Is Offensive Security part of your 2024 Security Roadmap? We caught up with Sam Kirkman, Director at NetSPI EMEA at BlackHat Europe 2023 about what an Offensive Security Roadmap going into 2024 should look like. Offensive security is much more than pentesting. We spoke about how to build a capable team, different maturity stages of building such a program and resources you can lean on while you are on this journey across different industries.
Questions asked:
00:00 Introduction
02:53 A bit about Sam Kirkman
03:53 What is offensive security?
04:52 The attack landscape
07:34 Offensive Security Roadmap
09:43 Components of Offensive Security Roadmap
11:04 What's a good starting point?
12:55 Skillsets required in the team
16:57 Different stages of maturity
19:09 Where can people learn more about this?
22:03 Where you can connect with Sam
You can learn more about NetSPI and offensive security here
Sam Kirkman: [00:00:00] So what I've seen work in other organizations is they'll say, if you're at all interested in security, come and chat to us in our security team. We'll have these conversations around some of the problems we're trying to solve and how it works with what you do day to day. And we'll give you the time, the resources, whatever it is we need to do to help you upskill in that space.
And I know that any CISO listening is thinking, I don't have the time and the money, or whoever's managing those teams. I understand that, but on balance, if you take a developer that you're already paying, that's already onboarded, that knows your organization, and you can give them a few days, a few weeks a year to either do some security focused training or to actually implement some of this in some code, that's a lot cheaper and more efficient for your organization.
Ashish Rajan: Is offensive security in your roadmap for 2024? If that is the case, then this is the perfect episode for you, even if you have never done anything with offensive security. So in this episode, we had Sam Kirkman, who's the director at NetSPI in the European region. We interviewed him at BlackHat Europe and we spoke about what an offensive security program should look like, what are some of the strategies, the team capabilities you should look at building when you are [00:01:00] thinking of an offensive security program in 2024, even if you've never had one before.
We also spoke about some of the nuances of at least a lot of people, and I'm guilty of this as well, we always should think that offensive security is truly just, as long as I do a pentest and maybe even have a bug bounty program, that's more than enough, but there is so much more to just doing offensive security in general, in an organization and different levels of maturity you can go through.
So we spoke about a lot more than just talking about the team capability and the general information about this. We spoke about capability, we spoke about the different types of offensive security you can think about as you work in a program. Where do you even start? What's a good starting point?
And a lot more as well. If you enjoyed this episode, and maybe if you know someone who's working on an offensive security program, maybe who's a manager or someone who's looking into this, into their 2024 program. Definitely share this with them because this is going to be really helpful, at least leveling up the playing field, even for people who have never done this before as well.
Now, if you are watching or listening to this for the second or third time, I [00:02:00] would really appreciate if you can drop us a rating or review on iTunes or Spotify. But if you're watching this on YouTube please definitely subscribe because it definitely helps us know what kind of videos are being enjoyed more.
Maybe a like or a comment definitely helps us know what more questions we should help answer for you as well. But otherwise feel free to reach us on email if you have been listening and want us to cover a topic which we have not so far. I just want to also say thank you to everyone who came to us and said hello and gave us a hug at BlackHat Europe.
Shilpi and I really appreciated it. I'm so grateful that you folks come over and say hello, I love it. And I so look forward to this. And this is probably the only reason we are driven to do more events as well. So we get to see a lot more of you, even the local meetups that we do as well.
Thank you so much for doing this. I know holiday season is coming up as well. And this was the last conference of the year, but I look forward to seeing a lot more of you in conferences in 2024 as well. I hope you enjoyed this episode and as always, I will see you in the next episode, peace.
Maybe to start off with, if you can introduce yourself and give your background a bit.
Sam Kirkman: Sure. Yeah. My name is Sam Kirkman. I'm one of our [00:03:00] directors of services here at NetSPI. So my job is to spend about half of my time pentesting for our customers. It was a wide variety of different services that we offer. A lot of my focus is on the application side of things. And then the other half of my time is all about the rest of what makes NetSPI great.
It's all about the quality drive, the focus on improving our processes, making sure our teams are equipped to do their job. And then the other component of that is some of the strategic stuff as well. My background started off in strategic cyber security with Big Four consulting, then moved into pen testing to really be on the sharp end of validating.
Is it secure? Is it not? And then once I combined that really detailed technical stuff with the high level, it was a bit of security architecture as well, trying to help organizations build things secure by default. And then of course, wrap that around with some testing to validate. Did we succeed as well?
