In this episode, we discuss soft skills and mental health for security professionals. Soft Skills self-awareness Gumption (initiative & resourcefulness) Autodidactic (self-educate) Empathy Patience Determination Communication - This is one to hit heavily Written & Spoken read the room Creativity (BS-ing) Attention to detail Curiosity Mental Health do you truly enjoy/love what you do? work-life balance change the definition of "success" give yourself a break/don't be so har...
Jan 10, 2024•38 min•Ep 74•Transcript available on Metacast In this episode, we discuss password spraying, a favorite technique among attackers who are trying to compromise organizations. Spencer and Tyler discuss external and internal password spraying, why it is so effective, how password spraying works, and what to look out for on your network. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer's LinkedIn: https://linkedin.com/i...
Jan 03, 2024•35 min•Ep 73•Transcript available on Metacast In this episode, Spencer is joined by Daniel Perkins, a Senior Information Security Officer at SecurIT360 to discuss the intricacies of vulnerability management, the important prerequisites to vulnerability management, and best practices, and provide actionable strategies to level up your vulnerability management program. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer'...
Dec 27, 2023•36 min•Ep 72•Transcript available on Metacast In this episode, Zach Sims (Information Security Officer at SecurIT360) provides valuable insights into offensive security services from the perspective of a security leader. This episode explores the significance of these services in today's digital landscape. Listeners gain a concise understanding of the CISO's role, the alignment of offensive security goals with cybersecurity strategy, and the challenges faced in implementation. The discussion also delves into how CISOs balance the ...
Dec 20, 2023•34 min•Ep 71•Transcript available on Metacast This is part two of Future Trends in Pentesting. Spencer and Darrius, members of SecurIT360's offensive security team discuss up and coming techniques, tools and tactics that they see on the horizon for 2024 and beyond. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer's LinkedIn: https://linkedin.com/in/SpencerAlessi Work with Us: https://securit360.com...
Dec 13, 2023•32 min•Ep 70•Transcript available on Metacast In this episode Brad and Darrius discuss future trends in penetration testing. We plan for this to be a multi-part series and in this part listen to Brad and Darrius delve into why keeping pace with current and future trends is important, evolving threats, the cloud and much more! Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer's LinkedIn: https://linkedin.com/in/Spence...
Dec 06, 2023•25 min•Ep 69•Transcript available on Metacast In this episode of "The Cyber Threat Perspective," Tyler and Brad, members of SecurIT360's offensive security team, take us through the evolution of various penetration testing TTPs. Specifically, using the external penetration test process as an example and analyzing other processes and why/how they changed. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer&apo...
Nov 29, 2023•19 min•Ep 68•Transcript available on Metacast In this episode, Spencer and Tyler go "behind the hack" and discuss what life is like behind the keyboard of an external pentest. They discuss various parts of an external penetration test such as planning and preparation, execution, and post-exploitation as well as common challenges throughout the way. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer's LinkedI...
Nov 22, 2023•29 min•Ep 67•Transcript available on Metacast This week we are replaying one of our earliest episodes. In this episode, Brad and Spencer discuss the THREE primary ways we gain initial access on penetration tests and how to stop us! The moral of this story is that these are attack vectors we see adversaries using day in and day out to compromise organizations. We hope this episode helps you track down and close those gaps in your own environments. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://tw...
Nov 15, 2023•34 min•Ep 1•Transcript available on Metacast In this episode, Spencer and Darrius discuss a common divide found among companies between the Security Team and the development teams. These are two teams that are ultimately trying to benefit the company, and by working together both are able to succeed. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer's LinkedIn: https://linkedin.com/in/SpencerAlessi Work with Us: htt...
Nov 08, 2023•19 min•Ep 66•Transcript available on Metacast This is the November 2023 Cyber Threat Recap. Every day our Cyber Threat Intelligence team is tracking, researching, and analyzing threats, vulnerabilities, exploits, and techniques with the purpose of keeping you up-to-date on what's relevant and important in the industry. So you can be more prepared today than you were yesterday to protect your organization. Okta Breach/1Password Okta says its support system was breached using stolen credentials 1Password Detects Suspicious Activity Follo...
Nov 01, 2023•15 min•Ep 1•Transcript available on Metacast In this very special Halloween episode, prepared to be scared. Brad and Spencer discuss the common and not so common locations that we find credentials during penetration tests. This includes plaintext credentials and other types of credential material like API keys. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer's LinkedIn: https://linkedin.com/in/SpencerAlessi Work w...
Oct 31, 2023•35 min•Ep 65•Transcript available on Metacast In this episode, Spencer and Darrius go "behind the hack" and discuss what life is like behind the keyboard of a web application penetration tester. They discuss various parts of a web app penetration test such as planning and preparation, execution, and post-exploitation as well as common challenges throughout the way. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spenc...
Oct 25, 2023•35 min•Ep 64•Transcript available on Metacast In this episode, Brad and Spencer go "behind the hack" and discuss what life is like behind the keyboard of an internal penetration tester. They discuss various parts of an internal penetration test such as planning and preparation, execution, post-exploitation as well as common challenges throughout the way. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer's L...
Oct 18, 2023•30 min•Ep 63•Transcript available on Metacast In this episode we discuss what makes a great penetration test report. The report is THE crucial deliverable of a penetration test. It's the culmination of all the effort that went into testing. It not only provides insights into an organization's security posture but also serves as a roadmap for addressing vulnerabilities and improving overall security. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twit...
Oct 11, 2023•28 min•Ep 62•Transcript available on Metacast In this episode, we explore the various tactics used by malicious actors to manipulate individuals and organizations, and provide practical tips to safeguard against these attacks. From educating your team members to implementing strong security measures, join us to learn how to effectively protect yourself and your organization from social engineering threats. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter...
