Author Archives: cmartin

What is Ryuk Ransomware?


Throughout the summer and now into the fall, there have been many stories in the news about Ryuk, a targeted and powerful piece of ransomware that has been attacking countless organizations, including municipal governments, state courts, hospitals, enterprises, and large universities. Many of these organizations have paid hefty fees to recover their files following a Ryuk attack, only to find that countless files are still missing, or beyond repair.

How Does Ryuk Work?

What many people don’t understand about Ryuk is that Ryuk is not the beginning of the attack, but is instead the end product. Once Ryuk is triggered to encrypt and ransom files, the real damage has already been done.

 The attack begins as a phishing email or a drive-by download triggered by visiting a website or clicking on a popup. The threat actors use a dropper and a Trojan or bot to establish persistent access to the network. They use the tools of the typical Advanced Persistent Threat (APT) operators, from exploiting vulnerable machines to installing keyloggers and stealing credentials, to move around the infiltrated network. They look for information to steal, then gather and exfiltrate it, expanding their footprint as they go. They also install Ryuk on  each system they gain access.  Once they have accessed and exfiltrated everything they can, they trigger Ryuk to encrypt what’s left and ransom their victims.

 Victims of this Ryuk attack have paid hundreds of thousands of dollars to regain access to their information. Unfortunately, it is the the attack that comes before Ryuk is even deployed that wipes out most of their data.    

What to do After a Ryuk Attack

Unfortunately, as stated earlier, once you have been infected with Ryuk, there is very little to be done. However, it is still strongly recommended that you contact authorities.  For example, US companies can contact the FBI, either through their local office, or with an IC3 complaint form. With so many different strains of Ryuk out in the wild, it is vital that as much knowledge as possible be collected in order to find a way to put a stop to such attacks. Additionally, such agencies are often the most capable of widely disseminating information, putting other organizations on high alert. From there, the focus should be on rebuilding with stronger safeguards in place.

How to Prevent Ryuk Attacks

Many organizations, both public and private, already have the precursors of Ryuk in their network. It is the detection of this persistent access that can save an organization that already has an active attack underway. Early detection and remediation can minimize exfiltration and prevent Ryuk from being placed and deployed, thwarting the ransomware element completely. The answer to detecting this persistence is to know what to look for.

Core Security has been tracking this attack since early 2016. The presence of any of these threats is a good indicator that you are under an attack that will likely end up as a Ryuk ransom of your network. The good news is that Core Network Insight detects the Emotet dropper, the Trojan Trickbot, and other precursors of a Ryuk attack early in the infection so that you can get them clean up your IT environment, eliminating the persistent access to your network that gives the threat actors the opportunity to pillage your network and place Ryuk.

Core Network Insight is the only mature, purpose built, active threat detection solution on the market. It is agentless, as well as OS and platform agnostic. This means that it can detect Emotet, Trickbot, and other infections on such diverse network endpoints as workstations and servers, printers and multifunction devices, IP telephone and IP cameras, video conference units, HVAC and SCADA systems, point of sale terminals and ATMs, MRI, CT, and other DI systems and mobile medical devices, the Internet of Things, and even refrigerators with web panels and network connected coffee makers. If it has an IP address, is plugged into your network, and becomes infected, Core Network Insight will detect it fast and let you know early so you can get ahead of the attack before the damage occurs.

Network Insight
Attribute this content to a different author: 
Hank Carr, Sales Engineer, Technical Solutions
Big text: 
Resource type: 
Is Your Environment Infected?

Download our guide on how to identify compromised devices with certainty and get ahead of threats before it's too late.

You Can’t Protect What You Can’t See: Improving Cybersecurity with Monitoring Solutions


When a data breach hits the headlines, questions often arise for those not familiar with cybersecurity. How did the organization not realize what was going on? Why did they ignore all the warning signs? Those more familiar with just how massive IT infrastructures can be understand that the issue is not a matter of ignoring warning signs, it’s an inability to see them at all. Security monitoring solutions like a SIEM can provide valuable insights and prioritize alerts, distinguishing between those that could lead to thwarting a devastating breach, and those that are harmless incidents. Read on to find out how threat escalation, centralization, diverse integrations, and network monitoring can help clear the line of sight.

A Centralized Hub for Security Monitoring

A SIEM solution can consolidate any number of data streams, becoming your organization’s primary security monitoring tool. A solution like Event Manager provides a centralized hub with useful dashboards and information, ensuring that analysts don’t miss anything simply because they were looking at another screen. With 68% of those surveyed in the 2019 SIEM Report by Cybersecurity Insiders confirming that they used SIEM for monitoring, correlating, and analyzing activity across multiple systems and applications, it’s clear that SIEM solutions are a successful way to provide new insights with the added context of seeing security data pulled from a variety of systems.

Monitoring Datastreams without Exception

Unique or non-standard data sources can become a blind spot for organizations. Not all monitoring tools have the capability to support unusual assets like a homegrown database or third-party applications. If nearly all of your datastreams are being monitored, it’s easy to let the few applications that aren’t slip the cracks. Organizations should perform a thorough audit of the types of assets they have before choosing a monitoring tool. SIEM solutions like Event Manager can be tailored to integrate any type of datastream.

