Over the years, and regardless of their specialization, I have met only a couple of people who didn’t like offensive security operations. But most people have no idea how such an engagement actually happens.
N.B.: In this article (and the subsequent ones in the series) we are only talking about legal engagements, where you have permission to attack a system (or, for fun, your own local vulnerable VMs). Don’t forget that you can be prosecuted if you act against these common-sense guidelines.
What is an Offensive Security Engineer?
An offensive security engineer is a professional who is responsible for identifying and exploiting vulnerabilities in networks, systems, and applications. They conduct penetration testing and other security assessments to find weaknesses in a company’s defenses and provide recommendations for improvement.
Also, offensive security engineers work on “ethical hacking projects”, performing simulated attacks to test the security of a company’s systems and networks. They use their skills and knowledge to mimic the actions of real-world attackers and identify potential entry points that could be exploited by malicious actors.
High-level engagement steps
A team of offensive engineers (usually called a red team) performs an engagement in a sequence of steps like the following:
1. Scope: Determine the scope of the engagement, including which systems and networks are in scope and what types of attacks will be simulated.
2. Gather information: Conduct reconnaissance to gather information about the target systems and networks, such as IP addresses, network topology, and software versions. Reconnaissance can be either passive or active.
   - By passive we mean searching public information, or semi-private sources like social media. Two well-known tools in the passive recon realm are the Shodan search engine and theHarvester.
   - By active we mean directly probing a system with tools like Nmap or Amass.
3. Identify vulnerabilities: Use tools and techniques to identify vulnerabilities in the target systems and networks. This can include scanning for open ports, testing for weak passwords, and looking for unpatched software. Well-known tools here are Nessus and OpenVAS.
4. Exploit vulnerabilities: Attempt to exploit the identified vulnerabilities to gain access to the target systems and networks. Metasploit, anyone?
5. Document findings and report: Record all findings, including vulnerabilities that were successfully exploited and those that were not, as well as any recommendations for remediating the issues. You thought you would only break machines and go home? 🙂
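The first and last steps are the ones that keep an engagement legal and useful: nothing gets probed that the scope document does not cover, and every result ends up in a report. As an added example (not code from the original article), the Python module below enforces both in a small way: a `Scope` built from CIDR ranges, single addresses and hostnames (with a `*.` prefix for subdomains), a `check_target` gate to call before any active probing, and a findings record that refuses out-of-scope targets and produces a severity-ordered summary for the report. All class and function names, the scope rules and the sample findings are constructed for this example, using RFC 5737 documentation addresses and `.test` names.

```python
"""Scope enforcement and a report-ready findings record for an authorized engagement.

Added example, not from the original article. The scope rules, hostnames and
findings below are constructed sample data.
"""
import ipaddress
import json
from dataclasses import dataclass, asdict

# Severity labels accepted in a finding, lowest to highest.
SEVERITIES = ("info", "low", "medium", "high", "critical")


class Scope:
    """The agreed scope: IP networks (CIDR or single address) plus hostnames.

    A rule of the form "*.lab.example.test" covers subdomains only; a plain
    hostname must match exactly (case-insensitive, trailing dot ignored).
    """

    def __init__(self, rules):
        self.rules = list(rules)
        self.networks = []
        self.hosts = set()
        for rule in self.rules:
            try:
                # strict=False turns "203.0.113.7" into 203.0.113.7/32 and tolerates host bits.
                self.networks.append(ipaddress.ip_network(rule, strict=False))
            except ValueError:
                self.hosts.add(rule.lower().rstrip("."))

    def permits(self, target):
        """Return True only if target is an address or name inside the scope."""
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            name = target.lower().rstrip(".")
            for host in self.hosts:
                if host.startswith("*."):
                    if name.endswith(host[1:]):  # "*.lab.example.test" -> ".lab.example.test"
                        return True
                elif name == host:
                    return True
            return False
        # A mixed IPv4/IPv6 comparison is simply False in the ipaddress module.
        return any(addr in net for net in self.networks)


@dataclass
class Finding:
    target: str
    title: str
    severity: str
    exploited: bool      # successfully exploited, or only identified
    remediation: str
    evidence: str = ""   # e.g. the request or output that demonstrates the issue


class Engagement:
    """Gatekeeper between the tester's actions and the scope/report."""

    def __init__(self, scope_rules):
        self.scope = Scope(scope_rules)
        self.findings = []
        self.rejected = []  # out-of-scope targets that someone tried to record

    def check_target(self, target):
        """Call before any active probing; refuses anything outside the scope."""
        return self.scope.permits(target)

    def record(self, finding):
        """Store a finding; returns False (and logs the target) if it is out of scope."""
        if finding.severity not in SEVERITIES:
            raise ValueError(f"unknown severity {finding.severity!r}")
        if not self.check_target(finding.target):
            self.rejected.append(finding.target)
            return False
        self.findings.append(finding)
        return True

    def report(self):
        """Summary for the written report: counts plus findings, most severe first."""
        by_severity = {}
        for f in self.findings:
            by_severity[f.severity] = by_severity.get(f.severity, 0) + 1
        ordered = sorted(self.findings, key=lambda f: SEVERITIES.index(f.severity), reverse=True)
        return {
            "scope_rules": self.scope.rules,
            "total": len(self.findings),
            "exploited": sum(1 for f in self.findings if f.exploited),
            "by_severity": by_severity,
            "out_of_scope_attempts": list(self.rejected),
            "findings": [asdict(f) for f in ordered],
        }


if __name__ == "__main__":
    # Constructed sample engagement; nothing here touches the network.
    eng = Engagement(["10.0.0.0/24", "203.0.113.7", "www.example.test", "*.lab.example.test"])
    for t in ("10.0.0.42", "10.0.1.1", "db.lab.example.test", "evil.example.test"):
        print(f"{t:22} in scope: {eng.check_target(t)}")
    eng.record(Finding("10.0.0.42", "Outdated web server build", "high", True,
                       "Upgrade to a vendor-supported release"))
    eng.record(Finding("10.0.0.43", "Password-only SSH login", "medium", False,
                       "Require key-based authentication"))
    eng.record(Finding("10.0.1.1", "Open management port", "low", False, "n/a"))  # rejected
    print(json.dumps(eng.report(), indent=2))
```

The point of routing every target through `check_target` is that a typo in a hostname or an adjacent subnet never becomes an unauthorized probe; the `out_of_scope_attempts` list also gives the report an honest trail of what was refused, which is exactly the sort of detail a client or a CISO will ask about.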
Who decides the minutiae?
A company might have an internal or an external red team.
An engagement process is usually based on one proposed by cybersecurity organizations like MITRE and adapted to the team’s needs. An internal team might be affected more by the decisions of senior leadership (e.g. the CISO) than an external team would be.
Regardless of whether the red team is internal or external, the engagement process should be well-defined and documented to ensure that all parties understand the scope and objectives of the engagement.
How do you become a red team member?
I think the right question is how to build your offensive engineering mindset; becoming a red team member is a by-product of that. In my humble opinion, even though there is a shortage of people with proper cybersecurity skills, the red team area is a bit congested.
To start building your offensive mindset I would suggest the following process:
- Learn about cybersecurity foundations. Yeah, there is no shortcut to that. A good starting point is Coursera’s course on the fundamentals of cybersecurity.
- Confidence with programming. Not a deal breaker, but you will need to write your own exploit or automate a process sooner rather than later.
- Confidence with networking. Same as above: not a deal breaker, but it will level up your game faster if you have it.
- Analytical thinking. You need to be able to construct an attack route given a vulnerability. Most of the time you will have seen something similar before, but sometimes not, and that is where you truly need this skill.
- Practice, practice, practice. No escape here either. You can use platforms like TryHackMe and Hack The Box, or build your own lab with vulnerable images from VulnHub.
- Stay up-to-date. Attend conferences, read industry publications, and participate in online communities to stay informed.
Becoming an offensive security engineer is a challenging but rewarding career path. It requires a combination of education, work experience, certifications, and ongoing learning to stay up to date with the latest security tools and techniques.