Oct 04, 2023•27 min•Ep 61•Transcript available on Metacast In this episode, Spencer and Darrius discuss unpopular Cybersecurity opinions, which are referred to as "hot takes." This discussion was inspired from a tweet by John Breth (@JBizzle703) which as of recording has close to 4 million views. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer's LinkedIn: https://linkedin.com/in/SpencerAlessi Work with Us: https://sec...
Sep 27, 2023•35 min•Ep 60•Transcript available on Metacast In this episode, Darrius and Spencer discuss Offensive Security TTPs and tools that look promising, that we're excited for, or are trending. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer's LinkedIn: https://linkedin.com/in/SpencerAlessi Work with Us: https://securit360.com...
Sep 20, 2023•32 min•Ep 59•Transcript available on Metacast In this episode, we're talking about How To Identify and Mitigate Insecure Windows Services. This is a very common issue we see on internal pentests. So much so that day 1 of our internal pentests revolves around evaluating the security and configuration of the endpoint to identify these issues. But this is only the tip of the ice burg. https://offsec.blog/hidden-danger-how-to-identify-and-mitigate-insecure-windows-services/ Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyber...
Sep 13, 2023•31 min•Ep 58•Transcript available on Metacast In this episode we talk all about Active Directory Certificate Services and a free tool designed to help find and fix AD CS misconfigurations called Locksmith. Jake Hildreth (Mastodon: @horse@infosec.exchange) the creator of Locksmith together with Sam Erde (Twitter: @SamErde) and myself (who are contributors to the project) chat about the inception of Locksmith and some of the awesome features, such as remediation snippets. Invoke-Locksmith today! https://github.com/TrimarcJake/Locksmith Blog: ...
Sep 06, 2023•38 min•Ep 57•Transcript available on Metacast In this episode, Brad and Spencer talk about how vulnerabilities are assigned severity ratings, why they are important, how they are not perfect and why you should not rely on severity ratings alone to determine risk. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer's LinkedIn: https://linkedin.com/in/SpencerAlessi Work with Us: https://securit360.com...
Aug 30, 2023•26 min•Ep 56•Transcript available on Metacast In this episode, Brad and Spencer discuss the role EDR and Antivirus plays in a modern security stack, the overreliance on EDR, and how that's a dangerous game. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer's LinkedIn: https://linkedin.com/in/SpencerAlessi Work with Us: https://securit360.com...
Aug 23, 2023•24 min•Ep 55•Transcript available on Metacast In this episode we're talking about misconfigured and dangerous logon scripts. Spencer and Brad discuss 4 common examples, based on real-world engagements, of how logon scripts can be misconfigured and how they can allow for all sorts of bad things. Do you know what's hiding in your logon scripts? Read the blog post that goes along with this episode here: https://offsec.blog/hidden-menace-how-to-identify-misconfigured-and-dangerous-logon-scripts/ https://github.com/techspence/ScriptSen...
Aug 16, 2023•23 min•Ep 54•Transcript available on Metacast This episode concludes our miniseries all about PowerShell. In this episode, we're going to discuss How to Defend and Mitigate PowerShell Attacks. Definitely check out our previous episodes: How Attackers Use PowerShell, and Security Automation with PowerShell. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer's LinkedIn: https://linkedin.com/in/SpencerAlessi Work wi...
Aug 09, 2023•29 min•Ep 53•Transcript available on Metacast In this episode Spencer and Tyler discuss the most important things you must do before you have an external penetration test. Everything from understanding goals and objectives to asset management to dark web searches. Listen in as Tyler shares how the SecurIT360 external pentest process may be different from other pentests you've received in the past. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: ht...
Aug 02, 2023•22 min•Ep 52•Transcript available on Metacast Spencer and Darrius continue their series of episodes all about PowerShell. In this episode, they discuss using PowerShell for automation and orchestration. Stay tuned for the next episode where we talk about defending against PowerShell abuse. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer's LinkedIn: https://linkedin.com/in/SpencerAlessi Work with Us: https://securit...
Jul 26, 2023•36 min•Ep 51•Transcript available on Metacast In this episode Spencer and Darrius discuss how cyber adversaries harness the power of PowerShell to orchestrate their malicious activities. Stay tuned for the next episode where we talk about security automation with PowerShell. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer's LinkedIn: https://linkedin.com/in/SpencerAlessi Work with Us: https://securit360.com...
Jul 19, 2023•28 min•Ep 50•Transcript available on Metacast In this episode Brad and Spencer discuss the nuances around scoping offensive security engagements. Scoping an offensive security engagement involves defining boundaries, objectives, and limitations before starting. It includes objectives, rules, scope boundaries, legal considerations, timeframe, reporting, approval, and sign-off. Scoping is important for clarity, risk management, compliance, stakeholder involvement, and setting expectations. Blog: https://offsec.blog/ Youtube: https://www.youtu...
Jul 12, 2023•28 min•Ep 49•Transcript available on Metacast In this episode, Brad and Darrius talk about Authentication and what issues they routinely see while performing penetration tests. They walk about MFA, Passwords, Conditional Access, and other solutions that, done right, will improve your external security posture. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer's LinkedIn: https://linkedin.com/in/SpencerAlessi Work wit...
Jul 05, 2023•22 min•Ep 48•Transcript available on Metacast In this episode Spencer, Darrius and Tyler get together for a round-table discussion on sharpening your sword as a pentester. They discuss what they do to keep improving, upping their skill and honing their craft. Spoiler, it's not just the technical aspects of pentesting that are important to work on. Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Spencer's Twitter: https://x.com/techspence Spencer's LinkedIn: htt...
Jun 28, 2023•26 min•Ep 47•Transcript available on Metacast 
