
The Offensive Security Maturity Model: Get Ahead of Threats

Cybersecurity is hard. 

Organizations are inundated with endless threats while also facing limited resources and a persistent talent shortage. As someone working in offensive security, your primary task is to find and illuminate your biggest, most critical risks and then communicate those risks to the defense so your assets remain secure and your security posture stays strong.

This is all well and good, but how do you actually move the needle to a more advanced form of offensive testing? Traditional vulnerability scans have their purpose, but attackers and their tactics have become far too complex to be complacent relying on basic testing. In order to survive and thrive in today’s world you need to evolve your offensive security strategy past traditional scanning and pentesting to get ahead of threats and stay there.

Introducing the Offensive Security Maturity Model

While there are many debates about how to measure your offensive security team’s maturity, PlexTrac’s Offensive Security Maturity Model has five phases that build your maturity from the low-hanging fruit to the most advanced form of testing. These five phases are:

  1. Vulnerability Scans
  2. Penetration Tests (Pentests)
  3. Red Teams
  4. Adversary Emulation
  5. Adversary Simulation

Through this blog post we’ll describe each phase, its importance to your security team, and how you build towards the next phase of maturity. Let’s start with vulnerability scans!

Vulnerability Scanners: The Low-Hanging Fruit

The chances are — if you work in offensive security — you’ve run and documented results from multiple vulnerability scanners. Vulnerability scanning is defined as an “inspection of potential points of exploit on a computer or network to identify security holes.” These scanners perform basic tests to scan, detect, and classify weaknesses in the infrastructure and assets of your company or of the target you are assessing.

Key benefits of performing vulnerability scans include:

  1. Vulnerability scanners provide fast and actionable results. Especially if you’re just getting started, a vulnerability scanner will have plenty of actionable work for you and your team to do to improve your security posture.
  2. Vulnerability scanners are simple and repeatable. These scanners are largely automated, making them easy to run daily, weekly, or monthly to get updates on new flaws and/or patched vulnerabilities from previous work.
  3. Vulnerability scans are easy. The simple saying “start somewhere” rings true here, as these vuln scans are easy to use and provide easy entry for those new to the security and IT space.

Popular vulnerability scanners in the cybersecurity industry include Nessus, Qualys, Nmap, Burp Suite, and many more (all of which integrate seamlessly into the PlexTrac Platform!).

Although extremely useful, a vulnerability scanner also has many limitations, including:

  1. Vulnerability scanners will not find nearly all of the vulnerabilities that exist on your network and across your assets. These are simply baseline tests designed to find the most pressing and easily exploited vulnerabilities. Automated vulnerability scanners cannot adapt and improvise, or chain together disparate flaws to exploit misconfigurations, which are some of the most common and high-impact vulnerabilities organizations have to deal with.
  2. Vulnerability scanners need to be updated consistently in order to work properly. The cybersecurity industry is a fast-moving industry where new zero-days and tactics, techniques, and procedures (TTPs) are discovered EVERY single day. You’ll need to be updating early and often in order to catch these new threats.
  3. Lastly, vulnerability scanners are particularly inconsistent in their results. Each test will likely include several false positives, in addition to the mountains of findings that are not visible through the scanners at all.

While vulnerability scanners are flawed, the data you scrape from these scanners provides a valuable baseline for a security program, as it gives your testing a jumping-off point and actionable vulnerabilities that even the most novice of hackers could exploit. Additionally, these scanners set the stage for additional testing and exercises to be conducted as your team grows in both size and complexity.

Once you’ve implemented consistent and thorough vulnerability scanning, it’s time to level up to the next phase: penetration testing. Learn the differences between the two.

Penetration Tests: Goal-oriented Hacking

Running penetration tests is when the real fun begins and where your security team takes a step forward on its path to real maturity. Penetration tests are defined as “a method of testing where testers target individual binary components or the applications as a whole to determine whether intra- or inter-component vulnerabilities can be exploited to compromise the application, its data, or its environment resources.” Simply put, these are individual tests run to “penetrate” an asset and find vulnerabilities beyond what can be seen in a vulnerability scan.

