Over the last several years, as the threat landscape has continually evolved, the severity and sheer volume of security vulnerabilities and attacks have accelerated dramatically, causing the tech industry across the world to look for new ways to prevent crippling cyber attacks. In an effort to outthink and outmaneuver attackers, organizations have begun creating offensive security research teams. One well-known team in the industry is Google’s Project Zero. Created back in 2014, its primary purpose was to make computing more secure by proactively rooting out vulnerabilities and flaws that could be exploited by hackers and nation states. Since then, the field has blossomed, with organizations like Microsoft, Apple, Intel, Amazon, Oracle and others investing in offensive security research.

However, offensive security research teams are still relatively scarce. As more organizations producing technologies, products and services look to join the movement, it’s helpful to understand some best practices and challenges involved in assembling and managing a team, and how to measure success.
The Fundamentals of Offensive Security Research

First, a quick refresher. By definition, offensive security research initiatives take an aggressive, proactive approach to product security. Most organizations start by judiciously vetting products throughout the various stages of the development lifecycle and stress testing to ensure they’re not exposed to widely-known security vulnerabilities. That said, security is such a broad and dynamic field that screening for known risks only gets you so far. That’s when offensive security researchers step in.

These research teams assess the evolving threat landscape – beyond established security vulnerabilities – to identify where researchers and attackers (both well-meaning white hats and cyber criminals) will focus their next efforts. Offensive security researchers look at products through the lens of an advanced attacker, using unconventional approaches to identify weak spots that can be exploited.

Assembling Your Team

When evaluating research candidates for your team, look for these five key qualities:
1. A deep understanding of the threat landscape – The best offensive security researchers maintain a strong pulse on threats and the know-how of cutting-edge attack methods in their area of expertise. At Intel we produce a wide range of diverse technologies – each with its own set of security considerations – so it’s crucial that we have security researchers on staff (and partners in academia) with high-level knowledge in each discipline. One of the visible traits of the right candidate is that they’re incredibly well-read on the latest security publications and have taken the time to dissect and understand the anatomy of the vulnerability and exploitation scenarios.

2. Imagination and persistence in applying threat expertise to find complex vulnerabilities and novel exploits – An understanding of the latest attack techniques alone isn’t enough. Researchers must be able to take that expertise and successfully identify the areas of technology that are most likely to be attacked, prioritize them, and conduct scenario analysis to uncover new methods attackers might use to break the product. This process requires a tremendous amount of patience and persistence to navigate the complexity of the technology and the type of threat.

3. In-depth, systems-level knowledge – Offensive security researchers also need to be systems-level experts, with the technical chops required to operate across hardware, software, firmware and other boundaries within a technology or system to uncover unforeseen weaknesses that might be buried within any layer of the computing stack.

4. The ability to recommend product-minded threat mitigations – A candidate could exhibit all of the above capabilities, but if they’re unable to come to the table with a potential solution, the job’s only half done, with no tangible impact. The work doesn’t stop once a vulnerability is found. Offensive security researchers have to be able to proactively explore potential mitigations for the vulnerabilities they discover, and work with product teams to establish a solution that eliminates the class of weakness represented by these vulnerabilities while, at the same time, preserving product functionality.

5. Follow-through to disseminate new security learnings – Lastly, offensive security researchers in a large organization must be capable of turning hidden security issues into known, quantified learnings and prevention/detection actions throughout the organization’s engineering community. Continuity across every stage of the offensive security process is paramount, with little room for handoffs to other researchers. The individual leading each project must see it through to completion. That’s how you ensure that all the critical attributes of each risk are captured, and that the knowledge of each security vulnerability is propagated throughout the organization in a way that eliminates similar issues, or the entire class of issues, moving forward. Beyond individual research projects, it takes a long time to build the breadth and depth of expertise needed to do offensive security research well as an organization. Employing and retaining researchers who are “in it for the long haul” is key to building that momentum.
Common Pitfalls to Avoid

Like any other highly-complex, multi-faceted process, managing an offensive security research group carries with it a unique set of challenges. Many of these involve bringing in the right talent, supporting their growth and getting individual researchers to work together as a unit. A deficiency in any one of the above five talent criteria is typically a sign that a research candidate might not be ready to join the team. Another red flag to watch out for is a disinterest in how their research aligns with the company’s overarching goals.

