In the world of computer security, there are attackers and there are defenders. That’s not to say, however, that all attackers are bad and all defenders are good. Both roles are valuable to an organization and to the security field as a whole. The only question is, which one would you like to specialize in?
Defining Offensive Security
Offensive Security, also known as the “red team”, is a kind of cybersecurity that aggressively tries to break into systems, exploit bugs in software, and find loopholes in policies that would grant an attacker access. Offensive security specialists are often Certified Ethical Hackers, people who have had their skills verified and their ethics certified.
If you’re interested in a from-the-ground perspective on what makes offensive security enjoyable as a career and what goes into it, one of the best resources is Deviant Ollam. Ollam is a prolific speaker and guest at many conventions, including DEFCON, and his YouTube channel is full of interesting presentations on security. His approach to offensive security includes a mixture of both digital cybersecurity and physical security, and shows off how robust and varied the career can be.
The primary difference between an offensive security specialist and a hacker is the result of their efforts. A hacker might compromise a system to install ads on a website, to steal user data, to gain competitive secrets, or otherwise damage the company they’re attacking. An offensive security specialist will use the same techniques to penetrate the same systems, but with a different goal in mind:
- Testing a system to check for vulnerabilities that need to be fixed in the next release.
- Demonstrating to a company a flaw in their security or their policies that needs to be fixed.
- Earning a living through hunting for bugs that have bounties attached to them.
Offensive security specialists often work with outside firms, security consultant companies that come in, do their attacks, deliver a report to their clients with suggestions on how to fix issues, and move on. Some of these companies stick around to work on implementing those suggestions, while others consider their role over when the report is delivered.
Should You Specialize in Offensive Security?
Offensive security takes a specific kind of person to thrive. If you’re the kind of person who has been tinkering with computer systems as a hobby for years, who likes to know a system inside and out, and who loves to exploit bugs and loopholes, offensive security might be for you.
Some of the best offensive security specialists are people who:
- Take joy in proving that an “impenetrable” wall can be climbed, broken, or circumvented.
- Like to exploit systems just to see if it can be done, such as in video games.
- Enjoy pointing out flaws to major companies, whether to take them down a notch or simply to prove something to themselves.
- Find it entertaining to view the world from the perspective of a nefarious villain, using their own tools against them.
- Enjoy the feeling of being on the “wrong side of the law” but with full permission to be there.
Offensive security specialists find many roles in the cybersecurity ecosystem. They might be ethical hackers working for companies to help protect them from less ethical hackers. They might be consultants, brought in to test the security of a system. They might be employees of a government department, as part of the FBI or NSA, probing both national and international systems for possible means of exploitation. Even simple companies that deliver phishing tests to employees of a firm are offensive security consultants.
The best offensive security specialists are intensely curious people who love getting into the meat and potatoes of a system, understanding it from the inside out and the bottom up, and looking for any possible means to slip in through the cracks. Given that modern technology is built upon a pile of inherited and backward-compatible tech from literal decades past, with hotfixes and patches plastering over holes, the possibilities are near-infinite.
Some offensive security specialists also work in the physical security world. After all, a server farm might be protected from any kind of digital attack, but if the front door to their office is open or if their secretary plugs in a thumb drive they found in the parking lot, the system is not secure. Here’s one such example.
Defining Defensive Security
Defensive security is the opposite of offensive security. These are the security guards to the thieves of the offensive security world. Defensive security specialists are the people who sit in a company’s office, designing both computer systems and networks as well as company policies to ensure both digital and procedural security.
For everyone who tries to penetrate a firewall, there’s someone who has to set up that firewall. For every system that needs to be cracked, there are people who designed the system against intrusion and who patch the bugs that are found. Defensive security specialists are the people who set up systems to prevent intrusion, set up other systems to monitor those first systems and detect intrusion that slips through, secure assets against potential intrusion, and patch systems to prevent replication of an intrusion.
Where Deviant Ollam is a prime example of an offensive security specialist, Chris Krebs is a great example of a defensive security specialist. Until recently, he occupied one of the highest roles in the federal government’s cybersecurity initiative and has many high-level concerns about the threat that, for example, ransomware poses to both the general populace and to governmental systems.
So what do defensive security specialists do?
- Set up systems in a way that puts security first and attempts to prevent intrusion.
- Monitor systems to detect potential intrusions.
- Maintain security protocols to minimize the impact of intrusions and revert compromised systems.
- Set up honeypots to trace malware, ransomware, and other intrusions to their sources.
