While many companies are moving to the cloud, it's still common to find Active Directory (AD) deployed locally in Windows environments. During internal network pen tests, I was pretty comfortable with lateral movement and privilege escalation (via missing patches or LLMNR/NBT-NS/IPv6, open network shares, etc.) but felt lacking in how I could leverage attacks against AD to provide more impact during the assessment. In my journey to get better at attacking AD, I was able to enroll in different free and paid courses. This blog post will provide you with an overview of the four I found to be most beneficial personally.

Artificial intelligence (AI)—you’ve heard of it, you’re likely using it, and you know it’s already used everywhere and its reach will only likely increase. These days, the term "AI" is thrown around frequently, but because this technology is actually made up of many different subsets that generally all get thrown under the umbrella of AI, it can sometimes lead to confusion.

Generally, with new cybersecurity regulations, organizations affected are provided a “grace period” to make the necessary adjustments to achieve full compliance before enforcement begins. Looking toward the horizon and 2025, many new laws will be coming into full effect, which means organizations will now likely be subject to various penalties if they’re not ready and haven’t satisfied all relevant requirements.

While the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is technically just a set of guidelines, best practices, and standards intended to improve your infrastructure so that organizations can better manage and reduce cybersecurity risk, it’s possible to go through a five-step assessment process to make sure you really are adhering to those standards and provide independent assurance to your customers.

Since being published in December 2023, a lot of people are still wrapping their heads around the ISO 42001 standard. While designed to help all organizations who provide, develop, or use artificial intelligence (AI) products and services do so in a trustworthy and responsible manner with the requirements and safeguards that the standard defines—including defining your AI role.

With so much business now being done online and digitally, much—if not most—of organizational security concerns focus on beefing up technical controls. But, in fact, the human element of cybersecurity is often where the most impactful failures occur.

When seeking ISO 42001:2023 certification, you must ensure that your artificial intelligence management system (AIMS) aligns with the standard’s key clauses (4-10), each of which focuses on a specific facet—context, leadership, planning, support, operation, performance evaluation, and improvement.

Thinking Inside the Box Traditional red teaming approaches often focus on external threats—simulating how an outside attacker might breach a company’s defenses. This method is undeniably valuable, offering insights into how well an organization can withstand external cyberattacks. However, this "outside-in" perspective can sometimes overlook another aspect of security: the risks that arise from within the organization itself. While traditional red teaming is crucial for understanding external threats, thinking inside the box—examining internal processes, workflows, and implicit trusts—can reveal vulnerabilities that are just as dangerous, if not more so to an organization.