Offensive Security

Security measures like firewalls and scanners, which are parts of defensive security, may help protect against known exploits, but they are ineffective against the constant barrage of new exploits. Offensive security measures are the only methods that help companies find and patch new exploits. As such, offensive security is a necessary component of a robust security strategy. Without it, a company can’t stay ahead of threat actors.

What is offensive security?

Offensive security experts use threat actors’ methods on your systems. These experts simulate attacks to identify hidden exploits. With knowledge of exploits and attack vectors, you can then patch these exploits before threat actors get to them.

Another way to think about offensive security is to compare it to other familiar security practices, specifically defensive security. Defensive security focuses on building robust defenses to prevent and ward off attacks. In contrast, offensive security is about discovering what attacks and exploits are possible. 

A successful security strategy isn’t an either/or—it should contain both offensive and defensive methods. Offensive security helps discover new exploits. Once those exploits are found, defensive security helps address the gaps.

Why pursue offensive security?

Offensive security is the only method that allows companies to identify new exploits before threat actors do. In security, unknown exploits can be the biggest cause for concern, primarily because most companies won’t have the defenses in place for these kinds of attacks. In contrast, while known attacks (like spear phishing) are worrisome, there are best practices to minimize the likelihood and fallout from these attacks.

Unfortunately, there are always new findings being added to the exploits list. This is in large part because security is a cat-and-mouse game. Companies patch their vulnerabilities and beef up their security. Subsequently, threat actors account for this and try new tactics, techniques, and procedures (TTPs) to find other exploits. Companies then patch up the new exploit before the cycle continues endlessly. Accordingly, companies can never rest on their laurels. However, by employing offensive security, the cat-and-mouse game can actually become an advantage to be leveraged by security experts. Hackers can be employed to probe systems with the TTPs that threat actors use. 

Offensive security is also technology-agnostic. Each offensive security test may be limited to probing only one specific technology, but the overall offensive security process transfers to new technologies immediately. Defenses for cloud exploits don’t transfer at all to AI exploits, but having a pen testing process allows you to swap in an AI security practitioner for a cloud security practitioner with minimal effort.

Lastly, offensive security improves with scale. The chances that any singular offensive security test will reveal serious exploits are low. But, by working with different experts, all with their niche methods, the chances increase significantly. In contrast, scale has a more limited effect on defensive security. Increasing the number of people working on a firewall might only increase its effectiveness by small amounts.

How does offensive security fit into your strategy?

Offensive security needs to be part of a larger risk management strategy, with defensive security playing a critical part. It doesn’t matter if you find every exploit possible if you don’t actually patch those exploits in your systems. When exploits are inevitably found and abused by threat actors, you will also need reactionary security measures to both minimize damage and implement mitigations for the future.

In the larger security scheme, offensive security works best as a complement to defensive security. Offensive security tests identify weak points and vulnerabilities in your systems. Additionally, they also reveal the exact methods used to take advantage of the vulnerabilities. With this information, you can set up defensive measures against these specific attack vectors. An ideal security process would be a loop. In this loop, the newly beefed up system (the output of the defensive security phase) can be fed as the input to the offensive security phase to both measure the new defenses’ effectiveness and to find new vulnerabilities. The cycle can then repeat.

Offensive security techniques and tools

Now that we understand the general offensive security methodology, let’s discuss how offensive security practices are actually carried out. First, we’ll cover the common methods used, and then we’ll go over useful offensive security tools. To use these methods and tools, specialized knowledge is required, so their implementation generally relies on collaborations with ethical hackers. When setting up offensive security practices, there are common tools that greatly assist the work of hackers. 

Common methods

Offensive security practices at their core involve thinking like a threat actor. Below, we cover the main methods that actually put this mindset into practice.

Red teaming

Red teaming is an exercise where an internal team (called the red team) attacks a company’s systems using the steps outlined in a predetermined playbook. The goal is to use threat actor TTPs to probe for and exploit vulnerabilities. One of the major benefits of red teaming is that it can uncover novel vulnerabilities, especially by probing systems with new techniques.

In some cases, a company may also employ a blue team. The blue team’s goal is to defend against red team intrusions during the exercise. In standard exercises, the red and blue teams do not directly communicate or interact until after the exercise is completed. 