The key benefits of performing penetration tests include:

  1. Penetration tests uncover a wide range of vulnerabilities for security teams. These tests certainly go beyond the scope and complexity of traditional vulnerability scans, providing complex testing — in both manual and automated formats — which gives your team a wider field of view. After all, half the battle of fighting threats is knowing they exist.
  2. Vulnerabilities found in penetration tests are more complex. These vulnerabilities are often a combination of other small vulnerabilities chained together in order to achieve a bigger, more dangerous vulnerability — like achieving administrative access to a server, for example.
  3. Penetration testing reports provide specific advice for remediation. One of the final steps of the pentesting process is writing a report, often the main deliverable of a penetration test. These reports — which are created in half the time using PlexTrac — are a valuable asset providing real remediation steps to the rest of your security team. This both helps the team prioritize important work and provides a blueprint for patching vulnerabilities in a timely manner.

Common tactics used in penetration tests include phishing, SQL injection, social engineering, and brute force attacks, among many others. So yes, penetration testing is certainly a big jump up from vulnerability scans, providing you with more complex and widespread testing.

However, penetration tests are not without their drawbacks. Here are some of the limitations of pentests:

  1. Penetration tests aren’t particularly helpful without strict rules of engagement. Tactics, techniques, and procedures used in pentests are often vast and seemingly limitless in nature. Before the test your team needs to identify clear rules of engagement and a statement of work to ensure tests are useful instead of harmful.
  2. If done improperly, penetration tests can cause a lot of damage. Peter Parker lives by the mantra of “with great power comes great responsibility,” and so should pentesters. Penetration tests done improperly can result in crashed servers, compromised data, or worse, much like would be the case in a real cyber attack.
  3. Penetration test results may be misleading if you aren’t realistic or on the same page. A bit of secrecy with your penetration test may be the key to realistic results. If your team has time to brace for a penetration test, the results may indicate that your posture is stronger than it actually is. Likewise, if your team is blindsided without a realistic representation of a cybercrime attack, your posture may look weak. Keep your tests realistic and make sure all parties are on the same page to achieve maximum results.

Once your organization is running vulnerability scans and performing penetration tests on a regular basis, you are probably feeling good about the strength of your security posture. While this is a good start and VITAL for all organizations, there’s still a long way to go to reach peak performance. The next step of the Offensive Security Maturity Model is establishing a dedicated red team — and often a blue team with it.

Red Teams: Structured Testing, Often with a Blue Team

Once your team has gotten into the penetration testing groove, it’s time to enhance your testing capabilities by creating a red team. Red teams are defined as a team “made up of offensive security experts who try to attack an organization’s cybersecurity defenses.” Typically, organizations will continue to have pentesting teams, and, as the complexity of their environment grows, they will create a highly focused, highly specialized group of offensive security testers to be their red team.

These red teams are often balanced out by an equally important blue team, whose job it is to “defend and respond to the red team attack.” Think of these teams as the offense (red team) and defense (blue team) in American football. They both serve a vital purpose for the team as a whole, but each has a specialized role to play in the fight against your adversaries.

The key benefits of establishing a dedicated red team include:

  1. Red teams provide organizations with a specialized team with more focused goals. As you continue to mature, your offensive team will fill out with special individuals with unique talents. This diversity and luxury of sheer numbers gives you a distinct advantage over organizations who have not yet established a dedicated red team.
  2. Because of this, your red team will likely find more vulnerabilities than a pentest team. A more mature team with more resources will find more holes in your armor — it isn’t rocket science.
  3. Balancing a red team with a blue team will ensure faster remediation cycles. A dedicated foil to your red team provides your organization with plenty of resources to find and react to threats faster than ever. If your red and blue teams have an efficient process and an established relationship of continuous purple teaming collaboration, you’re set up for success.

Most outsiders consider organizations with built-out red and blue teams to be among the more mature in the industry… However, this isn’t always the case. If red teams are spun up improperly or get into bad habits, there can be dire consequences.

Here are some of the drawbacks to an established red team:

  1. Investing in a dedicated red team is a large and expensive task. For those assuming that just hiring a red team will make you mature, you’re sorely mistaken. Developing an efficient and effective red team takes a lot of time, in addition to large investments in your technology stack and process workflow.
  2. Red and blue teams don’t always get along. There’s been a traditionally adversarial relationship between the offense and defense, which can cause major problems. A little healthy competition never hurts anyone, but when team members are working harder to outsmart their colleagues than they are to outsmart adversaries, you have a problem.
  3. Bigger teams aren’t as nimble as smaller teams. While this directly relates to point one, it’s worth noting separately that a larger offensive team can cause problems for the speed of your security team. Teams working to protect one organization need to communicate well, speak the same language, and report and remediate findings in a consistent manner to avoid costly errors.