Automatically Discover New Devices with Network Monitoring Tools

Another potential blind spot that threat actors can take advantage of is the onboarding of new data sources. New assets are typically set up by members of IT staff outside of the security team. There is often a long delay between when a new device or application is deployed and when it is integrated into a security monitoring tool.

Network monitoring solutions like Intermapper create a network map, showing exactly what's happening on an organization’s network. Intermapper continuously monitors for performance issues, outages, bandwidth, and any other changes in the network, including the appearance of new devices. By integrating a solution like Intermapper into a SIEM like Event Manager, security analysts will immediately become aware of the presence of a new datasource that needs to be monitored for security events, ensuring that there isn’t a long absence of coverage that would allow for malicious activity to occur unnoticed.

Organizations have a portfolio of solutions dedicated to making sure their IT environment runs as smoothly as possible. Though these tools often work in isolation, solutions that can work together are truly powerful. Intermapper and Event Manager are a perfect example of how two solutions can collaborate to make an even safer security posture. Such tools are straightforward to deploy, intuitive to use, and also work for organizations with any budget, as free versions of both Event Manager and Intermapper are both available.

Ultimately, visibility into your IT infrastructure doesn’t merely come down to having all the raw data. This data must be filtered, given context, and prioritized in order for it to become useful information. Using monitoring tools like SIEM solutions to transform data into insights give security analysts a clear outlook, allowing them to take all the necessary measures to protect your organization effectively.



Improving Cybersecurity with Monitoring Solutions
Vulnerability Management
Big text: 
Resource type: 
Ready to Get Visibility Into Your Environment?

People often perceive the costs of implementing security solutions as being prohibitively high. Small businesses have limited budgets, larger organizations may just need to get started monitoring critical assets. Either way, HelpSystems has you covered with full featured free product usage.

The Human Element of Pen Testing and the Role Tools Can Play


Science fiction novels, TV shows, and movies often demonstrate the possibility of, and perhaps the danger of, computers and machines taking over the day to day jobs that humans once completed. While this has come to fruition in some instances, like with many factory jobs now being completed by highly specialized robots, more often than not, these inventions and innovations serve as tools to enhance human skills, not replace them. This is the case in the cybersecurity world, especially when it comes to penetration tests. Read on to find out about misconceptions about penetration tests, why they will always require the human element, and how tools can be an invaluable resource for pen testers.

Vulnerability Scan or Penetration Test?

Many use vulnerability scans or vulnerability assessments as terms that are synonymous with penetration tests. However, there are clear differences between the two. Vulnerability scans look for and report on if known vulnerabilities are present within an IT environment. These scans are great to run on a regular basis in order to make sure your infrastructure is up to snuff on basic security measures.  However, since vulnerability assessments only alert you to the existence of vulnerabilities in your systems, but do not take any further action, they often do not require anything more than a user to press “run.”

Penetration tests, on the other hand, are far more complex. Vulnerability scans identify potential risks, while penetration testers investigate that potential. While something may look like a risk at first glance, until you put it through its paces, you don’t know what kind of risk it is.

Pen testers evaluate an environment’s security by exploiting weaknesses, breaching systems using a variety of methods and tools in order to simulate what would happen if an organization was hit with a real-world attack. Penetration tests are more expansive and provide a roadmap for organizations to know exactly what needs to be remediated. Since these tests are unique to every environment and may require a combination of skills in order to successfully infiltrate an environment, they simply cannot be done without any human interaction. 

Automation Does Not Mean Automatic

As pen testing tools have become more widely available, there has been a growing misconception that pen testing will also be as simple as running some software and walking away. While pen testing tools do provide some automation, this does not mean the entire pen testing process is automatic. At the very least, humans must be involved to choose which automations should be run and tailor them to an organization.

For example, Core Impact features Rapid Penetration Tests (RPTs) which allow beginning pen testers to build and run step by step automations using user friendly wizards. These RPTs focus on completing high level tasks in specific areas. These automations are designed to make the pen testing process more efficient, but don’t replace the sophisticated detail and analysis that goes into an effective pen test. For instance, the act of deploying phishing emails and collecting data on who opened them for a social engineering campaign can be automated. Pen testers must still research phishes that are out in the wild, create the content of the emails, and analyze the collected data for deeper meaning and wider trends.

Human Adversaries Require Human Defenders

As described above, penetration tests are intended to imitate real world attack scenarios. Real world attacks are made by humans with set motivations. Computers don’t attack other systems of their own volition. In order to authentically replicate these attacks, human pen testers are needed to think like and act like attackers.

As security defenses become more sophisticated, threat actors have had to become more creative in order to achieve their end goals. In order to imitate these attackers, pen testers have to be equally creative. Part of what makes attackers and pen testers successful is by concentrating on a common blind spot of many organizations—lack of communication. Whether it’s a failure for departments to check in with one another on aligning practices, or systems not configured to know what the other parts of the IT environment are doing, or even failing to have centralized security, these issues leave an organization vulnerable to breach by a clever attacker. For instance, pen testers look for seemingly unrelated security weaknesses throughout their infrastructure and build on them to create composite attacks. On their own, these singular weaknesses may not cause any alarm. But when linked together, a pen tester can easily exploit a network’s defenses using only their skills of analytical observation.