Purple teaming is a variant that merges red and blue teams into one. Some members of the team focus on exploiting systems while other members focus on detecting and warding off intrusions. The significant differentiator is that the members of the team communicate throughout the exercise. This allows blue team members to get insight into the TTPs threat actors will use. Additionally, red team members can see how defenders ward off intrusions, allowing the red team members to modify their approach. The result is more sophisticated attacks and defenses during the exercises and in production.

The limitation of red teaming and its variants is that the exercise is constrained by the specialized skills that the members of your team possess. For example, if your team doesn’t have experience with the TTPs for credential access, then your red teaming process won’t yield credential vulnerabilities. You can, of course, hire someone with that skill, but finding the most suitable candidate may take months. It can also be inefficient to hire full-time employees just to fill skill gaps in red teams.

Crowdsourced testing

Crowdsourced testing is the process of contracting expert hackers to test your systems. Its main benefits are breadth and scalability. You can hire experts in many different security specialties, all with their own TTPs. By doing so, you’re more likely to find exploits in your systems. This information will then make your systems more resistant to a wide breadth of methods. Crowdsourced testing also scales well; it requires fewer resources and much less time, as it is significantly less costly to pay hackers per finding than hiring a full-time employee.

Additionally, the incentive structure of crowdsourced testing prioritizes speed and critical vulnerabilities. The first hacker to find a specific vulnerability earns the reward associated with a vulnerability. On top of that, P1 vulnerabilities pay out more than P2s, and so on. In the realm of crowdsourced testing, there are three main offensive security methods: vulnerability disclosure programs (VDPs), bug bounties, and penetration testing. We’ll discuss each in turn.

Vulnerability disclosure programs

VDPs are a secure way to engage external hackers in identifying vulnerabilities in a company’s systems. Companies set up their VDPs to make it safe for external hackers to report to the companies any vulnerabilities they find. Companies can then report these findings to other companies and fix the underlying vulnerability as well. VDPs signal to both threat actors and a company’s customers that the company takes security seriously and therefore will be more difficult (although never impossible) to exploit. 

VDPs are a low-pressure way to get started with offensive security because for companies, the process is mostly passive. Once a company has done the upfront work of setting up the VDP, hackers may find vulnerabilities of their own volition, with no contracting needed. 

Bug bounties

Bug bounties are similar to VDPs but go one step further—they offer monetary rewards to hackers who find vulnerabilities. The first hacker to discover a vulnerability receives a bounty, and different vulnerability levels are associated with different reward amounts. 

Bug bounties also differ from VDPs in that many bug bounties initially have a defined scope. The scope outlines what parts of a company’s system are eligible for testing and what kind of vulnerabilities companies are looking for. Any discovered vulnerabilities outside of this scope aren’t rewarded. The benefit of starting with a defined scope is that it can ease internal adoption initially and create an opportunity for learning. The downside is that the full attack surface won’t be considered—so most organizations either evolve toward the best practice of an open scope over time or run multiple engagements for specific assets.

Bug bounties are a common next step for companies who may already have a VDP.

Penetration testing

Penetration testing (or pen testing) involves hiring a hacker to simulate attacks against a company’s systems. Pen testing differs from bug bounties and VDPs in that it is active. In pen testing, a company pays specific hackers to attack its systems, often based on an industry-standard methodology. 

Since it’s an active process, pen testing is the best option when a company needs specific results in a defined timeframe, such as to ensure compliance with internal or external controls. Often, pen testing shows the best results when a company has a defined scope and is able to hire hackers that have the necessary skills for that scope. Additionally, pen testing usually ends with a detailed report of any vulnerabilities and potential patches, something that is not guaranteed with VDPs and bug bounties.

Pen testing requires more work to set up and costs more than bug bounties and VDPs. However, pen testing can also ensure that organizations meet compliance needs and requirements, so it’s a crucial part of an offensive security strategy.

Common tools

Hackers use many tools to perform a wide range of activities in offensive security, from vulnerability scanning and network traffic detection to penetration testing. When setting up your own offensive security practices, you’ll want to be familiar with the most common tools and methods.

Metasploit. Metasploit is both a framework and a tool used in penetration testing. Hackers can use Metasploit to develop and test exploit code against remote machines. The Metasploit framework is flexible, allowing users to create custom modules for attacks. Metasploit is so important in the industry that one blogger coined a law about it: “Casual Attacker power grows at the rate of Metasploit” (HD Moore’s Law). Metasploit also has a robust open source community supporting the framework.

