By now, security leaders understand the importance of defense in depth, or layered security. If one defensive security control fails, there is another to prevent or minimize damage done by an attacker. And it has proven successful: According to a Forrester survey, organizations that implemented defense in depth experienced fewer breaches.
Offense in depth is a lesser-known term than defense in depth, but equally as important. Google “offense in depth” and you will find links to NFL offensive strategies and depth charts before you find content centric to cybersecurity, but the idea isn’t much different. What happens when your star quarterback gets injured? Do you have offensive strategies and solid backups in place? In offensive security, what happens when your red team is detected by an endpoint detection and response (EDR) tool? Do you have the necessary tools and capability to seamlessly recover and continue the operation?
The importance of offensive cyber security
Many organizations tend to operate cyber security defensively or reactively. For example, patching vulnerabilities or implementing a new security tool after experiencing a breach. This is especially true for organizations that belong to an industry with significant regulatory or government compliance pressures, such as healthcare or financial services. Offense in depth, on the other hand, encourages a proactive and adversarial approach to cyber security. And there is room for both in every cyber security strategy.
Defensive programs often focus on regulatory standards, certifications, best practice frameworks, or the latest compliance guidelines required by the auditors. While important, at the end of the day it is imperative to remember that we are not defending against an auditor or a checklist. We are defending against a living, breathing, intelligent adversary that knows how to stealthily penetrate and pivot through a network undetected. Adversaries do not care about our checklists nor whether you passed your audit. They care about one thing: getting in and getting access to the targeted information undetected.
To better defend against real-world threats, an effective offensive testing strategy is critical. Famous football coach Vince Lombardi said, “Practice does not make perfect. Only perfect practice makes perfect.” Again, the sports analogy applies nicely to cybersecurity. The offensive testing we perform must reflect the types of real-world threats our organization faces each day. If not, how can we expect to detect those attacks when they actually occur? To accomplish this, our offensive testing capability must have the maturity and resiliency of real-world attackers. This is why offense in depth is critical to improving defense in depth.
Identify weaknesses in your defense in depth
Just as penetration testing identifies weaknesses in your network, applications, and cloud platforms, offense in depth identifies weaknesses in your defense in depth. Without extensive offensive testing across multiple tools and capabilities, how can we ensure that our defensive security layers are working as intended?
Defense in depth includes a combination of administrative, physical, and technical controls. Your offensive security activities should match those layers to validate controls. To achieve this, you must use sophisticated offensive attack techniques through all phases of an attack chain, including initial access, discovery, pivoting, persistence, privilege escalation, and the often-overlooked data exfiltration. Once weaknesses are identified, work with defensive teams to improve detection capabilities.
Red teams cannot rely on a single tool or approach
Red teams cannot not rely on a single offensive tool or approach when conducting an operation. When a defensive control detects an attack or prevents it from happening, red teams need additional tools and capabilities in their arsenal to adapt on the fly to an engagement – just as real-world attackers would. The more sophisticated, persistent adversaries do not stop their attempts after only hitting the first or second layers of defense.
To think like an adversary and achieve offense in depth, red teams need to understand how to adopt the tactics, techniques and procedures (TTPs) associated with a specific threat actor or threat actor groups. As defense in depth can include dozens of tools, from endpoint detection to firewalls to antivirus, offense in depth requires tools that can leverage defensive evasion techniques, such as syscalls for stealthy code injection, in-memory obfuscation, and logging bypasses (AMSI, ETW, PowerShell, etc.).
You cannot achieve successful defense in depth without good offense in depth – and vice versa. As you develop your defense in depth strategy, also consider implementing offense in depth to support your adversary simulation and red team operations and, in turn, stay a few steps ahead of real-world threats.