Next-Gen Offensive Security: 5 Service Trends to Watch in 2024
A deep-dive into 2024's top trends
Hey! I'm Mike Dame, and I have 5+ years of experience in Offensive Security, working for Fortune 50 enterprises and more recently, consulting across multiple industries. I hold the OSCP, CRTO, PNPT, and AWS Security Specialty certifications to name a few. Though new to the TCP community, Darwin and I go way back to our days on Ford Motor’s Red Team. Fun times 🐍🔴
Throughout my career, I’ve dedicated most of my focus to offensive security which has allowed me to gain a firm grasp on how systems, networks, and infrastructures can be abused. My goal in my professional and personal career is to inspire growth and bring about positive change in everyone I meet. That said, I'm excited to connect with you and continue sharing what I've learned during my time in the industry.
When Darwin shot me the idea for this post, I was enthused to share some of the recent trends I’ve been noticing, especially considering how quickly things are now moving with the recent AI boom. That said, today I’ll be sharing Trends in Offensive Security Offerings and Services to keep an eye out for in 2024.
Defining Offensive Security Services and Offerings
These are the tactics and tools used by offensive security teams and consulting firms to test the defenses of a target. Whether it’s a penetration test or a full-blown red team engagement, methods have changed over the past couple of years and they will continue to as the security landscape progresses. Let’s take a look at where things are headed and who is blazing the trail.
Overview
Automated Penetration Testing Tools
Advancements in Cloud Penetration Testing and Cloud Red Teaming
“Continuous” for Penetration Tests and Vulnerability Scanning
Assumed Breaches
Client Portal Reporting
Automated Penetration Testing Tools
Though many were skeptical of automated penetration testing (pentest) tools at first, they’ve proven to be a valuable addition to the arsenal as their capabilities have matured. Automated pentest tools take the repetitive tasks that we’re all familiar with in a pentesting methodology and execute them on a recurring basis. This saves practitioners a ton of time, allowing them to focus on finding more advanced exploits and attack chains.
The types of attacks that can be automated include:
Poisoning and sniffing to capture credentials with Adversary in the Middle (AITM) attacks.
Cracking hashes or passing the hash.
Exploiting common CVE POCs like EternalBlue and Log4j.
Enumerating a host once a foothold has been established and extracting additional hashes.
Spraying found credentials to compromise additional hosts across the network.
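Each of the automated steps above leaves a trace that a defender can look for, and knowing what the tools do in bulk is the quickest way to tune detection for them. The following is an added example, not code from this post or from any product it mentions: it runs two simple detections in Python over constructed authentication events, flagging a source that fails logons against many distinct accounts inside a short window (the spraying pattern) and an account that authenticates over NTLM to many distinct hosts inside a short window (credential reuse across hosts after a foothold). The event field names, thresholds and sample records are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs). Field names are
# assumptions for this example: event 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    # one source failing against many accounts within seconds: the spraying pattern
    {"ts": "2024-01-08T09:00:01", "event": 4625, "user": "alice", "src": "10.0.5.20", "host": "DC01", "auth": "NTLM"},
    {"ts": "2024-01-08T09:00:03", "event": 4625, "user": "bob", "src": "10.0.5.20", "host": "DC01", "auth": "NTLM"},
    {"ts": "2024-01-08T09:00:05", "event": 4625, "user": "carol", "src": "10.0.5.20", "host": "DC01", "auth": "NTLM"},
    {"ts": "2024-01-08T09:00:07", "event": 4625, "user": "dave", "src": "10.0.5.20", "host": "DC01", "auth": "NTLM"},
    {"ts": "2024-01-08T09:00:09", "event": 4625, "user": "erin", "src": "10.0.5.20", "host": "DC01", "auth": "NTLM"},
    {"ts": "2024-01-08T09:00:11", "event": 4625, "user": "frank", "src": "10.0.5.20", "host": "DC01", "auth": "NTLM"},
    # one user mistyping a password twice and then logging in: benign
    {"ts": "2024-01-08T09:05:00", "event": 4625, "user": "alice", "src": "10.0.7.7", "host": "WS01", "auth": "Kerberos"},
    {"ts": "2024-01-08T09:05:30", "event": 4625, "user": "alice", "src": "10.0.7.7", "host": "WS01", "auth": "Kerberos"},
    {"ts": "2024-01-08T09:06:00", "event": 4624, "user": "alice", "src": "10.0.7.7", "host": "WS01", "auth": "Kerberos"},
    # one account authenticating over NTLM to four hosts within minutes: credential reuse across hosts
    {"ts": "2024-01-08T09:20:00", "event": 4624, "user": "svc_backup", "src": "10.0.5.20", "host": "WS01", "auth": "NTLM"},
    {"ts": "2024-01-08T09:21:00", "event": 4624, "user": "svc_backup", "src": "10.0.5.20", "host": "WS02", "auth": "NTLM"},
    {"ts": "2024-01-08T09:22:00", "event": 4624, "user": "svc_backup", "src": "10.0.5.20", "host": "WS03", "auth": "NTLM"},
    {"ts": "2024-01-08T09:23:00", "event": 4624, "user": "svc_backup", "src": "10.0.5.20", "host": "FS01", "auth": "NTLM"},
    # an admin logging on to a single host with Kerberos: benign
    {"ts": "2024-01-08T09:30:00", "event": 4624, "user": "admin_jane", "src": "10.0.9.2", "host": "DC01", "auth": "Kerberos"},
]


def _max_distinct_in_window(samples, window):
    """samples: list of (timestamp, value). Return the largest number of distinct
    values observed inside any sliding time window of the given length."""
    samples = sorted(samples)
    best, start = 0, 0
    for end in range(len(samples)):
        # advance the window start until the window is no wider than `window`
        while samples[end][0] - samples[start][0] > window:
            start += 1
        distinct = {v for _, v in samples[start:end + 1]}
        best = max(best, len(distinct))
    return best


def detect_spraying(events, window=timedelta(minutes=10), min_accounts=5):
    """Sources whose failed logons touch at least `min_accounts` distinct accounts within `window`.
    Returns {source: distinct accounts hit}."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == 4625:
            by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    return {src: n for src, s in by_src.items()
            if (n := _max_distinct_in_window(s, window)) >= min_accounts}


def detect_lateral_reuse(events, window=timedelta(minutes=15), min_hosts=3):
    """Accounts that successfully authenticate over NTLM to at least `min_hosts` distinct hosts
    within `window`. Returns {account: distinct hosts reached}."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == 4624 and e["auth"] == "NTLM":
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    return {user: n for user, s in by_user.items()
            if (n := _max_distinct_in_window(s, window)) >= min_hosts}


if __name__ == "__main__":
    print("spraying sources:", detect_spraying(SAMPLE_EVENTS))
    print("accounts reused across hosts:", detect_lateral_reuse(SAMPLE_EVENTS))
```

The two benign sequences in the sample (a user mistyping a password, an admin logging on once over Kerberos) are there to show that the thresholds, not the raw event codes, do the work: a real deployment tunes the window and counts against its own baseline rather than reusing the numbers above.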
While these tools are still in a stage where there's room for improvement, and manual exploitation is still a requirement for now, automated penetration testing tools can significantly reduce the workload for your offensive security team. The time saved during a client engagement or internal assessment lets you concentrate on deeper dives, research, or chasing rabbits to your heart's desire.
Below are a few notable products blazing the trail for automated pentesting:
They all offer free trials to corporate accounts. Check them out and see what works best for you!
Advancements in Cloud Pentesting and Cloud Red Teaming
As traditional on-premises networks transition to the cloud, and with an increasing utilization of cloud resources each year, the cloud remains a prominent attack surface. This area is one where the industry is in desperate need of more security experts. From an offensive security perspective, stay vigilant for advancements in attacker tactics and techniques with resources such as:
Also watch the progression of the exploitation toolkits. Check their GitHub repos for new additions; some have come out more recently than others:
Graph Runner (Azure)
Storm Spotter (Azure)
CloudFox (AWS + Azure)
Pacu (AWS)
Unfortunately, I’ve not come across a GCP exploitation framework. Is this something we’ll finally see in 2024? If you’ve come across one, please reach out! It definitely seems to be a space that is trailing behind.
“Continuous” for Penetration Tests and Vulnerability Scanning
Another trend I've noticed is that teams are increasingly adopting a continuous offensive security approach, shifting from point-in-time assessments to more frequent, sometimes daily assessments. This change, often enabled by automation, helps identify security issues as they arise versus relying on annual or quarterly assessments. While there are limitations and trade-offs, this proactive approach is becoming more common due to its effectiveness in promptly uncovering and addressing vulnerabilities as they appear.
I don't believe point-in-time assessments are becoming obsolete. There is significant value in an assessment at a specific point in time because it delves deeper than what automated tools or scanners may provide. The manual approach is where the real fun and creative exploits emerge. However, with continuous vulnerability scanning, increased frequency of penetration testing, and ongoing red teaming engagements (lasting for months attempting to breach an enterprise), we can more effectively mimic real threat actors and provide multiple assessments for the price of one.
Considering that external assets are constantly scanned on the internet, and threat actors have unlimited time and resources to discover these flaws, offensive security professionals need to keep up. That's why I believe this trend will continue.
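What a continuous approach buys you over a point-in-time assessment only shows up when results are compared across runs. As an added example that is not code from this post or from any scanner, the Python below diffs consecutive snapshots of an external attack surface: it reports exposures that are new, exposures that were resolved, regressions (something that was closed and has come back, which a single annual scan would simply report as "open"), and how many consecutive snapshots each current exposure has persisted for. The snapshots and hostnames are constructed placeholders.

```python
# An exposure is a (host, port, service) tuple. These snapshots are constructed
# for the example; the hostnames are placeholders, not real assets.
SNAPSHOTS = [
    ("2024-01-01", {
        ("www.example.test", 443, "https"),
        ("mail.example.test", 25, "smtp"),
        ("vpn.example.test", 443, "https"),
        ("dev.example.test", 22, "ssh"),      # flagged, then closed by the team
    }),
    ("2024-01-08", {
        ("www.example.test", 443, "https"),
        ("mail.example.test", 25, "smtp"),
        ("vpn.example.test", 443, "https"),
    }),
    ("2024-01-15", {
        ("www.example.test", 443, "https"),
        ("mail.example.test", 25, "smtp"),
        ("vpn.example.test", 443, "https"),
        ("dev.example.test", 22, "ssh"),      # reappears: a regression
        ("api.example.test", 8080, "http"),   # brand new exposure
    }),
]


def diff_snapshots(snapshots):
    """Compare each snapshot with the one before it. Returns one report per snapshot with
    the exposures that are new, those that were resolved, and the subset of new ones that
    had already been seen in an earlier snapshot (regressions)."""
    reports = []
    previous, ever_seen = set(), set()
    for label, current in snapshots:
        new = current - previous
        resolved = previous - current
        reports.append({
            "label": label,
            "new": new,
            "resolved": resolved,
            "regressions": new & ever_seen,  # new relative to last run, but known from before
        })
        ever_seen |= current
        previous = current
    return reports


def open_streaks(snapshots):
    """For every exposure in the latest snapshot, count how many consecutive snapshots
    (ending with the latest) it has been present in: a simple age for SLA tracking."""
    latest = snapshots[-1][1]
    streaks = {}
    for exposure in latest:
        n = 0
        for _, snap in reversed(snapshots):
            if exposure not in snap:
                break
            n += 1
        streaks[exposure] = n
    return streaks


if __name__ == "__main__":
    for r in diff_snapshots(SNAPSHOTS):
        print(r["label"], "new:", sorted(r["new"]), "resolved:", sorted(r["resolved"]),
              "regressions:", sorted(r["regressions"]))
    for exposure, age in sorted(open_streaks(SNAPSHOTS).items()):
        print(f"{exposure} open for {age} consecutive snapshot(s)")
```

The regression case is the one worth wiring an alert to: a port that was closed after the last report and is open again usually means a change-management gap rather than a new finding, and that is information a point-in-time test cannot give you.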
Assumed Breaches
In my years focusing on offensive security, the term "Assumed Breaches" has resonated more deeply with me, especially as attacks have become more sophisticated. This approach, which I've increasingly integrated into my practices, operates on the principle that breaches are not just possible; they're inevitable.
Why I Advocate for the Assumed Breach Approach
To me, adopting an "Assumed Breach" approach requires a mindset shift. It's about acknowledging that our defenses will be breached and focusing instead on how we prepare for, respond to, and recover from these incidents. By simulating malicious access to various parts of our network, we're not just testing our defenses; we're proactively preparing for real-world scenarios. This method allows us to uncover vulnerabilities that traditional assessments might miss.
Tailoring the Simulation
In my practice, the starting point for an assumed breach scenario is rarely the same. It's carefully chosen to reflect the unique nature of the environment that I’m targeting. For example, if a company's core operations revolve around development, I'll start with developer credentials and workstations. This approach ensures that the pentesting is as relevant and insightful as possible, mirroring potential real-world attack vectors that could be exploited by actual threat actors.
Looking Ahead
As we step into 2024, I'm convinced that the "Assumed Breaches" methodology will only become more relevant.
Client Reporting Portal
Are traditional pentest reports becoming obsolete? From a consulting perspective, I certainly hope so.
There are rumors of a trend gaining traction within some teams. Bug and remediation tracking tools, such as JIRA for internal security teams, have evolved into the concept of an interactive dashboard. This dashboard can notify and display findings in real-time to a client, offering several advantages:
Speeds up the notification time.
Facilitates easier tracking and remediation.
Allows for comments and communications about findings in one place.
Enables a simpler export or attestation that confirms the penetration test was conducted and items were remediated.
If you take a step back and consider a primary purpose of offensive security services, it's to identify, exploit, and demonstrate the impact of vulnerabilities as well as provide this information to security teams, enabling them to understand the issue and remediate it as quickly as possible. With that in mind, having a faster, more iterative and more interactive method to deliver these results, such as a client reporting portal, just makes sense.
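To make the portal idea concrete, here is an added example in Python; it is not code from PlexTrac, Precursor Security or this post. It models the core of such a dashboard: findings with an enforced remediation workflow (a finding cannot jump straight from open to verified fixed without a retest), comments stored with the finding, a notification emitted on every change, and an attestation export summarising what was found and what was closed. The status names, finding ids and sample findings are assumptions made for the example.

```python
import json
from dataclasses import dataclass, field

# Allowed status transitions for a finding. Status names are assumptions made for
# this example, not the workflow of any particular portal product.
TRANSITIONS = {
    "open": {"in_remediation", "risk_accepted"},
    "in_remediation": {"ready_for_retest", "open"},
    "ready_for_retest": {"verified_fixed", "open"},   # tester retests; reopened if not fixed
    "verified_fixed": set(),
    "risk_accepted": set(),
}


@dataclass
class Finding:
    fid: str
    title: str
    severity: str
    status: str = "open"
    history: list = field(default_factory=list)   # (when, from_status, to_status, actor)
    comments: list = field(default_factory=list)  # (when, actor, text)


class Portal:
    """A minimal findings portal: records findings, enforces the remediation workflow,
    keeps comments with the finding, and emits a notification on every change."""

    def __init__(self, clock):
        self.findings = {}
        self.notifications = []   # a real portal would push these to e-mail, chat or webhooks
        self._clock = clock       # injected so that runs are deterministic

    def report(self, fid, title, severity):
        if fid in self.findings:
            raise ValueError(f"duplicate finding id {fid}")
        self.findings[fid] = Finding(fid, title, severity)
        self.notifications.append((self._clock(), "new_finding", fid, severity))

    def transition(self, fid, new_status, actor):
        f = self.findings[fid]
        if new_status not in TRANSITIONS[f.status]:
            raise ValueError(f"{fid}: cannot go from {f.status} to {new_status}")
        now = self._clock()
        f.history.append((now, f.status, new_status, actor))
        f.status = new_status
        self.notifications.append((now, "status_change", fid, new_status))

    def comment(self, fid, actor, text):
        self.findings[fid].comments.append((self._clock(), actor, text))

    def attestation(self, client):
        """Summary a client can hand to an auditor: what was found and what was closed."""
        counts = {}
        for f in self.findings.values():
            counts[f.status] = counts.get(f.status, 0) + 1
        closed = [
            {"id": f.fid, "title": f.title, "severity": f.severity,
             "closed_as": f.status, "closed_on": f.history[-1][0]}
            for f in self.findings.values()
            if f.status in ("verified_fixed", "risk_accepted")
        ]
        return {"client": client, "generated": self._clock(),
                "total_findings": len(self.findings), "by_status": counts, "closed": closed}


def demo():
    """Walk one constructed finding through the whole workflow and return the portal."""
    day = iter(f"2024-01-{d:02d}T12:00:00Z" for d in range(10, 31))  # fake clock, one day per call
    portal = Portal(clock=lambda: next(day))
    portal.report("F-1", "Outdated TLS configuration on VPN gateway", "medium")
    portal.report("F-2", "Weak password policy for service accounts", "high")
    portal.transition("F-1", "in_remediation", actor="client-infra")
    portal.comment("F-1", "client-infra", "Config change scheduled for the next window.")
    portal.transition("F-1", "ready_for_retest", actor="client-infra")
    portal.transition("F-1", "verified_fixed", actor="pentester")
    return portal


if __name__ == "__main__":
    print(json.dumps(demo().attestation("Example Client"), indent=2))
```

The transition table is the part that matters for a consulting shop: "verified_fixed" can only be reached from "ready_for_retest", so the attestation never claims a fix the testers did not confirm, and the history list gives the timeline that a traditional PDF report cannot.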
PlexTrac and Precursor Security are two companies that I’ve found are leading the charge in this space. Have you come across any? Please let me know in the comments!
Conclusion
Those are the top trends I think will continue to be hot in 2024. Thanks for reading! If you have any predictions for what we might see more of in Offensive Security services in 2024 or have any questions about the topics I covered, feel free to message me on LinkedIn or leave a comment on this post! You can also follow my GitHub where I’ll be posting more resources around penetration testing and red teaming!
Great post! I agree that the trend is now moving towards a continuous approach, which I am seeing more and more in my engagements. Breach and Attack Simulation is also something a lot of customers are interested in implementing and using to see where an attack might succeed.