Know Your Enemy: Establishing An Offensive Security Program
In this blog post, Anchoram’s Cyber Security Testing Director, Keiren Eckert, discusses why establishing your own offensive security program can help you stay ahead of cybercriminals who are constantly evolving their tactics.
IBM’s 2021 Cost of a Data Breach report found that data breaches now cost companies an average of US$4.24 million per incident. Defensive measures alone cannot stop every threat actor from breaching your security, so preparation to detect and respond to breaches is essential.
Offensive Security Programs
A good offensive security program tests and hardens your ability to prevent, detect, and respond to attackers. Inevitably each organisation will have its own unique vulnerabilities and specific requirements. However, the following key services are a useful checklist for developing an effective offensive security program:
Red team operations are one of the best ways to find out where a comprehensive defensive capability is needed, because they exercise prevention, detection and response end to end.
The step-by-step process includes:
- Simulate an attacker testing your perimeter and internal network
- Collaborate with the internal security team throughout the process (typically through a small trusted group, so that the wider team’s detection and response is tested as it would be in a real incident)
- Review the actions taken and identify the gaps
- Ask for feedback and discuss the experience with everyone who took part in the operation
- Make adjustments to improve the overall security posture of your organisation.
Security assessments ensure that your systems and their respective security controls are working as intended and are not susceptible to exploitation. With a thorough understanding of your attack surface and its weaknesses, you can harden your systems and apply methods that keep security controls effective over the longer term. The design phase is also a good time to get feedback on how to improve security, before decisions become expensive to reverse.
Research and development is important for understanding vulnerabilities in your solutions over an extended period. It identifies existing vulnerabilities as well as any introduced in new releases. During this process, develop proof-of-concept exploits to demonstrate the impact of these vulnerabilities. This provides insight into how each vulnerability came about and suggests strategies and techniques to avoid introducing similar ones in the future.
Threat simulation is a good alternative when live testing isn’t feasible and involves hosting tabletop exercises with key stakeholders to explore attack scenarios and identify any gaps in the response.
‘To know your Enemy, you must become your Enemy’
It may be a little cliché to quote Sun Tzu in a blog on offensive security, but it does fit. An essential component of a successful offensive security program is having the right people internally to analyse security controls through the lens of an attacker. This helps when planning for insider threats, and it is also important when defending against a breach, for example in identifying the avenues an attacker could use to move laterally through the network.
Some important steps in preparing your offensive strategy:
- Account for all your assets and prioritise the security of each
- Put yourselves in the shoes of an attacker targeting your organisation
- Look for weaknesses in the perimeter to gain a foothold in the network
- Do discovery work to see how best to reach confidential data or cause disruption while remaining undetected for as long as necessary. Depending on the type of organisation, this can mean many different things.
Case study
For example, a law firm that handles sensitive cases for a host of different clients could start with a threat simulation exercise. Imagine an attacker sitting in the network on the file server, sifting through documents and exfiltrating them to their command and control server. How do you detect this kind of anomalous activity on the network? How were you breached in the first place? How can you eliminate the threat from the network and ensure it doesn’t persist? These are the sorts of questions you might raise during the exercise. You will have answers for some of them; others you won’t, and those will require further investigation.
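One way to start answering the first question above is to look for the two signals the scenario produces: a single account reading an unusual number of distinct documents in a short window, and the same host then pushing a large volume of data to an address outside the organisation. The script below is an added example and not part of the original post; the audit and flow records are constructed, the field layouts, thresholds and the organisation’s internal address ranges are assumptions, and the TEST-NET documentation addresses stand in for arbitrary internet hosts. It includes a legitimate bulk reader (a backup service account) to show why the two signals need to be correlated rather than alerted on separately.

```python
"""Added example: bulk document reads correlated with outbound transfers to
external addresses. Sample data is constructed; thresholds and the internal
address ranges are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal ranges (RFC 1918 plus loopback). Anything else counts as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed file-server audit records: (timestamp, user, source_host, path)
FILE_ACCESS = []
# alice: a normal working pattern, eight documents spread over a morning
for i in range(8):
    FILE_ACCESS.append((datetime(2021, 6, 1, 9, 0) + timedelta(minutes=20 * i),
                        "alice", "ws-alice", f"/cases/2021-0{i % 3 + 1}/brief{i}.docx"))
# svc_backup: legitimately reads 120 files in two minutes from the backup host
for i in range(120):
    FILE_ACCESS.append((datetime(2021, 6, 1, 2, 0) + timedelta(seconds=i),
                        "svc_backup", "backup01", f"/cases/2021-{i % 12 + 1:02d}/doc{i}.pdf"))
# bob: his credentials sweep 90 client folders in under four minutes from a workstation
for i in range(90):
    FILE_ACCESS.append((datetime(2021, 6, 1, 13, 10) + timedelta(seconds=i * 2.5),
                        "bob", "ws-bob", f"/cases/2021-{i % 30 + 1:02d}/exhibit{i}.pdf"))

# Constructed outbound flow records: (timestamp, source_host, dst_ip, bytes_out)
FLOWS = [
    (datetime(2021, 6, 1, 9, 30), "ws-alice", "203.0.113.10", 2_000_000),    # ordinary browsing
    (datetime(2021, 6, 1, 2, 30), "backup01", "10.0.0.5", 900_000_000),      # backup to an internal target
    (datetime(2021, 6, 1, 13, 20), "ws-bob", "198.51.100.7", 650_000_000),   # large upload to an external host
]


def bulk_readers(records, window=timedelta(minutes=10), threshold=50):
    """Return {(user, host): max_distinct_files} for every principal that read at
    least `threshold` distinct files within some sliding window of length `window`."""
    by_principal = defaultdict(list)
    for ts, user, host, path in records:
        by_principal[(user, host)].append((ts, path))
    hits = {}
    for key, events in by_principal.items():
        events.sort()
        in_window = defaultdict(int)   # path -> occurrences inside the current window
        left, best = 0, 0
        for ts, path in events:
            in_window[path] += 1
            # slide the left edge forward until everything in the window is recent enough
            while events[left][0] < ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            hits[key] = best
    return hits


def external_uploads(flows, byte_threshold=100_000_000):
    """Return {host: total_bytes} for hosts that sent at least `byte_threshold`
    bytes to addresses outside INTERNAL_NETS."""
    totals = defaultdict(int)
    for _ts, host, dst, nbytes in flows:
        addr = ip_address(dst)
        if not any(addr in net for net in INTERNAL_NETS):
            totals[host] += nbytes
    return {h: b for h, b in totals.items() if b >= byte_threshold}


def suspected_exfiltration(records, flows):
    """Principals that bulk-read documents from a host which also pushed a large
    volume externally: the combination the file-server scenario describes.
    Returns a sorted list of (user, host, distinct_files, external_bytes)."""
    readers = bulk_readers(records)
    uploads = external_uploads(flows)
    return sorted((user, host, files, uploads[host])
                  for (user, host), files in readers.items() if host in uploads)


if __name__ == "__main__":
    for user, host, files, nbytes in suspected_exfiltration(FILE_ACCESS, FLOWS):
        print(f"ALERT {user}@{host}: {files} distinct files read, {nbytes} bytes sent externally")
```

On the constructed data, both `svc_backup` and `bob` trip the bulk-read rule, but only `ws-bob` also sent a large volume to an external address, so the correlated alert names `bob` alone. In production you would replace the fixed thresholds with a per-principal baseline, constrain the upload to a time window after the reads, and feed the rule from your actual file-server audit and NetFlow or proxy logs.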
One of the benefits of an offensive security program is that you can build this kind of mentality into any number of solutions for whichever business or industry you are in.
Measuring success
Cyber security is constantly evolving, and given the diverse nature of the problems we’re trying to solve, it can be challenging to apply best practice solutions to fit every uniquely complex engagement. First and foremost, measuring success requires transparent communication. During engagements and simulations the findings need to be shared with key stakeholders. They need to be involved and have input on the business impact. This way they will both understand the risks the security findings present to the organisation and have ‘skin in the game’ to be part of the appropriate next steps.
Not every organisation will be able to measure the success of its offensive security program in terms of how many vulnerabilities were found and mitigated. Other, broader metrics can include:
- A significantly lower number of PII breaches than last year
- The success rate of detecting anomalous user activity
- Increased retention rates due to improved system performance following the team’s remediation work.
An offensive security program needs to bring value to an organisation’s mission and goals while remaining pragmatic when it comes to measurement. The key is to understand what you are trying to protect and then to prioritise protection against that goal.
On a personal note
The first thing that drew me to the role of a penetration tester is the feeling of excitement I get when I am breaking into something. I love the challenge, seeing how long it takes me to find a vulnerability and then exploiting it. It’s so much fun! Offensive security programs can be a great team-building exercise because it gets people to work together and develop creative solutions to problems while having fun doing it.
An experienced tester is not just guessing or taking shots in the dark. They know what to do and why they’re doing it. They’ve done their homework on vulnerabilities. They have researched tools that would help them during an engagement, and they know precisely where to look when attacking a system. In this way, offensive security practitioners provide real value as they dedicate themselves to finding new weaknesses in the system before an attacker can use them to gain access.
In conclusion
An offensive security program is a critical component of any organisation’s cyber defence strategy. It improves cost-efficiency and detection rates, reduces PII breaches, and delivers a measurable business impact for all stakeholders involved.