Cybersecurity Challenges and Insights on Penetration Testing, Attack Surface Management, Cloud Security, and Phishing Simulation

Mateusz Gierblinski

In today’s quickly evolving business world, organizations of all sizes face various cybersecurity threats. Not only are attackers working around the clock poking at everything they can attack but also insider threats are on the rise, phishing becomes more sophisticated, and timelines for developers leave organizations vulnerable to cyber threats.

To stay ahead of attackers, businesses must adopt proactive strategies to identify vulnerabilities, secure their attack surface, and strengthen their defenses.

In this blogpost, we delve into four critical areas of cybersecurity:

  • Penetration Testing
  • Attack Surface Management
  • Cloud Security
  • Phishing Simulations
  • Purple Teaming

These key practices not only help you mitigate risks but also strengthen your organization’s overall cybersecurity posture.

Whether you’re looking to understand the most frequent vulnerabilities lurking deep inside your environment, manage your expanding digital landscape, or protect cloud environments, this blog post offers valuable insights to help you build a more resilient security strategy and in turn, achieve a better overall security posture. With no further ado, let’s dive in.

Penetration Testing

First things first, we need to make sure we understand what Penetration testing is, Wikipedia provides us with a definition:

A penetration test, colloquially known as a pentest, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment. The test is performed to identify weaknesses (or vulnerabilities), including the potential for unauthorized parties to gain access to the system’s features and data, as well as strengths, enabling a full risk assessment to be completed.

You might have heard the term Red Teaming, so it is important to know the difference between Penetration Testing and Red Teaming.

While both penetration testing and red teaming are offensive security practices aimed at identifying vulnerabilities in an organization’s security, and this can be everything, from a simple internal web application to an entire enterprise infrastructure, they differ in their scope, objectives, and methodology.

Here’s a breakdown:

  1. Objective
    • Penetration Testing: The primary goal of penetration testing is to identify and exploit vulnerabilities in specific systems, applications, and networks. It provides an assessment of security flaws to help organizations mitigate them before they can be exploited by attackers.
    • Red Teaming: Red Teaming goes beyond identifying vulnerabilities; it simulates a real-world, sophisticated, targeted attack scenario to assess an organization’s overall security posture, including its detection, prevention, and response capabilities.
  2. Scope
    • Penetration Testing: Typically narrow in focus, usually agreed by both parties, red teaming involves testing the entire organization, including technical, physical, and human defenses. The goal is to mimic an adversary’s modus operandi to understand weaknesses
  3. Outcome
    • Penetration Testing: Results in a detailed report identifying vulnerabilities, their severity, and recommendations for remediation. It also includes both technical and non-technical explanation of the reported vulnerabilities.
    • Red Teaming: Results in a comprehensive report assessing the organization’s overall resilience to an advanced attack and the effectiveness of detection and response mechanisms.

Which one does your organization need?

Based on our experience and what we have seen in real life we can recommend a pentest and if you’d like to test your organization’s detection and response capabilities, then we recommend a red teaming engagement. We at Curios can help you with both.

During our engagements with different customers, we compiled a list of the most frequent Active Directory misconfigurations

Most frequent Active Directory misconfigurations

Active Directory (AD) is the backbone of over 90% of Fortune 1000 companies, the AD environments are frequently misconfigured leaving environments vulnerable to cyber-attacks.

Let’s look at the most frequent AD misconfigurations:

Kerberoasting

Kerberoasting is a type of post-exploitation attack in which an attacker abuses Microsoft Active Directory’s Kerberos authentication protocol to extract service account credentials (hashes) from the domain. It specifically targets Service Principal Names (SPNs) that are linked to service accounts.

In such an attack, an authenticated domain user requests a Kerberos ticket for an SPN. The retrieved Kerberos ticket is encrypted with the hash of the service account password affiliated with the SPN.

The extracted hashes can be cracked offline, allowing the attacker to compromise service accounts and potentially escalate privileges.

Why is Kerberoasting dangerous?

  • Low Privilege Access: Even a low-privileged domain user can request service tickets for SPNs.
  • Offline Cracking: The attacker can take their time to crack the password without triggering alerts.
  • Targeting Privileged Accounts: Service accounts often have elevated privileges or are linked to domain admins, making them a valuable target.
  • Weak Passwords: Many service accounts use weak passwords, which makes cracking so much easier.

