NetworkTigers discusses whether offensive cybersecurity is a better approach.
Most people consider cybersecurity defensive measures as barriers designed to protect systems from the outside world. However, administrators are beginning to embrace offensive cybersecurity tactics that seek out vulnerabilities and embedded threat actors instead of waiting for them to strike first. Some offensive techniques go so far as to antagonize threat actors once found. These newer tactics have many wondering: is going offensive a better investment than fortification?
Defensive cybersecurity explained
Defensive security sees administrators focusing mainly on blocking attacks with firewalls and antivirus/antimalware software. These tools prevent threats from breaking in and allow security teams to monitor network traffic for suspicious activity so they can react accordingly.
Defensive cybersecurity also encompasses the installation of any patches, software fixes and updates issued in response to weaknesses being discovered or exploited. Defensive security is a reactive philosophy in which threat actors are typically allowed to make the first move and, in turn, take the lead when defining security protocols.
Offensive cybersecurity explained
An offensive security implementation takes a more proactive approach to network safety by locating and identifying system vulnerabilities before threat actors can do so themselves. Offensive security may also involve administrators hacking back at threat actors to disrupt their operations or throw a monkey wrench in their attack instead of simply preventing it from taking hold.
Thinking like threat actors, offensive security teams are constantly probing systems for weak points. They do so using two main strategies: penetration testing and threat hunting.
A penetration test, or “pentest,” is an authorized attack on a network in which a security team uses the same techniques and tools as hackers to find exploitable entry points. Penetration tests can determine how robust a network’s defenses are, ensure data privacy and security comply with regulations and pinpoint any current or potential weaknesses.
Penetration testing methodologies vary slightly between teams and applications but generally encompass the following phases:
- Reconnaissance sees administrators collect information about the targeted network to create an attack strategy. Data is gathered from internet searches, leaks that may appear on the dark web, social engineering and any other private or public source that an attacker might use.
- Scanning allows penetration testers to examine a system and search for weaknesses. Scans are performed using appropriate tools based on findings gathered from the reconnaissance phase.
- Gaining access is the next goal and is attempted via any weak points found in the previous steps.
- Maintaining access is critical, as attacks take time to deploy. Penetration testers do what they can to hold access for as long as a real attacker would need to inflict damage on a network via malware, ransomware injection or data exfiltration.
- Reporting and cleanup are the final steps in the process. Administrators can look hard at any findings and make necessary changes to tighten security before rerunning the test.
Threat hunting actively seeks out bad actors that have already gained access to a system and may be hiding in the shadows. Carried out assuming that an attacker is already within the network, threat hunting looks for any activity that may indicate malicious intent.
For threat hunting to be effective, it must be carried out with a deep understanding of the network. Knowing the difference between normal behavior and something amiss helps to eliminate false alarms. It allows administrators to flag and investigate anomalies that may go unnoticed by those unfamiliar with the system.
Types of threat hunting
Threat hunting can be executed in several ways, depending on the network in question and the types of threats being searched for.
- Hypothesis-driven models see hunters use crowdsourced attack data to proactively seek evidence of known threats within the network without necessarily being prompted to do so.
- Intel-based hunting is reactive and performed using current Indicator of Compromise (IoC) data. If an indicator is apparent, the hunt is on.
- Advanced analytics and machine learning investigations are carried out based on situational circumstances that may indicate the potential for a threat. Using AI, huge amounts of data can be scanned for irregularities or deviations from the norm. Any red flags can then be investigated by a knowledgeable administrator to determine whether a threat is present.
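The intel-based and analytics-based hunts described above, as an added example that is not part of the NetworkTigers article: a small Python script that runs both over a handful of log lines. It matches every event against a list of known indicators of compromise (the intel-based hunt) and then flags hosts whose outbound traffic volume deviates sharply from the rest of the fleet (the analytics-based hunt). The log format, host names, IP addresses (TEST-NET ranges) and indicator values are all constructed for this illustration and stand in for whatever a real log source and threat-intel feed would supply.

```python
"""Added example, not from the NetworkTigers article: a minimal threat-hunting
pass combining intel-based hunting (known IoCs) with analytics-based hunting
(deviation from a baseline of normal behaviour). Everything below is constructed."""
import re
import statistics
from collections import defaultdict

# Constructed indicator list standing in for a threat-intel feed (hypothetical values).
KNOWN_BAD_IPS = {"203.0.113.77", "198.51.100.9"}      # documentation ranges, not real attackers
KNOWN_BAD_DOMAINS = {"update-check.example.invalid"}

# Constructed log lines in a simple "timestamp host event key=value..." form.
SAMPLE_LOGS = """\
2024-05-01T09:00:01 ws-01 login user=alice src=10.0.0.5
2024-05-01T09:00:07 ws-02 login user=bob src=10.0.0.6
2024-05-01T09:01:13 ws-01 dns query=intranet.example.invalid
2024-05-01T09:02:44 ws-03 login user=carol src=10.0.0.7
2024-05-01T09:03:19 ws-02 dns query=mail.example.invalid
2024-05-01T09:04:02 ws-04 login user=dave src=203.0.113.77
2024-05-01T09:04:30 ws-04 dns query=update-check.example.invalid
2024-05-01T09:05:00 ws-04 outbound dst=198.51.100.9 bytes=52428800
2024-05-01T09:05:01 ws-04 outbound dst=198.51.100.9 bytes=52428800
2024-05-01T09:05:02 ws-04 outbound dst=198.51.100.9 bytes=52428800
2024-05-01T09:05:03 ws-04 outbound dst=198.51.100.9 bytes=52428800
2024-05-01T09:05:04 ws-04 outbound dst=198.51.100.9 bytes=52428800
2024-05-01T09:05:05 ws-04 outbound dst=198.51.100.9 bytes=52428800
2024-05-01T09:06:10 ws-01 outbound dst=10.0.0.20 bytes=1024
2024-05-01T09:06:11 ws-02 outbound dst=10.0.0.20 bytes=2048
2024-05-01T09:06:12 ws-03 outbound dst=10.0.0.20 bytes=1536
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?: (?P<rest>.*))?$")


def parse_line(line):
    """Turn one log line into a dict; key=value pairs in the tail become fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
    for kv in (m["rest"] or "").split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def parse_logs(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def ioc_hits(records):
    """Intel-based hunt: every event that touches a known-bad IP or domain."""
    hits = []
    for r in records:
        for field in ("src", "dst"):
            if r.get(field) in KNOWN_BAD_IPS:
                hits.append((r["ts"], r["host"], "known-bad IP", r[field]))
        if r.get("query") in KNOWN_BAD_DOMAINS:
            hits.append((r["ts"], r["host"], "known-bad domain", r["query"]))
    return hits


def outbound_bytes_per_host(records):
    """Baseline feature for the analytics hunt: total outbound bytes per host."""
    per_host = defaultdict(int)
    for r in records:
        if r["event"] == "outbound":
            per_host[r["host"]] += int(r.get("bytes", 0))
    return dict(per_host)


def robust_outliers(values, threshold=3.5):
    """Analytics-based hunt: return {key: modified z-score} for entries far above the fleet.

    Median/MAD is used instead of mean/stdev on purpose: one compromised host moving
    far more data than its peers inflates the mean and standard deviation enough to
    hide itself (with n hosts the plain sample z-score can never exceed (n-1)/sqrt(n)).
    """
    if len(values) < 3:
        return {}                     # too little data to call anything "normal"
    med = statistics.median(values.values())
    mad = statistics.median(abs(v - med) for v in values.values())
    if mad == 0:
        # Baseline is essentially uniform, so any deviation at all is notable.
        return {k: float("inf") for k, v in values.items() if v != med}
    scores = {k: 0.6745 * (v - med) / mad for k, v in values.items()}
    return {k: s for k, s in scores.items() if s > threshold}


def hunt(text):
    """Run both hunts over raw log text and return the findings for an analyst to review."""
    records = parse_logs(text)
    return {
        "ioc_hits": ioc_hits(records),
        "outbound_outliers": robust_outliers(outbound_bytes_per_host(records)),
    }


if __name__ == "__main__":
    findings = hunt(SAMPLE_LOGS)
    for hit in findings["ioc_hits"]:
        print("IoC match:", *hit)
    for host, score in findings["outbound_outliers"].items():
        print(f"Outbound volume outlier: {host} (modified z-score {score:.1f})")
```

Both hunts surface the same constructed host, but for different reasons: the IoC matches need a current feed and say nothing about a threat the feed does not yet know, while the volume outlier needs no feed at all but depends on a sound notion of "normal", which is the point the article makes about knowing the network well enough to avoid false alarms. The choice of a median-based score is part of that: with a small fleet, a single noisy host can drag a mean-based baseline toward itself and disappear from a plain z-score.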
Risks associated with offensive cybersecurity
The biggest risk associated with offensive cybersecurity is collateral damage that may result from “hacking back” at an attacker. For example, let’s say hackers compromised a system belonging to a power plant or other component of critical infrastructure and then used it in a botnet or as a platform to deploy additional external attacks. An automated counter-offensive may result in punching back at the critical infrastructure’s network, potentially furthering the damage already caused and opening a can of worms both logistically and legally.
It’s easy to see how this type of security system could create chaos or even be weaponized by an outsider if not carefully administered and monitored.
Which cybersecurity methodology is better?
While the notion of repelling hackers before they get a chance to do their dirty work makes offensive cybersecurity an attractive idea, pentesting and threat hunting alone cannot adequately defend a system.
Threat actors attack from a wide range of angles using a variety of means to trick technology and human beings alike. They’re remarkably quick to adapt to security measures, patched updates and detection methods, so relying exclusively on one methodology is a recipe for disaster.
Unfortunately, the old adage “the best defense is a good offense” does not conveniently apply to cybersecurity, as professionals agree that maintaining network safety requires covering every base.
An all-encompassing security philosophy sees offensive techniques employed in addition to defensive measures that lock down network components, endpoints and devices with firewalls and antivirus detectors, ideally within a zero-trust environment.