Going on the Offensive How to build and mature an offensive security program at your organization Proactive security is the name of the game these days. Everyone is doing it, right? Well, maybe not, but they should be. The need to get ahead of threats is greater than ever, and there are countless solutions to help organizations of every type and size with their offensive security efforts. But you can’t just buy a tool or hire a contractor and call it a day. Effective offensive security is hard and complex. To delve deeper into the topic, we invited esteemed cybersecurity expert Phillip Wylie to join a Friends Friday cast. He and Dan DeCloss discussed both the human and technological components that make the strongest, most mature offensive security programs. Phil has over 26 years of industry experience in IT and cybersecurity with diverse experiences in multiple disciplines, including network security, application security, and pentesting. He is the concept creator and co-author of “The Pentester BluePrint: Starting a Career as an Ethical Hacker,” and hosts “The Phillip Wylie Show” and “The Hacker Factory Podcast,” where he interviews guests on how they got started in cybersecurity and their advice for aspiring cybersecurity professionals. Additionally, he is a frequent conference speaker, workshop instructor, and mentor. Watch the full episode or read on for the highlights. Going on the Offensive: How to build and mature an offensive security program Getting into offensive security Dan and Phil started the conversation by discussing the building blocks of any offensive security program: the pentesters. Talent shortages in the industry are a common topic of discussion because obtaining the skills of an elite tester is difficult. For those interested in advancing in offensive security, Phil advised, “Let’s say one of the things is not to skip the basics, not skip the fundamentals. Because a lot of cases, and it’s kind of understandable as pentesting is a very interesting field, and a lot of times people just want to jump into learning the hacking piece. But it makes it a lot easier if you understand the different fundamentals. Because for me, before I even got into security, I spent six years as a sysadmin, which was the most valuable experience I had going into being a pentester.” Dan added, “Also, you know, my background is much more in web app security, and I was a web app pentester primarily. And I found that some of the sharpest web app pentesters — and it’s not always the case — but some of the sharpest ones were former software engineers, former developers. They understood how libraries came together and how the code would be pieced. And, you know, it’s always, that kind of that big puzzle, right? Of like, how do I break into this network or how do I find this odd vulnerability in this web app? And so having some of that baseline background in technologies, particularly software engineering, IT, and networking system administration, plays a big factor.” Whether building a career or building a team, a varied background and strong foundation in technology are good indicators of success for offensive security work. But the onus isn’t completely on the testers. An effective program requires a collaborative approach. Building an offensive security team Phil broke down the makeup of a successful pentesting team with collaboration as the common factor. Strong leaders and mentors — “You’re going to need some good senior folks who are willing to mentor and help others. I’ve seen people throughout my career who weren’t patient, didn’t want to help people. So you really need someone, who is almost as good of a leader and mentor as they are a pentester.” Teamwork — “You really need to instill in your team a sense of teamwork. Because I’ve been on teams before where we’re all remote, totally isolated and no one was really helping each other. But when you’ve got that cohesive team, they’re sharing that information.” Shared knowledge — “As pentesters, we’re all keeping our little notebooks and notes on how we do that stuff. But if we can have a centralized repository of notes that we can share with the team, some of those things that we already figured out how to do, then they can figure out how to contribute to that library and it will make things a lot easier instead of everyone wasting time. Research is good because you learn how to research, but why should someone have to research something that’s already researched and already documented?” Growing an offensive security program Next, Dan and Phil discussed strategies and processes necessary to mature an offensive security program. Phil highlighted five components essential to growing a program well. Document the processes — “Going back to that documentation, make sure you’re documenting the processes, that you have a good runbook that’s easy to duplicate, because once people come in, we’re humans, we make mistakes. So to be able to document, have a runbook, that checklist — you can go back and make sure you’ve done those things,” said Phil. Report well — “A good report template [is important], that you are really making sure you’re building out a good executive summary so the folks outside of the technical side of things, like your CISOs and your board, get value out of that report. Because you want them to get as much value as you do the tech team because they’re the ones signing the check and making all the approvals,” Phil continued. Keep up with technology — “And I would say stay ahead of the curve and learn some of the newer technologies that are becoming more prevalent in our industry. You know, like some of the large learning models and web3 stuff. Start investigating that because notoriously you’re in a company and all of a sudden someone saw some presentation somewhere and we’re going to this type of AI product or whatever.” Test frequently — “So if you’re only pentesting once a year, there’s all that time that nothing’s going on. But if you can go in, do the purple team exercises, eliminate some of the possibilities from the hands of a threat actor, remove some of the tools that they can use — that goes a long way with improving your security posture.” Communicate effectively — “And I see things going more towards a risk-based approach. And that is something that’s the kind of lingo that the board and the business groups are going to understand. So we come back to them with a risk quantification or risk-based approach, they’re going to understand it a lot better than some of the jargon that we would rattle off about the different vulnerabilities or exploits.” Going on the offensive Dan summarized the main themes of the discussion: “I would sum up the key takeaways as building yourself in terms of knowing the underlying technologies — taking it on yourself to understand and learn those resources — automating as much as possible for your team, and building that continuous assessment mindset and paradigm, and then really staying in the mode of progress over time and how you’re communicating that value to your stakeholders.” For more insights on pentesting, offensive security, and careers in cybersecurity, follow Phillip Wylie at www.thehackermaker.com.
Vulnerability Assessment vs Penetration Testing: Understanding the Key Differences Vulnerability Assessment vs Penetration Testing READ ARTICLE
Unlocking Continuous Threat Exposure Management: New Features for Prioritizing Remediation Based on Business Impact The evolution of product security READ ARTICLE