Downtime is decided months before the attack. Ethical Threat Insight: Surviving a Ransomware Attack A DC‑area Reddit thread described days of disruption after a hospital system was reportedly hit by Rhysida ransomware. How much was the ransom? ~$3 million USD at the time of the incident. 😲 It’s a painful, real‑world reminder: your ability to operate “offline” is the difference between chaos and continuity. The time to have a plan and to prepare is before the proverbial SHTF. 6 ways to prepare...
20 days ago • 2 min read
Who you choose to test your environment matters just as much as what they test. Ethical Threat Insight: Internal Pentest Report Red Flags If you know a little bit about me, you know internal pentesting is kind of my thing. I’ve done more than 120 internal pentests in the last 5 years. What I have come to realize is that not all internal pentests are created equal, especially when it comes to reporting. Most internal pentest reports look impressive at first glance, but after you dig into them...
27 days ago • 2 min read
Attackers thrive on easy targets, don’t be one. Ethical Threat Insight: How insecurely installed 3rd-party software can hurt you Single, high-value action to do today: audit any recently installed third-party Windows software for who can write files where it installs…then lock it down. Why that matters: attackers don’t need complex exploits if they can abuse commonly overlooked issues. Like insecure software installs and writable system locations. Fixing those stops a huge class of easy...
about 1 month ago • 2 min read
What you don’t watch for could be exactly what attackers exploit. Ethical Threat Insight: Security Alerts No One Sets Up (But Should) Most orgs watch for malware, phishing, account compromise and a whole host of other attacks. But so often I see, what I would consider low-hanging fruit detections, missed by security teams. Here’s a few high value alerts not enough orgs have implemented: Active Directory enumeration - especially when privileged (tier 0) resources are touched, like Domain...
about 2 months ago • 1 min read
One bad rule can undo your entire security policy. Ethical Threat Insight: 3 AppLocker Rules To Never Break AppLocker is a powerful tool…but only if you use it wisely. A single weak or misconfigured rule can be just what an attacker needs. Here are the 3 rules you should never break: 1) Avoid drive roots (like C:\), user-writable folders, wildcards (*), or UNC paths. Attackers look to drop malware where your rules are weakest. 2) If you allow “any binary” from a publisher or forget to set an...
2 months ago • 1 min read
MFA on RDP is like locking your front door while leaving the windows wide open. Ethical Threat Insight: MFA Internally on RDP is NOT Enough Enabling MFA internally on RDP is great, but attackers know that’s not the only way to move laterally in your environment. Protocols like SMB and PowerShell Remoting (WinRM/PSRemoting) usually don’t enforce MFA at all. That means once an attacker is inside, they can often move laterally (unrestricted) with just a password. Here’s the fix: Lock down...
2 months ago • 1 min read
Attackers love shortcuts. Hidden insecure permissions are their express lane to Domain Admin. Ethical Threat Insight: Finding Hidden Insecure Permissions in Active Directory Delegated permissions in Active Directory are specific access rights that are granted without requiring that user be a member of a security group. It’s a way of assigning more granular permissions. However, it’s all too easy to make mistakes when delegating permissions. What are the risks of insecure delegations?...
3 months ago • 2 min read
“Ransomware Threat Actors are very good at the basics, and this shows against companies that aren’t.” -SANS DFIR Aug 2023 Ethical Threat Insight: Windows Misconfigs That Shouldn’t Exist in 2025 I still find these in well-managed environments, and yes, attackers know it. Here are just three of the big ones: Weak Local Admin Control – Shared local admin passwords and no LAPS? That’s pretty much guaranteed lateral movement for threat actors. But that’s not all… Unrestricted PowerShell –...
3 months ago • 1 min read
If you don’t control what runs on your endpoints, you don’t control your network. Period. Ethical Threat Insight: Why App Control Is a Big Deal The traditional method of app control was to block everything and just allow what’s needed. But that ignores what threat actors are actually doing in their attacks. App control is about letting the apps you actually trust, run, and denying execution of everything else. It’s about STOPPIND BAD. Especially Living-Off-the-Land (LotL), dual-use tools, and...
3 months ago • 1 min read