No longer confined to the hooded hacker in a dark basement cliché, offensive security has been steadily making its way into the limelight.
Ethical hackers are now in boardrooms, university classes, TV news segments, and other places where mainstream conversations take place. Their exotic origin stories attract thousands of podcast listeners and inspire youngsters to build a career in offensive security.
But this change didn’t happen overnight. It took a lot of consistent effort to break down misconceptions and develop standards and push them through tightly knit communities. The work continues to this day.
We wanted to understand how offensive sec specialists are pushing for better security by exposing vulnerabilities and translating risk in business terms, so we interviewed 8 prominent ethical hackers. Their stories show how change is bubbling up to the surface and how a new generation of whitehats is changing the culture and decision-making in the security industry.
- Ippsec – “suddenly the hackers have an outlet for using their skills and curiosity for good, instead of malicious purposes.” See how ethical hacking evolved in the past decades.
- Alethe Denis – “Services that were once considered a waste of time, effort, and money, are now becoming essential.” Discover the bigger context around this change.
- Olivia Gallucci – “The conversation allows for a deeper understanding of why hackers can be a source for good, and how intentionally breaking systems is often a net positive.” Read her inspiring view on the role of ethical hackers.
- Joseph (aka rez0) – “Offsec being a part of mainstream conversations is helpful because it normalizes ‘good guys’ using ‘bad tools’ to showcase places where security should be improved.” See what other changes Joseph has noticed.
- Cristian Cornea – “We should take in consideration all those offensive activities (Penetration Testing, Vulnerability Assessments, Red Teaming, Social Engineering, etc.) as equal with the defensive ones (Blue team related stuff), and vice-versa.” See how else Cristian advocates for collaboration.
- Albert Vartic – “All this needs to be supplemented with a proper Maturity Level for the cyber security processes and continuously increasing the knowledge level for personnel from operation and maintenance.” Discover how this applies to Albert’s field of expertise.
- Peter Bassill – “I am seeing more requests for pentesting but there is a lot of confusion over the difference between a vulnerability scan and a pentest.” Find out what else contributes to this problem.
- Yassine Aboukir – “Now, we’re indeed seeing more companies allocating resources and investing in offensive security operations.” Check out more details about this transformation.
Ippsec
“Offensive Security is certainly more mainstream nowadays, if you ask any established security expert, they will likely say they didn’t know hacking could ever be a legitimate career path in the early 2000’s. The mentality back then was “I’ve never been hacked, so why do I need security”, which prevents a lot of companies from paying for security testing because it was seen as wasted money.
The reality is many companies were getting breached back then; but the attackers profited from siphoning off resources or selling data, which meant that they wanted their attacks to go undetected. With the advances in ransomware and cryptocurrency, attackers now announce their presence while holding the customer’s system hostage until they pay. Suddenly, business owners are now either hearing stories of their friends being hacked or being hacked themselves.
This greatly helped the security industry change the mindset to “Assume Breach”, which helped create the profession of Ethical Hacker, Penetration Tester, Red Teamer, etc. The more important thing with this, is suddenly the hackers have an outlet for using their skills and curiosity for good, instead of malicious purposes. Again, if you go back to the early 2000’s training for cyber security wasn’t nearly as mainstream as it is today. I learned by hacking things I hoped no one would care about, such as video games or instant messenger clients. It was very much sink or swim, and the skills I picked up were just for my own enjoyment/curiosity.
With great power comes great responsibility. At the time, if I wanted to profit from the skills, I didn’t know of any ethical way to do so. Thankfully, I was never in a position where I thought about using the skills unethically and now that it is no longer taboo I can enjoy teaching people daily over on Hack The Box.”
Alethe Denis
Senior Security Consultant @bishopfox | #BlackBadge @DefCon @tracelabs
“Cybersecurity, and information security, are still relatively new concerns for organizational executive leaders; however, more are recognizing the benefit of proactive defense through offensive security testing. Unfortunately, this can likely be attributed to the increase in cyber-related incidents, the media attention that is given to each incident, and the fallout that C-level executives have faced because of them.
That said, as we hear more of our clients describe a desire to increase offensive security testing and leverage these tests to improve their defensive posture, we learn more about what really matters to our clients. We, as consultants, see the results of those worries as they manifest into investments in previously ignored or undervalued services.
We are seeing an increase in the investment in incident response readiness and preparedness services, such as Red Team attack simulations that incorporate real, ransomware-attack testing and purple teaming into a single engagement, as well as time and money invested in Tabletop Exercises (TTX). During a TTX, clients test the technical incident response of their security and IT teams, along with their executive team’s incident response and disaster recovery capabilities, through the facilitation of a specific tabletop scenario, e.g., ransomware. Services that were once considered a waste of time, effort, and money, are now becoming essential. Whether the investment is being driven through compliance requirements or the executive decision makers are finally recognizing their benefits, due to increased awareness and knowledge of cybersecurity-related risk, is still up for debate.
“The best way to get management excited about a disaster plan is to burn down the building across the street.” – Dan Erwin, a security officer at The Dow Chemical Co.
Perception IS reality, and many decision makers are hearing the pleas from their security teams for additional resources and investment, and simultaneously witnessing big name organizations fall victim to attack after attack. We are learning as a society that the best way to make sure that the fence is sound, and the team on the inside is ready to defend it, is to test the fence regularly and avoid making assumptions. This is where offensive security is having its moment, where companies that would typically avoid the expense are electing to set money aside to purchase offensive security services and the demand for talent continues to grow.
