The practice of offensive cybersecurity defines a mature Information Security and IT Security posture against the risk of emerging threats that seek to steal the organization's highest-value asset: information. It is also essential for transferring the knowledge needed to form a Purple Team.

Offensive cybersecurity executes controlled operations against IT and OT assets to discover vulnerabilities, verify that they can actually be exploited, reach further into the network through lateral movement, and measure the impact on the asset, the network and the business. It also provides remediation recommendations to correct the limitations or flaws discovered, improving the policy posture and the design of processes and mitigating technological vulnerabilities, which effectively reduces security risk.

Offensive cybersecurity is carried out by specialists with mastery and operational knowledge of the art of hacking (capabilities, skills, creativity, perseverance, self-learning and ethics) and of the tools designed for reconnaissance, scanning, vulnerability analysis, exploitation, lateral movement, establishing command and control, and exfiltrating information.

Offensive cybersecurity includes several ways of executing security evaluations:

  • Continuous Offensive Cybersecurity
  • Red Team
  • Pentest as a Service (PTaaS)
  • Pentesting
  • Pentest in Infrastructure
  • Pentest in Applications
  • Ethical Hacking
  • Vulnerability Scanning

Continuous Offensive Cybersecurity

Continuous offensive cybersecurity can be scoped to any scenario (evaluations of infrastructure, applications and cloud, wireless hacking, social engineering and physical security evaluation), since these operations are contracted by time (1 year, 3 years). It provides continuous visibility of the findings, so the progress of vulnerability management can be measured, and delivers real-time reports and early warnings of new vulnerabilities that are being exploited in the wild. This is a major differentiator compared to automated vulnerability analysis tools, which have no defined, prudent time for loading the new check that validates a new vulnerability, leaving a window of several days.

Depending on the organization's level of maturity, either a Red Team or Pentest as a Service (PTaaS) is applied. Red Team applies when the company is mature, with policies, standards, guidelines, a SOC and a CSIRT; Pentest as a Service applies when the organization is still developing its Cybersecurity, Digital Security or Computer Security maturity.

The scope of the objectives is established by the Team Leader (senior operator). This leader is responsible for ensuring that operations do not generate a negative impact on the business and, based on experience, defines the network segments to be evaluated. In OT, greater care is taken with the exploitation of an asset (SCADA, HMI, PLC, etc.), which by its nature requires explicit approval from the security council or the CISO. It is difficult to obtain exploitation approval once the senior operator reaches the OT network: given the large number of obsolete systems present, executing an exploit is risky because it can corrupt the system of a component that costs thousands of dollars. In this scenario the aim is to identify weaknesses at the network level, that is, to find the access point from the IT network into the OT network in order to work on an effective control, or to add efforts to monitor IOA (Indicators of Attack) in the OT network.

Pentesting / Ethical Hacking

Pentesting and ethical hacking have a limited scope, both in objectives and in time (3 days, 15 days, 1 month). The short time is usually a problem, since it does not allow evaluating all the services of the objectives or detecting all the possible attack vectors in the evaluated application.

Another major problem is an erroneous definition of the scope of assets to be evaluated: the CISO of the client organization, through lack of knowledge or poor advice, sets a large number of objectives to evaluate in a short time. This forces the provider into bad practices such as running only an automated vulnerability scan and presenting the tool's report (this is not pentesting or ethical hacking). There is also a lack of sincerity on the provider's part about the ideal scope of an evaluation, which may be because inexperienced junior operators are hired. Both the unknowing provider and its inexperienced operators end up delivering a poor service with little value for the customer.

It must be clear that automated tools that emulate the full cycle of offensive cybersecurity are not efficient, and are useless in an IT production environment, because multiple cybersecurity solutions with ML (machine learning) will block activities such as scanning and known exploits for CVEs (Common Vulnerabilities and Exposures). Likewise, these solutions do not think like a human being; they lack creativity and only follow basic programmed flows already mapped in current threat modeling frameworks. To be certain about this, we analyzed a Vulnerability Scanning evaluation: it requires whitelisted permissions to operate, since the automated tool generates a lot of noise on the network and therefore causes the IP assigned to the tool to be blocked immediately. So, thinking that what works in a hacking laboratory or course, where there are no defenses, will give the same results in a real or production environment is a fantasy, with few exceptions.

Vulnerability Scanning

Automated Vulnerability Scanning is applied in organizations that are in the initial phase of implementing Information Security and Cybersecurity, or in organizations that do not have these areas due to lack of budget, allowing the identification of multiple vulnerabilities in the evaluated assets. As mentioned before, in mature organizations the scanner must be added to the whitelist so that the scanning operation is not blocked. That said, this evaluation is far from simulating a real attack.

R4Y0H4CK is kind enough to share a framework, based on years of experience in advanced offensive operations evading cybersecurity controls, for fine-tuning.

The advantage of having experienced offensive cybersecurity operators, capable of directly exploiting services while evading cybersecurity solutions, is clarity on how an advanced attacker (cyberspy, cybermercenary) manages to evade defenses. This is where the need to apply threat hunting in the network to discover IOA (Indicators of Attack) becomes clear; here the Blue Team stops being reactive and becomes proactive, assumes zero trust, and evolves into the Purple Team.

The criticality of the vulnerability defines the time allowed for its remediation by the person responsible for the risk, according to the vulnerability management plan; the remediation is then validated through a retest.

Always remember: "Knowledge prepares you to fight cybercrime" (R4Y0H4CK).

"If you know the enemy and you know yourself, you need not fear the outcome of hundreds of battles. If you know yourself but not the enemy, for every victory you win you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle" (Sun Tzu).

Share the knowledge with your contacts and please acknowledge the credits for this work; we would greatly appreciate feedback on your favorite social network.