That said, attackers also use tools in order to make their breach attempts more successful. The same is true for pen testers. These penetration testing tools are intended for human augmentation, not replacement—they allow pen testers to focus on thinking outside the box by taking over tasks that take time, but not brain power. When it comes to pen testing, it’s never a choice between penetration testing tools vs. penetration testers. Instead, it’s a choice of what penetration tools will help a penetration tester most.

A Winning Combination: Pen Testers and Core Impact

Core Impact empowers pen testers of all skill levels to replicate multi-staged attacks using commercially developed exploits in an easy to use environment. It helps pen testers that don’t have years of experience get up to speed by showing them all the ways to dynamically pen test with an intuitive interface, while also enabling senior pen testers to dive deeper and stay efficient. Take advantage of all of the red and purple teaming capabilities, utilize a vast threat library, and ensure that you leave no trace with programmable self-destruct capabilities for agents at different levels. Galvanize your security teams with the industry leading solution that will enable them to intelligently manage security weaknesses and safeguard your organization.



Human element of pen testing
Penetration testing
Big text: 
Resource type: 
Equip your pen testers with the most effective tools

See how Core Impact ensures comprehensive pen testing with a live demo from one of our experts.

When is a False Positive Not a False Positive in Cybersecurity?

The phrase “false positive” has become so ubiquitous in Information Security that we often don’t stop to consider what it means or how it is used. Many use the term to describe every alert generated by a tool that does not lead to the discovery of a true infection when investigated. If every alert activated for trivial information is considered a false positive, this may overstate the intention and function of the tool and may even give the user a false sense that the tool has more features than it actually does. It is worth establishing a distinction, calling this type of notification a “trivial alert,” reserving the phrase “false positive” for correlated, contextualized, and evidence supported positive identifications of active infections which prove to be false. Taking the time to establish clear definitions may lead to a better understanding of what security tools can do and ultimately improve information security.

What do we call a false positive?

Users of security tools often expect those tools to provide the one alert that will lead them to a true infection in their network. However, these tools are often placed in a location which prevents them from being able to definitively confirm infections.  Instead, they alert on everything that might be a marker of infection to avoid missing the one indicator that does lead to an infection. This results in security analysts being flooded with hundreds of thousands or even millions of alerts per day, none of which provide enough information on their own.  

 What’s the harm in not having a clear definition of a false positive?

Users of such security tools often refer to these trivial alerts as false positives. In order to use the common vernacular, vendors of those security tools may also refer to those alerts as false positives. Unfortunately, implying a product has false positives suggests that the product can verify an infection, which is outside the scope of most of these solutions.  Providing a more accurate definition and understanding of what constitutes a false positive  will give users of security tools a clearer method for evaluating the suitability of those tools for their environment.

What is a false positive?

The phrase “false positive” suggests that there was a positive that was proven false. However, these individual pieces of evidence, without context or correlation, are never actionable on their own. As noted above, alerts for such items are perhaps better termed trivial alerts. A true positive alert must be so serious that it gets the analyst out of their chair. A false positive must have gotten them out of their chair to investigate, only to find that nothing is actually wrong, proving that alert false.  A security solution of this nature should not only get the analyst out of their chair, it must also have a false positive rate low enough to maintain the trust of the user.

How do we get to that true positive alert?

In order to get an alert that can definitively prove an infection, a security solution must gather and analyze individual pieces of evidence, contextualizing them and gathering the requisite supporting evidence. From there, it must build an evidence-based case for an infection and provide a complete case, including all the evidence, to the user.

Does a security solution like that exist?

Core Network Insight is installed inside the perimeter, inside inner ring policy enforcement so that it can see the whole picture. It gathers the individual pieces of evidence that other tools alert on, weighs and analyzes them, building a case against each infected endpoint. This case includes evidence from twelve detection engines correlated, contextualized, and positively attributed to a specific endpoint. Network Insight also provides the name of the last user to log in to the infected endpoint, a full list of users who have logged into the infected endpoint, and a list of other endpoints each user has logged into.

Network Insight also calculates a business risk for each infection on each infected endpoint based on the infection related network activity, the value and risk posed by the endpoint, and the intent of the threat actor and activity of the malware. In other words, Network Insight connects the dots of all the various security events, creating a clear picture of a breach. These contextualized, correlated, and evidence supported alerts combined with a low false positive rate ensure that analysts don’t just get out of their chairs, they leap out of them.

Until users and vendors begin differentiating between trivial alerts and false positives, it’s important to remember that not all false positives are created equal.



False positive
Network Insight
Attribute this content to a different author: 
Hank Carr, Sales Engineer, Technical Solutions
Big text: 
Resource type: 
Ready to eliminate false positives?

See how Network Insight automatically and accurately identifies hidden infections in real time on live traffic with a personalized demo.

How to Use Social Engineering Penetration Tests to Protect Against Phishing Attacks


As long as you have an email address, you will forever be sent phishing emails attempting to lure you into some malicious activity. While we’re all familiar with the concept of these emails, it’s another thing entirely when it comes to designing one. Pen testers are given just such a task when they are charged with simulating a phishing campaign for an organization.