The skills security researchers possess today leave most with no shortage of exciting and lucrative employment opportunities. Finding the right fit all starts with ensuring each researcher is on board with the organization’s big-picture motivations behind product security. Be concerned if it appears a candidate is set on satisfying their own personal research agenda over how the team’s efforts will impact the business and the overall industry/society.

Likewise, if a candidate doesn’t display an ability to communicate, learn from, and work well with others, they’re likely to end up stalling your research efforts rather than progressing them. Collaboration is essential in an industry defined by remote workforces distributed across time zones and geographies. The remote team model presents its own set of logistical hurdles, but if your organization is supportive of a location-agnostic workforce and invested in making it work, the research team will be able to attract and retain the best talent.

Additionally, the best researchers crave autonomy. Fostering a collaborative team environment while preserving that desire for independence is another major challenge. It’s critical that you shield these researchers from the types of stifling bureaucracy (perceived or otherwise) that can be so common within organizations. The best way to do this is to ensure that each individual is committed to the common goal, while providing them with the flexibility and freedom to achieve the desired outcome as they see fit.

Picking Your Battles

Once you have the
right talent in place on your team, the next major consideration is determining
how to prioritize your offensive security research efforts. Most organizations
have a broad product and technology landscape to cover, so it’s critical that
you’re careful about how you assign the expertise, time and resources available
to you.

First, ask yourself: how critical is the technology in the product or platform? Treat the technologies that are the most fundamental and foundational as the highest priorities. Next, identify any active research taking place in industry or academia for a particular type of technology or product. This will help you understand what the research community is already thinking about, the common trends in the space, and what the leading methods are for exploring vulnerabilities in a given category. Finally, factor in the realized risk. In some cases, a certain type of attack or vulnerability is repeatedly demonstrated and prevalent in the industry. You need to think through the best way to eliminate those risks from the products.

These steps should help you identify which offensive security research projects to prioritize, but it’s also important to take a measured and tactful approach to doling out assignments to the research team. The best approach is often “self-serve,” if you will. Ask researchers to conduct preliminary analyses independently, and bring the research proposals they’re most excited about back to the group for discussion. This should be done on a frequent basis to ensure that the research roadmap is refreshed regularly. By allowing individual researchers to select projects based on their unique interests, you’re able to tap into their passion for exploring a particular technology or product area.

Quantifying Success

How can you measure the success of a program? Here are four key indicators:
1. You should be able to attribute the security assurance of your products to the team’s research efforts. The team’s impact on product security should be direct and substantive, not just peripheral.

2. When executives and decision makers are assessing critical decisions related to product security, the offensive research team should be their go-to technical experts, whose opinions are requested and highly valued.

3. The overall trend of security vulnerabilities present in the company’s products should decrease significantly over time, especially when it comes to known threats and technology areas that have been top priorities for the offensive security team. This doesn’t mean that new vulnerabilities and novel attacks will never arise, but they should be few and far between.

4. Your team’s research is seen as a benchmark for innovative security research within the broader industry. Others should view your offensive security researchers as thought leaders in the market with valuable technical know-how that spurs new, ground-breaking research efforts and threat mitigations.
Today, the number of offensive security research teams across the entire industry is growing. Not only are they working to improve the security of their own organizations’ products, but they’re collaborating with one another to systematically tackle major software, hardware and firmware vulnerabilities. But there’s much more work to be done. Consider applying these best practices and guidelines, and join the effort to improve our collective, worldwide security.