The future of offensive security/red teaming

[Worl]

In the rise of:
SIEM, EDR, NGFW, SD-WAN, DevSecOps, Cloud, Machine learning, Automation to mention a few buzzwords out on where the evolution of security is moving towards.

What would one say about the future of red-teaming is, and or is important to focus on to stay a head of SOC/NOC/Blue teams?
 

Edited November 6, 2022 by Worl

[ZedSec]

I think red-teaming is something that will always go hand-in-hand with defensive security. Security researchers and people who like to break things a lot of the time is what gives us in the blue team the understanding of how things work in order to defend them.

[Sh0ckFR]

I agree with ZedSec, but I'm a bit afraid that the red team will become more and more complicated via phishing mails, especially because of the measures put in place at the moment (MOTW, disabled macros), so I think it will certainly evolve by other methods more focused on social engineering by phone or via messengers like LinkedIn

[vict0ni]

As seen in the latest breaches (actually, in most of the breaches) the focus will turn more and more in the human factor. (Ph|v|sm)ishing, SE. Hell, even spamming the OTP push notification

[hon1nbo]

spot on comments about shifts to SE and related factors, but some additional perspective I've observed in my work.

Over the years, I gradually shifted more towards Purple team ops. I found this far more valuable to clients and my team as it let members of the SOC follow the breach in real time to see where they need improvement (whilst also testing response from those not "in the know"), and giving our team valuable understanding of where we need to improve our game. These typically start as completely covert and eventually shift to the hybrid approach after some threshold, offensive or defensive, is hit.

The changing landscape has also forced a higher level of creativity. EDR has gotten better as has good network architecture, but so have creative exploits and poking other surface area. For a Phish I even filed in a nearby county courthouse to have them send a legal process server to the target to add legitimacy to my spearphishing email.

In my earlier days dropping an 0day on a client was exceptionally rare, but my more modern work has us 0day hunting far more regularly. A short, two week project of mine once involved crafting 3 new exploits in COTS products a client used in addition to targeting their in-house developed software/JIT access infrastructure.

 

This leads to what I found was the most valuable development in my work: having a dedicated infra engineer supporting a red team in addition to the usual exploit devs. Getting software spun up for testing grounds quickly, herding the myriad of containers/relays/fronts for N increasingly complex OpSec architecture, has made them indispensable to my teams over recent years.

Cheers,

~H

 

 

[gilmx]

I really liked H's post above.  Even though these days I'm teaching students "purely" offensive methods, the entire purpose/value of an offensive engagement is increasing the capabilities of the blue team.  In that respect, as well as assessing my students on strictly technical factors (can they exploit this software, can they locate the misconfiguration which ultimately leads to a widespread compromise in a domain), I also want to see that they can express:
what problem they found
how they found it
how they exploited it
what the ramifications/impact of their actions would be if they were truly a malicious actor

- in sufficient detail that any competent technical audience (typically the blue team) can fully absorb the information and develop mitigations.

Last thought on my mind right now is the term "breach".  Don't forget/underestimate the devastation that can be caused by a motivated insider.

-Mike

 

[Kharosx0]

My personal view is red-teams going more structured, some already do but from experience most don't (e.g. dedicated reverse engineer role, exploit dev role, development roles & operators).

For Blue-teams, some of the biggest impact comes from environmental changes to their IT infra, things like deploying VBS+Credential guard across the fleet, these however can be enormous undertakings and requires support within the org.

Edited November 9, 2022 by Kharosx0

[ScapeG0at]

I can see red teams taking on more control effectiveness testing.  Assigning effectiveness scores to existing security controls and fueling control owner conversations around control requirements, configurations, and tooling decisions.   I build and manage red teams full time, and we're getting more and more of this work.   

Also, red teams are more often getting pulled into security incidents where they contribute to forensic analysis of logs, and evaluate controls to close gaps related to incidents.  Once you have these skills in your company, they get pulled into everything from security cross-training to help with planning of realistic table-top exercises.  

Edited November 10, 2022 by ScapeG0at