Ashish Rajan: And maybe just to level the playing field for people, how would you describe offensive security and is pentesting the only thing in offensive security?
Sam Kirkman: That's a good question. I think it's often seen that way because it's a very simple way of viewing it. Offensive security as [00:04:00] a concept, certainly the way we view it, you can think of it more as proactive security.
But when you think of it that way, it encompasses so much more than just a pentest. When you're thinking about offensive security or proactive security, it's a shift from a defensive mindset, where you would put in protective controls layer by layer, assuming you can put in a few layers and just assuming that they work and trusting that you've ticked the box, you've done the job.
You are now in a better position to a mindset of, are we really? It's professional skepticism around everything in your cybersecurity space. And once you make that mindset shift, you'll usually start finding out that a lot of the controls and the mechanisms that you've put in place to improve your security have gaps under certain circumstances with the right context or the wrong context, depending on how you look at it.
So it's more of a mindset shift to take a look at not only pentesting but even things like threat modeling and the broader landscape of actually saying, what happens if we attack this rather than just defend it?
Ashish Rajan: It's great that you called out the fact that it's a lot more about we always have that feeling.
Have we done enough? Is this enough or not? For sure. But these [00:05:00] days, there's a lot more complexity to just a web app. I think a lot of people who would have been in the space for a long time, at least for me when I started, web app pen testing and infrastructure network pen testing was the only two things that people would primarily talk about.
And there was a whole, hey, I'm doing malware analysis and trying to do all that as well, those people were like the elite people who were spending a lot of time analyzing malware. These days, it's a lot broader as well now. I think there's a lot more things that people are thinking about.
There's a whole, now we live in the AI world, unfortunately, or fortunately for some people. What are some of the other things people need to consider as part of, what's more than just a web app or a network these days?
Sam Kirkman: That's it. That's a really good point. Things are so much more complicated than they used to be.
It's not that long ago in the grand scheme of things that if you wanted to run a website, it would be one computer system, and it'd run the app, and it'd run the database, and it'd all be written in PHP at the back end and JavaScript at the front. It'd be fairly simple, and you might scale that by having a few of those systems.
But these days, it's entirely feasible to build a massive global application that serves millions of people [00:06:00] using not a single server, at least nothing you own, if you start leveraging the cloud, which is a massive, complex area because the cloud has taken everything we know about the on premises infrastructure space and said, you can do that, but you can also do it in a completely new format with a whole new way of managing security, access control, patch management. Depending on exactly how you deploy things in the cloud, that can matter or it can not matter.
There's a whole shared responsibility model in the cloud. And then when you have a look at things like AI machine learning, that's moving so fast right now. And it's one of the things we've been looking at NetSPI. We've got a team that's dedicated to testing and validating our processes for looking at AI security.
Because once upon a time, it was check the infrastructure and maybe have a look at the architecture of the model. But now, particularly with the public example of ChatGPT, it's pretty clear to see what can happen if you start poisoning input data and getting really weird output. And whether that's the data that trains the model originally or just the inputs at the end.
I think at this point it's a complex thing to get right and it starts to become a game of thinking and [00:07:00] planning rather than just running through the pen testing cycle and hoping that you've ticked the boxes.
Ashish Rajan: Oh, cool. So I think what this made me think about is that a lot of CISOs may be paying for the roadmap for 2024.
And we spoke about offensive security roadmap. What is that? And is there really a need for offensive security? Because to what you said, it's a lot more complex these days. It's not just a server with a PHP and a JavaScript in the front end. But there's also Kubernetes, API, ChatGPT. There's a lot more things happening at that point in time.
What is an offensive security roadmap for people? Probably not even putting it in their roadmap for 2024.
Sam Kirkman: That's a really good question. There is a lot of complexity to it. And I think the best way to put this would be with a bit of an example of what the traditional mindset has been in a lot of organizations.
Being a CISO is a tough job. You know this firsthand, right? There's a lot that you have to consider. When it comes to offensive security, it's easy to think that it's just another plate to spin and a lot more things to plan and account for and budget for, but what we're trying to do in the offensive security space is not just be another plate, but be a tool for [00:08:00] validation of the rest of your work.
Because what the traditional mindset gives you of pentest your different assets and just say, is it working? Is it not? That does tend to give you an isolated view of each component of your landscape. And a good example of why that can be problematic is what we see when we're doing this in practice, particularly network pentesting with our red team services.
What we'll see then is, we'll test an application in isolation and the organization will say, we've tested this. We know that it's secure from these different types of attack. Or we know we've got a couple of vulnerabilities here. And then our broader testing will actually demonstrate that if you can find a route through a completely unrelated component of your network, we can then get privileged access that goes all the way around the security controls that specific component is protected by, using administrator access or something.
