Improving offensive cyber security assessments using varied and novel initialization perspectives

Abstract

Offensive cyber security assessment methods such as red teaming and penetration testing have grown in parallel with evolving threats to evaluate traditional and diverging attack surfaces. This paper provides a taxonomy of ethical hacker conducted offensive security assessments by categorization of their initial evaluation perspectives. Included in this taxonomy are the traditional assessment perspectives which initiate analysis and attack simulation against networks either externally, from within a DMZ or internally. A novel paradigm of critical perspective as an initial point for offensive security evaluation processes is also presented. This initialization from a critical perspective bolsters the holistic capabilities of offensive cyber security assessment by providing a new offensive security assessment option intended to begin evaluation at the last line of defense between malicious actors and the crown jewels of an organization. Then from such a perspective assess outwards from the deepest levels of trust and security. This method will be shown to improve the ability to mitigate the impact of threats regardless of their originating from within or without an organization. As such, the assessment initialization at a critical perspective provides a new approach to offensive security assessment different from what has traditionally been practiced by red teams and penetration testers.