AS-REP Roasting

AS-REP Roasting is an attack that abuses the Kerberos authentication protocol in Microsoft Active Directory to extract and crack the password hashes of user accounts that do not require Pre-Authentication. Unlike Kerberoasting, which targets service accounts, AS-REP Roasting focuses on user accounts with weak or misconfigured authentication settings.

Why is AS-REP Roasting dangerous?

  • No Privilege Requirements: Any domain user (or even an anonymous user, depending on domain settings) can request an AS-REP ticket for accounts with Pre-Authentication disabled.
  • Offline Cracking: Once the AS-REP ticket is retrieved, the attacker can crack it offline without fear of detection or account lockout.
  • Weak Passwords: Many accounts have weak or guessable passwords, making it easier for attackers to crack them.
  • Privilege Escalation: If a account belongs to a privileged user, such as a service account or admin, it can lead to lateral movement and domain compromise.

Sensitive Files in Shares

Sensitive files, such as passwords, certificates, private keys, or other confidential data, being stored in shared folders can pose significant risks to an organization’s security. Users and even administrators can unintentionally leak sensitive information in various files, such as:

  1. Plaintext Password Files:
    • Passwords stored in .txt, .doc, or .xls files.
    • Commonly named files like passwords.txt, credentials.docx, etc.
  2. Private Keys and Certificates:
    • .pem, .crt, .pfx, .key files.
    • Keys for SSH, TLS/SSL, or API integrations.
  3. Configuration Files:
    • Files containing hardcoded credentials, such as config.json, .env, or web.config.
  4. Backup Files:
    • .bak or .zip files containing databases, configurations, or sensitive data.
  5. Database Files:
    • .db, .sqlite, or .mdf files that may contain sensitive information.
  6. API Keys or Tokens:
    • Files storing API keys, OAuth tokens, or other access credentials.
  7. Financial or Legal Documents:
    • Contracts, invoices, or other sensitive files that may be abused for fraud or extortion.

Shared folders, especially those accessible to multiple users or groups, are common targets for attackers seeking to escalate privileges, exfiltrate data, or compromise systems.

Open Shares

Open shares on a Windows Server refer to shared folders or resources that are accessible over a network. These shares allow multiple users or systems to access files and folders stored on a central server. Depending on the configuration, open shares may allow access to everyone on the network, or they may have specific permissions and restrictions.

There are two key aspects to consider regarding open shares:

  1. Intentionally Open Shares:
    • These are shared resources intentionally configured to allow access to all users (sometimes without requiring authentication, hence the name open share).
    • They are often used for collaboration or when ease of access is prioritized over strict security.
  2. Unintentionally Open Shares:
    • These occur when a folder is shared accidentally or improperly secured, leaving it open to unauthorized access.
    • This can happen due to:
      • Misconfigured share permissions.
      • Weak or non-existent access controls, for example “Everyone” group with full access – God help us all.
      • Lack of monitoring and auditing.

These shares pose a security risk as they could allow sensitive data to be exposed to unauthorized users. There’s even a greater risk associated with open shares: the ability to enumerate users.

Rid_enum is an RID cycling attack that attempts to enumerate user accounts through null sessions and the SID to RID enum. If you specify a password file, it will automatically attempt to brute force the user accounts when it’s finished enumerating.

This can be achieved by issuing the following command:

netexec smb -u guest -p '' --rid-brute 10000

Passwords in Description Field

As ridiculous as it sounds this happens in real life way too often that we’re comfortable with. Storing passwords in the Description field of an Active Directory (AD) user object is a security vulnerability and a bad practice for several reasons.

Here’s an explanation of the issue and potential risks:

  • Cleartext Storage: The Description field is not designed for sensitive information. It stores plain text, making any passwords stored there easily readable.
  • No Encryption: Data in the Description field is not encrypted, even when the AD database is encrypted. Any user or application with sufficient permissions can view the contents.
  • Accessible via LDAP: The Description field is typically accessible through LDAP queries. If permissions are misconfigured, unauthorized users could enumerate this field across user accounts and extract passwords.
  • Audit Trails: Storing passwords in this field is not logged or monitored in a way that tracks unauthorized access, making it a weak spot in security auditing.
  • Compliance Violations: Storing passwords in an insecure field may violate compliance standards (e.g., GDPR, HIPAA, PCI-DSS), exposing the organization to legal and financial penalties.

