You probably don’t remember swapping your slacks for camo fatigues, but you are on the frontline of a cyberwar. As cliche as it sounds, the digital environment surrounding your organization creates a level of operational risk close to that of a kinetic conflict. In order to adequately prepare for the modern threat landscape, security teams need new strategies to keep up. By practicing offensive security on their own attack surfaces, organizations can close off vulnerabilities before attackers can take advantage.
Ransomware attacks happen every few seconds, shutting down many companies that fall victim to them. Malware and other attacks come from unexpected vectors, at least 33% of which you don’t even know exist. And with the fog of war getting denser and the volume of evasive and human-operated threats larger, attack chains are often impossible to predict or even figure out after the fact.
This was all true even before Russia invaded Ukraine. From China to Iran to international cyber gangs, there has long been a who’s who of threat actors targeting your organization. Some of them are ideologically driven, funded either in whole or in part by their governments. More are only thinking about profit and see your company as a cashout opportunity. But, increasingly, many cybercriminals have blurry motivations, often a mix of patriotism and financial gain. As seen in the case of Costa Rica’s ongoing “war” with ransomware gangs, which has gone beyond a simple case of extortion, threat actors can be driven by all kinds of reasons. Regardless, you don’t want to be a target.
With trillions of dollars at risk in the next few years, cyber war is here. The one thing you cannot afford to do in response is hunker down. Faced with attacks from multiple angles and through so many pathways, falling back on reactive security, remediation, or some perfect idea of what a security posture should look like is not going to work. Whether through harder-to-detect malware, new extortion methods, complex social engineering, or something else entirely, criminal innovation thrives when defense stays still. You might have been lucky against cyber criminals so far. Still, to cause a devastating attack, attackers only need to get lucky once—see Colonial Pipeline, SolarWinds, or any other headline-making cyber attack for evidence.
Unless an organization fights back by switching to the offense, it will end up as another low-hanging fruit in a target-rich environment.
Offensive Security Essentials
Taking the offensive is being proactive with how your company does cybersecurity. Instead of waiting for threat actors to find vulnerabilities, practitioners of offensive security find them first.
A good way to picture how this works and why it is now critical, in a high-level sense, is to map proactive security to the People, Process, and Technology (PPT) model.
People
First of all, consider people—namely the individuals attacking your organization. These men and women are often incredibly talented hackers. With a few tweaks to geography and circumstances, many of them could easily be on your side of the cyber frontline.
Innovative and highly motivated, when these threat actors look at your organization, they are not thinking about vulnerabilities or devices. Instead, they are only looking for targets. This means they will be searching your attack surface forensically and probing every part for exploitable vectors.
In an inverse of Linus’s law, with so many trained eyes looking at your environment, you will never be able to patch your way to safety. Proactive organizations know this and understand that attackers and their techniques are dynamic and ever-changing. In response, proactive defense is also never static, and controls are created and adjusted based on how vulnerabilities develop.
Processes
After people comes the process of testing security controls—something that can’t be done on an annual or semi-annual basis. Your IT environment is constantly changing, and the snapshot you have from last quarter, or even last week, is likely out of date.
Compliance with frameworks like NIST is essential but should never be the end goal of your security strategy. Instead, as a proactive security professional, you need to probe your defenses constantly to gain deep situational awareness. This is something that needs to happen 24/7/365. Because threat actors don’t take weekends or holidays off, you, or at least your security posture, can’t either.
Technology
Backing up the processes of proactive defense is a new generation of technology that automates a part of the offensive security process and makes it possible for defenders to see more of their attack surface.
By turning security testing into a continuous process, External Attack Surface Management (EASM) solutions are the number one priority for large enterprise cybersecurity investment in 2022. Randori’s Continuous Automated Red Teaming (CART) solution is a market leader in this category.
It’s Time to Get Mission-Focused
The reality of day-to-day organizational life means distraction is everywhere. Although more people than ever know how critical cybersecurity is, it’s still never been easier for those responsible for it to get derailed with details. Unexpected but inevitable demands, misunderstandings, and roadblocks from above and below can turn even the most straightforward security initiatives into bureaucratic nightmares.
As cyber risk spirals, the core mission of cybersecurity to prevent cyber attacks must be front and center. No organization at any scale in operation today can afford to leave itself undefended.
Cybercrime is a low-risk, high-return operation for threat actors. As the world becomes more unstable, it will become an ever bigger problem. For the professionals and teams tasked with stopping them, offensive security is a game-changer.