These campaigns are designed to give an organization data on how vulnerable they are to such attacks and serve as educational opportunities to teach employees about ways to recognize and avoid getting phished. Such campaigns can be the difference between a company that suffers a huge breach, and one that remains secure. With such high stakes, it’s important for pen testers to carefully craft their phish, just as a fly fisher carefully crafts each fly. Read on for key strategies pen testers keep in mind before deploying a social engineering campaign.

Think like an attacker.

In order to simulate a phishing attack, you have to keep the goals of a threat actor in mind. Phishing is typically used for one of two purposes. First, they may be trying to get malicious code past the perimeter. A target would click a link or attempt to open an attachment in an email, releasing malware into the entire organization. This malware could be used for any number of reasons, like creating a backdoor that the threat actor can then use to access the network.

Phishing is also used to convince a user to share their credentials, which can then be used for further attacks. This may be achieved by redirecting a user to a website that is designed to imitate a legitimate site that requires a login.

Design your phish to fit an attacker’s desired outcome. If the goal is to release a malicious payload, you may only need to entice a user to click on a link to a potentially interesting news article. On the other hand, if you need a login, you would want an email that imitates a service that you know they use.  

Have a few obvious phish.

Many people still associate phishing with the early days of email, which were fairly easy to spot, with email addresses like and vague, misspelled subject lines like “Pleeze Opne.” These days, phishing is usually much more sophisticated, with junk filters catching most of the obvious culprits. That said, some recognizable phish do still sneak through, so a campaign should include some of these easy-to-spot phishes. Having some easy wins along with progressively more challenging options helps to show the full spectrum of phishing. Additionally, if people open such transparent phish, it may show that some users aren’t paying any attention to what they’re opening.

Use phish that are active in the wild.

Sometimes you may not need to look any further than your own inbox to find phish to use in your next campaign. If any have been able to get past your spam filter, or even fooled you upon first glance, it may be a viable candidate to use in a campaign. However, it’s important to ensure that you’re only using an imitation of these real phish. That way you can be sure to strip any actual harmful files or links from these emails before sending them. 

Additionally, take the time to study active campaigns using sources like PhishTank to find the latest fish that are currently circulating around the web. Even news stories about phishing attacks can be used as inspiration for creating a phish.

Not only will using wild phish provide valuable data, users who were susceptible to the test version of it during the campaign will now be on the alert. If the real version actually does arrive in their inboxes once the campaign is over, users will think twice before clicking.

Create customized phish.

The more specific a phish is, the more likely it is to be opened. Doing research using open source intelligence resources like the white pages, social media, etc. is critical prep work before launching a phishing campaign. Personalize phish in any way that you can – names, addresses, location, interests, etc. The more specific you can be, the less a user takes time to scrutinize. Simulating a business you know someone uses is far less likely to garner suspicion than an email from a bank they don’t belong to.   

Have a variety of phish.

A social engineering penetration test should simulate a real-world situation as much as possible. The best way to do this is to have phish of every level – obvious phish, generic but well-constructed phish, and highly custom bespoke phish. These phish should also have variety in terms of their content – some should attempt to draw users towards a malicious site, others should be intended to get someone to open a link. Some should imitate internal coworkers; others should imitate external companies unrelated to the business. This will provide an organization with the best data in terms of how susceptible their employees are, and what they need to work on.

You aren’t limited to email.

While some organizations may focus entirely on email-based pen testing, it’s good to keep in mind that phishing can be done with other forms of communication. Voice phishing can be used to acquire important pin numbers, for example. Text messages are also becoming increasingly popular, and can be particularly dangerous when used on a company issued cell phone, or even a personal device that is connected to the organization’s network. 

Keep phishing.

Take the time to keep up with the latest techniques and think creatively on different methods. Ensure that you’re using tools that help you get the most out of these tests, like Core Impact. Doing post campaign analysis with metrics like click rates, login numbers, and flagging instances will help show what an organization needs to work on. Additionally, these reports will become even more valuable to show progress after regular retesting.

Ultimately, the most important part of social engineering tests like phishing campaigns is to not rest on your laurels. Since attackers are constantly retooling and trying different tactics, pen testers must do so as well.



Phishing best practices
Penetration testing
Big text: 
Resource type: 
Ready to build a phishing campaign?

See how Core Impact can help you create a full scope of penetration tests with a live demo from one of our experts.

How to Manage Identities for Contractors, Consultants, and Other Non-Employees


For years, organizations have recognized the need to pay close attention to and manage the access that their employees have with the help of identity governance and administration solutions.  More recently, organizations are also being faced with the reality that they need to apply the same level of governance to non-employees as well. According to a 2018 Opus-sponsored Ponemon study, 59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. Many of these breaches go undetected. With most organizations agreeing that third-party cybersecurity incidents are on the rise, non-employee access management is more important than ever.   

Access by non-employees like contractors, vendors, students, or consultants face additional challenges when it comes to entitlements. How does an organization ensure that a non-employee can get into the systems they need to do their job, while still enforcing enough limitations to avoid becoming a security risk? Read on to learn more about why non-employees present a unique challenge to identity and access management programs, how industries like healthcare handle managing their privileges, and best practices to find the balance between granting permissions and reducing risk.

What makes access for non-employee so challenging?