Here’s an overview of potential security risks:

  • Insider Threats: Malicious insiders with read access to AD attributes could extract and abuse the passwords.
  • Credential Compromise: Stolen credentials can lead to further attacks, such as lateral movement, data theft, or ransomware deployment.
  • Privilege Escalation: Attackers who gain access to AD could use the passwords to elevate privileges or pivot within the network.

During an assessment, we discovered such misconfiguration, and a system administrator forgot this artifact was there and thought only privileged accounts were allowed to retrieve information stored in the Description field.

In most environments, most users can run PowerShell to read the Description field information:

Get-ADUser -Identity "username" -Properties Description | Select-Object Name, Description

An attacker would have to replace “username” with the actual username of which he wants to read the description.

AD-DACL Misconfigurations

In Active Directory (AD), Discretionary Access Control Lists (DACLs) are used to control permissions for AD objects. Misconfigurations in DACLs can lead to serious security vulnerabilities, allowing unauthorized users to escalate privileges, access sensitive resources, or compromise the entire AD infrastructure.

The purpose of DACLs in Active Directory:

  • A DACL is part of the Security Descriptor for an AD object and defines which users or groups have specific permissions (e.g., read, write, modify, delete) on that object.
  • Permissions are granted using Access Control Entries (ACEs) within the DACL.
  • Misconfigured DACLs can result in excessive or unintended permissions, creating potential attack vectors.

We frequently see the following AD-DACL misconfigurations:

  1. Over-Permissive Permissions: Granting excessive permissions, because it’s easier, like Full Control or Write to broad groups such as Everyone, Authenticated Users, or Domain Users.
  2. Write Permissions on Admin Accounts: Assigning Write or Reset Password permissions on privileged accounts (e.g., Domain Admins, Enterprise Admins) to lower-privileged users or groups.
  3. Unrestricted Group Membership Modification: Allowing non-privileged users to modify group memberships of sensitive groups like Domain Admins, Enterprise Admins, or Backup Operators.
  4. Weak Permissions on Organizational Units (OUs): Misconfiguring permissions on OUs, such as granting Create/Delete Child Objects or Full Control to non-administrative accounts.
  5. Delegated Permissions Misuse: Improper delegation of administrative tasks (e.g., allowing Help Desk or junior admins to perform privileged operations without adequate restrictions.
  6. Permissions on Service Accounts: Granting excessive permissions on service accounts, especially those running critical services with elevated privileges.
  7. Allowing Unnecessary Permissions on GPOs: Misconfigured permissions on Group Policy Objects (GPOs) allow unauthorized users to modify or link GPOs.
  8. Weak Ownership of Objects: Assigning ownership of critical AD objects (e.g., admin accounts, groups, or OUs) to non-administrative accounts.

It’s worth noting that we make a distinction between different rights:

  • GenericAll: Grants full control over an object.
  • GenericWrite: Allows modification of some object properties.
  • WriteDACL: Lets the user modify the DACL itself, potentially escalating privileges.
  • WriteOwner: Grants the ability to take ownership of the object, allowing further privilege modification.
  • ReadProperty: Allows reading of object properties (e.g., attributes in a user object).
  • AllExtendedRights: Grants special rights for advanced operations, like resetting passwords or enabling delegation.
  • Delete: Grants the ability to delete the object.
  • ReadDACL: Allows reading the object’s access permissions without being able to change them.
  • ForceChangePassword: Allows forcing a user to change their password without knowing the current one.

Misconfigured Active Directory (AD) environments, particularly those involving Discretionary Access Control Lists (DACLs), pose significant risks to organizational security. These risks include privilege escalation, lateral movement, data theft, and persistence by attackers. Given that AD is the backbone of most enterprise IT infrastructures, ensuring proper configurations and permissions is essential to safeguard sensitive data and critical systems.

Curios is a comprehensive security company that can assist organizations in identifying, mitigating, and preventing risks associated with misconfigured AD environments.

