This week, Christian Kirsch enlightened us about the latest trend in attacker methodologies: Credentials. In the webcast, "Credentials are the New Exploits: How to Effectively Use Credentials in Penetration Tests", we learned why credential abuse is in vogue, and what penetration testers can do to tackle this head on with as much efficiency and proficiency as possible so that risk assessment quality doesn't suffer. In case you missed it, here are some of the top takeaways from the session:
- Productivity, hurt by creds management, is critical for solving security problems – Credential management has been a very manual and time intensive process thus far. It creates a lot of inefficiencies and pain for penetration testers, therefore increasing risk and decreasing productivity. To solve this, you must either hire more penetration testers, (not an easy feat, such a specialized skill set!) or help the penetration testers at hand become more efficient. More efficient penetration testers means more thorough risk assessments and/or more risk assessments completed in general.
- Credential management can be simplified and streamlined – After speaking with internal and external penetration testers struggling to manage credentials, Rapid7 made it a priority to simplify the process. Penetration testers can now use Metasploit Pro to manage, validate, re-use, and report on credentials. Clear and concise reports will track everything a penetration tester is doing on a job so that actions taken and findings are comprehensively laid out at the end of an assessment. Automating credential management and reporting will allow penetration testers more time to use their brain power and unique skill set to anticipate new attack vectors and to think about how to stop attackers. They'll be better equipped to give the best risk assessment and recommendations possible to customers on how to secure their environments at the end of a job.
To learn about and see a demonstration on how you can use credentials in penetration tests to better secure and assess your networks: view the on-demand webcast now.