The cybersecurity landscape has been deforming under an ever-increasing number of cyber attacks. The resulting chaos from cyber warfare has destructive effects across industries, mainly because the threat dynamics, intensity, and complexity keep changing.
It is high time we responded to this chaos by evolving our practices from a reactive approach to a proactive one. This is where offensive security and threat hunting come into the picture. Read on to learn why offensive security (OffSec) is the need of the hour and where threat hunting fits in our network security framework.
What is Offensive Security?
Do a quick search on Google for offensive security, and you’ll see various definitions spring up on the search result page. However, the definition that comes closest to offensive security is the definition of red teaming, which is:
“The practice of viewing a problem from an adversary or competitor’s perspective.”
As they say, to catch a criminal, you need to think like one. The same goes for cybersecurity professionals: you need to think like a hacker. This new mindset has enabled network security professionals to evolve their approach and develop more sophisticated methods to hunt attackers and neutralize threats.
The network security landscape has evolved over the years. But so have the threat actors and their nefarious practices. To put things into perspective, the average cost of a data breach in 2022 is USD 4.3 million.
Therefore, security professionals must up their game and think outside the box to hunt down perpetrators and neutralize their operations. For that, they need to be familiar not only with the perspective of adversaries but also with the tools they use.
The study of those tools and how to apply them to counter-attack hackers, seek out vulnerabilities, and patch them is what we call ethical hacking. When security professionals unify their knowledge of ethical hacking and penetration testing (testing vulnerabilities in any network), they create a more offensive or proactive framework for preventing data breaches.
Offensive security is distinct from its counterpart, the traditional passive or reactive security practice. In a reactive security environment, security professionals put all their effort into mitigating threats resulting from the chaos that has already hit.
However, in an offensive security environment, security teams proactively hunt down the attackers, nullify an attack as it happens, and reinforce network defenses to prevent future threats.
The Maturity Phases of Offensive Security
Depending on its budget, infrastructure, and security needs, an organization may sit at one of the following four primary maturity levels of an offensive security framework. Let’s discuss each phase briefly.
The first maturity level of offensive security involves leveraging vulnerability scanners for exploit hunting. It enables ethical hackers to identify and classify potential exploits or security holes. Vulnerability scanning is fast and delivers actionable insights. Moreover, it can be set up for periodic automated scans to detect network flaws.
Although vulnerability scanners have several benefits for detecting exploitable flaws, they are not always completely effective. To be exact, vulnerability scanners may detect most flaws in a network, but there’s always a high chance that the tool misses many advanced vulnerabilities.
Secondly, these scanners require continuous and timely updates to find the latest security vulnerabilities, and they may bombard users with false positives at times. All things said, vulnerability scanning provides a starting point for teams to get a baseline of data security that lays the path for further testing and remediation.
Penetration testing is a more mature approach to hunting and remediating security flaws in a network. Pentesting is carried out by penetration testers who probe networks, resources, or applications for security holes and exploit them to prove impact. Unlike vulnerability scanners, which are limited in their scope, penetration testing is more advanced and complex.
In pentesting, penetration testers go beyond what the traditional vulnerability scanners do. They look for vulnerabilities using complex pentesting techniques like SQL injection, social engineering, or phishing, to name a few. This approach allows pentesters to look for a wide range of vulnerabilities that often go undetected via traditional scanners.
However, penetration testing is like a double-edged sword. On the one hand, it may enable teams to perform complex testing to detect advanced vulnerabilities. On the other hand, it may harm the network or assets if the rules of engagement or testing aren’t properly followed. On a similar note, it might end up causing a real cyber attack.
Red Teaming & Blue Teaming
A more mature and capable organization may have an enhanced offensive security framework in the form of red teams and blue teams. Red teams comprise a highly specialized group of experts whose sole focus is to perform a continuous barrage of attacks to penetrate an organization's cybersecurity defenses and find vulnerabilities.
The team is balanced out by its counterpart, the defensive blue team. The primary purpose of the blue team is not only to defend against the continuous attacks of the red team but also to respond accordingly. The combined efforts of both teams enable them to set up effective countermeasures against adversaries and prevent data breaches.
The red teaming framework gives organizations a distinct benefit as they can cover more ground due to the high number of experts in the field and find more vulnerabilities. Plus, with the presence of a defensive group, they can remediate vulnerabilities as they are discovered.
However, there’s also no denying that not every organization can afford this maturity model of offensive security because it is resource-intensive and highly expensive. Moreover, it is vital for the success of both teams to be on the same page in that the red team communicates their findings properly so that the blue team can defend and remediate the vulnerabilities effectively.
The last and most mature phase of offensive security is adversary emulation. At this stage, your organization is well familiarized with red teaming and blue teaming activities. Now you take it up a notch and introduce the adversary emulation module, where you enable teams to go all out and use the same real-world tactics, techniques, and procedures (TTPs) that adversaries use.
There are established libraries where your team finds tactics, techniques, and procedures that are usually leveraged by real threat actors to conduct cyber attacks. Your team uses the same TTPs to perform real-world attacks on your systems to detect and remediate security threats or flaws.
Adversary emulation is also an ideal framework to test and verify the effectiveness and efficiency of your blue team’s defensive techniques for detection, prevention, and remediation.
Threat Hunting - An Effective Offensive Security Practice
Threat hunters are a breed of offensive security experts who leverage cyber threat intelligence or historical security data to look for vulnerabilities and hunt down attackers.
Threat hunters believe that no network is ever completely impenetrable. In fact, a network may already contain threat actors who have ingeniously slipped past the first layers of cyber defenses.
Assuming that the network might be harboring an adversary, threat hunters look for unusual activities, such as excessive access privileges being exercised or unusually frequent access to sensitive data systems, and set up countermeasures against any malicious activity they find.
The 3-Step Process of Cyber Threat Hunting
The cyber threat hunting process can be simple as well as complex. It depends on the organization’s network infrastructure and security model. Some organizations may have long and complex steps in the hunting process. However, under usual circumstances, a threat hunting process may involve the following three steps:
1) Threat hunters begin the process with a hypothesis that acts as a trigger. The hypothesis may revolve around existing vulnerabilities in a network, or it may be based on historical data resulting from cyber threat intelligence. Accordingly, the hunters use their expertise, knowledge, and tools to frame the hypothesis and proceed to the next step.
2) Once the hypothesis is established, threat hunters begin the investigation step. During this process, the team uses various threat-hunting solutions to further their investigation, find potentially malicious activities or threats, and establish whether each activity is threatening or benign.
3) The third and last step is the response phase. In this phase, threat hunters prepare a threat intelligence report covering both the benign and the malicious findings and communicate it to security teams so they can develop effective response strategies and execute them.
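The three steps above, together with the "frequent access to sensitive data systems" hunt mentioned earlier, can be carried out over plain access logs. The following is an added example written for this article, not code from the author or from any product named here. It assumes a constructed, aggregated access-log export (daily per-user, per-host counts, as a SIEM might produce), constructed host names (`hr-db01`, `payroll-app`, `finance-share`), and a constructed change-ticket allowlist (`APPROVED_BULK_ACCESS`). Step 1 builds a per-user baseline from historical data, step 2 flags user-days that exceed that baseline (treating accounts with no history as a zero baseline), and step 3 separates spikes backed by an approved ticket from those that go to incident response.

```python
"""Hypothesis-driven threat hunt over constructed, aggregated access-log data."""
import csv
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO
from statistics import mean, pstdev

# Hosts the hypothesis treats as sensitive data systems (constructed names).
SENSITIVE_HOSTS = {"hr-db01", "payroll-app", "finance-share"}

# Constructed sample data: daily per-user, per-host access counts as a SIEM
# aggregation might export them. Not real telemetry.
HISTORICAL_CSV = """date,user,host,access_count
2022-09-01,alice,hr-db01,2
2022-09-02,alice,hr-db01,3
2022-09-03,alice,hr-db01,2
2022-09-04,alice,hr-db01,3
2022-09-05,alice,hr-db01,2
2022-09-01,alice,wiki,20
2022-09-01,bob,payroll-app,1
2022-09-02,bob,payroll-app,1
2022-09-03,bob,payroll-app,2
2022-09-04,bob,payroll-app,1
2022-09-05,bob,payroll-app,2
"""

RECENT_CSV = """date,user,host,access_count
2022-10-03,alice,hr-db01,2
2022-10-04,alice,hr-db01,7
2022-10-04,alice,finance-share,5
2022-10-03,bob,payroll-app,9
2022-10-04,carol,hr-db01,4
2022-10-04,dave,payroll-app,1
2022-10-04,dave,wiki,40
"""

# Constructed change-ticket allowlist consulted during investigation:
# (user, date) -> approved reason for bulk access.
APPROVED_BULK_ACCESS = {("bob", "2022-10-03"): "CHG-0042 payroll year-end export"}


@dataclass
class Finding:
    user: str
    date: str
    count: int
    threshold: float
    new_account: bool  # True when the user has no history in the baseline
    verdict: str = "suspicious"


def parse_rows(text):
    """Parse the aggregated CSV export into dicts with an integer count."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["access_count"] = int(row["access_count"])
    return rows


def sensitive_daily_totals(rows):
    """{user: {date: total accesses to sensitive hosts}}; other hosts ignored."""
    totals = defaultdict(lambda: defaultdict(int))
    for row in rows:
        if row["host"] in SENSITIVE_HOSTS:
            totals[row["user"]][row["date"]] += row["access_count"]
    return totals


def build_baseline(rows):
    """Step 1 (hypothesis): per-user mean and population stddev of daily
    sensitive-host accesses, computed from the historical export."""
    return {user: (mean(days.values()), pstdev(days.values()))
            for user, days in sensitive_daily_totals(rows).items()}


def hunt(recent_rows, baseline, sigma=3.0, min_count=3):
    """Step 2 (investigation): flag user-days exceeding mean + sigma*stddev.
    The min_count floor stops a flat baseline from flagging single accesses.
    Users absent from the baseline (new or dormant accounts) get a zero
    baseline, so any access above the floor is surfaced for review."""
    findings = []
    for user, days in sensitive_daily_totals(recent_rows).items():
        mu, sd = baseline.get(user, (0.0, 0.0))
        threshold = max(mu + sigma * sd, float(min_count))
        for date in sorted(days):
            if days[date] > threshold:
                findings.append(Finding(user, date, days[date], threshold,
                                        user not in baseline))
    return findings


def triage(findings, approved):
    """Step 3 (response): separate benign spikes backed by an approved ticket
    from the ones that need an incident-response hand-off."""
    for f in findings:
        if (f.user, f.date) in approved:
            f.verdict = "benign: " + approved[(f.user, f.date)]
    return {"suspicious": [f for f in findings if f.verdict == "suspicious"],
            "benign": [f for f in findings if f.verdict != "suspicious"]}


def run_hunt():
    baseline = build_baseline(parse_rows(HISTORICAL_CSV))
    return triage(hunt(parse_rows(RECENT_CSV), baseline), APPROVED_BULK_ACCESS)


if __name__ == "__main__":
    for verdict, items in run_hunt().items():
        for f in items:
            print(f"{verdict:10s} {f.user:6s} {f.date} count={f.count} "
                  f"threshold={f.threshold:.1f} new_account={f.new_account} {f.verdict}")
```

On the constructed data, alice's 12 accesses on 2022-10-04 (against a baseline of roughly 2.4 per day) and carol's 4 accesses from an account with no history both land in the suspicious bucket, while bob's spike is matched to the approved ticket and reported as benign. The report dictionary is what the hunters would hand to the security team in step 3; in a real deployment the CSV strings would be replaced by a query against the SIEM, and the allowlist by the change-management system.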
Prerequisites for Successful Threat Hunting
Threat hunting is not only resource-intensive but also highly complex and expensive. An organization must consider the following prerequisites to establish an effective threat hunting framework.
- Expert Hunters: A capable team is always behind the success of every business operation. A threat hunting team requires specialized hunters who have an in-depth understanding of ethical hacking and penetration testing as well as hands-on experience.
- Tools: Threat hunters need to be equipped with the right set of tools and resources to be productive and efficient in hunting flaws and threat actors. With threat intelligence tools like Maltego and Sqrrl, threat hunters can effectively detect hidden vulnerabilities in a network and determine how complex they are.
- Baseline Security Data: Historical data is a must for developing threat intelligence. Data enables teams to see the historical pattern of various known vulnerabilities and to anticipate unknown vulnerabilities hidden within them.
This more evolved, proactive mindset makes threat hunters more efficient at detecting vulnerabilities and ensures they never let their guard down. Offensive security is the future of cybersecurity, but it will take years to mature, as we still lack enough people who qualify as capable threat hunters.
Anas Baig is a Product Manager at Securiti.