Non-employees often need to be onboarded quickly, since they may only be temporary members of the organization. Contractors or consultants, for example, need to quickly be able to log on and get to work. Organizations with no identity governance and administration (IGA) solution, or a very limited identity and access management (IAM) program, likely do not have a way to easily limit access or keep track of those with non-employee status. Oftentimes there is no “non-employee” designation in the system, or security teams lack a centralized inventory of users, allowing atypical IDs to slip through the cracks.

Even businesses with IGA solutions may end up quickly classifying consultants as employees as far as IT is concerned. Since these roles are typically not vetted as thoroughly as a full-fledged employee would be, giving them standard access may open the door to serious security issues. Providing a contractor with full employee access defies the principle of least privilege, since contractors don’t require access to nearly as many systems and applications but will be able to log into them anyway.

Additionally, non-employees may be not be working in your specific infrastructure as often, making them more prone to mistakes, making full access to sensitive information or data particularly risky. Some of the largest breaches have come from stolen non-employee credentials that allowed a hacker to get in through the front door.

Finally, non-employees tend to come and go far more frequently than employees, leaving behind an unused, but still active account. These orphaned accounts are key targets for threat actors looking for a way to get inside a system without setting off any alarms. Since the owner of the account isn’t using it, it may be too late before it’s noticed that it’s being utilized for malicious purposes.

Best practices for non-employee access

Luckily, there are a few tangible ways to solve the potential challenges related to non-employee access. An organization with a solid IGA program can safeguard their infrastructure by a few important guidelines:

  1. Have a way to identify and manage non-employees.

There are many ways to manage non-employees. For example, you could add non-employees to your HR system, segment them appropriately, and manage their contract status. If this is not possible within an organization, the right IGA solution can be configured to be the central repository for non-employee identities and have convenient methods for inputting relevant information about them as well as enforce appropriate controls to manage them more closely.

Whatever approach an organization chooses, the most important part is to regularly ensure these non-employee user accounts are correct and up to date. The work of a contract employee can often vary depending on the project. Without regular check-ins, entitlement creep and orphaned accounts may begin to occur. That is, a contractor simply gains additional access without removing privileges they no longer need, or the account is left active after the contractor has left the organization.

  1. Follow the principle of least privilege.

All IGA identity governance and administration programs should begin with the principle of least privilege. That is, no employee or non-employee should have more access than needed to get their job done. This is best achieved through role-based access, which provides permissions based on roles, instead of individual entitlements.  Roles can easily be applied to well-managed non-employees as well as employees.

  1. Have processes in place for efficient, but accurate onboarding and offboarding.

Manual provisioning can be labor intensive and take weeks before a new employee has access to every area they’ll need. This can lead to a frustrating experience for both the employee and non-employee and will cost the organization time and money. However, sloppy onboarding for the sake of speed can lead to security risks. While off boarding does not seem as time sensitive since no one is waiting on access, it is even more important from a security perspective.


Use Case: Non-Employees in Healthcare

Healthcare is a perfect example of an industry that needs to have a comprehensive yet flexible way of managing non-employees. It is highly regulated industry with a significant number of non-employees  Potentially challenging use cases include the following:


Many doctors and clinicians that work in hospital systems are not actually employed by the hospitals themselves. They may be employed by a clinic or medical group that has established a partnership allowing them privileges at the hospital.

While they may not be official employees, this group need access to many of the systems within the hospital network. Not having access to scheduling software, communication applications, alerting systems, and of course, electronic health records (EHR) can put lives as risk. It is also important to make certain that the status of a physician’s relationship with the hospital is up to date and that access is removed when it is appropriate.

However, these doctors do not require access to employee portals that provide benefit and payment information or other human resources related applications. Granularity and visibility into the access via roles is important.

Physicians are perfect examples of a non-employee who will require longer term access, but do not require full access. Best practices and role-based access would ensure that regular entitlement reviews would renew this access as needed, verifying compliance without disrupting patient care.


Whether it be as part of a program to interact with and assist patients, or as part of an emergency response plan, hospitals often have a need to allow volunteers to have access to their resources and patient data. Some may be long-term; others may only last a week. Some come in large groups, others volunteer on their own. Regardless, volunteers still require a certain amount of access. It may be very minimal, perhaps to sign in to track hours and verify that they’re in the building.

With volunteers, it is imperative that their access be managed to a level corresponding with the significance of data they require. Most will not have any medical certifications and should not have any access to health records. It is important to consider the definition of roles for volunteers as well as a repository that can be used to understand their precise needs in relationship with the healthcare systems. Removing even minimal access for volunteers is important when it is no longer needed.

Medical Students

Medical students provide a unique middle ground between physicians and volunteers when it comes to access. While they need access to the EHR system, they may not require the privileges that nurses and doctors are entitled to. For example, a medical student may not need to be able to put through an order for a test or send a prescription to a pharmacy.

Administrators face additional challenges  because large groups of students typically start on the same day.  Since the window in which they will be working at the hospital is so short, it is important for them to have all of their access needs sorted by day one. Similarly, most students have a shared end date, so offboarding must also be well organized and efficient. Automated deprovisioning is ideal in this scenario, so that orphaned accounts don’t linger for longer than necessary. Continuous review is also still necessary in case a student drops out or transfers.