Here’s how Curios can help:

  1. Detection of Misconfigurations:
    • Automated Scans: Curios can scan the entire AD environment to identify misconfigurations in DACLs, such as over-permissive permissions, weak delegation, or sensitive object exposures, shares, sensitive files, and any other security misconfiguration.
    • Risk Prioritization: It prioritizes identified issues based on their potential impact, enabling organizations to focus on high-risk vulnerabilities (e.g., permissions on privileged accounts or groups like Domain Admins).
    • Real-Time Alerts: Curios can monitor changes to AD permissions and security descriptors in real time, alerting administrators to any unauthorized or suspicious modifications.
  2. Analysis and Reporting:
    • Comprehensive Reporting: Curios will generate detailed reports of misconfigured permissions, ownership issues, and risky delegations easily understandable to all stakeholders.
    • Graphical Mapping: Visualize AD relationships (tools such as BloodHound) to uncover privilege escalation paths and lateral movement opportunities.
    • Historical Insights: Curios will track changes over time to identify patterns or potential insider threats.
  3. Risk Mitigation:
    • Remediation Support: Curios provides actionable recommendations for fixing misconfigurations and, in some cases, automates remediation (e.g., revoking excessive permission or transferring ownership of sensitive objects).
    • Policy Enforcement: Enforce the least privileged and role-based access control (RBAC) by validating permissions against security policies and compliance standards.
    • Prevention of New Risks: Curios can enforce secure configurations by applying policy templates that prevent misconfigurations from recurring.
  4. Compliance and Governance:
    • Compliancy Standards: Curios helps organizations align their AD configurations with compliance standards like GDPR, HIPAA, PCI-DSS, and DORA.
    • Audit Readiness: Curios ensures that permissions, access controls, and configurations are audit-ready by providing detailed reports and documentation.
  5. Integration with Existing Security Solutions:
    • SIEM Integration: Curios can integrate with Security Information and Event Management (SIEM) solutions (ELK, Splunk, Azure Sentinel) to provide centralized visibility and cross-platform threat detection.
    • Incident Response: Curios can integrate with incident response workflows to quickly remediate vulnerabilities detected during an attack.

Securing Active Directory environments requires a proactive approach to detect, analyze, and mitigate misconfigurations, particularly those involving DACLs. Curios provides organizations with the tools and insights needed to secure their AD infrastructure effectively. By automating detection, prioritizing remediation, and enforcing best practices, Curios helps organizations minimize risks, maintain compliance, and protect their critical IT infrastructure from threats.

Attack Surface Management

Attack Surface Management (ASM) is a proactive cybersecurity practice focused on identifying, monitoring, and reducing an organization’s attack surface—the collection of all possible entry points (both known and unknown) that could be exploited by attackers. ASM enables organizations to understand their exposure to risks and vulnerabilities, prioritize remediation, and continuously improve their security posture.

The attack surface is the sum of an organization’s digital exposure, which can be categorized into:

  • External Attack Surface: Public-facing assets such as web applications, APIs, DNS, cloud instances, IP addresses, and third-party vendor connections.
  • Internal Attack Surface: Internal-facing systems, such as on-premises servers, internal applications, network shares, and user devices.
  • Human Attack Surface: Employees, contractors, and other individuals who might be susceptible to phishing, social engineering, or credential theft.

Why is ASM important?

First, you can’t secure what you don’t know exists. One of the most important solutions Curios can provide you in terms of ASM is providing organizations, such as yours, with visibility, understanding, and the means to defend against an increasingly complex and dynamic threat landscape.

Here are key reasons why ASM is essential:

  1. Dynamic Environments:
    • With the shift to cloud computing, hybrid infrastructures, and remote work, an organization’s attack surface is constantly evolving.
    • New systems, applications, APIs, and devices are added regularly, often without centralized control or oversight.
  2. Shadow IT:
    • Employees and departments frequently deploy unauthorized tools and systems, creating unknown risks.
  3. Third-Party Dependencies:
    • Organizations rely on third-party vendors, SaaS platforms, and supply chains, which add external attack vectors.

ASM ensures that organizations can continuously monitor and secure their expanding attack surface.

Organizations of all sizes face a wide range of vulnerabilities across their attack surfaces. Let’s look at the most frequent vulnerabilities we noticed within the ASM domain:

