In Brief:

  • Understand the function and importance of cybersecurity.
  • Learn which cybersecurity approaches are right for you and your company.
  • Gain knowledge about the risks and rewards of Offensive Security tactics.



Cybersecurity is all over the news these days. Headlines about the latest hacks and software vulnerabilities affecting companies and government agencies abound. Over the last decade, business leaders have heard the message, and sales of security tools to defend everything from networks to endpoints, and from applications to identity management, have soared. That trend is not expected to change any time soon.

Defense, though, is only half of the equation.

As any good military strategist or sports enthusiast can attest, the best defense is a good offense. Cybersecurity is no exception to this adage. So let’s take a closer look at what Offensive Security is, and how it can help an organization.


At its core, Offensive Security exists to identify issues before they are detected and utilized by external and malicious actors. The term Offensive Security is an umbrella term that covers several aspects of cybersecurity. Let’s explore a few of these, from the most basic offerings to the most mature.

Vulnerability Scanning

Vulnerability scanning uses automated tools that probe an environment for the presence of known security risks. Though a robust vulnerability scanning program is an essential part of a mature cybersecurity program, it relies too heavily on automated scanners and repeatable, scalable processes to function on its own as an Offensive Operations program.

Penetration Testing

Like a vulnerability scan, a penetration test, or PenTest, seeks to enumerate risks using a combination of automated tools and human ingenuity. By limiting its scope to a single application or environment, a PenTest can dive much deeper and identify risks likely to be missed by an automated scan.

Red Team

The term Red Team is often used interchangeably with PenTesting. While some of their tactics are the same, the two programs have very different strategies and goals. A PenTest is generally time-boxed, run on a repeating cadence, and produces reports that are typically delivered to an external entity for compliance purposes. A Red Team engagement, however, can follow any timeline and is often ongoing, with a scope as wide as an enterprise. The results are not reported to any external entity. Instead, the Red Team testers take on the tactics of a real-world threat actor to reach the same end goals as that threat actor. Often, that means access, exfiltration, or manipulation of a company’s crown jewel assets. These are good guys using the tools and tactics of the bad guys, with permission, to learn what level of risk a company is truly facing.

Such engagements can be carried out with full transparency for the defensive teams, but often they’re done with minimal notification so as to test the enterprise’s true defensive response to a real attack. Reports generated are only sent internally and serve to identify and provide solutions for proven and executed real-world threats.

Why Does It Matter?

As the market trends toward more intelligent and capable defensive tools, one must consider why Offensive Security is even relevant. Here are a few ideas to keep in mind.


Even the most secure door has a weakness in the form of a keyhole. Otherwise, it would be a wall. The same is true of even the most robust cybersecurity program: to remain functional it must have a weakness, and that weakness comes in the form of the rights granted to users. Seventy percent of successful cyberattacks involve some sort of social engineering that exposes a user’s access to the attacker. By borrowing the rights of the victim user, the attacker can bypass defenses enough to get a foothold in the environment.

Once inside, what can an attacker do?

Network Encryption

Network monitoring has long been one of the more reliable tools available to a defender. However, the efficacy of these tools is fading fast. As recently as 2014, only about 50% of Internet traffic was encrypted. That number is now about 95%.

To be inspected, traffic must first be intercepted and decrypted, then encrypted again before being sent on. Doing this without impacting performance raises the computational cost by several orders of magnitude, which translates to significant cost increases.

Further, 70% of malware and associated traffic is encrypted. This traffic cannot be decrypted by an enterprise solution as it does not follow established standards and is not generated from inside the organization.

New and stronger encryption protocols are constantly being developed to keep pace with ever-increasing high-end processing power. This means one of the most historically effective tools for detecting malice on the wire has been largely incapacitated, and the situation is only getting worse.

Limited Resources

In an ideal world, a cybersecurity budget would be endless. In the real world, however, companies are forced to make risk-based decisions on where and how to spend budgetary dollars. As highlighted in the Network Encryption section above, an enterprise must also factor computational costs into any decision about protection.

For instance, an enterprise may choose to move away from large, expensive network-based tools that inspect traffic and instead install software on every computer to monitor traffic at each endpoint. This may save dollars up front, but the resulting performance hit across all of its computers may cause a measurable loss of enterprise efficacy and performance.

What Can Be Done?

Not enough budget? Confused about where to spend what budget you have? Unsure where those dollars should go? Offensive Security can help. Remember, at its core, Offensive Security exists to identify issues before they are detected and utilized by external and malicious actors. With a limited budget, an enterprise must choose how and where to spend its money on its defense.

Does the environment have any low-hanging fruit a novice attacker can exploit? A vulnerability scanning solution can identify this and its location. Once these issues have been identified, patching, hardening, and decommissioning efforts can begin.

Is that externally facing application sufficiently protected? A PenTest against the application will enumerate all the risks, both simplistic and complex, that need to be addressed. As a bonus, a PenTest report or summary can be provided to third-party entities to show the company’s commitment to cybersecurity.

What can attackers actually do against the company? What would they want, and what can be done to stop them? A Red Team can stand in for the attacker, determine the exposure of the crown jewels, and recommend actions to defend against real-world scenarios. Solutions identified by a Red Team engagement are tailored to the environment, so the dollars and time spent implementing them are going to be some of the most effective and worthwhile possible, whether that means tuning a tool, training the defensive team, or purchasing a specialized tool.


A Cybersecurity Program must have many parts to be effective. The most robust will feature a mature Offensive Security team to identify issues before someone else does and to find effective solutions to address them. Remember: the best defense is a good offense.


Ben Focht

Manager, CyberSecurity Offensive Operations

Ben Focht is the Manager of the CyberSecurity Offensive Operations team at Nelnet. With nearly two decades of experience in CyberSecurity and IT, he brings a wealth of experience, including designing and managing a Security Operations Center, building the Application Security program, and developing the Cyber Security educational curriculum at the Community College of Aurora. Ben holds a B.S. in Cyber Security and Information Assurance from Western Governors University as well as several industry certifications, including CISSP, GCIA, and GWAPT.