During a presentation at Infosec21, Alex Peleg, CEO of Cynergy, used the term “Offensive Engineering” to describe an adversarial approach to secure product development. In case you missed the presentation, don’t worry. This post explains what the concept is all about.
As a rule, organizations, federal governments included, conduct only cursory security inspections of the software they buy from third parties or develop in-house, whether it manages databases or runs internal tasks. That blind spot has produced costly attacks, most recently the SolarWinds compromise that reached the Treasury Department, NIH, DHS, and other agencies.
What minimum security do you set for software and services? Do you invest considerably in security and then outsource services to companies with insecure products?
We understand the importance of injecting security into the development lifecycle, which the AppSec/DevSec space calls the Secure Development Lifecycle (SDL).
An article on TechBeacon states that SDL is a “different way to build products. It places security front and center during the product or application development process.” In its simplest form, SDL standardizes security best practices across a range of products. It captures industry-standard security activities, packaging them for easy implementation.
Back to the SolarWinds hack, which security researchers and White House officials have linked to the Russian foreign intelligence service, the SVR. The incident reflects a level of sophistication that organizations cannot block completely. Lucian Constantin, a Senior Writer at CSO Online, notes that such an attack highlights the severe impact supply chain attacks can have and the unfortunate fact that most organizations are woefully unprepared to detect and prevent them. Many organizations routinely deploy software with bugs because developers lack the skill, time, or incentives to inspect it thoroughly. Fortunately, technical professionals and policymakers say new approaches to software development and procurement could at least give defenders a fighting chance.
Leveraging SDL and Offensive Engineering to Prevent Attacks
When an incident such as ransomware, or any other cyber incident that disrupts the whole organization, has occurred, one sound call has been to recover and restore systems from backups, or preferably to rebuild the organization’s systems and architecture completely. “However, this unique edge case does not fall under the standard SDL process, since it’s SDL on steroids,” states Alex.
The approach in this case should be, “Trust nothing and try to hack everything you can while you are building it,” asserts Alex. The term Offensive Engineering is borrowed from the process of building infrastructure for a Red Team operation, yet it is better suited to describing this SDL-on-steroids process.
Whether you are recovering from a cyberattack or building software as part of the normal development process, it is crucial to attack not only the code under development but everything it touches: the cloud infrastructure, employees, vendors, and so on. This is what we mean by a proactive, adversarial approach to protecting applications, systems, and users. Instead of focusing on reactive, defensive measures such as finding and fixing vulnerabilities through patching (as most SolarWinds victims had to), we propose offensive engineering processes that spot and disable vulnerabilities during product development.
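Here is what “try to hack everything you can while you are building it” looks like in a build pipeline, as an added example that is not code from this post or from Cynergy. A hypothetical file-serving routine is written twice, a naive version and a hardened one, and a small adversarial harness feeds both a set of constructed path-traversal payloads. The attack cases are written alongside the feature and run with the rest of the tests, so the build fails the moment a traversal bug is introduced or reintroduced. The document root name, the payloads, and the function names are all assumptions; POSIX path semantics are assumed.

```python
# Added example, not code from the original post or from Cynergy: a
# hypothetical file-serving routine in a naive and a hardened version, plus
# an adversarial harness that feeds both a set of constructed path-traversal
# payloads. POSIX path semantics assumed throughout.
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Hypothetical document root; it does not need to exist for the checks below.
DEMO_BASE = Path(tempfile.gettempdir()) / "offeng_demo_public"

# Constructed attack payloads, each labelled with the trick it relies on.
ATTACK_PAYLOADS = {
    "plain traversal": "../../etc/passwd",
    "url-encoded dots": "%2e%2e/%2e%2e/etc/passwd",
    "double-encoded": "%252e%252e/etc/passwd",
    "absolute path": "/etc/passwd",
    "null byte": "report.txt\x00../../etc/passwd",
    "backslash traversal": "..\\..\\etc\\passwd",
    "dot segment in middle": "public/../../etc/passwd",
}


def serve_file_naive(base: Path, requested: str) -> Path:
    """A rushed first cut: decode the request, join it to the root, done."""
    return base / unquote(requested)


def serve_file_hardened(base: Path, requested: str) -> Path:
    """Canonicalise the request, then prove the result is still under `base`.

    Rejects NUL bytes, absolute paths and anything that resolves outside the
    root once '..', symlinks and backslashes have been taken into account.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise ValueError("NUL byte in requested path")
    decoded = decoded.replace("\\", "/")   # never let a backslash hide a separator
    if decoded.startswith("/"):
        raise ValueError("absolute paths are not allowed")
    root = base.resolve()
    candidate = (root / decoded).resolve()  # collapses '..' and follows symlinks
    if candidate != root and root not in candidate.parents:
        raise ValueError("requested path escapes the base directory")
    return candidate


def escapes_base(base: Path, result: Path) -> bool:
    """Oracle used by the harness: does `result` land outside `base`?"""
    text = str(result)
    if "\x00" in text:
        return True  # a C-level open() would truncate here; treat as an escape
    root = os.path.realpath(str(base))
    target = os.path.realpath(text)
    return target != root and not target.startswith(root + os.sep)


def run_adversarial_suite(handler, base: Path) -> dict:
    """Feed every payload to `handler` and classify each outcome."""
    outcomes = {}
    for name, payload in ATTACK_PAYLOADS.items():
        try:
            result = handler(base, payload)
        except ValueError:
            outcomes[name] = "rejected"  # the handler refused the request
            continue
        outcomes[name] = "escaped" if escapes_base(base, result) else "contained"
    return outcomes


def findings(handler, base: Path) -> list:
    """Payload names that got out of the root; the build should fail if non-empty."""
    return sorted(n for n, o in run_adversarial_suite(handler, base).items() if o == "escaped")


if __name__ == "__main__":
    for label, handler in (("naive", serve_file_naive), ("hardened", serve_file_hardened)):
        print(f"{label}: {run_adversarial_suite(handler, DEMO_BASE)}")
    # A CI job would do the equivalent of:
    # assert findings(serve_file_hardened, DEMO_BASE) == []
```

The harness classifies each payload as rejected, contained, or escaped, and `findings()` returns the names of the escapes; wiring `assert findings(serve_file_hardened, DEMO_BASE) == []` into the test stage turns every payload in `ATTACK_PAYLOADS` into a regression test that a developer cannot merge past. Note that the double-encoded payload is “contained” rather than rejected by the hardened version: it decodes to a literal directory named `%2e%2e`, which the containment check correctly leaves inside the root.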
Offensive Engineering involves gathering information about threats and cautiously retaliating within the bounds of the law, thereby frustrating would-be attackers. It is a means of testing security measures from an adversary’s perspective. Simply put, enterprises can strengthen their security posture by understanding and applying adversarial tactics.
Trusting nothing and trying to hack everything you build can sometimes involve launching offensive action against adversaries to cripple their plans and deter further attacks. A boxing match is a useful analogy: an offensive engineering tactic is like a boxer backing an opponent into a corner, so that the adversary can no longer run.
What if you face a formidable, quick opponent whose fighting style makes them hard to pin down? The faster you chase, the faster they retreat, landing punches on you as you pursue them. In that situation the best way to handle the opponent is to cut off the ring, as Gracie Raleigh, a leading mixed martial arts studio, explains on its blog. Cutting off the ring leaves the opponent nowhere to run and keeps them in a corner where you can land your reprisal. The tactic takes practice, though, including the ability to read your adversary.
But just as cutting off the ring in boxing demands precision, Offensive Engineering is a bold move in cybersecurity. Exercise caution to avoid illegally hacking back, which every security expert should know is no trivial act: some laws deem such forms of active cyber defense unlawful.
You can also leverage artificial intelligence (AI), especially for security automation, in your Offensive Engineering efforts. Some security tools apply AI with relevant parameters to distinguish authorized from anomalous activity and initiate a response. With proper verification, automated threat responses can become part of offensive engineering, which also addresses scalability and efficiency when handling a myriad of codebases and products. This is precisely what Cynergy is about: an automated security roadmap based on who you are and what you do.
Let us cut off the ring safely and avoid inappropriate punches whose ramifications could warrant an escalation that your enterprise is not prepared to deal with technically and legally.
We would greatly appreciate it if you kindly give us some feedback on the “Offensive Engineering” here.