This post consists of sarcasm and irony, please keep this in mind while reading it. Any similarity to actual persons, companies and cybersecurity professionals is purely coincidental because we all know that companies want to be cyber safe and they will give us a reasonable budget to achieve it.
Vulnerability Mapping
“We’re just checking things, don’t worry, we won’t touch anything! Also, we can’t be sure if these vulnerabilities could be exploited or not, but we will try to calculate the impact of the exploitation anyway.”
Vulnerability Assessment
“We need to touch some assets of your infrastructure, but we will have a meeting with your team (ITops) and decide which things shouldn’t be touched. Also, we are more likely to find vulnerabilities and report them.”
Penetration Test
“So we are gonna make some noise, but we will find all of the vulnerabilities in your systems and write a 150-page report on them and of course do a one-hour debrief where you will have absolutely no idea what the heck we are talking about. Also, we don’t have any responsibility if your fragile, freaking plain network decides to collapse from minimal additional traffic. Anyway, sign here, here, here and there.”
Red Team engagement
“We saw that you have some cybersecurity solutions and a SOC team in place, testing their capabilities would be awesome! So we are going to exploit obvious, reported vulnerabilities of your system with basic evading techniques and come for our paycheck. After this, you will call us 4 months later and we are going to exploit the same vulnerability because your team won’t have the time and budget to patch things up.”
Purple team engagement
“It won’t take too long, just about a year to find and patch up every one of your critical vulnerabilities and another one for high ones, but believe me, this is the only thing that is currently functioning in the industry.”
Threat hunt
“Penetration testers call us because you don’t know what you want, but no problem. We analyze logs and samples gathered from your network to decide if you are compromised or not. But most of your users’ passwords are found on the Dark Web, so you won’t need us anyway. I am just here for the paycheck.”
Security Awareness training
“We help your users get an hour break from their job every half year, we click through some slides and explain everything in the most understandable way possible, so Carl from Sales wouldn’t click around, download malware and infect your whole corporate network. Eventually, he will, but there is no solution that works 100%, anyway here is my paycheck.”
Cyber Security Consulting
“We do a lot of meetings and offer awesome cybersecurity solutions tailored for your needs, we design them and usually have a team who can implement them. But you wasted all of the budget on the Christmas party, so all we can do is just set up some open-source solutions, good luck with them!”
Incident Response
“Shutting down the infected assets was a very nice idea indeed, you just eliminated half of the artefacts we could recover! Also, we like to work long hours with pizza and cola backing up your systems because Jenn from Sales had to download that picture of a cute cat.”
In one phrase: “What is weekend?”
Digital Forensics
“We are working with IR, but in reality with nobody, let me collect my copies of the affected systems and leave me be, okay?”