Offensive Security


A conversation between two infamous Chris's

Chris Nickerson - CEO of LARES, International Infosec leader known for Red Teaming, Founder of PTES and BSides. VC, Advisor, Investor

Chris Roberts - vCISO, Researcher, Hacker, Consultant, Devils Advocate, etc.

Given that technology, security, and attacks are constantly in the news, there’s no wonder that there is a high level of interest in the realm of Offensive Security, however it’s more than just breaking into things for fun or profit and it’s a more complex and broad subject than simply sitting behind a keyboard, running reports, and thinking you are your chosen deity's greatest gift to the technology industry. Our industry should be more of an apprenticeship realm where you learn and hone your skills (both technical and soft) through years of work, dedication, interaction, and community/client interactions. Without that mentality, we find ourselves in a realm where anyone can claim to be an expert and the art of red teaming has, in some cases, been reduced to handing a rebadged tools report to a client because they are none the wiser.

Focus on the things that are solvable.
People are so accustomed to the negative without having an associated positive come along with the deliver. AS people in this industry, we should no longer simply explain that something is broken. We need to come with options for how to fix, resolve, mitigate, or otherwise help our clients. Be they technical, human, function, or other related solutions will depend upon both the client and the situation being discussed… this is the way.

We’ve all blamed everybody down to our grandmothers for breaking the internet. We need accountability. Rather than going, “Here's your routine test, good luck, and thanks for the check,” and walking off into the sunset, WE, the industry, need to own a path to resolution or maturity. WE need to be accountable to both our actions and our findings.

It’s time to get out of the “tick the box to barely meet the audit” mentality.
Assessments alone won’t get you where you need to be. It’s time to get out of the “tick the box to barely meet the audit” mentality. The goal is for you to understand where you are, where you want to be, need to be, should be, and how you're going to get there. AS we all know, just because you passed the audit, it doesn’t mean you are secure.

Also, it’s worth noting that the assessment you did today can be negated by an action taken tomorrow, so taking a more proactive and consistent approach to continuous testing and monitoring is something many of us are advocating for. After all, you don’t check to see that your website’s up and running just once a week, so why do the same for your security program?

Where to start with offensive testing:

  • First, start with tabletop exercises. Consider them games or D&D for business. Sit down, grab coffee and donuts, and just talk about how someone may break in, what might happen IF, etc.… Run some scenarios past HR, Legal, Compliance, IT, Ops, etc.

  • Next, run some checks, do some scanning, run some standard tools against your own systems, see IF you see the scans, see what you record and what you missed. Look for the gaps and remediate accordingly.

  • Then, when you think you have your ducks in order, do a penetration test, get someone from the inside to break in (from inside out OR outside in), and/or get someone external (a trusted 3rd party) to come and test your controls... Again, LEARN, remediate, rinse and repeat…
  • If your controls aren’t working properly, wash, rinse, repeat, fix and test again.
  • Keep doing this until you have fine-tuned your methodology, framework, and teams to be able to detect and remediate these types of attacks. (consistently)
  • After you are confident that all your procedures, controls, active defenses, and folks work as expected and they can recognize an attack and react accordingly THEN (and only then) it might be time to take off the gloves and bring in the red team.

What IS the purpose of an assessment or penetration test?
Do your security controls even work? You are testing the entire process, controls, humans, and tools that you have implemented to make sure they do what you think they are supposed to do. The engagement is meant to be an educational way at understanding IF (and where) your blind spots are in a friendly engagement type of way. This is not a test whether an adversary can get into your company, it’s simply to check if the tools you have can detect the attack.

What is the purpose of Red Teaming?
You believe that you have done everything possible to provide the necessary defenses for your organization and that all your controls are working. You have gone through and iterated every single TTP and attack for the last two years and compensated for research decay in every single one of these tactics. Now what? You are probably ready to invite the red team to challenge your defenses and break in. Their goal is to get in, often through any means possible (after all an adversary is NOT limited in their tactical options) and help you understand what you might have missed. This level of friendly adversarial action often comes with custom tools, frameworks, and methods.

When not to use a red team
When you yourself can walk in, or your 3rd party’s got remote access to your systems through TeamViewer or RDP OR when you don’t even know what you have on the network, let alone where it is or what it’s doing. When you can’t put your hand on your heart and truly say you have done everything you possible can at a human, policy, and technology level to protect your enterprise to the best OF your ability AND that sentiment isn’t also echoed by HR, legal, DevSecOps, compliance, and every user you protect…If you can’t do that, then don’t bring the red team in…work on iterating assessments and penetration testing along with a LOT of awareness!

Nobody (in their right mind) walks into a Dojo and taunts the black belt into a match until they, themselves have spent years training their mind, body, AND spirit…. The same goes for our world. Don’t think you are ready until you’ve taken the time to learn and test.

Bringing the human element back in.
At the end of the day, you can put as many tools, products, and pieces of technology that profess to solve ALL the problems between you and the adversary, but it always comes down to the human. TAKE the time to educate, help, and work with all the humans within your organization to help them understand they are part of the solution, NOT the problem.

If you are being attacked, should you attack back?
Absolutely not! You have no idea who you are up against so why would you even try? Especially, if they got into your system in the first place. You want to, you know you do, I know you do, but it’s what we call a “hiding to nothing.” Take that energy, focus it on improving, learn from the mistakes, learn from the experience, and work to ensure it can never happen the same way again.

Out-of-the-box solutions work only 50% of the time.
Those of you that sign on the dotted line for the next piece of ML/AI/Blinky technology are fooling yourselves if you think you can just implement it and breathe a sigh of relief. At best, it’ll give you “some” coverage. At worst, it’ll produce FUD, inconsistent results, and you’ll spend more time tuning it than you care to imagine. TAKE the time, invest in the professional services, and have it installed correctly, and custom tailored TO your environment by the folks that built it….. Less than 50% of solutions work out of the box. The moral of the story is that you cannot buy your way out of trouble. You need to put in the work to fine tune the tools you purchased.