
Organizations spend a lot of time, money and effort on defensive cybersecurity tools and techniques like vulnerability scans, endpoint detection and response (EDR), firewalls, and security information and event management (SIEM).

These are all great at telling you where your weak points might be. But only offensive measures that try to break into your systems can tell you where your weak points actually are.

“The best way to secure an environment is to test it like a real adversary would,” writes Wyatt Wilson, Senior Offensive Security Expert at Horizon3.ai and an experienced penetration tester. “It’s not just about scanning for vulnerabilities — it’s about finding and using credentials, chaining weaknesses, escalating access, and seeing how far I can go or what I can find.”

Finding the real threats

Penetration testing, red teaming, adversary simulation and other offensive-security techniques validate whether known vulnerabilities (tracked as Common Vulnerabilities and Exposures, or CVEs) are actually exploitable in your environment by taking the adversarial position and attempting real-world attack techniques, from network penetration to phishing lures.

“Offensive security shifts the mindset from compliance to confirmation,” says a Horizon3.ai blog post. “It challenges assumptions, exposes blind spots, and drives remediation before attackers strike.”

Adversarial techniques save you time because you won't have to chase down flaws that aren't exploitable in practice, for example a software flaw on an air-gapped server that can be reached only with administrative credentials from a local terminal.

“These [security] teams are running around all day long trying to patch, patch, patch, patch, patch, patch all these systems, but they don’t know which ones are the highest priority,” explains Stephen Gates, Principal Security Subject-Matter Expert at Horizon3.ai. “They don’t know which ones are the most at risk.”

Offensive methods can also discover weaknesses you didn’t know existed, such as accounts with weak passwords or without multi-factor authentication, excessive user permissions, obscure attack paths, and cloud or application misconfigurations.

In his blog post, Wilson detailed how Horizon3.ai's automated pen-testing tool NodeZero took over a targeted organization's systems in 20 minutes without exploiting a single known vulnerability.

First the tool logged into an application on a Windows host using the application's default credentials, a username and password that had never been changed. It then found a second set of credentials in a database configuration file on that Windows host. Those credentials also granted SSH access to a Linux host, where a credentials file held domain-administrator credentials. Game over.
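The chain above is a credential-harvesting loop: log in, read whatever files the new foothold exposes, pull any credentials out of them, and try those against the next host. The script below is an added example, not code from the page or from Horizon3.ai, that reproduces the shape of that loop over constructed in-memory data. The host names, file paths, usernames and passwords are all invented for the example, and the "login table" stands in for the real authentication attempts a tool or a tester would make against each host.

```python
"""Credential harvest and attack-path walk over constructed sample data.

Added example, not from the original page. Everything below is invented:
hosts, paths, accounts and secrets exist only in this file.
"""
import re

# Constructed sample filesystems: host -> {path: file contents}.
SAMPLE_HOSTS = {
    "win-app01": {
        "C:/inetpub/app/web.config": (
            '<connectionStrings>\n'
            '  <add name="Main" connectionString="Server=lnx-db01;'
            'User Id=svc_db;Password=Summer2024!;" />\n'
            '</connectionStrings>\n'
        ),
    },
    "lnx-db01": {
        "/opt/backup/.creds": "username=da_admin\npassword=Corp@dmin99\n",
    },
    "dc01": {},
}

# Constructed stand-in for "does this credential log in here?": the set of
# (host, username, password) triples that would succeed.
SAMPLE_LOGINS = {
    ("win-app01", "admin", "admin"),         # application default credential
    ("lnx-db01", "svc_db", "Summer2024!"),   # DB account reused for SSH
    ("dc01", "da_admin", "Corp@dmin99"),     # domain administrator
}

# ADO.NET-style connection strings: "User Id=...;Password=...;"
CONNSTR_RE = re.compile(
    r'User\s*Id\s*=\s*([^;"\']+)\s*;\s*Password\s*=\s*([^;"\']+)', re.I)
# key=value / key: value lines in .env, ini and ad-hoc credential files
USER_RE = re.compile(
    r'^\s*(?:user(?:name)?|login)\s*[=:]\s*["\']?([^"\'\r\n]+?)["\']?\s*$',
    re.I | re.M)
PASS_RE = re.compile(
    r'^\s*(?:pass(?:word|wd)?|pwd|secret)\s*[=:]\s*["\']?([^"\'\r\n]+?)["\']?\s*$',
    re.I | re.M)


def harvest(text):
    """Return (username, password) pairs found in one file's contents."""
    found = [(m.group(1).strip(), m.group(2).strip())
             for m in CONNSTR_RE.finditer(text)]
    # Pair key=value usernames with key=value passwords in order of appearance.
    found.extend(zip(USER_RE.findall(text), PASS_RE.findall(text)))
    return list(dict.fromkeys(found))  # de-duplicate, keep order


def walk(hosts, logins, seed):
    """Starting from one known credential, expand access until nothing new
    logs in. Returns (host, username) pairs in the order they fell."""
    known = {seed}
    owned = []
    progress = True
    while progress:
        progress = False
        for host, user, pw in sorted(logins):
            if any(h == host for h, _ in owned):
                continue
            if (user, pw) in known:
                owned.append((host, user))
                for contents in hosts[host].values():
                    known.update(harvest(contents))
                progress = True
    return owned


if __name__ == "__main__":
    for step, (host, user) in enumerate(
            walk(SAMPLE_HOSTS, SAMPLE_LOGINS, ("admin", "admin")), 1):
        print(f"{step}. {host} as {user}")
```

Run it and the seed credential ("admin"/"admin") reaches the domain controller in three hops, exactly the pattern the text describes, with no software vulnerability involved. A defender can run the `harvest` half on its own configuration repositories and backup shares to find the same plaintext secrets before a tester or an adversary does; the regexes here cover only two common file shapes, so treat them as a starting point rather than a complete scanner.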

“Not a single CVE was exploited in order to achieve this result,” Wilson wrote. “Weak passwords and misconfigurations can possibly pose a greater risk to an organization.”

The targeted organization would never have known about those weaknesses without the pen test. It would have been a sitting duck for any adversary using common scanning and penetration tools. Granted, NodeZero's automation made the process a lot faster than a manual penetration test would have been, but the end result was the same.

Learning what works and what doesn’t

Offensive security can also stress-test your defensive tools and techniques. For example, EDR tools and their close cousins, extended detection and response (XDR) tools, are meant to detect and respond to malicious activity on PCs and servers, including exploitation of software vulnerabilities and other weaknesses.

But how can you tell whether they really work? Gates says that pen testers will sometimes get completely past EDR software without being detected.

“We’re like, ‘Wait a second, we just exploited this device. We just loaded a remote access tool on it and the endpoint detection and response did not even see what we just did,'” Gates explains. “The organizations can now say, ‘Our EDR is not working, or it’s not configured properly, or we’ve got some blind spots.'”

Likewise, NodeZero can audit Active Directory passwords and tell client organizations which accounts need stronger credentials.

Finding and fixing the weaknesses of your defensive tools will go a long way toward making your organization more secure. Those weaknesses won’t show up on any vulnerability scanner. Only offensive techniques will uncover them.

Two sides of a single coin

That’s not to say defensive security should be abandoned. It’s just not the whole story.

Practicing both offensive and defensive security is essential to optimizing your security posture, and both are central to the emerging discipline of exposure management (also known as continuous threat exposure management, or CTEM), which stresses proactive as well as reactive discovery and remediation.

“Offensive and defensive security are not opposites — they’re complementary,” explains a Horizon3.ai blog post. “When combined, they close the gap between assumed security and proven resilience.”

So how can you implement offensive security in your organization? The tried-and-true way is to hire a penetration-testing firm to try to break into your systems.

But it will take the pen testers a few weeks to perform and report on their tests, the process will be disruptive, and you probably won’t have the patience for it more than a couple of times a year.

Today, there are numerous cloud-based, automated pen-testing tools like NodeZero that you can run several times a week, or even every day, without undue disruption to your workplace.

Like the "Chaos Monkey" tool that randomly terminates instances in Netflix's cloud environment to prove the service survives, an automated, rapidly acting pen-testing tool will eventually become background noise as it makes your systems more resilient as well as more resistant to attack.

“Offensive security isn’t about breaking things,” says Horizon3.ai. “It’s about proving what’s broken before it breaks you.”