Over the last several years, as the threat landscape has continually evolved, the severity and sheer volume of security vulnerabilities and attacks has accelerated dramatically, causing the tech industry across the world to look for new ways to prevent crippling cyber attacks. In an effort to outthink and outmaneuver attackers, organizations have begun creating offensive security research teams. One well-known team in the industry is Google’s Project Zero.
Created back in 2014, its primary purpose was to make computing more secure by proactively rooting out vulnerabilities and flaws that could be exploited by hackers and nation states. Since then, the field has blossomed with organizations like Microsoft, Apple, Intel, Amazon, Oracle and others investing in offensive security research.
However, offensive security research teams are still relatively scarce. As more organizations producing technologies, products and services look to join the movement, it’s helpful to understand some best practices and challenges involved in assembling and managing a team, and how to measure success.
The Fundamentals of Offensive Security Research
First, a quick refresher. By definition, offensive security research initiatives take an aggressive, proactive approach to product security. Most organizations start by judiciously vetting products throughout the various stages of the development lifecycle and stress testing to ensure they’re not exposed to widely-known security vulnerabilities. That said, security is such a broad and dynamic field that screening for known risks only gets you so far. That’s when offensive security researchers step in.
These research teams assess the evolving threat landscape – beyond established security vulnerabilities – to identify where researchers and attackers (both well-meaning white hats and cyber criminals) will focus their next efforts. Offensive security researchers look at products through the lens of an advanced attacker, using unconventional approaches to identify weak spots that can be exploited.
Assembling Your Team
When evaluating research candidates for your team, look for these five key qualities:
- A deep understanding of the threat landscape – The best offensive security researchers maintain a strong pulse on threats, and the know-how of cutting-edge attack methods in their area of expertise. At Intel we produce a wide range of diverse technologies – each with its own set of security considerations – so it’s crucial that we have security researchers on staff (and partners in academia) with high-level knowledge in each discipline. One of the visible traits of the right candidate is if they’re incredibly well-read on the latest security publications and have gotten to dissect and understand the anatomy of the vulnerability and exploitation scenarios.
- Imagination and persistence in applying threat expertise to find complex vulnerabilities and novel exploits – An understanding of the latest attack techniques alone isn’t enough. Researchers must be able to take that expertise and successfully identify the areas of technology that are most likely to be attacked, prioritize them, and conduct scenario analysis to uncover new methods attackers might use to break the product. This process requires a tremendous amount of patience and persistence to navigate the complexity of the technology and the type of threat.
- In-depth, systems-level knowledge – Offensive security researchers also need to be systems-level experts, with the technical chops required to operate across hardware, software, firmware and other boundaries within a technology or systems to uncover unforeseen weaknesses that might be buried within any layer of the computing stack.
- The ability to recommend product-minded threat mitigations – A candidate could exhibit all of the above capabilities, but if they’re unable to come to the table with a potential solution, the jobs only half done with no tangible impact. The work doesn’t stop once a vulnerability is found. Offensive security researchers have to be able to proactively explore potential mitigations for the vulnerabilities they discover, and work with product teams to establish a solution that both eliminates the class of weakness represented by these vulnerabilities and at the same time, preserves product functionality.
- Follow through to disseminate new security learnings – Lastly, offensive security researchers in a large organization must be capable of turning hidden security issues into known, quantified learnings and prevention/detection actions throughout the organization’s engineering community. Continuity across every stage of the offensive security process is paramount, with little room for handoffs to other researchers. The individual leading each project must see it through to completion. That’s how you ensure that all the critical attributes of each risk are captured, and that the knowledge of each security vulnerability is propagated throughout the organization in a way that eliminates similar issues or the entire class of issues moving forward. Beyond individual research projects, it takes a long time to build the breadth and depth of expertise needed to do offensive security research well as an organization. Employing and retaining researchers that are “in it for the long haul” is key to building that momentum.
Common Pitfalls to Avoid
Like any other highly-complex, multi-faceted process, managing an offensive security research group carries with it a unique set of challenges. Many of these involve bringing in the right talent, supporting their growth and getting individual researchers to work together as a unit. Deficiencies in any one of the above five talent criteria is typically a sign that a research candidate might not be ready to join the team. Another red flag to watch out for is a disinterest in how their research aligns with the company’s overarching goals.
The skills security researchers possess today leave most with no shortage of exciting and lucrative employment opportunities. Finding the right fit all starts with ensuring each researcher is on board with the organization’s big-picture motivations behind product security. Be concerned if it appears a candidate is set on satisfying their own personal research agenda over how the team’s efforts will impact the business and the overall industry/society.
Likewise, if a candidate doesn’t display an ability to communicate, learn from, and work well with others, they’re likely to end up stalling your research efforts rather than progressing them. Collaboration is essential in an industry defined by remote workforces distributed across time zones and geographies. The remote team model presents its own set of logistical hurdles, but if your organization is supportive of a location-agnostic workforce and invested in making it work, the research team will be able to attract and retain the best talent.
Additionally, the best researchers crave autonomy. Fostering a collaborative, team environment while preserving that desire for independence is another major challenge. It’s critical that you shield these researchers from the types of stifling bureaucracy (perceived or otherwise) that can be so common within organizations. The best way to do this is to ensure that each individual is committed to the common goal, while providing them with flexibility and freedom to achieve the desired outcome as they see fit.
Picking Your Battles
Once you have the right talent in place on your team, the next major consideration is determining how to prioritize your offensive security research efforts. Most organizations have a broad product and technology landscape to cover, so it’s critical that you’re careful about how you assign the expertise, time and resources available to you.
First, ask yourself, how critical is the technology in the product or platform? Consider technologies that are the most fundamental and foundational as the highest priorities. Next, identify any active research taking place for a particular type of technology or product in the industry or academia. This will help you understand what the research community is already thinking about, the common trends in the space, and what the leading methods are for exploring vulnerabilities in a given category. Finally, factor in the realized risk. In some cases, a certain type of attack or vulnerability type is repeatedly demonstrated and prevalent in the industry. You need to think through the best way to eliminate those risks from the products.
These steps should help you identify which offensive security research projects to prioritize, but it’s also important to take a measured and tactful approach to doling out assignments to the research team. The best approach is often “self-serve,” if you will. Ask researchers to conduct preliminary analyses independently, and bring the research proposals they’re most excited about back to the group for discussion. This should be done on a frequent basis to ensure that the research roadmap is refreshed regularly. By allowing individual researchers to select projects based on their unique interests, you’re able to tap into their passion for exploring a particular technology or product area.
How can you measure the success of a program? Here are four key indicators:
- You should be able to attribute the security assurance of your products to the team’s research efforts. The team’s impact on product security should be direct and substantive, not just peripheral.
- When executives and decision makers are assessing critical decisions related to product security, the offensive research team should be their go-to technical experts, whose opinions are requested and highly valued.
- The overall trend of security vulnerabilities present in the company’s products should decrease significantly over time, especially when it comes to known threats and technology areas that have been top priorities for the offensive security team. This doesn’t mean that new vulnerabilities and novel attacks will never arise, but they should be few and far between.
- Your team’s research is seen as a benchmark for innovative security research within the broader industry. Others should view your offensive security researchers as thought leaders in the market with valuable technical know-how that spurs new, ground-breaking research efforts and threat mitigations.
Today, the number of offensive security research teams across the entire industry is growing. Not only are they working to improve the security of their own organizations’ products, but they’re collaborating with one another to systematically tackle major software, hardware and firmware vulnerabilities. But, there’s much more work to be done. Consider applying these best practices and guidelines, and join the effort to improve our collective, worldwide security.