- Design and implement a combination of physical, digital, and procedural security processes to minimize the risk to business systems.
- Work with offensive security specialists to identify and fix issues before malicious actors find them.
Where offensive security specialists might leverage physical intrusion, social engineering, and procedural gaps to crack a system, defensive security specialists take a holistic approach to security and help a company implement both physical and procedural policies as well as digital security, designed to minimize or prevent external threats. They’re the ones who set up the firewalls, but they’re also the ones who disable employee USB ports and set up physical access control to the building.
Should You Specialize in Defensive Security?
Offensive security tends to be more self-motivated, with freelancing and consulting as a primary vector for career success. Defensive security tends to be more of an on-staff position. Companies hire a security specialist or a security department to keep their buildings, their employees, and their systems safe. If you prefer the lifestyle of a vigilant watchdog solving puzzles, the world of defensive security might be for you.
The ideal defensive security specialist:
- Is intensely curious about how a system works and how to protect it from intrusion.
- Is able to fully grasp an ecosystem and the various ways it might be attacked, from digital assault to physical penetration.
- Enjoys detecting and stopping people who think they’re clever and thwarting their efforts.
- Enjoys the world of malware from a scientific perspective and wants to study it.
Defensive security specialists can find many roles throughout the world. Just about every business needs to have some level of attention paid to security, whether they have their own on-staff security department or they hire a managed services provider or a consulting firm to handle security for them.
The government needs defensive security specialists just as much as it needs offensive security specialists. Protecting government systems from intrusion, both from roving individuals and from nation-state-level actors, is a critical part of homeland security.
Defensive security specialists can also take up two roles that are less common in the offensive security world: forensic analysis and security science.
Forensic analysis specialists are typically defensive security specialists who come in and examine a system after it has been compromised, to look for how it was compromised and what went wrong. They then deliver a report to their client detailing the problem, how the problem happened, and how it can be prevented in the future. They may also help the company recover from the problem if recovery is possible.
Data scientists specializing in cybersecurity are the people who study malicious actors from a high level. These people don’t work for any given organization, but rather for themselves. They monitor trends in malware, tracking the sources and variants of viruses and ransomware. They set up honeypots to trap and track malicious software, see where it reports and how it exploits systems, and inform the creators of those systems of what is going on.
One prime example is this story from several years ago, where quick-thinking defensive security specialists identified a new strain of ransomware, identified how it worked, registered a domain name, and shut the whole thing down before it became a global threat.
The arms race of cybersecurity is a constant push and pull of attackers and defenders. Both sides have their merits in white-hat security, and there’s likely a role for you, no matter who you are.
The Middle Path
There are people who find both sides of cybersecurity to be interesting. These are people who are curious about how systems work, not from an attacker’s or a defender’s perspective, but from either the absolute highest level on a global scale or the absolute lowest level of the machine interface.
These people tend to find roles as cybersecurity generalists, scientists, and designers. If this sounds like you, it can be worthwhile to get an education in both sides of cybersecurity. You don’t need to specialize in one side or the other; you can leverage knowledge from both sides to view a system from every possible angle.
These people tend to turn into the sorts of scientists who study malware, and the people who design security systems. People who work for companies like Fortinet or SolarWinds need to know both how attackers think in assaulting a system, and how defenders think in configuring a system. They need to design the appliances, software, and even hardware used in security, to prevent intrusions before they become problems.
Generalists in cybersecurity can be found at all levels of the industry. If you simply don’t know which path you would like to take, there’s no shame in learning as much as you can, getting jobs in various sectors of security, and trying things out. Maybe one role doesn’t fit for you, and another does. Maybe you won’t know until you’ve tried them out. Maybe you want to experience the corporate world before you move on to your own security consulting business. The paths you can take through a cybersecurity career are near-infinite.
There’s just one thing that every modern cybersecurity specialist needs today: an education. We no longer live in the digital wild west. Simply operating as a curious individual in the space isn’t likely to get you very far. It can, however, teach you enough to know whether or not you want to pursue such an education. In fact, we would venture to guess that many of the people reading this are people who are self-motivated by their own curiosity, and simply wonder how best to leverage it into a career.
Pursuing a modern education in cybersecurity is a great place to start, and can help with both networking and with getting your foot in the door with companies looking to hire security specialists. It’s a field with infinite growth potential, as the world becomes increasingly reliant on digital and networked systems and infrastructure. There’s an ideal position for you out there somewhere; all you need to do is learn enough to find your place in the industry.
What form of cybersecurity interests you the most? Are you more of an offensive or defensive kind of person?