Businesses that tackle this perceived threat by preparing for an incident through offensive testing, tabletops, and red teaming along with job function-specific security training will thrive.
Information security leaders and executives have never been closer to being on the same page as we are now, and I would anticipate this gap continuing to close over the next decade, as the value of offensive security testing is experienced, and those experiences are shared.”
Olivia Gallucci
Offensive Security in Big Tech | #FOSS advocate
“Offensive security is a critical part of securing software and hardware. I am enthralled by the increasing interest in offensive security, and I hope the excitement around the concept will inspire more people to become hackers.
The conversation allows for a deeper understanding of why hackers can be a source for good, and how intentionally breaking systems is often a net positive. Repetition of the importance of offensive security helps change the narrative of hacking solely resulting in destructive outcomes. More support for offensive security may help strengthen systems globally by demonstrating the productive uses of hacking, leading to better security decisions.
As an open-source and transparency advocate, the concept of “security through community”—as opposed to “security through obscurity”—is particularly appealing in the offensive space. There is an abundance of resources to learn hacking online, and new interest in the concept will hopefully amplify the support of these communities, strengthening old resources and innovating new ones.”
Joseph
(aka rez0)
Christian, husband, father, hacker, and cybersecurity professional.
“I think offsec being a part of mainstream conversations is helpful in two major ways.
The first way is that it normalizes “good guys” using “bad tools” to showcase places where security should be improved.
The second way is that it creates an expectation for more things to be tested. I intentionally say “things” because it varies from purely physical devices like the lock-picking lawyer on Youtube testing locks to IOT devices, and all the way to pure software like web app testing. It’s a really big step forward for humanity, in my opinion. When stuff gets tested, it gets improved. And we aren’t ignorant to the way in which bad actors might bypass security.”
Cristian Cornea
Founder @ Zerotak Security, President @ National Cyber Security Training Centre of Excellence (CSTCE), Co-Founder @ Cyber Union
“Basically, the offensive topics are more frequently discussed nowadays because the industry adopted a better appetite for those activities by establishing a culture of “Ethical Hacking” (e.g. Bug Bounty). This allows security professionals and enthusiasts to perform offensive engagements in a legal way, and also to be paid for this.
From many conversations I’ve had with decision makers in this industry, the good ones are related to taking a proactive approach, which includes also the offensive parts. However, from my point of view, the perspective should not be focused on only one side of the coin. We should take in consideration all those offensive activities (Penetration Testing, Vulnerability Assessments, Red Teaming, Social Engineering, etc.) as equal with the defensive ones (Blue team related stuff), and vice-versa.”
Albert Vartic
E&P OT Cyber Security Officer at OMV Petrom | COTCP | FSE-SIS | CNSS | Speaker |
“To have a holistic coverage on preventive approach for offensive cyber security in OT/ICS, the main steps are to have a right cyber security by design requirements fulfillments in the early stages of ICS design as per Targeted Security Level and to have a proper defense-in-depth implementation.
All this needs to be supplemented with a proper Maturity Level for the cyber security processes and continuously increasing the knowledge level for personnel from operation and maintenance.”
Peter Bassill
CISO, Cyber Security Researcher, GT4 Endurance Racer, Pitboss Master, Award-winning Chef, Speaker. Neurodiversity champion.
“Cyber Security awareness at the board level has been increasing significantly over the years and this has been helped, in part, by the rise of offensive security awareness. Both in the planned aspects of pentesting etc., but also from the criminal element.
More organizations are getting breached, often by having stupid password practices. But this is not all a good thing. I am seeing more requests for pentesting but there is a lot of confusion over the difference between a vulnerability scan and a pentest. This is really evidenced by firms from India who use the phrase VAPT, a totally nonsense phrase. Less than ethical operators are selling pentesting but are actually little more than a vulnerability scan.”
Yassine Aboukir
Application security consulting, bug bounties (MVH & H1 Top 20), digital nomad, and aspiring athlete.
“With the increasing security breaches such as the case of Uber and LastPass very recently, offensive security has surfaced to the mainstream.
Organizations are becoming more aware that solely relying on reactive and defensive measures isn’t sufficient enough and certainly not as effective as expected. Hence, it’s important to complement it with a proactive approach to defend against potential security threats and catch and remediate security vulnerabilities as early as possible.
Now, we’re indeed seeing more companies allocating resources and investing in offensive security operations such as hiring red teams, conducting regular penetration testing, investing in EASM solutions, running spear-phishing exercises, and launching their own bug bounty programs, all alongside a blue team focusing on the defensive side by developing and deploying further robust defense mechanisms, such as firewalls, intrusion detection systems, and multi-factor authentication. etc.”
From taboo to trending
Offensive security has almost entirely shed its stereotype of a hooded hacker in a basement and is now a hot topic. Ethical hackers continue to break down misconceptions and drive change, as the eight prominent whitehats interviewed in this article demonstrate.
With investments in offensive security testing increasing, we’re seeing a shift towards a truly proactive defense strategy. As more ethical hackers build and use their skills responsibly, we see our optimism renewed as they support and contribute towards a more secure digital world.