Offensive or Defensive Security? Both!

Published: 2016-06-09
Last Updated: 2016-06-10 06:22:12 UTC
by Xavier Mertens (Version: 1)
1 comment(s)

Sometimes students ask me the best way to jump into "the security world". I usually compare information security to medicine: You start with a common base (a strong knowledge in "IT") then you must choose a "specialization": auditor, architect, penetration tester, reverse engineer, incident handler, etc. Basically, those specializations can be grouped in two categories: "offensive" and "defensive". Many people like the first one because it looks more funny and the portrait of the hacker as depicted in Hollywood movies is tough! Being involved in a few call for papers for security conferences, I see a clear trend in submissions focusing on offensive security.

If breaking stuff is always nice (playing the "red team"), being able to defend them against attackers is also very rewarding (playing the "blue team"). So, back to the first student's question: Which side of the force to choose? I can't answer this question for you! It's a very personal choice based on your feelings but one thing is certain. There is clear overlapping between offensive and defensive security. Why? Here are two examples.

First from a defender perspective. To be able to properly defend your assets, you must know what techniques and tools will use the bad guys against you. This is the principle of "Know your enemy!". If you're involved in a security incident, your knowledge of the bad side will be very helpful to find how your server was compromised. If you're implementing a solution or writing some code, try to think as a bad guy and ask yourself "How would I try to break my setup".

On the other side, from an attacker perspective, you can improve your tasks by using defenders' techniques. While performing a pentest, we don't have unlimited time. A good idea is to rely on forensics investigation techniques. Indeed, operating systems like Microsoft Windows are well-known to keep trace of all the user activities in multiple places. It is possible to trace back all the actions performed by a user (which applications he started, the last files opened, network shares mounted, etc). This is a gold mine for a pentester too. Imagine that you just compromised a computer. You've your Meterpreter shell ready. And now? To save your time, just check the latest files opened by the victim, there are chances that they will be business related and contain juicy information. Which internal sites he visited? That's nice targets to pivot! 

So, offensive or defensive security? Choose the one you like but think about both!

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

1 comment(s)
Diary Archives