The Cyber Threat Perspective

Episode 178: Internal Security Controls That Actually Frustrate Attackers

31 min · 22 April 2026

In Episode 178 of the Cyber Threat Perspective podcast, hosts Spencer and Tyler take a practitioner-first look at the internal security controls that genuinely make attackers' lives difficult, drawing directly from their experience conducting hundreds of internal penetration tests every year.

This isn't a vendor comparison or a theoretical framework. It's an honest account of what works, what gets misconfigured, and what separates organizations that slow attackers down from those that don't.

Topics covered include:

  • Application Control — ThreatLocker and Magic Sword — why app control is probably the single most effective endpoint control against attackers, how the learning period works, why jumping straight to enforcement mode is a mistake, and why executive buy-in is as critical as the technical implementation
  • WDAC vs. traditional AppLocker — the differences, what closed-book enforcement actually means for attackers, and the two schools of thought on allow-list vs. block-list approaches
  • Strong identity controls — MFA beyond RDP including SMB, WinRM, and HTTP via products like Silverfort, why push notification MFA falls short, and why number matching matters
  • Protected Users Group — one of the most powerful and underused Active Directory controls, with a real-world story of how it nearly matched a full third-party identity product in effectiveness during a law firm pen test
  • Least privilege and admin tiering — why Help Desk is one of the most targeted groups for social engineering, how over-permissioned service accounts hand attackers domain admin in minutes, and the real cost of control path vulnerabilities
  • Network segmentation and zero trust — why domain controllers don't need internet access, how segmentation limits attacker recon, and where products like Zscaler fit in
  • EDR baselining and UEBA — why plugging in an EDR tool and expecting it to work isn't enough, the case for getting back to behavior-based detection, and why catching recon activity matters more than catching execution
  • Deception — honeypots, canaries, and fake assets — why deception is underrated, why high-fidelity low-false-positive alerts change the game, and what it actually feels like as a pen tester to trip on a well-placed decoy without knowing it
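The Protected Users and least-privilege points above are easy to audit from a domain-joined admin workstation. The script below is an added example, not code from the episode or from SecurIT360: it flattens the membership of a set of Tier-0 groups, flags privileged accounts that carry a service principal name (the over-permissioned service accounts the hosts describe, which any domain user can Kerberoast), and stages the remaining enabled admin accounts for the Protected Users group. The group list, the break-glass account name and the idea of excluding SPN accounts from the staged change are assumptions for this example; the RSAT ActiveDirectory module and read rights on the domain are assumed.

```powershell
# Added example (not code from the episode or from SecurIT360): audit Tier-0 group
# members, flag Kerberoastable ones, and stage the rest for Protected Users.
# Assumes the ActiveDirectory RSAT module; group names and thresholds are assumptions.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')
# Keep at least one break-glass admin out of Protected Users so a misconfigured DC or
# client cannot lock every administrator out. The name is hypothetical.
$BreakGlass = @('breakglass-admin')

# Protected Users exists once the PDC emulator runs 2012 R2 or later; resolve it once.
$protected = @{}
Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    ForEach-Object { $protected[$_.SamAccountName] = $true }

# -Recursive flattens nested groups so indirect admins (group-in-group) are not missed.
$byAccount = @{}
foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            if (-not $byAccount.ContainsKey($_.SamAccountName)) {
                $u = Get-ADUser -Identity $_.distinguishedName -Properties servicePrincipalName, PasswordLastSet
                $byAccount[$_.SamAccountName] = [pscustomobject]@{
                    Account         = $u.SamAccountName
                    Enabled         = $u.Enabled
                    Groups          = New-Object System.Collections.Generic.List[string]
                    InProtected     = $protected.ContainsKey($u.SamAccountName)
                    # An SPN on a privileged account makes it Kerberoastable: any domain
                    # user can request a service ticket and crack the password offline.
                    HasSPN          = ($u.servicePrincipalName.Count -gt 0)
                    PasswordAgeDays = if ($u.PasswordLastSet) {
                                          [int]((Get-Date) - $u.PasswordLastSet).TotalDays
                                      } else { -1 }
                }
            }
            $byAccount[$_.SamAccountName].Groups.Add($g)
        }
}
$findings = $byAccount.Values | Sort-Object Account

'== Kerberoastable privileged accounts (fix: remove the privilege or move to a gMSA) =='
$findings | Where-Object HasSPN |
    Select-Object Account, PasswordAgeDays, @{n='Groups'; e={ $_.Groups -join ', ' }} |
    Format-Table -AutoSize

'== Enabled privileged accounts not yet in Protected Users =='
$candidates = $findings | Where-Object {
    $_.Enabled -and -not $_.InProtected -and -not $_.HasSPN -and ($_.Account -notin $BreakGlass)
}
$candidates | Select-Object Account, @{n='Groups'; e={ $_.Groups -join ', ' }} | Format-Table -AutoSize

# Protected Users members cannot authenticate with NTLM or with DES/RC4 Kerberos, cannot be
# delegated, receive a non-renewable 4-hour TGT, and have no cached credentials. Stage the
# change with -WhatIf and drop it only after confirming those restrictions for each account.
foreach ($c in $candidates) {
    Add-ADGroupMember -Identity 'Protected Users' -Members $c.Account -WhatIf
}
```

Accounts with an SPN are deliberately excluded from the staged change: Protected Users breaks the Kerberos flows a service account relies on, and the right fix for a Kerberoastable admin is to remove the privilege (or move the service to a group managed service account), not to harden the account in place.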

Also mentioned: Spencer and Brad's Tools of the Trade workshop at ILTA Evolve — Denver, end of April.

Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov

Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com

Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.


The Cyber Threat Perspective, by SecurIT360, is available on several platforms. The information on this page comes from public podcast feeds.