And gets direct access to the database or the underlying server that runs this application. And unfortunately, that's just how it is. There's no way that you can secure your application in isolation and know that it's secure. You have to think about the bigger picture. So an [00:09:00] offensive security roadmap these days needs to be able to validate the bigger picture.
So it should be, here's the individual components. You need to understand your landscape. So that is an asset inventory. What have you actually got? Who owns it? Who's responsible for managing it? And how does it all interconnect? That's really hard to do, and a lot of organizations aren't there yet. But if you can get there, or you're willing to put the time and effort into making some progress, it opens doors to things like threat modeling, and you can start moving from the mindset of offensive security is a big pot of money, and you burn it on pentesting every year, to offensive security is my ability to validate everything that I do as a CISO is effective and delivering value for my organization.
Which is a much, much better way to view it.
Ashish Rajan: You know how we spoke about some of the complexity of how pentests happen these days. It's not just a server with some kind of PHP or JavaScript running. A lot more complexity to it. When someone's looking at doing an offensive security roadmap, and we spoke about it, it's not just pentesting anymore.
It's a lot more holistic. You can go around controls as [00:10:00] well. What are some of the things that people should look at in terms of, there's a red team, there's all these other things people look at. Absolutely. What are some of the components people should consider for their offensive security roadmap?
Sam Kirkman: That really varies depending on the kind of organization that you are, and I'd say it's worth taking a step back and thinking about what you're aiming for. Okay. Because of course, if you're a CISO, you're aiming for security, but it's worth trying to nail down what success looks like, find out what your objectives are.
And I know that sounds really abstract, but if you take it as an example, if you're a charity and your job is to provide these services to people who need your charity, then you're going to have a very different risk appetite and risk exposure to a financial institution that serves millions of customers and your baseline requirement for what secure is going to vary based on that as well.
Then you've got to add in the context of where you're at on the journey as well. So for some organizations, security is a pretty new concept; for others, you've been doing it for many years already. You've got an established security operation center potentially inside your organization already. Figuring out where you [00:11:00] are is the final step before deciding what am I going to do next, and that's how you build your roadmap.
Ashish Rajan: And what's a good starting point? I think you guys have been primarily working on the Europe London kind of side as well. So keen to know from a breadth of different companies that you guys have worked across. What usually is a good starting point to think about an offensive security roadmap?
Sam Kirkman: I'd usually say once you've had that initial thought and conversation with the right people around what you're aiming for.
It's to work out where your biggest gaps are. Because what we often see is organizations will have their, they'll have a pentesting cycle, they'll hit a certain number of things every year, they'll have a budget for that. They might involve something like a red team if they're in that position in their journey.
But what they're often not doing is evaluating, is this giving me value? Is this actually delivering on the security outcomes that I'm aiming for here? So once you've had the conversations, you've done the thinking, you can say, I either have the data to say my gaps are email security or application security or network security, or you can start to narrow it down to individual systems and services. Or you [00:12:00] might say I don't know, and that's okay too, because your offensive security roadmap should say I need to get the services and the data to actually understand where my holes are. I don't feel like I have that visibility right now.
So depending on where you're at to give you an example, it's quite common that we'll speak to an organisation that's been pushing hard on doing security, they've brought in various vendors and tools, and we'll say, is it working? And their response is, maybe? So the next step there is to go let's do some testing.
That's what we do in offensive security. Our security process is proactive. Instead of waiting to find out, did the security you implemented stop an attack? Let us check that for you. We'll bring the people in that have the skill set to run and simulate those attacks and we'll tell you that stopped us and that didn't, and we'll then be able to say to you, this is effective, yeah, that's less so. And with your limited pot of money and time, and of course the resources and the skill sets, there's all sorts of limitations that we work with, you now know where to put your time, effort and money.
Ashish Rajan: Interesting. So a good starting point is just to get the baseline, to what you were saying earlier as well: [00:13:00] find what your security baseline is at the moment, whether you are starting from ground zero all the way up to, you may have been doing it for years and just looking for what that next level up after that is.
Yes, absolutely. And how would you describe the maturity of different, I think the reason I talk about the roadmap is also because as a CISO, there's whole people process technology thing, right? We spoke about technology piece with the different kinds of complexity that we are working with, APIs, Kubernetes and all of that as well.