  1. Misconfigured Cloud Resources:
    • Publicly accessible cloud storage (e.g., AWS S3 buckets, Azure Blob Storage, GCP Buckets).
    • Overly permissive IAM roles and policies.
    • Unsecured cloud databases.
    • Misconfigured Kubernetes clusters with open dashboards or API endpoints.
  2. Unpatched Vulnerabilities:
    • Outdated operating systems, libraries, or applications with known CVEs (Common Vulnerabilities and Exposures).
    • Exploitable vulnerabilities in widely used software like Apache Log4j (Log4Shell), Microsoft Exchange, or VPNs.
  3. Open Ports and Services:
    • Exposed ports like 22 (SSH), 3389 (RDP), 445 (SMB), or 80/443 (HTTP/HTTPS) without proper security controls.
    • Open services like FTP, Telnet, or legacy protocols that should be disabled.
  4. Weak or Default Credentials:
    • Using default passwords for systems, devices, or applications (e.g., admin/admin).
    • Weak passwords that are easily brute-forced or guessed.
    • Credential reuse across multiple systems.
  5. Exposed APIs:
    • Public APIs without proper authentication or authorization.
    • APIs leaking sensitive data due to poor coding practices.
    • Lack of rate limiting, making APIs vulnerable to abuse.
  6. Shadow IT:
    • Unapproved systems, applications, or cloud instances deployed by employees.
    • Forgotten or unmanaged assets.
  7. Subdomain Takeovers:
    • Subdomains pointing to decommissioned services like cloud storage, hosting platforms, or Content Delivery Networks (CDNs).
  8. Insecure Third-Party Integrations:
    • Reliance on third-party vendors or SaaS platforms with poor security practices.
    • Vulnerable dependencies in software supply chains.
  9. Certificate Mismanagement:
    • Expired SSL/TLS certificates on websites or services.
    • Self-signed or weakly encrypted certificates.
  10. Unsecured DevOps and CI/CD Pipelines:
    • Secrets (e.g., API keys, credentials) stored in code repositories.
    • Poorly secured build systems or automation tools.
    • Overly permissive access to CI/CD tools (e.g., Jenkins, GitLab).
  11. Data Exposures via Public Repositories:
    • Sensitive information (e.g., passwords, API keys, database connection strings) accidentally committed to GitHub, GitLab, or Bitbucket.
  12. DNS Misconfigurations:
    • Missing DNSSEC (Domain Name System Security Extension.
    • Outdated or incorrect DNS records.
  13. Lack of Asset Inventory and Visibility:
    • Unknown or forgotten assets, including domains, servers, and cloud instances.
  14. Over-Permissive Permissions:
    • Excessive permissions on cloud buckets, file shares, or internal resource.
    • Allowing “Everyone” or “Authenticated Users” unnecessary access.
  15. Vulnerable Legacy Systems:
    • Unsupported operating systems or applications (e.g., Windows XP, outdated Java versions.

Curios empowers organizations to take control of their attack surface by providing full visibility, continuous monitoring, and automated risk mitigation. With Curios, you can ensure that your digital environment is secure, compliant, and resilient against modern cyber threats. By integrating ASM efforts into your security operations, Curios helps minimize your attack surface, reduce vulnerabilities, and enhance your overall cybersecurity posture.

Cloud Security

Misconfigurations in cloud environments are one of the most common and critical security risks. These occur when cloud resources, such as storage buckets, databases, or virtual machines, are set up with weak security controls or improper access permissions.

Both Azure and AWS are popular cloud platforms, allowing organizations to concentrate on their products and services instead of wasting time and money on buying and maintaining on-premises hardware and software. However, cloud environments are prone to security misconfigurations and risk if not properly managed.

Below are some of the most common security misconfigurations and risk for both Azure and AWS cloud environments:

Azure Security Misconfigurations and Risks:

  1. Overly Permissive Role Assignments:
    • Using roles like “Owner” or “Contributor” instead of least-privileged roles.
    • Assigning roles at the subscription level rather than at the resource level.
  2. Insecure Default Settings:
    • Leaving the Azure Key Vault accessible from any IP address.
    • Allowing public access to Azure Blog Storage containers.
  3. Unrestricted Network Access:
    • Misconfigured Network Security Groups (NSGs) allowing open ports, for example RDP/SSH on 0.0.0.0/0.
    • Not leveraging Azure Firewall or Web Application Firewall (WAF).
  4. Weak Identity and Access Management:
    • Failing to enforce Multi-Factor Authentication (MFA) for users and administrators.
    • Using shared accounts instead of individual user identities in Azure Entra ID.
  5. Monitoring and Logging:
    • Not enabling Azure Security Center or Azure Defender.
    • Lack of logging for key services like Azure Key Vault and Storage accounts.
    • Failing to configure diagnostics logs and monitoring in Log Analysis.
  6. Improper Storage Account Configuration:
    • Exposing storage accounts with public access.
    • Using shared keys for authentication instead of more secure mechanisms like Azure Managed Identity.
  7. Vulnerability in Applications or Virtual Machines:
    • Not updating or patching Azure-hosted VMs.
    • Using unsupported or out-of-date operating systems.
  8. Default Security Settings in Azure App Services:
    • Lack of SSL enforcement for web applications.
    • Improper CORS (Cross-Origin Resource Sharing) configurations exposing APIs

