
You Against the World: The Offender's Dilemma

Foreign attackers have many more toolsets at their disposal, so we need to make sure we’re selective about our modeling, preparation and how we assess and fortify ourselves.

In February, we saw a very large and interesting data leak from I-S00N, a Chinese company offering adversarial services for clients including the Chinese Ministry of Public Security, Ministry of State Security, and People’s Liberation Army. 

The leak offered details of compromise within at least 14 governments, custom hardware snooping devices, iPhone “remote access” capabilities, and even a Twitter disinformation platform offering the ability to distribute information en masse to new and/or compromised accounts simultaneously and conduct extensive monitoring. While the individual tools, services and activities are interesting, the profile offers a truth for global organizations that is concerning.

Enterprises have a range of options to mimic certain attacker behaviors or hunt for the same vulnerabilities on which attackers will prey. But what the I-S00N revelation demonstrates is that we're fighting with one hand tied behind our backs, as other countries are weaponizing their private sectors in ways we can't and won't. We've all heard of the "Defender's Dilemma": the good guys need to be right every time, while the bad guys only need to be right once. As more, and more fragmented, offensive security options enter the market for US companies, this gives us an interesting look at what could be considered an "Offender's Dilemma". Foreign attackers have many more toolsets at their disposal, so we need to make sure we're selective about our modeling, preparation and how we assess and fortify ourselves. This article will look at four pillars of an offensive playbook – Red Teams, Penetration Testing, Automation and AI, and vulnerability assessment – and for each, the best approaches that provide an offensive security program with the visibility and reach to make the greatest impact.

Red Teams need to be about Every Team

When most think of Red Teaming, they envision a team of security experts playing out an attack scenario – either digitally or physically – to see if they can evade detection and achieve a goal by compromising a target asset or assets. While not wrong, that perception is incomplete. Whether Red Team or threat actor, the "attack" is neither the beginning nor the end of contact with a potential victim, and so it is too narrow an activity for an organization to determine the full extent of its own vulnerability and risk.

Prior to emulating an attack scenario, it is absolutely necessary to assess what intelligence you are providing the outside world to inform an attacker, and what human or procedural weaknesses may provide an open door through which an attack can begin. Company communications, media coverage and even social media can be a treasure trove of Open Source Intelligence (OSINT) for a threat actor, so engage a Red Team's ability to collect it and show what is exposed. Additionally, many companies conduct "security awareness" training separately from Red Team activities, which only provides an assessment against general scenarios. A Red Team can conduct Social Engineering campaigns using live OSINT, following scenarios that give a real-world perspective on how an attack is likely to begin and how effective it can be.

So what then? Understanding how an attack may play out is valuable, but unless you also assess how the organization and its stakeholders are oriented to respond, you have no understanding of the extent of the damage a successful attack can create, or how effective you can be at minimizing impact. For this, conducting incident response tabletop exercises provides that full assessment of readiness, and also a blueprint for improvement.

Finally, realize that even the security team and defensive technologies themselves are assets representing potential vulnerability, and should be assessed in kind.  Which brings us to the next pillar.


Silos are no-gos

There are no "air gaps" in an enterprise. Every asset, be it an application, a device, an office footprint, or a cloud, is interconnected. So, while testing an application or device is important for understanding its individual vulnerability, those assets don't exist in a vacuum. The connections and attributes they share with other applications and devices in an environment can represent additional vulnerability, either on their own, or as a pathway from a vulnerability in an upstream asset.

It's for that very reason that an organizational attack surface needs to be understood at both the macro and micro level. We need to be testing individual applications and the overall ecosystem in which they exist. But we can't stop there. There is a third dimension to testing: time.

Just as no asset is an island, neither is a point in time. Applications are constantly being updated, added or deleted. New employees, business units or even whole companies via M&A are being added. And if a constantly evolving infrastructure weren't complex enough, new threats and classes of vulnerabilities are being discovered every day – some in new assets, some that have existed in assets for months or even years. For this reason, assessment and testing must not only be comprehensive, but also continuous. This level of change would be overwhelming, if not paralyzing, for any organization without the benefit of automation. But as with anything in security and life, there are benefits and pitfalls.
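The two points above (assets as an interconnected ecosystem, and the attack surface changing over time) can be made concrete with a small script. The following is an added example, not code from the article or from Bishop Fox: it diffs two constructed inventory snapshots of an environment, reports new assets, newly exposed ports and newly discovered vulnerabilities on assets that were already there, and then walks the (assumed) dependency graph to show which downstream assets inherit exposure from a newly vulnerable upstream one. The asset names, ports and the vulnerability identifier are placeholders constructed for the example.

```python
"""Continuous attack-surface monitoring: diff two snapshots and compute
the downstream blast radius of a newly vulnerable upstream asset.
Added illustration; inventory data below is constructed, not real."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    exposed_ports: FrozenSet[int]
    known_vulns: FrozenSet[str]       # identifiers known at snapshot time
    depends_on: FrozenSet[str]        # upstream assets this one trusts or connects to


def snapshot(assets: List[Asset]) -> Dict[str, Asset]:
    """Index a list of assets by name so two snapshots can be compared."""
    return {a.name: a for a in assets}


def diff_snapshots(old: Dict[str, Asset], new: Dict[str, Asset]) -> List[Tuple[str, str, list]]:
    """Return (kind, asset, details) findings describing what changed between snapshots."""
    findings = []
    for name, cur in new.items():
        if name not in old:
            findings.append(("new_asset", name, sorted(cur.exposed_ports)))
            continue
        prev = old[name]
        new_ports = cur.exposed_ports - prev.exposed_ports
        if new_ports:
            findings.append(("new_exposure", name, sorted(new_ports)))
        # A vulnerability discovered today may have existed in this asset for a long time.
        new_vulns = cur.known_vulns - prev.known_vulns
        if new_vulns:
            findings.append(("new_vuln", name, sorted(new_vulns)))
    for name in old:
        if name not in new:
            findings.append(("removed_asset", name, []))
    return findings


def downstream_of(inventory: Dict[str, Asset], start: str) -> set:
    """All assets that (transitively) depend on `start`, i.e. inherit its exposure."""
    reverse: Dict[str, set] = {}
    for a in inventory.values():
        for upstream in a.depends_on:
            reverse.setdefault(upstream, set()).add(a.name)
    seen, stack = set(), [start]
    while stack:
        current = stack.pop()
        for dep in reverse.get(current, ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def blast_radius(inventory: Dict[str, Asset], findings) -> Dict[str, list]:
    """For each newly vulnerable asset, list the downstream assets reachable from it."""
    return {name: sorted(downstream_of(inventory, name))
            for kind, name, _ in findings if kind == "new_vuln"}


# Constructed snapshots: web -> api -> db, plus a jump host added on day two.
DAY_ONE = snapshot([
    Asset("web", frozenset({443}), frozenset(), frozenset({"api"})),
    Asset("api", frozenset(), frozenset(), frozenset({"db"})),
    Asset("db", frozenset(), frozenset(), frozenset()),
])
DAY_TWO = snapshot([
    Asset("web", frozenset({443, 8080}), frozenset(), frozenset({"api"})),
    Asset("api", frozenset(), frozenset(), frozenset({"db"})),
    Asset("db", frozenset(), frozenset({"VULN-PLACEHOLDER-1"}), frozenset()),  # placeholder id
    Asset("jumpbox", frozenset({22}), frozenset(), frozenset()),
])


def report() -> Tuple[list, dict]:
    """Run the diff and blast-radius computation over the constructed snapshots."""
    findings = diff_snapshots(DAY_ONE, DAY_TWO)
    return findings, blast_radius(DAY_TWO, findings)


if __name__ == "__main__":
    found, radius = report()
    for kind, name, details in found:
        print(f"{kind:13} {name:8} {details}")
    for name, downstream in radius.items():
        print(f"{name} newly vulnerable; downstream assets inheriting exposure: {downstream}")
```

Run against real inventory, the snapshots would come from an asset-management or external-scan feed taken on a schedule; the value is in the diff between runs rather than in any single scan, which is the point about time made above.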

AI and automation must not be autonomous

Automation in all aspects of technology and systems is what drives growth and lets businesses scale. Technology is an amplifier, but it can amplify noise as well as signal. So it's critically important to be able to discern not just signal, but the right signals, and that requires human intelligence, intuition and, most importantly, validation.

We are also witnessing a step change in technology amplification with advances in Large Language Models (LLMs) and Artificial Intelligence (AI). The ability of AI to develop content, aid in programming, manage high-level processes or detect anomalies in data and systems is astounding. It is of course a reality not lost on malicious actors, who are also testing AI's capabilities, from deepfakes to malware development.

However, no technology, particularly one as nascent as AI, is perfect. The age-old maxim of Garbage In, Garbage Out remains true. AI models and their output are only as valid and effective as the data sources they draw from, and the people who maintain them. We at Bishop Fox like to think of enabling technologies as being much like an Iron Man suit with Jarvis. It can supercharge what an analyst or an operator can do, but it still needs a human to see new patterns, determine the outliers that break from models and, just as importantly, confirm that the output results in a positive outcome. And even with that validation and extra set of eyes, sometimes we need the help of friends.

A crowd needs leadership

One of the greatest strengths of the security industry is its community. From open-source tools to industry events and resources, strength in numbers is an important asset as new threats are rapidly discovered and weaponized. In this respect, bug bounties are a critically important tool. Whether filling the gaps or finding the needles, community contributions to finding vulnerabilities and developing mitigations are invaluable. Additionally, while standardized disclosure processes and rewards are crucial in driving efficiency and communication, a bug bounty program in the wrong environment can present the same overwhelming problem of noise and lack of prioritization as automation. That's why, in many ways, a bug bounty program at scale needs a strong internal team and vulnerability assessment infrastructure to support it.

Written By

Tom Eston is the VP of Consulting and Cosmos at Bishop Fox. Tom's work over his 15 years in cybersecurity has focused on application, network, and red team penetration testing as well as security and privacy advocacy. He has led multiple projects in the cybersecurity community, improved industry standard testing methodologies and is an experienced manager and leader. He is also the founder and co-host of the podcast The Shared Security Show; and a frequent speaker at user groups and international cybersecurity conferences.