Managing Everyone with Core Access Assurance Suite

The best way to manage non-employees is with a robust IGA solution that can manage non-employees in addition to standard full-time employee. Core Access Assurance Suite provides the complete context of relationships between users, access rights, resources, user activity, and compliance policies so that you can efficiently use access provisioning to manage a user appropriately from the beginning, using roles as necessary.

Automate the process of creating and managing non-employee accounts and identities as well as their associated access rights across the enterprise. Core Access Assurance Suite also ensures immediate disablement of access rights upon termination for increased security and regulatory compliance.

From long-term employees to short term contractors, our IGA solution will streamline access control and manage risk to provide a secure environment for your organization.

Core Access Assurance Suite provides complete identity, access risk, and compliance management, easily identifying, quantifying and managing the risks associated with information access.


How to Manage Identities for Contractors, Consultants, and Other Non-Employees
Identity and Access Management
Big text: 
Resource type: 
Want to learn more about identity governance?

Find out how to manage identites for everyone in your organization with the Identity Governance Toolkit.

What’s Your Defense Strategy? Best Practices for Red Teams, Blue Teams, Purple Teams


Want to determine the safety of a car? Perform a crash test. One of the most common ways to test the strength of something, particularly when it comes to technology, is by putting it through a stress test. Naturally, this same principle is a critical component of cybersecurity. One of the most effective ways to try and find your security infrastructure’s weaknesses, and your security team’s ability to detect and respond to attacks, is through red team/blue team tests. Read on to find out the differences between these teams, the emergence of purple teams, and the most effective ways to utilize them.

Red team and blue team tests are named and modeled after military exercises. In order to ensure soldiers are battle ready, simulations are run to test out the effectiveness of their defense strategies. In these simulations, red teams take on the offensive role of the enemy, while the blue team is on the defensive, shielding their position. In the cybersecurity realm, the roles are the same, but the battlefield is in the digital sphere.


What is a Red Team?

Red teams are designed to think like attackers, and are brought on specifically to put the organization’s cybersecurity posture to the test, utilizing multiple strategies in order to breach defenses. Some of these approaches include vulnerability assessments, penetration tests, or even social engineering attacks like phishing. Red teams use a variety of tools, such as pen testing solutions like Core Impact, to create the most effective simulation they can.

Though key parties may be informed that a red team campaign is taking place, most employees, including the organization’s IT team, won’t be notified until after the fact, making it as authentic as possible.

Red teams can be internal, which helps set up long term goals and ensures frequent testing. Oftentimes, however, they are hired from an external firm. Having an outside team, like Security Consulting Services, come in can also be ideal since they provide a fresh pair of expert eyes, often seeing vulnerabilities that internal security personnel may miss, simply because internal teams have such frequent exposure to the environment they’re testing.

What is a Blue Team?

Blue teams are in charge of building up an organization’s protective measures, and taking action when needed. This is done in a variety of ways. Regular system hardening procedures include updates, patching, eliminating unused software or features, or changing passwords. Additionally, new security tools can be deployed, like SIEM solutions that help blue teams monitor data logs from different assets for security alerts.

What is a Purple Team?

More recently, the idea of a purple team has become the latest buzzword in the cybersecurity world. While there is some confusion surrounding the usage and definition of the term, it’s best to focus on the ideal it is promoting. Ultimately, the concept of a purple team is the mindset of seeing and treating red and blue teams as symbiotic.  It’s not red teams vs. blue teams, but rather one large team focusing on the one overarching goal: improving security. The key to becoming a purple team comes down to communication.

One of the purposes of a red team is to act as a training function for the blue team. Infiltrating and testing the environment is only part of the job. Measuring and improving the ability to detect and respond to attacks is a key part of living up to the ideal of being a purple team. Red teams must prioritize documentation and education efforts so that blue teams can take appropriate action towards remediation and build up resiliency.

Blue teams, in turn, should view the findings of a red team as a guide for where to focus their efforts, and as a roadmap to find vulnerabilities before the next exercise. In a perfect scenario, red teams wouldn’t find the same vulnerability twice.

Best Practices, No Matter the Color

Operating like a purple team is simply adhering to best practices in order to create an environment that is a stronghold against cyber-attacks. As mentioned above, communication between teams is the most critical element in this, but here are a few other ways to get the most out your red team and blue team exercises:

Have a plan of action.

The planning stages of simulation exercises are just as important as the exercises themselves. There are endless scenarios and methodologies to use when attempting to exploit a system, so it’s vital to limit your scope. Red teams should have set objectives and measurable goals that will provide helpful data for blue teams to analyze. Blue teams should use this data to create their own objectives and goals for remediation.

Always follow up.

While it’s tempting to simply move on to the next task, it’s critical to follow up after every exercise. Retrospectives are a great way for teams to learn from one another and can shed further light on patching and preventing weaknesses. Additionally, fixes themselves must also be verified, so following up with retesting efforts is crucial.

Think outside the box.

Threat actors aren’t following a set of rules when they break into a system. Red teamers can stay within the scope of the exercise while still having the freedom to be equally creative. However, remember to show your work – blue teams can only prevent an attack if they can understand how it was done.

Never stop learning.

