In Episode 178 of the Cyber Threat Perspective podcast, hosts Spencer and Tyler take a practitioner-first look at the internal security controls that genuinely make attackers' lives difficult, drawing directly from their experience conducting hundreds of internal penetration tests every year.
This isn't a vendor comparison or a theoretical framework. It's an honest account of what works, what gets misconfigured, and what separates organizations that slow attackers down from those that don't.
Topics covered include:
- Application Control — ThreatLocker and Magic Sword — why app control is probably the single most effective endpoint control against attackers, how the learning period works, why jumping straight to enforcement mode is a mistake, and why executive buy-in is as critical as the technical implementation
- WDAC vs. traditional App Locker — the differences, what closed-book enforcement actually means for attackers, and the two schools of thought on allow-list vs. block-list approaches
- Strong identity controls — MFA beyond RDP including SMB, WinRM, and HTTP via products like Silverfort, why push notification MFA falls short, and why number matching matters
- Protected Users Group — one of the most powerful and underused Active Directory controls, with a real-world story of how it nearly matched a full third-party identity product in effectiveness during a law firm pen test
- Least privilege and admin tiering — why Help Desk is one of the most targeted groups for social engineering, how over-permissioned service accounts hand attackers domain admin in minutes, and the real cost of control path vulnerabilities
- Network segmentation and zero trust — why domain controllers don't need internet access, how segmentation limits attacker recon, and where products like Zscaler fit in
- EDR baselining and UEBA — why plugging in an EDR tool and expecting it to work isn't enough, the case for getting back to behavior-based detection, and why catching recon activity matters more than catching execution
- Deception — honeypots, canaries, and fake assets — why deception is underrated, why high-fidelity low-false-positive alerts change the game, and what it actually feels like as a pen tester to trip on a well-placed decoy without knowing it
Also mentioned: Spencer and Brad's Tools of the Trade workshop at ILTA Evolve — Denver, end of April.
Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov
Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com
Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.