AWS Security Misconfigurations and Risks:

  1. Exposed S3 Buckets:
    • Making S3 buckets public unintentionally.
    • Failing to enable bucket encryption.
  2. Overly Permissive IAM Policies:
    • Use of overly broad permissions in IAM policies.
    • Lack of role-based access control, leading to excessive privileges.
  3. Misconfigured Security Groups:
    • Allowing inbound traffic from any IP address (0.0.0.0/0) for sensitive ports like SSH (22) or RDP (3389).
  4. Failure to Enable CloudTrail or GuardDuty:
    • Not enabling AWS CloudTrail for account activity monitoring.
    • Failure to enable GuardDuty for threat detection.
  5. Insecure API Gateway or Lambda Configurations:
    • Not restricting access to API Gateway endpoints.
    • Lambda functions with excessive IAM permissions.
  6. EC2 Instance Misconfigurations:
    • Leaving default credentials or SSH keys accessible.
    • Not enabling VPC Flow Logs for network traffic monitoring.
  7. Lack of Encryption:
    • Not enabling encryption for RDS databases or EBS volumes.
    • Failure to enforce HTTPS for data in transit.
  8. Unused Resources with Open Ports:
    • Leaving old EC2 instances or load balancers running with open ports.
    • Failure to regularly review and close unused security group roles.
  9. Default VPC Usage:
    • Deploying resources in the default VPC without proper segmentation.
    • No network isolation between critical and non-critical workloads.
  10. Insufficient Backup and Disaster Recovery:
    • Lack of regular backups for critical data.
    • No disaster recovery plan for AWS resources.

General Security Risks for Both Cloud Environments:

  1. Lack of Identity Federation and SSO:
    • Not integrating with centralized identity providers for authentication.
  2. Credential Exposure:
    • Exposing API keys or secrets in public repositories.
    • Not rotating access keys regularly.
  3. Poor Patch Management:
    • Failure to patch underlying systems or software promptly.
  4. Shadow IT:
    • Teams deploying cloud resources without adhering to organization security policies.
  5. Misconfigured CI/CD Pipelines:
    • Insecure pipelines that inadvertently expose credentials or deploy vulnerable code
    • Lastly, it is essential to verify.

Lastly, it is essential to verify whether your guest accounts are still needed as they can be used to enumerate your cloud environment.

Curios is uniquely positioned to help organizations assess and mitigate cloud-related misconfigurations and security issues by leveraging its proven expertise and cutting-edge solutions. With a deep understanding of cloud environments like Azure and AWS, Curios offers comprehensive assessments that identify vulnerabilities, misconfigurations, and compliance gaps across cloud infrastructures. By employing industry best practices, automated tools, and expert-driven insights, Curios ensures that organizations can effectively prioritize and remediate risks before they lead to potential breaches or disruptions.

Curios’ approach extends beyond just identifying issues – it provides tailored strategies and actionable recommendations to strengthen the organization’s cloud security posture. Whether it’s implementing the principle of least privilege, enabling robust monitoring and logging, or optimizing network and identity configurations, Curios equips organizations with the tools and guidance needed to enhance their resilience against evolving threats. By partnering with Curios, organizations gain a trusted ally capable of not only addressing existing challenges but also fostering a culture of proactive security in the dynamic cloud landscape.

It is worth noting that we at Curios have created a comprehensive framework for Cloud Security that is in line with CIS, ISO27001, NIS2, and our experience.

Phishing Simulations

Phishing simulations are a vital tool in assessing and improving an organization’s resilience to one of the most common cyber threats—phishing attacks. These simulated exercises mimic real-world phishing attempts to educate employees, identify vulnerabilities, and reinforce cybersecurity best practices.

Here’s an overview of their importance, process, and benefits:

  1. Awareness and Training:
    • Simulations raise awareness among employees about phishing techniques, such as deceptive emails, links, or attachments.
  2. Proactive Defense:
    • They help organizations assess employee readiness and identify gaps in security awareness before a real attack occurs.
  3. Compliance:
    • Many regulatory frameworks (e.g., GDPR, PCI DSS, HIPAA) mandate or encourage security awareness training, including phishing simulations.
  4. Reduced Human Error:
    • Since employees are often the weakest link in cybersecurity, simulations aim to turn them into the first line of defense.

