The engagement concludes and the team presents the security findings to the RisottoCorp leadership. When it’s time to cover some of the technical details for how the DMZ server was compromised, you stand up to present.
“I identified a DMZ server that was running a web application with a set of weak credentials. I performed a careful brute force against this web application’s login portal and accessed the application’s admin dashboard. There, I used the interactive shell within the application to upload and execute a C2 agent so I could open an authenticated, secure communication channel. All data exfiltration occurred over authenticated, encrypted mTLS.
“Unfortunately, we identified evidence of possible illegal activity attributed to an organizational insider. The scope document mandated that my team report this immediately, so we halted the engagement and reported it to the trusted agent. We were unable to continue with the testing.
“We recommend either decommissioning the web application on the DMZ if it is not needed or increasing the strength of the password. Also, please consider using MFA for the application if it is available.”
The leadership asks you a few more questions and you answer them to the best of your ability. Then the RisottoCorp CISO closes with some final words.
“I thank you all for your hard work. We definitely do have some things to work on and a clear idea of what to fix first. I also want to call out the attention and care that your team paid towards keeping our data safe during this operation.”
The CISO adds, “I also want to especially thank you for your vigilant and careful reporting of that evidence of insider threat activity. We’ve started an investigation into the individual. Without your report, we would have had no idea. So thank you again!”
You may have to give some statements over the next few months, but you know you did the right thing.