Promote a culture of learning and encourage both red and blue teams to stay up to date on the latest tools and tricks to prevent being caught off guard. Hackers are always evolving, and true purple teams evolve right along with them.



Penetration testing
Big text: 
Resource type: 
Get the Most Out of Your Red Team

Equip your red team with a comprehensive pen testing solution that can safely exploit vulnerabilities. Get a live demo of Core Impact today.

One (Big) Way to Reduce Helpdesk Costs While Increasing Security


IT teams handle a great number of tasks that enable an organization to run smoothly. These include handling questions related to technical support for the company’s computer systems, software, and hardware, in addition to performing regular system updates and meeting periodic training needs. Yet research shows that helpdesks are also spending anywhere from 20-50 percent of their time dealing with password requests. Why are helpdesks so bogged down with password management tasks, and how can you free up their time while also prioritizing security?

A Never-Ending To-Do List

Password resets are costly, primarily because they are time-consuming when done manually. Every issue results in a support ticket that must be opened, filled out, and eventually closed. Then there is the act of resetting the password and confirming with the user that everything has been resolved, or if further troubleshooting is necessary. This process can take ten minutes or longer, which, at first, doesn’t seem like much. However, if you multiply that by the number of employees in a large organization, the labor time quickly begins to add up.

Additionally, since helpdesk staff know that lockouts prevent productivity, they tend to drop what they are doing and tend to the issue. Constant disruptions can prevent other tasks from getting done, or done well, simply because of the time it takes to settle back into work and remember where you were in the process.

Self-service password reset solutions like Core Password enable users to securely reset passwords themselves, freeing up helpdesk employee time and allowing them to work on other important IT needs. Additionally, these solutions not only maintain security, but also can improve it by enforcing reliable authentication, and consistent, stronger password policies. Detailed audit trails also help monitor for any abnormal activity, like mulitple resets.

Enabling Immediacy Through Self Service

While the helpdesk team may be shouldering the burden of reset tasks, they aren’t the only ones dealing with the problems that password issues cause. Users who are locked out of critical business applications and resources are severely limited in the work they can accomplish. Having to call the helpdesk or file a ticket puts that work on hold, disrupting the day of the user and using valuable labor time of a helpdesk employee.

 Additionally, these lockouts and reset needs do not always occur during regular business hours. Depending on the industry or organization, helpdesk employees may not be on-call in off hours, meaning the user remains locked out until regular business hours resume. A self-service password reset solution eliminates these problems by allowing the user to reset their own password securely, and then get back to work.

Being locked out of critical applications like email is one thing, but getting locked out of your workstation doesn’t merely reduce productivity, it grinds it to a complete halt. An effective self-service solution needs to provide a way to reset a password even when the user is locked out of the workstation and stuck at the log in screen. Core Password provides several options for solving this problem. This includes a Windows Credential Provider, telephone-based keypad authentication, voice biometric authentication, and mobile phone apps. These solutions also enable users of non-Windows-based applications, like a shop floor terminal or other devices, to take advantage of password self-service.

Calculating Savings for Helpdesk Bandwidth and Budget

Using our budget calculator will provide a high-level overview of potential savings your organization can gain from implementing a self-service password reset solution. Using your own organizational values makes the output more meaningful, allowing you to get an understanding of how your business can benefit from a solution like Core Password.  

Integrating Solutions for Holistic Identity Governance and Administration

IT teams greatly benefit from dedicating less time to constant password management, and employees no longer have to waste time waiting to get back to work. However, even more access management tasks can be streamlined, giving IT teams more time to tend to critical security issues while also ensuring employees have all the access they need to do their jobs.

Core Password is part of Access Assurance Suite, a bundle of robust Identity Governance and Administration (IGA) solutions that improves efficiency while also strengthening  security. See how your organization can benefit with a personalized demo.



Identity and Access Management Password
Big text: 
Resource type: 
What could your savings be?

Get an overview of potential savings your organization can gain from implementing a self-service password reset solution with our budget calculator.

15 Things Every Customer Should Know About Core Impact


Just like in any good relationship, it takes time to get to know one another. Even when you’ve been together for a while, you still may learn new things that surprise you. It’s no different when you begin a relationship with a new product or solution. Over time, you will discover new features and tricks you didn’t even know existed. With this in mind, we’ve compiled a list of the top 15 things every customer should know about Core Impact. Take a look and see what you may have been missing.

#1: The Core Impact Customer Community

The Core Impact Customer Community is a place you can go to ask and answer questions about Impact and penetration testing, chat real-time with other Impact users, and take training courses to better leverage Impact for multiple types of testing. It also serves as a repository where you can post or download custom modules. This invaluable community resource exists to empower you to continue to get the most out of Impact.

#2: Flexible Licensing

Did you know that Impact has a flexible licensing model? We have many different license types that enable flexible use of the product, and ensure we can support multiple use cases, including:

  •     Machine-based unlimited licenses for those with a small, rotating team
  •     Named user unlimited licenses for those with dedicated, full time users
  •     Educational and lab licenses for those who want to use Impact in an educational capacity or tightly controlled lab environments

Our goal is to make sure you get the right combination of licenses that will work best for you and your team.

