Is Offensive Security the Future?

Having been the only UK person to attend, sit on a Panel and to have presented at the ISMG APT Summit in Atlanta, I have returned home refreshed, invigorated, and completely motivated by the multiple experiences I enjoyed with my US colleagues, who again demonstrated they do ‘git-it’ when it comes to the "cyber challenge." My own participation related to the elements of incident response, and the operational lifecycles which can be deployed to accommodate robust first responder engagements when dealing with security breaches and compromises resulting from all forms of encountered malicious, and accidental cyber events which impose adverse conditions on the organisation/business. However, having recently attended a webinar held in the UK, I was very much aware that one of the subject areas I was introducing in the US had been met with a distinct misunderstanding and ignorance by 75% of the delegates on the panel, leaving me a little worried about the inclusion of "Offensive Security." To get this conversation moving, please allow me to share an opinion of a company who serves their clients with security services along with penetration testing, who to my amazement eluded that most of their clients were only seeking a base level of security, and were not willing to pay for any higher level of assurance, and simply wished to achieve a "Tick-in-the-Box," accepting that mediocrity was acceptable. I also believe this sad state is further reflected by a highly credible member of SANS who commented:

‘How can it be that an organisation who had been pen tested in month one, be compromised in month two out of a well-known vulnerability which had been missed by the tester, but located and exploited by hackers?’

A situation I have now seen on more occasions than I care to recall – and begs the question, is mediocrity becoming the new norm with some security professionals in the multi-million/billion dollar industry which is seeking to help secure our electronic planet? And could it be this Accepted Professional Treachery (APT) is a representational aspect in some well-known and documented security breaches? Again, here I can attest this is the case in at least two security compromises I am aware of from the year of 2014 – which exposed PCI-DSS data, personal and business client information, and multiples of other unknown sensitive artifacts of compromise. And before you ask, neither of these successful security breaches were reported under the requirements of the interested agencies, such as the Data Protection Commissioner, and the PCI-DSS Standard! The fact of the matter simply put are, we are seeing far too many successful attacks take place against organisations who are actually spending small fortunes on their security defences and capabilities, which at the same time are still leaving them insecure post the granting of a valued ‘tick’, which leave the assessed organisation still exposed to the nightmare of their unknown unknowns – enter Offensive Security. When we refer to the subject of Offensive Security, we look beyond what is seen as red-team testing, and embrace an activity which encompasses the dark-arts of our adversaries, which goes well before the world of penetration testing, and over focuses on what we already know, or think we need – to subject it to a programme of security testing. In fact, here when representing a client, I asked the assigned penetration tester what they felt the client should include in the testing schedules, and they responded: "Just tell us the IP range, and we will run this testing based on that input." However, when talking about Offensive Security, I am looking for an operation which leverages cyber threat intelligence, its output and a continuous operation, through to the aggressive iterations of a footprinting and discovery mission lifecycles, which seek to leverage the adverse output of intelligence to accommodate input into the enhanced form of infiltration based on the discovery of some unknown unknowns (now known) revelations. I am talking about the operational black-team, working under the same rules as would hackers, attackers, hacktivists, organised cyber-criminals, and those state-sponsored attackers. I am referring to a mission that appreciates the organisational security policies, but who at the same time throw convention to the wind and work outside the bag (or box for the conventional). Above all, I am considering high grade, high value operations that will look to accommodate a much increased level of cyber-protection beyond the assumed protection that is served up out of standardized directives, such as PCI-DSS, security polices, and other tamed security missions. But the absolute ultimate goal of using such a black-team to operate under the unconventional terms of reference of Offensive Security, is to take the pen, pencil and any document which accommodates the placing of a tick, and committing it to the tray of compliance led ‘Soft Security.' So, back to the APT Summit—there I was, a little knotted up, and worried about this topic with an expectation of kick-back when it soon became spookily evident that the US world of state-side cyber operations, they were very much on the page as my own thoughts, and in a number of cases, at the leading edge of driving a change. It was also clear that the message that was coming through from Lance James (Deloitte) through to Garet Moravec, who was one of the key responders to the Lockheed Martin breach, was quite clear in that what we are doing today to deploy cyber defences needs to go up to a complete new level of appreciation if we are to robustly counter what may be referred to as the Criminal-Cyber-Success-Chain (CCSC). To compliment these valued opinions from the highly respect late Steve Gold (RIP), he told me that, when he asked the question of an accomplished set of German hackers about their skills and cyber capabilities, they responded ‘it is not the case that we are so smart, but more a case of the average organisation is deploying inadequate security’. Add to this a comment which was shared between a number of hackers, and other specialty groups on social media, which said:

‘Just listened to some ‘experts’ who were confused – this gives inspiration to hackers – as they [the security pro’s] don’t seem to understand the real threats :-) ’

It may be for some that conventional security, and tick-box security are enough to get them by on a wish-and-a-promise, and that the lustful eyes of accomplished cyber adversaries will miss them as a target. However, the opposing side may well be, if we are to reduce the overall impact of the current state of cyber threats; and we are to reduce the compensations that the ordinary users of banks and other such services suffer being impose to offset the losses we must try harder. And if we are still of the opinion that standardized security, policies and other soft mechanisms will accommodate the robust levels of security we are seeking – sorry to report, but they will not. When I went out to the US this last month, I was of the opinion I was a lone voice in the wilderness, but came back realising that at the APT Summit, I was in the company of some very forward-thinking and imaginative professionals, and thus when it comes to being offensive, the US and their approach to security should be viewed with an open mind when they follow the route of utilising legal offensive security to maximise the delivery of real-world, real-time robust levels of security – it is without doubt thankfully getting to be a very offensive place indeed. My closing remarks are thus. It was some years ago when I saw a CTO from McAfee comment on TV that ‘we are winning the cyber battle’ but I am left wondering just what went wrong? Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.