How Can Offensive Cybersecurity Protect Your Organization?

Article

Cybersecurity is all over the news these days. Headlines about the latest hacks and software vulnerabilities affecting companies and government agencies abound. Over the last decade, business leaders have heard the message, and sales of security tools to defend everything from networks to endpoints, and from applications to identity management, have soared. That trend is not expected to change any time soon.

Defense, though, is only half of the equation.

As any good military strategist or sports enthusiast can attest, the best defense is a good offense. Cybersecurity is no exception to this adage. So let’s take a closer look at what offensive security is and how it can help an organization.

Definitions

At its core, offensive security exists to identify issues before they are detected and utilized by external and malicious actors. The term offensive security is an umbrella term that covers several aspects of cybersecurity. Let’s explore a few of these, in order of the most basic offerings to the most sophisticated.

Vulnerability Scanning

Vulnerability scanning uses automated tools that probe an environment for the presence of known security risks. A robust vulnerability scanning program is an essential part of a mature cybersecurity program, but because it relies on automated scanners and on repeatable, scalable processes, scanning alone cannot function as an offensive operations program.

Penetration Testing

Like a vulnerability scan, a penetration test, or PenTest, seeks to enumerate risks using a combination of automated tools and human ingenuity. By limiting its scope to a single application or environment, a PenTest can dive much deeper and identify risks likely to be missed by an automated scan.

Red Team

The term Red Team is often used interchangeably with PenTesting. While some of their tactics are the same, the two programs have very different strategies and goals. A PenTest is generally time-boxed and established on a repeating cadence, with reports that are typically delivered to an external entity for compliance purposes.

A Red Team engagement, however, can follow any timeline and is often ongoing with a scope as wide as an enterprise. The results are not reported to any external entity. Instead, the Red Team testers take on the tactics of a real-world threat actor to reach the same end goals of that threat actor. Often, that means access, exfiltration, or manipulation of a company’s crown jewel assets. These are good guys using the tools and tactics of the bad guys, with permission, to learn what level of risk a company is truly facing.

Such engagements can be carried out with full transparency for the defensive teams, but often they’re done with minimal notification to test the enterprise’s true defensive response to a real attack. Reports generated are only sent internally and serve to identify and provide solutions for proven and executed real-world threats.

Important Considerations Related to Cybersecurity

As the market trends toward more intelligent and capable defensive tools, one must consider why Offensive Security is even relevant. Here are a few ideas to keep in mind.

People

Even the most secure door has a weakness in the form of a keyhole; otherwise, it would be a wall. Likewise, even the most robust cybersecurity program must have a weakness in order to be functional, and that weakness takes the form of the rights granted to users. According to Splunk, 98% of cyberattacks rely on social engineering to expose a user’s access to the attacker. By borrowing the rights of the victim user, the attacker can bypass enough defenses to gain a foothold in the environment.

Once inside, what can an attacker do?

Network Encryption

Network monitoring has long been one of the more reliable tools available to a defender. However, the efficacy of these tools is fading fast. In 2023, Google reported that 95% of Internet traffic was encrypted, while Firefox claimed a number closer to 80%.¹ This was up from 2013, when a Google Transparency Report showed just 48% of web traffic was encrypted.

Figure: Encryption of web traffic, according to Google: 48% in 2013, 95% in 2023.

To be inspected, encrypted traffic must first be intercepted and decrypted, then encrypted again before being sent on. Doing this without impacting performance raises the computational cost by several orders of magnitude, which translates into significant cost increases.

Further, Zscaler ThreatLabz researchers published findings that over 89.9% of encrypted threats involve malware. This traffic cannot be decrypted by an enterprise solution because it does not follow established standards and is not generated from inside the organization.

New and stronger encryption protocols are constantly being developed to keep pace with ever-increasing high-end processing power. This means one of the historically most effective tools for detecting malice on the wire has been largely incapacitated, and it’s only getting worse.

Limited Resources

In an ideal world, a cybersecurity budget would be endless. In the real world, however, companies are forced to make risk-based decisions on where and how to spend budgetary dollars. As emphasized in the discussion of network encryption above, an enterprise must also factor computational cost into its protection decisions.

For instance, an enterprise may choose to move away from large, expensive network-based traffic inspection tools and instead install software on every computer to monitor traffic at each endpoint. This may save dollars up front, but the resulting performance hit across all of its computers may cause a measurable loss of enterprise efficacy and performance.

Using Offensive Cybersecurity to Address Challenges

When you’re forced to choose where to spend a limited budget, offensive security can help. It is useful for identifying issues before they are detected and used by external threat actors. There are impactful steps you can take.

Targeted Offensive Security Steps

Use a vulnerability scanning solution.

  • This helps you identify the low-hanging fruit that even a novice can exploit.
  • Once issues are identified, you can begin patching, hardening, and decommissioning efforts.

Conduct a PenTest of an external-facing application.

  • Identify all simple and complex risks that need to be addressed.
  • Bonus: Provide a PenTest report to third-party entities to show the company’s cybersecurity commitment.

Have a Red Team stand in for an attacker.

  • Determine your exposure and recommend actions to defend against real-world scenarios.
  • Implement the identified solutions, whether that means tuning a tool, training the defensive team, or purchasing a specialized tool; they will be effective and lucrative.

Contact our team of experts.

A cybersecurity program must have many parts to be effective. The most robust will feature a mature offensive security team to identify issues before someone else does and find effective solutions to address problems. Remember: The best defense is a good offense.

Learn more about our information security expertise, or reach out to our proven team of experts for assistance with training, support, or services to protect your organization.

AUTHOR

Ben Focht

Manager, CyberSecurity Offensive Operations

Ben Focht is the Manager of the CyberSecurity Offensive Operations team at Nelnet. With nearly two decades of experience in cybersecurity and IT, he brings a wealth of experience, including designing and managing a Security Operations Center, building the Application Security program, and developing the cybersecurity educational curriculum at the Community College of Aurora. Ben holds a B.S. in Cyber Security and Information Assurance from Western Governors University as well as several industry certifications, including CISSP, GCIA, and GWAPT.