#3: Encrypting Agent Communications

All communication between Impact and its agents is both encrypted and authenticated. These robust protections allow us to provide secure communications between Impact and its agents. Other solutions have a higher risk of potential attackers ‘breaking in’ to the communications or hijacking their agents for nefarious purposes. Perform better, more detailed testing with the peace of mind that your communications will remain secure.

#4: Command and Control Options

Core Impact has a variety of command and control options that you can leverage. Whether connecting to or from a target or hiding the communications in DNS traffic, Impact has a variety of communication methods to better support different ways you might want to test. For example, using the DNS channel allows you to mask and disguise the communications inside DNS packets. All you have to do is select the type of communication you want the agents to use, and then deploy them. Every communication method features encryption and mutual authentication between Impact and its agents.

#5: Self-Terminating Agents

With Impact, you never have to worry about an agent hanging around longer than you want. Impact agents are configured to automatically clean themselves up at a time you set. Plus, Impact gives you the ability to set an expiration time when you deploy an agent, giving you control and minimizing artifacts left by your test. Even if a target is hibernated during a test, and misses the cleanup signal, Impact agents will see that it’s past due and clean itself up. You can pen test with confidence and know that Impact won’t let you be the reason for an incident response.

#6: Rapid Penetration Tests

Another great feature is that Impact can quickly find ‘low hanging fruit’ for you to act upon. Impact’s rapid penetration testing wizards can automatically find common weaknesses, while letting you choose how risky you want to be. This will free up time for you to do more in-depth testing and can even provide a short list of items to quickly prioritize for remediation.

#7: Intelligently Exploit Identities

Were you aware that Impact also enables you to easily leverage identities found during a test? With many identities in any given network, chances are you will come across them during testing. Impact enables you to securely store these identities. With Impact’s central identity store, it’s simple to use these identities to further your testing, allowing you to easily move and get access to more information.

#8: Stealthy PowerShell Attacks

Did you know that Impact can natively leverage PowerShell on remote hosts? Not just that, it can also do it stealthily, without using the PowerShell executable. PowerShell is a very powerful management framework for Windows machines and Impact’s ability to easily interface with it opens state-of-the-art attack methods preferred by advanced adversaries.

#9: Phishing Built for Pen Testers

Impact actually evolved from the suite of tools used by one of the first teams to offer third-party pen testing. In fact, Impact was created by a team of pen testing professionals to help make them more effective and efficient at their job. They recognized that there was great value in standardizing the process of how to conduct a pen test, and built this into their tools. As a result, Impact emphasizes an easy-to-use, repeatable, and consistent methodology.

Impact also has extensive phishing capabilities, built from the beginning with pen testing in mind, so you can do more than just report on who is susceptible to phishing. You can also gather additional information to help plan further testing and exploitation activities. Impact’s phishing functionality is often leveraged to ‘trick’ victims into giving you access to the network. If you are looking for pen testing with focused phishing capabilities, Impact is definitely the solution for you.

#10: A Python Framework

Here is something you may not know either: Impact is actually a Python framework. All modules, exploits, and tools are written in Python and are user customizable. You can write your own modules for things like integrations with third party tools, or modify existing ones to better suit your specific needs. This gives you a significant amount of flexibility to extend and enhance the value of investments you have already made.

#11: Ongoing Logging and Reporting

Another key feature to be aware of is that Impact automatically logs everything you do over the course of your pen test. This includes all the modules you run, all the files you upload or download, and even all the commands you run on remote hosts. Impact automatically captures this input and output, providing an audit trail and ensuring that you do not have to keep your own detailed notes during the test.

Impact also has a powerful and flexible built-in reporting engine that allows you to create reports for any type of audience, whether they are Chief Executives, the Patching Team or even the Audit Team. These reports are also fully customizable and the templates can be saved for future use.

#12: Validating Vulnerability Scans

Impact automatically validates the results of a vulnerability scan. You can import the results from the most vulnerable scanners and Impact will automatically attempt to validate the scanner’s findings by attempting to exploit the vulnerabilities that were reported. You will then get a report of what Impact was and was not able to exploit. Confirming exploitations can help speed up remediation processes by having Impact prioritize the list of vulnerabilities that your scanners are spitting out.

#13: Validating Remediation

With the remediation validation option, you can have Impact automatically re-run a previous pen test that can provide a change report on any differences between the two. Impact will execute exactly as you did on the previous test, including info gathering, exploitation, and pivoting. You can use this to easily test if remediation efforts have been successful rather than having to do the entire test over again, saving tremendous time in re-testing.

#14: Multi-Vector Pivoting

Impact also enables you to pivot from one vector to another, dramatically improving your capabilities and efficiency through multi-vector pivoting. For example, when you exploit a weakness in a web application, you can then leverage it to pivot to the network.  Or you can even leverage Impact to trick victims into giving you access to the network.

#15: Moving from One Host to Another

And last, but definitely not least, Impact makes it easy to pivot from one host to another. It is as simple as a right click. Impact has a wealth of additional features, like the Remote Interface, which you can leverage with the pivoting capabilities to make you more efficient and effective during your testing.

Getting the Most Out of Core Impact

This list will help you more intelligently manage your vulnerabilities and get the most out of Impact.  After all, the more you get to know Core Impact, the more it can do to secure your business.

Penetration testing
Big text: 
Resource type: