Triumph with Technology
Measuring Your Offensive Security Maturity
The tools of the trade are constantly evolving to meet rising threats, but the sheer number of technology options in the industry can be overwhelming. The key to maturing your program’s technology is building a tech stack to support your goals rather than allowing the capabilities of your tech to determine your strategy.
By thoughtfully approaching the selection and implementation of technology tools, organizations can strengthen their offensive security capabilities, provide tailored solutions, and act as a trusted partner in the ever-changing landscape of cybersecurity.
PlexTrac exists to help offensive teams become more efficient and effective so organizations can become more proactive and, ultimately, more mature. Check out our webinar series with Echelon Risk + Cyber to learn more about leveling up your offensive security game, and don’t miss the episode on Triumph with Technology.
Curating the Ideal Tech Stack
When we talk about a technology stack, we first need to separate it into two categories: operational technologies and administrative technologies.
Operational technologies are the systems and applications that are used to perform the offensive security work. Examples include infrastructure servers, scanning suites, open source tooling, cloud-based resources, password auditing servers, and VPNs. These devices are used to send packets down-range, receive connections, and send commands; they are key pieces of technology that allow you to execute offensive security-related work products.
Administrative technologies are the applications and systems designed to support the process and personnel but that are not directly related to offensive security work. Examples include project management and scheduling apps, email and chat systems, and file storage and transfer technologies.
Some technologies straddle the line and are both operational and administrative. Reporting solutions come to mind in this possible third category.
Deciding which technologies to adopt should involve a systematic approach to ensure the selection of viable tools that meet the specific needs of the business. Identifying current gaps and manual, labor-intensive, or repetitive processes is a good place to start when looking for where technology can add efficiency. Before going off and shopping for the best blinky-box or open source project, or deciding to write your own, you need to gather requirements. Look at the processes you currently execute and determine if there’s a need that technology can address. Thoroughly understanding organizational objectives and engaging stakeholders is crucial. Staying updated on industry trends and seeking reputable vendor or open source project information is important, as is hands-on testing. No one knows how tech will work with your processes and methodologies better than you.
Evolving Your Technology
As you evolve, it is natural that your technology stack will need to evolve as well to support your goals and the changing needs of your constituents. Along with the ever-moving threat landscape, consider the areas below:
As offensive security practices grow, their technology stacks should be designed to scale seamlessly. Consider the ability of the stack to handle increased data volumes, user traffic, and transactional demands. Scalability can be achieved through technologies such as cloud computing, containerization, and distributed architectures.
Flexibility and Adaptability
The technology stack should be flexible and adaptable to accommodate evolving business requirements. It should allow for the integration of new tools, applications, and systems. Embracing modular and interoperable technologies, APIs, and microservices architectures can enable greater flexibility and adaptability.
Anticipate future trends and technological advancements to ensure the technology stack remains relevant and avoids becoming obsolete. Keep an eye on emerging technologies such as artificial intelligence (AI), machine learning (ML), internet of things (IoT), and blockchain, which may offer opportunities for innovation and competitive advantage.
Evaluate the impact of technology stack changes on the user experience. The stack should enable a seamless, intuitive, and consistent experience across different devices and platforms. Consider user feedback, conduct usability tests, and prioritize user-centric design principles when implementing changes. Getting a group of hackers and offsec professionals to agree on user interface and experience may be the most challenging task of them all!
Performance and Efficiency
Monitor and optimize the performance of the technology stack to ensure efficient operations. Consider factors such as system response times, load balancing, caching mechanisms, and database performance. Regularly assess and fine-tune the stack to eliminate bottlenecks and improve overall efficiency. Recognize that using a different technology to meet performance needs, or even to scale, may be a better investment than shoehorning in what you’re used to.
Evaluate the cost-effectiveness of the technology stack and optimize expenses. Consider factors such as licensing fees, infrastructure costs, maintenance, and ongoing support. Explore opportunities to leverage open-source technologies, cloud services, and automation to optimize costs while maintaining desired functionality and performance.
Evolving technology stacks should be part of a continuous improvement process. Regularly review and evaluate the stack’s performance, identify areas for enhancement, and explore innovative solutions. Stay informed about industry trends, attend conferences, and engage with technology communities to gain insights and stay ahead of the curve.
Evaluate Emerging Technologies
When evaluating technologies, there is no one-size-fits-all advice; however, some generally accepted principles can usefully guide the process. First, conducting thorough market research helps you gain insights into emerging trends and potential solutions. Next, be sure to broaden your focus beyond commercial off-the-shelf (COTS) products and be open to free and open-source software (FOSS), especially in the realm of offensive security. However, a broad focus must be balanced against the benefits of COTS solutions, which are typically better supported, more scalable, and less cumbersome to maintain. That said, FOSS options may fit the bill and be malleable enough to be adapted to your needs and maintained by your own staff of experts. Exploring analyst reports and industry publications and attending relevant conferences can provide valuable information on trends in the industry and help you determine the best new tools and mix of COTS and FOSS options to fit your program’s goals.
Determining the return on investment (ROI) of your tech stack is important. Doing so can help you determine the efficiency of your spend and how to allocate (or reallocate) resources. To calculate ROI, organizations should consider both the tangible and intangible benefits derived from their tooling investment.
Tangible benefits include measurable factors such as cost savings, increased productivity, and improved operational efficiency. If possible, try to quantify the potential cost reductions achieved through automation, streamlined processes, or reduced manual effort provided by your tools. The time people save, which can be spent on other things, is easily overlooked when only the financial impact is under review. Try to assess productivity gains by measuring the time saved, increased output, or enhanced quality of work. For example, tooling that allows you to execute more offensive security engagements, or that enhances IT teams’ ability to mitigate identified risks quickly, needs to be evaluated with these factors included in the measurement of its value.
Intangible benefits are more challenging to quantify but equally important. They encompass factors like improved decision-making, enhanced collaboration, or better mitigation statistics. These benefits may not have direct monetary value, but they contribute to overall organizational effectiveness and competitiveness. Accounting for them and devising a way to communicate the intangible value provided, particularly in moving the needle on security posture, well, that’s the whole point, isn’t it?
The PlexTrac Solution
The PlexTrac platform can be used as an aid in measuring the maturity and efficacy of offensive security testing efforts and teams. It is designed to provide data on findings’ status, allow teams to collaborate effectively, and provide analytical insights into trends on the data derived from the testing efforts.
PlexTrac is a force multiplier for offensive security programs. Book a demo to learn how PlexTrac can accelerate your path to maturity.
Nick Popovich
PlexTrac Hacker in Residence
Nick Popovich’s passion is learning and exploring technology ecosystems, and trying to find ways to utilize systems in unexpected ways. His career has focused on adversarial threat simulation, offensive and defensive security, and advanced technical security assessments. Nick’s mission is to help individuals and organizations involved with defensive security operations to have an opportunity to observe the mechanics and methods of the attackers they’re defending against, and to assist in realistically testing those defenses. He’s a lifelong learner and loves finding new ways to get under the hood of systems and networks. He is a father of three and a husband to one.