Jump to content

The future of offensive security/red teaming


Recommended Posts

In the rise of:
SIEM, EDR, NGFW, SD-WAN, DevSecOps, Cloud, Machine learning, Automation to mention a few buzzwords out on where the evolution of security is moving towards.

What would one say about the future of red-teaming is, and or is important to focus on to stay a head of SOC/NOC/Blue teams?

Edited by Worl
Link to comment
Share on other sites

I think red-teaming is something that will always go hand-in-hand with defensive security. Security researchers and people who like to break things a lot of the time is what gives us in the blue team the understanding of how things work in order to defend them.

  • Like 3
Link to comment
Share on other sites

I agree with ZedSec, but I'm a bit afraid that the red team will become more and more complicated via phishing mails, especially because of the measures put in place at the moment (MOTW, disabled macros), so I think it will certainly evolve by other methods more focused on social engineering by phone or via messengers like LinkedIn

Link to comment
Share on other sites

As seen in the latest breaches (actually, in most of the breaches) the focus will turn more and more in the human factor. (Ph|v|sm)ishing, SE. Hell, even spamming the OTP push notification

Link to comment
Share on other sites

spot on comments about shifts to SE and related factors, but some additional perspective I've observed in my work.

Over the years, I gradually shifted more towards Purple team ops. I found this far more valuable to clients and my team as it let members of the SOC follow the breach in real time to see where they need improvement (whilst also testing response from those not "in the know"), and giving our team valuable understanding of where we need to improve our game. These typically start as completely covert and eventually shift to the hybrid approach after some threshold, offensive or defensive, is hit.

The changing landscape has also forced a higher level of creativity. EDR has gotten better as has good network architecture, but so have creative exploits and poking other surface area. For a Phish I even filed in a nearby county courthouse to have them send a legal process server to the target to add legitimacy to my spearphishing email.

In my earlier days dropping an 0day on a client was exceptionally rare, but my more modern work has us 0day hunting far more regularly. A short, two week project of mine once involved crafting 3 new exploits in COTS products a client used in addition to targeting their in-house developed software/JIT access infrastructure.


This leads to what I found was the most valuable development in my work: having a dedicated infra engineer supporting a red team in addition to the usual exploit devs. Getting software spun up for testing grounds quickly, herding the myriad of containers/relays/fronts for N increasingly complex OpSec architecture, has made them indispensable to my teams over recent years.





  • Like 6
Link to comment
Share on other sites

I really liked H's post above.  Even though these days I'm teaching students "purely" offensive methods, the entire purpose/value of an offensive engagement is increasing the capabilities of the blue team.  In that respect, as well as assessing my students on strictly technical factors (can they exploit this software, can they locate the misconfiguration which ultimately leads to a widespread compromise in a domain), I also want to see that they can express:
what problem they found
how they found it
how they exploited it
what the ramifications/impact of their actions would be if they were truly a malicious actor

- in sufficient detail that any competent technical audience (typically the blue team) can fully absorb the information and develop mitigations.

Last thought on my mind right now is the term "breach".  Don't forget/underestimate the devastation that can be caused by a motivated insider.



  • Like 1
Link to comment
Share on other sites

My personal view is red-teams going more structured, some already do but from experience most don't (e.g. dedicated reverse engineer role, exploit dev role, development roles & operators).

For Blue-teams, some of the biggest impact comes from environmental changes to their IT infra, things like deploying VBS+Credential guard across the fleet, these however can be enormous undertakings and requires support within the org.

Edited by Kharosx0
Link to comment
Share on other sites

I can see red teams taking on more control effectiveness testing.  Assigning effectiveness scores to existing security controls and fueling control owner conversations around control requirements, configurations, and tooling decisions.   I build and manage red teams full time, and we're getting more and more of this work.   

Also, red teams are more often getting pulled into security incidents where they contribute to forensic analysis of logs, and evaluate controls to close gaps related to incidents.  Once you have these skills in your company, they get pulled into everything from security cross-training to help with planning of realistic table-top exercises.  

Edited by ScapeG0at
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...