Over the years, and regardless of their specialization, I have met only a couple of people who didn’t like offensive security operations. But most people have no idea how such an engagement actually happens.
N.B.: In this article (and the subsequent ones in the series) we are only talking about legal engagements, where you have permission to attack a system (or, for fun, your own local vulnerable VMs). Don’t forget that you can be prosecuted if you act against these common-sense guidelines.
An offensive security engineer is a professional who is responsible for identifying and exploiting vulnerabilities in networks, systems, and applications.
They conduct penetration testing and other security assessments to find weaknesses in a company’s defenses and provide recommendations for improvement.
Also, offensive security engineers work on “ethical hacking projects”, performing simulated attacks to test the security of a company’s systems and networks.
They use their skills and knowledge to mimic the actions of real-world attackers and identify potential entry points that could be exploited by malicious actors.
A team of offensive engineers (usually called a red team) uses a set of steps like the ones below to perform an engagement.
Scope: Determine the scope of the engagement, including what systems and networks are in scope and what types of attacks will be simulated.
Gather information: Conduct reconnaissance to gather information about the target systems and networks, such as IP addresses, network topology, and software versions. Reconnaissance can be either passive or active.
By passive we mean searching public information or semi-private sources such as social media, without touching the target directly. Two well-known tools in the passive recon realm are the Shodan search engine and theHarvester.
By active we mean directly probing a system with tools like Nmap or Amass, which generates traffic the target can observe and log.
Identify vulnerabilities: Use tools and techniques to identify vulnerabilities in the target systems and networks. This can include scanning for open ports, testing for weak passwords, and looking for unpatched software. Known tools here are Nessus and OpenVAS.
Exploit vulnerabilities: Attempt to exploit the identified vulnerabilities to gain access to the target systems and networks. Metasploit anyone?
Document findings and report: Record all findings, including vulnerabilities that were successfully exploited and those that were not, as well as recommendations for remediating each issue. You thought you would only break machines and go home? 🙂
A company might have an internal or an external red team.
An engagement process is usually based on one proposed by cybersecurity organizations like MITRE and might be adapted to the team’s needs. An internal team is likely to be affected more by the decisions of senior leadership (e.g., the CISO) than an external team is.
Regardless of whether the red team is internal or external, the engagement process should be well-defined and documented to ensure that all parties understand the scope and objectives of the engagement.
I think the right question is how to build your offensive engineering mindset. Becoming a red team member is a by-product of that. In my humble opinion, even though there is a shortage of people with proper cybersecurity skills, the red team area is a bit congested.
To start building your offensive mindset, I would suggest the following process:
Becoming an offensive security engineer is a challenging but rewarding career path. It requires a combination of education, work experience, certifications, and ongoing learning to stay up to date with the latest security tools and techniques.
With the right skills, knowledge, and experience, offensive security engineers play a critical role in protecting organizations from cyber threats and helping them stay one step ahead of attackers.