Features of Phishing Simulations:

  1. Realistic Scenarios: Emails designed to closely replicate actual phishing tactics, such as fake login requests, invoice notifications, or urgent security alerts.
  2. Customizability: Simulations tailored to specific industries, departments, or threat models.
  3. Metrics and Reporting: Tools to measure key performance indicators (KPIs), such as the click rate on phishing links, submission of credentials, or reporting of suspicious emails.
  4. Ongoing Improvement: Results are used to enhance training programs and refine email filters and policies.

Curios offers a comprehensive phishing simulation service designed to assess and enhance your organization’s cybersecurity posture. With a proven track record in delivering tailored security awareness programs, Curios provides end-to-end support, including scenario design, campaign execution, results analysis, and employee training. By leveraging Curios’ expertise, organizations can cultivate a culture of vigilance, ensuring employees are equipped to detect and respond to phishing attempts effectively. Together, Curios and your team can mitigate phishing risks, improve security awareness, and safeguard your business against evolving cyber threats.

During our Phishing Assessments, we usually see between 30 and 60% of all users falling victim indicating a strong need for Layer 8 security.

Purple Teaming

Purple teaming is a collaborative cybersecurity exercise that combines the offensive tactics of red teams (attackers) and the defensive strategies of blue teams (defenders). The goal is to assess and improve an organization’s security posture by identifying vulnerabilities, testing detection and response capabilities, and fostering cooperation between the two teams. Purple teaming exercises are structured, iterative, and focused on measurable outcomes to enhance an organization’s overall resilience to cyber threats.

You may ask yourself, why is purple teaming important? Well, we often see fantastic penetration testers finding vulnerabilities but unfortunately, they have not the necessary knowledge nor experience to successfully remediate them. Similarly, on the other hand we have blue teamers who are incredible at building and maintaining systems operational. And for this reason, we believe purple teaming is the proper way forward as we combined both sides into one, allowing us to correctly help organizations keep their infrastructure secure allowing business to thrive.

To summarize, here’s a list of why Purple Teaming is important:

  1. Improved Detection and Response Capabilities: Purple teaming helps organizations test and refine their ability to detect and respond to real-world threats.
  2. Collaboration Between Teams: It bridges the gap between offensive and defensive teams, ensuring knowledge sharing and aligned objectives.
  3. Proactive Defense: By testing against realistic attack scenarios, organizations can identify and address vulnerabilities before they are exploited.
  4. Compliance and Risk Reduction: Many compliance frameworks require organizations to regularly test their security controls. Purple teaming ensures these tests are both thorough and collaborative.
  5. Adaptability to Emerging Threats: Purple teams simulate the tactics, techniques, and procedures (TTPs) of advanced threat actors, ensuring defense stays up to date.

It is also important to know the benefits of Purple Teaming:

  1. Enhanced Collaboration: Fosters teamwork and knowledge sharing between red and blue teams, reducing silos within the organization.
  2. Improved Detection and Response: Testing real-world attack scenarios ensures defenses are robust and capable of detecting advanced threats.
  3. Faster Incident Response: Exercises reveal inefficiencies in current processes, enabling faster and more effective responses to incidents.
  4. Comprehensive Security Validation: Purple teaming validates the effectiveness of tools, processes, and people in defending against threats.
  5. Proactive Threat Mitigation: By continuously testing and adapting defenses, organizations stay ahead of evolving threat landscapes.
  6. Cost-Effective Security Enhancement: Focused, collaborative exercises provide measurable improvements without the need for expensive or disruptive measures.

Curios brings extensive expertise in both offensive and defensive security to deliver effective and impactful purple teaming exercises. By simulating realistic adversarial behaviors and facilitating real-time collaboration between your red and blue teams, Curios helps identify gaps in your security posture and provides actionable recommendations for improvement. With a focus on frameworks like MITRE ATT&CK, Curios ensures that your organization’s defenses are tested against the most relevant and advanced threat scenarios.

Curios also emphasizes knowledge transfer, enabling your teams to build on lessons learned during the exercise and continuously enhance your detection and response capabilities. By partnering with Curios for purple teaming, your organization can proactively defend against cyber threats, improve cross-team collaboration, and establish a more resilient security posture to protect critical assets and operations.