Offensive Cybersecurity for Small Businesses

Throughout this course we’ve learned a lot about defensive practices and technologies that are used to protect against cyberattacks.

While defenses play a primary and critical role, offensive cybersecurity can be used to test and strengthen the defense of any digital network, system, or application.

Offensive cybersecurity is popular, and

Offensive security services have historically been overlooked by small businesses and their security providers. In this lesson, we’ll look at what offensive services are, and why we think that they’ve been historically underutilized by small businesses.

It may not be practical for small businesses to hire a team to perform a multi-week, full-scale penetration test costing many thousands of dollars – but that doesn’t mean that small businesses can’t achieve major wins by using offensive cybersecurity engagements that are targeted and scaled properly for their business.

What is Offensive Security?

Offensive cybersecurity refers to a proactive approach of simulating an attack in order to identify potential cybersecurity threats.

The offensive strategy involves actively seeking out vulnerabilities, misconfigurations, and other weaknesses in a company’s systems, networks, and applications. By conducting a variety of assessments, cybersecurity professionals can simulate real-world attacks to uncover weaknesses that malicious hackers could exploit.

Offensive cybersecurity allows businesses to strengthen their security posture and significantly reduce the risk of cyberattacks.

Let’s look at an example:

A small business might hire a cybersecurity firm to help harden their network. Then they may use a vulnerability assessment or penetration test to confirm that the defenses are in place and configured properly, and to identify anything that attackers could use to get around them.

This is also a great opportunity to look at the attack from the defensive perspective. If the company had recently installed a firewall, was the attacker able to circumvent it, and how? Can the configuration be improved using this information?

Offensive security services are also increasingly required for both compliance and insurance purposes.

Let’s learn more about common types of offensive security services, and then see how small businesses can integrate them into their cybersecurity program.

Common Offensive Security Services

The most common types of offensive security services are vulnerability assessments, penetration tests, and red team engagements. Purple team engagements are relatively new and less common, but we consider them to be of particularly high value to small businesses when they are scoped properly for the business, so we cover them here as well.

  • Vulnerability Assessment: A vulnerability assessment is typically a limited engagement of short duration during which the assessor tries to identify as many vulnerabilities as possible. Many common vulnerability assessments rely on an automated software scan, but there is much greater value in hiring a skilled ethical hacker to perform manual activities and identify potential paths toward exploitation. At GAIT, our vulnerability assessments consist of both a comprehensive automated scan and manual testing. We recommend that small businesses not settle for less.
  • Penetration Test: A penetration test (also called a ‘pentest’) is an engagement of longer length and greater scope than a vulnerability assessment. The scope defines the targets and techniques used during the engagement. Like a vulnerability assessment, the goal is to find as many vulnerabilities, weaknesses, and other potential paths to exploitation as possible. However, during a pentest, an ethical hacker (or team of hackers) is given both more time and a greater range of attack types. While the scope of every pentest is different, it is common for pentests to allow exploitation and post-exploitation activities. For example, in an external penetration test, the goal is to breach the network. Once the attacker has gained a foothold, they may also be allowed to perform further activities to more completely simulate a full attack. If allowed in the scope of the pentest, they will seek to elevate privileges, pivot, and compromise other machines in the network.
  • Red Team Assessment: During a red team assessment, highly skilled ethical hackers simulate an attack by an advanced persistent threat (APT) or similar group. Red teaming often involves multiple people attacking a company’s assets at once. It often involves phishing, and the scope commonly calls for an ‘internal’ assessment in which the primary goal is to assess the organization’s network from within. Red teaming is also often a stealthy assessment during which the attackers try to stay as silent as possible, simulating a real-world attack from an APT. This is in contrast with a pentest, during which attackers often want to be as ‘loud’ as possible so that the company can see what the defenses were able to detect. Note the two different goals: during a pentest, we want to identify as many vulnerabilities, misconfigurations, and other weaknesses as possible. During a red team assessment, the goal is typically to stealthily achieve full control of the network using any means necessary.
  • Purple Team Assessment: At large companies, the Red Team is responsible for simulating attacks, trying to break into the system using the same techniques as real attackers while the Blue Team is in charge of defense, monitoring the system, and responding to the simulated attacks. The goal of a Purple Team Assessment is to improve the overall security posture of an organization by fostering communication and cooperation between the offensive and defensive teams. What distinguishes a purple team assessment from other types of assessments, however, is the degree of collaboration between the attackers and defenders. The main goals are a) to identify weaknesses in the organization’s defense and b) to improve the way that the network is defended. While small businesses don’t typically have their own red team, purple team style engagements can still be used to dramatically improve their security posture.

External, Internal, Web Application, and Other Assessments

Each of the assessment types above can be performed on a number of different types of targets.

  • External Assessment: Focuses on assets that can be accessed over the internet. For example, a company webserver may provide a publicly accessible website or a mail server may allow employees to get their mail from home. Externally accessible assets need to be extremely secure so they don’t become footholds into the internal network environment.
  • Internal Assessment: Focuses on an internal network environment. This assessment may start as an external assessment and then pivot to the internal network if/when the tester gains access to a system, or the tester may be given direct access to the internal environment so that they can focus on it. On Windows networks, an internal pentest may be focused largely on Active Directory, which presents many unique opportunities for attackers. The primary target of such testing is usually the Domain Controller (DC). Once an attacker controls the DC, they essentially have control over the entire network.
  • Web Application Assessment: A web app assessment focuses specifically on a company’s web applications or websites. Large businesses often have numerous websites and a large online attack surface that constantly needs to be tested. For small businesses, the use of web applications is much more limited and the need for testing is lower, because SMBs often use third-party solutions rather than building their own.
  • Phishing Assessment: Involves simulating a phishing attack to test employees’ ability to recognize and respond to phishing emails. These simulated phishing emails are designed to mimic real phishing attempts, with the goal of evaluating how well employees can identify and handle such threats. By conducting regular phishing assessments, businesses can gauge their employees’ level of awareness and preparedness, helping them to identify potential vulnerabilities and areas for improvement in their cybersecurity defenses.

Deploying Offensive Security For a Small Business

We highly recommend that small businesses make use of limited, short offensive engagements as part of a complete cybersecurity program. Every small business is different. The most common assessments that we recommend are:

  • Vulnerability assessments
  • Targeted assessments
  • Authenticated testing
  • Carefully calibrated ‘purple team’ assessments
  • Phishing assessments

Some of these bear further discussion. We generally recommend a vulnerability assessment early on, once the small business has good practices in place and has deployed a network firewall and EDR. This vulnerability assessment allows us to take a much closer look at the network, which we can use to make more insightful recommendations – particularly ways for the company to strengthen security without additional cost.

Once we have a good understanding of the network, we may make further recommendations for targeted assessments alongside corresponding defensive activities. For example, during the initial consultation or vulnerability assessment we may identify a SQL database. We may then recommend a number of configuration changes to implement in order to secure the database, followed by a targeted assessment of the database. The assessment may reveal further potential weaknesses and thereby enable us to ensure that it has been properly secured. This can be done at minimal cost because the engagement is highly limited.

One unique service that we offer at GAIT (and which we hope will become more popular) is the use of short, modified purple team assessments.

In traditional pentesting, the ‘red team’ are the attackers and have no contact with the defenders, the ‘blue team’. At the end of a penetration test or red team engagement, the red team submits a report which the blue team uses to improve their security posture.

Small businesses often don’t have a ‘blue team’, so traditional penetration tests are often of little value to them. As a result, we work directly with small businesses using a ‘purple team’ approach, in order to help the business implement the security improvements identified during offensive testing.