Nmap. Nmap is a network scanning tool. With Nmap, hackers can find all the hosts and services on a network, see which ports are open (and which services are using them), and determine the operating systems of hosts. Hackers can also use Nmap’s scripting engine to automate scanning tasks. Nmap is free and open source.

Burp Suite. Burp Suite is a collection of tools that support end-to-end offensive security practices for web applications, from indexing (Burp Spider) and scanning (Burp Scanner) to proxies (Burp Proxy) and attacks (Burp Intruder). There are 20 different tools available across different product tiers (including a basic free tier). Users can also download extensions created by other Burp Suite users on the BApp Store.

ZAP. OWASP’s Zed Attack Proxy (ZAP) is the most popular web security scanner. ZAP is a “man-in-the-middle proxy” between servers and browsers. It automatically intercepts requests and responses to find both malicious requests and vulnerabilities. It can also send requests to the server to probe for further vulnerabilities. ZAP is completely open source as well.

Hackers use a wide variety of tools in pursuit of offensive security, but the ones listed above are the must-know tools.

Objections to offensive security

So, offensive security works. The big question left is: How can you implement offensive security in your company? As we mentioned before, there are some obstacles that make it a bit harder to implement offensive security than reactive/defensive security. We’ll go through each obstacle to offensive security one by one and talk through ways to overcome them.

Effectiveness of offensive security

The numbers speak for themselves. As we have already covered, the DoD has found over 2,100 vulnerabilities through their bug bounties and VDPs over the last few years. Another example is from the Cybersecurity and Infrastructure Security Agency (CISA). CISA mandated VDPs for 40+ federal organizations, including NASA, Homeland Security, and the Department of the Treasury (all of which hosted their VDPs with Bugcrowd). In 2022 alone, hackers found 1,330 vulnerabilities via these VDPs. 274 of these vulnerabilities were classified as severe, and 84% were thereafter remediated. Furthermore, bug bounties on Bugcrowd have shown a 240% ROI.

Another point to consider is missed opportunities. In a survey we ran, 58% of hackers chose not to disclose a vulnerability they had discovered because the company didn’t have a way for them to report it without legal consequences. The takeaway is that offensive security may already be working for your company, but there’s just a small obstacle in the way of seeing the results.

Resources required for offensive security

In a world of decreasing security resources, it can be hard to justify new security approaches when the existing backlog of unpatched vulnerabilities is continuing to grow. It’s hard enough to patch existing vulnerabilities and set up defensive measures. Thankfully, there are low-cost ways to start with offensive security, namely VDPs.

VDPs require a small amount of upfront effort to set up. Our Ultimate Guide to Vulnerability Disclosure delves into the details, but with Bugcrowd, the effort can be minimized even further. The Bugcrowd platform makes it easy to document the principles, scope, and intake method of your VDP. Additionally, Bugcrowd sources, triages, and sends reported vulnerabilities to you to then remediate.

Another way offensive security may not match company resources is that a company’s employees may not be familiar with threat actors’ TTPs. Crowdsourced testing as a whole is the solution to this problem. For example, hiring a pen tester makes it easy to acquire the specific skills required to run a test. The alternative, hiring people to supplement your team, would take significantly more time and money. Hiring full-time team members also may not guarantee that you have the full breadth of skills necessary to test all your systems.

Bugcrowd as an offensive security tool

Let’s say we have convinced you of the importance of offensive security and that you have the resources to spin up an offensive security program. The last obstacle you might be figuring out is how to actually get started. What’s the first step you should take to set up your program?

Bugcrowd makes that first step easy. We work with you to define the attack surface of your system and prioritize the components for testing. With all this in place, you could define your VDP in a day. For bug bounties and VDPs, we find hackers with skills that exactly match your needs. We also prioritize reported vulnerabilities (according to our Vulnerability Rating Taxonomy) and provide recommendations to ensure any found exploits are patched quickly. 

Once your crowdsourced offensive security program has been set up, your organization becomes far more adaptable to security threats. You’ll be able to find vulnerabilities and create defensive measures to patch them. You can then test the effectiveness of your defensive measures and find any new vulnerabilities. This cycle can be repeated continuously, giving you far better protection than point-in-time security measures.

As technology cycles come and go, your offensive security program will help you adapt as quickly as threat actors and hackers do, letting you stay effectively one step ahead.