Bishop Fox’s Vinnie Liu talks offensive security skills

A proactive approach to security

“Offensive security is the all-encompassing term for a broad range of activities,” explains Vinnie Liu, CEO and co-founder of Bishop Fox, an offensive security specialist that launched its UK operations earlier in 2023.

“It’s the emulation of adversaries in various ways. It’s penetration testing, both internally and externally. It’s application testing and the discovery of vulnerabilities. It’s the exploitation of those vulnerabilities in the real world, as well as the ecosystem around the identification and exploitation of vulnerabilities across the entire technology stack,” he says.

The proactive nature of offensive security results in a more robust security posture, as the defensive measures will have already had their resilience tested, and the majority of exploits will have been detected and mitigated. Although offensive security may not necessarily prevent attacks, as nothing can be 100% secure, it will enable a thorough trial and testing period in advance.

Even though human-based elements may remain the most vulnerable exploit (through social engineering), offensive security enables organisations to detect system-based vulnerabilities that could be exploited. These can be broadly defined into the following five categories:

1. Credential management – poor password management remains a common flaw, despite well-publicised warnings about this issue.
2. Custom code or application-level vulnerabilities – insecure code that enables the system to be exploited.
3. Misconfiguration of systems – this can be as simple as not activating a security feature or a system not being appropriately configured for maximum effectiveness.
4. Missing patches – poor patch management is another common issue.
5. Sensitive information disclosure – when a system discloses too much information about itself, which a malicious actor could leverage and exploit.

It is often a combination of these five categories that can lead to a high-risk vulnerability. A single medium-risk vulnerability may be a cause for concern, but might not require urgent attention. It is more likely that multiple medium-risk issues could result in a compromise, as they could be linked together and leveraged to acquire access.

“People refer to it as attack chaining – linking together these various vulnerabilities that may not seem like a critical risk, but when combined with others create pretty devastating results,” explains Liu.

A multi-skilled discipline

The multi-faceted nature of offensive security requires a diverse skillset. Offensive security testing is more complex than simply stress-testing a system, as it requires inventiveness and creativity on the part of the analysts.

“There’s an aspect of it which is similar to safecracking. To do that successfully, you have to know how it works, so that you can find how it doesn’t work,” says Liu. “You’ve got to both quickly understand if something should happen, and then be creative and inventive enough to figure out how it shouldn’t happen, or how you can still get it to do a thing that it was never designed to do in the first place, but not crash and fall over.”

The cyber security sector is struggling to recruit specialists, as there are currently more vacancies than experienced people. This is especially the case for offensive security, due to the diverse skillset required. As such, offensive security firms such as Bishop Fox have an active recruitment policy of always being on the lookout for fresh talent.

“Part of being an offensive security expert is you need to be versed in a broad array of technologies and systems, as you don’t know what you’re going to come up against,” says Liu. “Because we encounter so many different environments, networks, custom applications and custom targets, you really have to have that versatility and a broad, but also deep, set of knowledge.”

This lack of offensive security talent has been exacerbated by the limited number of academic institutions that have educational programmes designed to teach students how to become offensive security experts. “There’s plenty where you can learn how to be a network analyst or security operations centre analyst and get your hands around some of those,” says Liu. “The skillsets and instinct of offensive security are tough to teach in a school environment.”

“When we look for talent, we don’t care about degrees. The most educated and credentialled people in our company are the technical writers, who have degrees from Oxford and Yale, but for our testers it’s all about their skillset and their commitment”

Vinnie Liu, Bishop Fox

Given the limited number of academic or training credentials available for offensive security, talent and reputation for security is often far more important than academic qualifications or certifications. “When we look for talent, we don’t care about degrees,” says Liu. “The most educated and credentialled people in our company are the technical writers, who have degrees from Oxford and Yale, but for our testers it’s all about their skillset and their commitment.”

Vinnie Liu became interested in security during the early days of the internet, dialling into systems and sharing text files. What really piqued his interest was reading technical documentation about how computers operated and how different aspects of telephone systems worked.

Learning about programming and how different operating systems worked was a natural progression for Liu, as well as spending time on internet relay chat (IRC) interacting with peers in those circles. “As I was graduating from high school, an individual I knew, who I’d known for over four years online, was in the Air Force and working at the National Security Agency (NSA), suggested that I get in touch with a couple of people at the NSA,” recalls Liu. “They were running a programme designed around recruiting computer science and math people out of high school, to bring them into the agency if they were gifted and talented programmers.”

Whilst IRC may now be obsolete, programming and mathematics have come to the fore with the prevalence of science, technology, engineering and maths (STEM) teaching in modern education. Organisations can harness the focus on STEM subjects by liaising with educational establishments and engaging with pupils, thereby allowing them to nurture fresh offensive security talent.

This engagement could be in the form of immersion days, where schools arrange for pupils to experience different careers throughout the year, or offering educational challenges with a prize for the winner. In each of these cases, individuals with the appropriate talent will become familiar with the backing organisations and be encouraged to apply for vacancies within the sector.

“The key thing you’re looking for is talent, but that’s difficult to judge until they’re in,” admits Liu. “A lot of people can talk the talk, but the ability to grow and become more sophisticated to be a true professional takes passion and dedication and a willingness to invest.”

However, the pervasive nature of technology and the growing acceptance for remote working has meant that organisations are no longer as geographically bound as they once were. Recruitment initiatives in the past may have required a relocation budget for potential applicants, but the capacity for working online means that this is no longer the case. As such, organisations are now able to search further afield and expand their recruitment campaign beyond the normal boundaries.

The future of offensive security

With the growing frequency of cyber attacks that have real-world implications, there has been increasing demand to have a robust cyber security posture that can protect user data. There is also the reputational element that needs to be considered, as potential clients and vendors may be disinclined to rely on the services of an organisation that has recently suffered a data breach due to a cyber attack.

“The key thing you’re looking for is talent, but that’s difficult to judge until they’re in. A lot of people can talk the talk, but the ability to grow and become more sophisticated to be a true professional takes passion and dedication and a willingness to invest”

“There’s an embrace of this approach to testing yourself and holding yourself to a higher standard, and allowing that to improve your system,” says Liu. “There’s a renaissance in offensive security, as companies are looking to be more proactive instead of reactive. People and regulations are starting to push for proactive measures – instead of getting breached in the first place.”

Given the proactive approach for detecting threats before they are exploited, offensive security remains a powerful tool in an organisation’s security posture. However, it is a technique that is experiencing a shortfall in analysts with the required skillsets, due to the lack of formal training or certification. That said, with the appropriate community engagement policy, organisations should be able to attract suitable students with the potential to become offensive security analysts in the future. This approach to easing the skills shortage requires time and commitment.

“The way vulnerabilities are being exploited today is a global concern,” concludes Liu. “It isn’t just regional anymore, because of the homogeneity of technical systems. Everyone is impacted by it.”