What is Offensive Security?

Offensive security takes an adversarial approach to securing systems. In other words, if you want to know whether your systems are vulnerable to attacks, you need to think like an attacker. While specialized methods like penetration testing can assess certain aspects of security, offensive security is a mindset anyone can adopt.

A common offensive security practice is known as ‘purple teaming’, which is where an attack team (the red team) must exploit the system whilst a team of defenders (the blue team) must try to stop them or work out what the attackers are doing.

The goal of this tactic is for the red team to identify the weaknesses within your security systems that could be exploited by attackers, allowing you to repair these issues before a real attacker can act.

Think like an attacker at all stages

The main objective in offensive security is to spot issues as early as possible by challenging assumptions about systems – a problem that costs $10 to fix in the design phase could cost $10,000 to fix once it’s in production. Therefore, organizations should strive to foster an environment where it’s okay to bring up issues and get as far away from ‘groupthink’ as possible.

During offensive security training exercises, you must put yourself into the mindset of an attacker and attack the same thing that real adversaries would target for the exercise to deliver true value.

Challenge assumptions across the whole business

Offensive security is also a great way to take security testing out into the wider business, not just to the people who designed systems and have preconceived notions of how they should be used.

This way, businesses can challenge assumptions about the ‘happy path’ we expect users to go down based on our design, since the scope of how a system can be used and abused by attackers is much wider than we might be able to see from our own perspective.

Can every business benefit from offensive security?

Every business can benefit from offensive security to a different extent. While offensive security training exercises could be useful to companies of all sizes, offensive security strategies are generally the most beneficial to large companies, as they are more likely to become a target for attackers.

Is offensive security ethical?

Hackers are not always ethical, often stooping to immoral tactics to achieve their goals. However, dedicated ‘red teams’ can act ethically and remain effective.

A flaw in security can be uncovered just as well in ways that are not damaging to individuals, such as replacing parts of the codebase temporarily with emojis or just taking it offline for a time. The goal of offensive security is always to protect the business but this must be done in a moral, legal and ethical way.

Getting the rest of the business on board with offensive security

Due to the nature of offensive security, which often pokes holes and find flaws in security systems designed and built by employees within your organization, employers might find some team members resent this strategy.

It’s important that the goals of your offensive security strategy are properly communicated to your employees – let your team know that it is okay to fail so that things can improve. You should also highlight the effectiveness of existing controls and give credit to systems that work well, rather than only pointing out the flaws you have identified within your existing security solutions.