From a technology perspective, we covered that. Process is obviously way outside our control. People can do whatever they want in terms of people as well. One of the challenges that I used to find, at least in my colleagues, and one I personally went through, was when we would do a pentest, we would not have the right kind of person on our end to help the developers solve the problem.
I remember the specific example of a Java library that we were working on and we primarily had network security, cloud security kind of people, sys admin kind of people, no appsec experience, and the pentesting team identified some kind of library that was wrong. And the last time I did Java was at university and I'm going... [00:14:00]
So the developer asked me a valid question. She was asking me, oh, what am I doing with this? What's the right syntax? How do I make sure this doesn't affect the greater class and everything else? Because the way Java works is it's a class, subclass. And I'm going, I have no idea. We obviously went to the pentesting team and got the exact syntax, but how it would affect the broader context, we weren't skilled enough for it.
The reason I bring that example is because I wonder, in terms of teams as well, as someone's trying to build an offensive security roadmap, what kind of capability should they have in the teams to be able to not be in a similar situation to where I was? Because sometimes it's just easier to say to the CIO or CEO that, hey, because we have compliance needs we need to do a pentest every year or every six months or whatever, and this is the budget for it, which may increase slowly every year because pentesting charges increase as well. So what would be a team capability that at least people should consider to have in their team?
If they are at that stage where they think they can build an offensive security roadmap.
Sam Kirkman: Yeah. Again, that definitely varies. And I wouldn't want to suggest that every organization out there goes out and gets as many cyber security [00:15:00] professionals as they can. That's just not going to be the right fit for most organizations.
It tends to be, the most effective approach that I've seen at least, tends to be trying to find security champions in your organization and your people already. So to take your example with a developer and you're working with a specific application, you clearly had somebody who knew how to write code.
Their expertise in security was less developed at that point. It was relatively new to them. So you could look at a managed service provider that specializes in re-architecting applications or fixing things, or you could work with your pen test firm and they may be able to offer you some quite tailored, specific guidance, but the limitation that most pen test firms have is that they don't have the broader context, and as you say, when you've got classes and subclasses and all sorts of other impacts on other apps, it's something you've got to watch out for.
If you shift to a mindset of security champions in your existing team members, what that means is that you've got all the expertise you already have, and you're giving them the capacity to offer that value in the security space too. So what I've seen work in other organizations is they'll say, if you're at all interested in security, come and chat to us in our security [00:16:00] team.
We'll have these conversations around some of the problems we're trying to solve and how it works with what you do day to day. And we'll give you the time, the resources, whatever it is we need to do to help you upskill in that space. And I know that any CISO listening is thinking, I don't have the time and the money, or whoever's managing those teams. I understand that, but on balance, if you take a developer that you're already paying, that's already onboarded, that knows your organization, and you can give them a few days, a few weeks a year to either do some security focused training or to actually implement some of this in some code, that's a lot cheaper and more efficient for your organization. And then you can leverage that knowledge when you need it inside your organization, and next time, when a pentest team says, hey, here's this particular vulnerability, an injection attack, the developer goes, I've done some training on that.
I understand that. And here's how I know how to fix that as well. Oh,
Ashish Rajan: so is this where the proactive part comes in, as well?
Sam Kirkman: Yeah, get ahead of the game, teach people what they need. And then when it does go wrong, because that's just the way things work, you'll have the skill sets to fix it already.
Ashish Rajan: And what would you describe as the different [00:17:00] stages of maturity as well? Because I think, as you said, in the long term it probably works out cheaper for the organization to have resources being already trained, like the developers already trained and, hey, I know exactly what needs to be done when they see a situation, like a fire drill I guess. But where do you find the different maturity checkpoints people can have in their mind for, if I'm starting today?
Is it absolutely zero versus all the way up to, I've been doing it for some time? We started by saying security baseline is a good idea for everyone. So everyone may have some existing idea for it. Do you have some kind of a mindset or approach to what maturity may look like as people go through different roadmap stages?
Sam Kirkman: Yeah, that's a very good line of thinking. We were talking just yesterday, while we're here at BlackHat, around the journey from the traditional mindset of just know where you're at, roughly, and do some pentesting, which is where a lot of organizations are. And you start to move towards validation of security.
That security validation is where you become proactive. You start saying I think I'm doing things, but let's go check that. Let's validate, is it working? And start targeting your efforts, resources, all of that stuff, in a [00:18:00] way that gives you the most value. And then eventually you reach this stage of what we describe as exposure management.
It starts being, you understand where you're at, you're proactively testing and validating, and at that point you are sufficiently comfortable with that process that you're managing it really effectively. A bit like how you'll manage a team of people in any line of work. You're at a point where you can get ahead of planning for what you need to plan for.
