The Four Phases of Offensive Security Teams
For brevity, I will be using the term “partner” to refer to the customer, Defensive Team, IT Team, or other direct consumers of the Offensive Team’s output.
In my experience, the relationship that offensive security teams, be they internal or external (consultants/contractors), have with companies falls into one of four phases: the “Adversarial” phase, the “Hammer” phase, the “Friendship” phase, and the “Adversarial Friendship” phase.
The first phase is that of adversaries. Neither party wants to be doing what they are doing. The partner doesn’t see value in the Offensive Team and only sees it as a waste of time, extra work, a checkbox to become compliant, or orders from “on high.” Either way, neither team wants to be doing what they are doing.
How do you make the most of this phase or move out of it? The Offensive Team has to do the heavy lifting here. The partner is in this state either from a negative experience or from a lack of experience, so it is on the Offensive Team to over-communicate goals and objectives and to be flexible enough to adjust the engagement to benefit the direct partner as much as possible. The Offensive Team should suggest modifying the engagement to limit extra work for the partner, even if it limits the scope of the engagement. Being over-accommodating can help create a positive experience for the partner and move future engagements with this partner out of this phase, even if it doesn’t directly affect the one at hand.
The “Hammer” phase is where the intent of the engagement is for the Offensive Team’s output to be used as a hammer. This phase is also the most common in my experience, as it is mainly used for internal politics, to prove points or cause actions. For example, if a development team refuses to patch a particular vulnerability due to projected outages, a partner might pull in an Offensive Team to demonstrate the risk of not patching it. Offensive Teams do not always know they are being used as a hammer. The unfortunate result of this phase is that many times the Offensive Team has unintentionally created a negative experience for the team being attacked and used as an example. Using the Offensive Team in this way can create problems in future engagements and make sure they land squarely in the Adversarial phase.
There are positives to this phase. The hammer phase can help to overcome prejudices and biases and open eyes to possibilities. However, it is a fine line between “name and shame” and eye-opening, a line that the Offensive Team has very little control over. Internal Offensive Teams need to take extra care to not “name and shame” any part of the company as it will spread like wildfire that that is the intent of the team and is very hard to recover from.
How do you know your Offensive Team is being used as a hammer? Over-communication again: setting expectations correctly about what the output should be and what the goals of the engagement are. The more you talk to the partner about goals, the more evident it should become whether you are being used to prove a point or are in one of the other phases.
The friendship phase is when the partner and the Offensive Team have become friends (at least in a professional manner) and know each other’s teams’ goals. They have realized that they’re both needed in the organization, and genuinely want to help each other achieve their goals.
The good part of this phase is that you get more done as an Offensive Team. There is less friction to performing engagements and providing your results.
The bad part is that it’s unfortunately easy to slip back into one of the previous phases via employee turnover or one poorly worded report. Friendships require cultivation, and staying in this phase needs regular conversations with the teams and partners involved.
The final phase is the adversarial friendship. This phase is when software vulnerabilities no longer hold political weight at the company, and the security goal has shifted to prevention, response, and detection. The partner and the Offensive Teams work hand in hand, many times as a “Purple Team” or Red vs. Blue, to achieve efficiency goals, such as quicker time-to-detection or time-to-eradication.
This phase is the optimal situation and rarely achieved. Many companies I have worked for/with have attempted to jump to this phase without the friendship portion required to make it work. However, when it does, both the partner and the Offensive Team are pushed to improve and excel beyond their previous capabilities, and pure magic can happen.
I have only been in the Adversarial Friendship Phase three times in my career, and I can say that it was unfortunately short-lived. It takes the two teams actually having pure fun together to make it work.
Notice that through this entire rant, I didn’t mention leadership, management, or executives. It is effortless to blame “them” for Offensive Teams not being accepted or being forced into one phase or another. Still, it’s on the teams to define that narrative better through expectation setting and over-communication.