This morning I saw a job offer from Facebook looking for offensive security engineers and I thought it would be a wonderful opportunity to explore this idea and its application in corporate security.
Traditionally information security in enterprises has a defensive role based on different products (firewall, anti-virus, IDS, etc.). But when week after week we read in the media as businesses of all sizes are attacked and owned, something is wrong here!
Internet and its dangers have evolved but corporate security has not: too many companies follow decades old security schemes to protect their information.
As Nation-States develop not only their defensive capabilities but also their offensive capabilities, businesses should also enhance their offensive capabilities, not to attack other companies but to assess their own security effectively.
It is impossible that security consultants / pentesters with a limited time are able to truly verify the security of a company, which unfortunately is the model that most companies follow. No one presses the doctor when operating or the plumber when fixing a problem, but we press all the time security consultants to obtain compressive results in a short space of time.
It is necessary that corporate security evolves with offensive staff who truly understand the attackers (attacker mindset), who are capable of attacking systems and applications and have some freedom to do this in the company. These individuals are who can raise security to the next level.
Their objective is to constantly attack the company using actual techniques to discover the weak points and strengthen them, analyze malware identified in the company and even set traps to the attackers (honeypots). We should not confuse with Counter-Hacking, the idea that if we are attacked we must respond by attacking. No company should use its offensive capabilities to counter attack as this can unleash all kind of problems (legal and ethical). We must only use offensive capabilities internally to improve security, period.
Companies that do not evolve their security to a defensive and offensive model and enhance not only the technology but also its processes and people (the famous pyramid: people, processes, and technologies) are doomed to be owned for lifetime.
Has your company offensive security capabilities? How are they used?
— Simon Roses Femerling