Jonathan shared his perspectives and philosophies around offensive security and what he gained from his time being part of a ‘red team’ at Facebook.
Let’s recap some of the insights Andy discussed with Jonathan.
What is offensive security?
Offensive security takes an adversarial approach to securing systems. In other words, if you want to know whether your systems are vulnerable to attacks, you need to think like an attacker. While specialized methods like penetration testing can assess certain aspects of security, offensive security is a mindset anyone can adopt.
A common offensive security practice is known as ‘purple teaming’, in which an attack team (the red team) tries to exploit the system while a team of defenders (the blue team) tries to stop them or work out what the attackers are doing.
“The [red] team’s goal is to challenge assumptions and bias and act as a devil’s advocate,” explained Jonathan during the podcast. “Anything can happen when you start looking at systems from this perspective.”
Jonathan Echavarria spent time at Facebook as an offensive security engineer
Think like an attacker at all stages
The main objective in offensive security is to spot issues as early as possible by challenging assumptions about systems. As Jonathan pointed out, a problem that costs $10 to fix in the design phase could cost $10,000 to fix once it’s in production. Therefore, organizations should strive to foster an environment where it’s OK to bring up issues, and get as far away from ‘groupthink’ as possible.
Jonathan advised focusing efforts on production environments, as staging and testing environments are often ‘too perfect’ and not realistic enough. For the exercise to deliver true value, you must attack the same thing that real adversaries would be attacking.
Challenge assumptions across the whole business
Offensive security is also a great way to take security testing out into the wider business, not just to the people who designed systems and have preconceived notions of how they should be used. Jonathan recommended getting people ‘on the ground’ involved, because they will give a much more in-depth insight into how the system is used.
This way, businesses can challenge assumptions about the ‘happy path’ we expect users to go down based on our design, since the scope of how a system can be used and abused by attackers is much wider than we might be able to see from our own perspective.
Can every business benefit from offensive security?
According to Jonathan, every organization can benefit from offensive security, “but that doesn’t necessarily mean that they have to go out and do a full-blown red team engagement”. Yes, you get the most benefit from investing in detailed red team engagements, but your business can also benefit greatly from getting everyone together in a room for a couple of hours for a tabletop exercise.
Is offensive security ethical?
Hackers are not always ethical, often stooping to immoral tactics to achieve their goals. However, Jonathan agreed that red teams can act ethically and remain effective.
For example, if Jonathan’s team is trying to convince an employee to fill in a form as part of an attack, they can get the same result by offering a $500 gift card as by using unethical emotional manipulation, such as telling the victim the form is for emergency medical care for their child.
Red teams should also not gather personally identifiable information (PII) to open new lines of credit or change their own pay grade, for example. A flaw in security can be uncovered just as well in ways less damaging to individuals, such as replacing parts of the codebase temporarily with emojis or just taking it offline for a time.
Jonathan also warned against the unethical weaponization of red teams for one part of a business against another. “No red team should allow themselves to be used as pawns in a political chess match because one manager thought the manager of another team slighted them. Sending the red team as their attack dogs doesn’t benefit the business in any way.”
Getting the rest of the business on board with offensive security
In the podcast, Andy questioned whether other parts of the business might resent the red team poking holes in their systems and pointing out flaws. Jonathan’s experience was different – “It’s offensive but it shouldn’t be hostile” – which he explained by stating most people don’t want to be responsible for a major issue later. “Generally, people are pretty grateful for the identification of these things. Because obviously, they didn’t know that it existed.”
It’s important that people know it’s OK to fail so that things can improve; enabling that improvement is the role of the red team. Jonathan also pointed out the value of highlighting the effectiveness of existing controls and what worked well, which creates a sense of goodwill with other teams.
Most vital though, is how the red team follows up on reporting findings. In Jonathan’s opinion, “A good red team should take ownership of its findings and do everything that it can to ensure that they’re remediated. They should be working with the system owners throughout the lifecycle of the operation.”
How can your business get started with offensive security?
If your business is just getting started with offensive security, Jonathan suggests starting small with tabletop exercises and small-scope pen tests, then working your way up. “Everyone is a participant when it comes to offensive security… allow that mindset to foster a culture where it is okay to challenge assumptions and challenge groupthink.”