanning tools such as Nessus and explore several methods that can be used to identify them. While vulnerability scanning is important and effective at identifying known vulnerabilities, scanners are not so good at detecting unknown or complex vulnerabilities. To address this gap, we discuss several complementary methods that can be used, such as penetration testing, red teaming, fuzzing, and source code revie...
Feb 22, 2023•33 min•Ep 29•Transcript available on Metacast In this episode, Brad and Darrius discuss recent and upcoming changes made to the BurpSuite line of products. If you're a web application penetration tester or just interested in web application security, check this out, it's a game-changer. PortSwigger Post: https://portswigger.net/blog/burp-suite-roadmap-update-january-2023 Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://twitter.com/cyberthreatpov Work with Us: https://securit360.com Blog:...
Feb 15, 2023•28 min•Ep 28•Transcript available on Metacast In this episode Brad and Spencer discuss all the bad advice that's been given over the years regarding passwords and they provide insights into why the current state of passwords is the way it is. Chances are you're like us and you've made each and every one of these password mistakes before. If you want to know what not to do when it comes to passwords, this episode is exactly what you need. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: ...
Feb 08, 2023•38 min•Ep 27•Transcript available on Metacast In this episode Spencer and Darrius discuss a variety of things you can and should be doing to secure your cloud environments. While the majority of these quick wins pertain to Microsoft 365 and Azure, the same concepts can be applied to AWS, Okta, Duo and others. Take the time to know your environment and secure it well. We hope this episode helps give you ideas on how to further secure your cloud infrastructure. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitte...
Feb 01, 2023•33 min•Ep 26•Transcript available on Metacast In this episode Spencer, Darrius and Brad answer the question: "What do I need to do before I have someone pentest my network or my web app or my environment?" Spencer talks about important considerations before internal pentests, Darrius talks about the critical components to focus on before a web app or even an API pentest and Brad wraps it up with two foundational security components to ensure you have in place before an external pentest. Blog: https://offsec.blog/ Youtube: https://...
Jan 25, 2023•32 min•Ep 25•Transcript available on Metacast In this episode Spencer and Darrius discuss some seriously free and relatively "easy" quick wins for hardening your Active Directory and internal environment. We go from talking about weak passwords to discussing nested group membership and a whole lot more. This episode is jam-packed with advice that's free and easy to implement. We hope you enjoy and get value from it! Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreat...
Jan 18, 2023•34 min•Ep 24•Transcript available on Metacast In this episode Spencer and Tyler continue the Offensive Security Testing series and discuss External Penetration Testing. We discuss all things external pentesting including what is an external pentest, what is PTES, how external pentests work operationally, pros and cons of different types of external pentests and so much more. Stay until the end of the podcast because Tyler shares war stories and talks about things that can get your organization compromised and how to prevent that. Blog: http...
Jan 11, 2023•35 min•Ep 23•Transcript available on Metacast In this episode Spencer and Darrius discuss the most recent LastPass breach. We talk all about what happened, what it means to you and me, as well as what it means for firms who use LastPass on an enterprise level. At the end we discuss some thoughts and opinions around staying with LastPass versus finding a new password vault product, and some things to pay attention to if you're in the latter boat. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cybe...
Jan 04, 2023•33 min•Ep 22•Transcript available on Metacast In this episode we've got the whole Offensive Security team at SecurIT360 on the podcast to talk about exciting moments of 2022 and what everyone is excited about as we move into 2023 and beyond. Thank you for listening and/or watching! If you enjoy our podcast we'd love to know what specifically you enjoy so we can make more of that type of content. Merry Christmas and Happy New Year! Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyber...
Dec 21, 2022•9 min•Ep 21•Transcript available on Metacast In this episode Spencer and Darrius discuss an amazing new AI chatbot that has taken the internet by storm and captivated the infosec community. Listen to this episode to learn what ChatGPT is, how it can be used (and abused) and what the possible implications are (good and bad) of such an amazing piece of technology. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer's Li...
Dec 14, 2022•38 min•Ep 20•Transcript available on Metacast CTF, or Capture The Flag, is a great way to expand your learning and understanding of various information security topics. It can also be great fun and a great way to meet people in the industry. In this episode Spencer and Darrius talk about the benefit of using CTFs to keep your pentesting skills sharp over the holiday "break." Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techsp...
Dec 07, 2022•17 min•Ep 19•Transcript available on Metacast In this episode, Darrius and Brad talk about PortSwigger's Burp Suite, how they use it, and why it's important. They also offer a sneak peek into what's coming in 2023! Blog: https://offsec.blog/ Youtube: https://www.youtube.com/channel/UCCWmudG_CTNAFBaV48vIcfw Twitter: https://twitter.com/cyberthreatpov Work with Us: https://securit360.com Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: http...
Nov 30, 2022•19 min•Ep 18•Transcript available on Metacast In this episode Spencer and Brad talk about the hidden dangers of not properly protecting Microsoft WSUS servers. That's Windows Server Update Services for those not in the know. Attackers often use legitimate functionality to gain ground and WSUS is no different. Nettitude blog discussing SharpWSUS: Introducing SharpWSUS - Nettitude Labs Spencer's fork of SharpWSUS: GitHub - techspence/SharpWSUS: SharpWSUS is a C# tool for abusing Microsoft Windows Server Update Services for Lateral Mo...
Nov 23, 2022•22 min•Ep 17•Transcript available on Metacast