While spinning up a red team is expensive and resource intensive, it’s a worthy investment for organizations trying to level the playing field between themselves and their enemies. However, this isn’t the end… The next phase of the Offensive Security Maturity Model puts your team in their adversaries’ shoes. Let’s talk about adversary emulation.

Adversary Emulation: Tactics by Adversaries, for Your Security Team

Once you’ve started red teaming and conducting awesome red teaming engagements, it’s time to put a down payment on an evil lair. Adversary emulation is defined by PlexTrac as the process of copying adversaries’ tactics, techniques, and procedures (TTPs) exactly to test your organization’s defenses against real-world attacks. These TTPs are typically pulled from adversary emulation libraries, like SCYTHE’s Community Threats Library and MITRE’s Center for Threat-Informed Defense, both of which may be imported directly into PlexTrac’s Runbooks module.

The key benefits of performing adversary emulation exercises include:

  1. Adversary emulation evaluates your security posture against real adversaries. These TTPs are created and executed by the most infamous, talented, and dangerous adversaries in the world. Seeing how your defenses perform against these attacks is extremely valuable to teams looking to ensure all of their bases are covered.
  2. Adversary emulation is a fantastic test for your blue team’s detection and response rate. The speed and accuracy of the work a blue team does to detect and remediate a vulnerability — or worse, a breach — is a vital aspect of your team’s maturity. Your organization’s mean time to detection (MTTD) and mean time to remediation (MTTR) will be put to a real test with adversary emulation exercises.

Once your team has developed a high-performing red team and started adversary emulation exercises, there aren’t necessarily any cons to the exercises. The main thing to keep in mind with a large team with many moving parts is prioritization. This means that alongside all of your activities to source and aggregate security findings and data (which is centralized easily in PlexTrac), you need to also be scoring and prioritizing the work you do based on the impact it has on your organization, your team, and your day-to-day tasks.

Now, let’s get to the cream of the crop… Adversary simulation.

Adversary Simulation: By Any Means Necessary

While there’s often a naming dispute in the industry on these last two phases, PlexTrac has adversary simulation as the most mature phase on our Offensive Security Maturity Model. Adversary simulation is defined by PlexTrac as the process of using all of the techniques in your offensive toolkit — including vulnerability scans, penetration tests, red teaming, and adversary emulation — in order to compromise your organization’s defenses.

This truly is the step that is easily described to our readers as “by any means necessary.” Adversary simulation exercises are meant to simulate the look and feel of a real-world cyber attack, as the adversaries you encounter in the real world will use everything at their disposal in order to break your initial defenses, escalate their permissions to find what they’re looking for, and make off with their loot before you can stop the threat.

The key benefit of performing adversary simulation exercises, in addition to the other four phases mentioned previously, is that adversary simulation provides your offensive team with the most realistic exercise of a real-world breach. When a vulnerability is inevitably exploited to breach your network, you need to have employees prepared, much like people do with fire drills. Conducting adversary simulations prepares your team for the real thing and ensures there is a process to secure your perimeter in real time and mitigate the damage of a breach.

While there is often debate on the names of each of these final two phases in the Offensive Security Maturity Model, there’s no debate that they’re both key to a mature and all-encompassing security team.

Get Ahead of Threats with a Purple Teaming Mindset

Vulnerability scans, penetration testing, red teaming, adversary emulation, and adversary simulation all provide key benefits to your security team and the posture it builds. However, it is often difficult to know when it’s time to move forward along the maturity model and level up to the next activity. By fostering a collaborative purple teaming mindset, your team will have a better understanding of its strengths, weaknesses, resources, and roadblocks.

This mindset of continuous and transparent collaboration — whether with your internal team or external stakeholders — will help guide you on your path towards offensive security supremacy. This mindset also ensures that your team works at peak performance whether you’re a one-person security team or one of the biggest on the planet.

Go forth and conquer, everyone!