You're in a position where you can say, I understand what my security risks are, I'm mitigating them in this way, I know that it's working in this way and not in this way, here's how I'm going to fix it. Here's my accepted risks. That's a really important angle too. There's going to be some bits in every part of your offensive security roadmap where you say, I'm okay with that.
I don't want to spend $100,000 on fixing that problem because I can spend $10,000 and fix this other one that's similar risk. And once you've got to that exposure management level, you're in a very strong position. And that's hopefully the gold standard where CISOs can maybe start to relax just a little bit.
Maybe.
Ashish Rajan: And I was going to say maybe. So I don't think you are ever relaxed. But I think the one thing I'm taking away from this is [00:19:00] that having a security baseline is probably the good start. No matter what stage you're in, just having an understanding of what they have currently exposed is probably number one, I would say.
In terms of, sending people over to, where can they learn more about this as well? Where can they learn more about the offensive security side? I feel like there's a lot of information about pentesting and a lot of that people can easily find. Is there something that you recommend people for a strategic roadmap kind of a thing as well?
Where do people go for, how do I plan? Even just the fact that a lot of people would have heard the word red team for the first time on this episode as well. Yeah. They would go, Oh, there's a red team. Do I need one internally? Or pentest, do I need one internally? It happens at a different scale. Do you normally recommend resources for where can they go to learn about the offensive security side of the world?
Sam Kirkman: There's a lot out there. You're right. But a lot of it is focused on the world of pentesting specifically because it tends to be the one that everyone gravitates to. I'd say that it's worth, as is the case with all walks of life, try and find a few different sources. And obviously, as part of the NetSPI team, we run a bunch of executive blogs, [00:20:00] and they are specifically designed to help executives make those decisions, because you haven't got time to become a pentester and understand this at that level of detail.
So our blog series is designed to give you that core information, say, here's what this is, here's how it makes things easier for you, better for you, whatever the case may be, and help you make those informed decisions. We also have our solutions architects, and that's what we do in our business. So instead of you coming to us and you just speak to a salesperson and they'll try and sell you some stuff.
Our solutions architects, their sole responsibility is to find out how we solve your problem. They don't operate on the basis of we get commissioned for sales or anything like that. Their sole function is to make sure that whatever we do for you, it gives you maximum value and solves the problem at hand.
So from our point alone, And that's how we're trying to make sure that when somebody's not too familiar or feels like they would like to know more, instead of just selling them services, we can give them knowledge that they can take to the rest of their career, to the rest of their roadmap. And then, of course, we can fit into that.
But the bigger picture, too, there's some great resources online. One thing that comes to mind is there's a brilliant CISO [00:21:00] mind map out there that someone's put together. And it shows you the huge number of different things that a CISO has to consider, and their team as well. That same map works for an IT security leader, even just the head of an IT department as a whole, and you start to realize,
I've got a lot on my plate, and you can start to look at, I need to learn more about this component. When you look at that big picture, you can go, I get this. This is familiar. I'm comfortable with how I apply that and get value out of it. And there'll be other areas that are new to you, and at that point you can start saying, I'm going to talk to my network, I'm going to talk to other people, I'm going to talk to whether it's testers, whether it's other CISOs, whether it's just people that are nothing to do with IT and security, because it's important to understand how all of the stuff we've talked about fits into the actual operations of your organization.
We all know what it's like to have to change a password for the umpteenth time, every three months, every one month, whatever it is. And as a user, that's really annoying. Yeah. But we do it from a security point of view in many cases, even though that's a whole separate conversation about whether we should.
But we'll save that for another day. But understanding the bigger picture by just talking to as many people as you [00:22:00] can is going to give you a well rounded view of how to proceed. That's awesome.
Ashish Rajan: Thank you for sharing that. And where can people find you on the internet to talk to you more about pentesting, offensive security roadmap, proactive offensive security?
Sam Kirkman: You can head straight to NetSPI.com and you'll see that on our main website, there's links to our executive blogs and our technical blogs. And then for me personally, you can find me on LinkedIn under the name Sam Kirkman, which should be fairly easy to find. And my URL is sam-kirkman-cybersecurity. So that's pretty easy to find.
And then of course, sam.kirkman@netspi.com and you can get straight through to me. I will be happy to help with any questions. Awesome.
Ashish Rajan: I'll add that to the link as well. Thank you so much for coming on the show, man. Thank you very much. Thank you. And that's a wrap. Peace.