In assessing or testing an internal infrastructure, the assumption is that we are starting from an "already compromised" position. In most cases we'll start from an AD member workstation in your domain, and use the techniques that malware or attackers would use to "pivot" to a higher privileged position (often Domain Administrator or database administrator rights). The goal of these assessments is to find as many ways as possible, in the time allotted, to gain access to data or infrastructure that you wouldn't want an attacker (or even a trusted user account) to reach.
The goal of an internal assessment or penetration test is to improve your protections, to give a real attacker (or their malware) a bad day, and to give your team the tools to see malicious activity on your network before an attacker can gain enough access to do real damage.
Active Directory gives an attacker many "hooks" to leverage an initial malware installation into local administrator rights, domain administrator rights, or access to data they shouldn't have. In a project of this type, we will exploit many of these avenues, and outline how they can be remediated to give your attacker (and their malware) as tough a time as possible. Remediations will generally involve additional Group Policy settings, Windows settings, free or commercial tools to consider, and in particular, better logging and alerting on those logs.
Windows isn't the only infrastructure that's vulnerable to attack in most companies. It's important to look in some detail at routers, switches, firewalls and the like. Out-of-band host management interfaces such as iLO, iDRAC and other BMCs can give an attacker full rights to the hardware in your datacenter. Exploiting issues in hypervisor or storage infrastructure can put an attacker in the position of being able to steal entire hosts from your datacenter. Gaining rights to routers or switches puts attackers in a good position to steal or modify data in transit. When we say "Non-AD", we mean real infrastructure, not printers or IoT products (though those can be used by attackers as well).
At its heart, any IT group is responsible for implementing changes while maximizing the availability of the services that the organization needs to do business. What that usually means is that there is always some method of controlling or approving changes, whether the organization has implemented a full ITIL framework, has embraced a DevOps philosophy, or handles change control as a simple email exchange. We can help improve your processes from a security point of view, ensuring that changes are properly assessed for security issues prior to implementation, that they are implemented correctly, and that backing out any errors is simplified. These are all critical things, whether you are implementing large, extended projects or rolling changes in a DevOps process.
In a project of this type, we can assess specific areas of your infrastructure against known benchmarks or controls. Often these will include the CIS (Center for Internet Security) Critical Security Controls, the CIS Benchmarks for your infrastructure, the MITRE ATT&CK framework, or regulatory controls that apply specifically to your industry. In most cases we'll use several (or all) of these to recommend changes that enhance the overall security of your organization.