During a recent discussion with co-workers over lunch, the topic of offensive security came up. Preferring offensive security over anything else, I chimed in and explained the glorious difference study, and skill development methods between offensive and defensive security ideologies.
Offensive security and everything it encapsulates can be seen as a sport. There are techniques, tricks, methods, styles, different platforms, etc. all at your disposal to use to your liking. You’re taking your keyboard, and turning it into a controller that can potentially do as much damage as you allow yourself to learn. Offensive security can be practiced. You can even increase the speed in which you attack. The list goes on.
Defensive security is boring. It’s preventive. Write your policies, set up your controls, audit, report. ZZZZZ. Is this what I got into security for? No. Hardly. Not even close in fact. Anyway…
It came to mind that if offensive security can be considered a sport, why not train like an athlete. Yes, its good to know the general concepts, tools, and how to use them, but how is that really effective in today’s fast paced cyber-terrorism world? If you’re not trained to detect, react, and attack appropriately, you’re bound to become useless. The combination of both knowledge and disciplined ability will be invaluable.
I would imagine that a training curriculum for offensive security could take the security skills you already have, and hone them into militant abilities and at the same time, teach new methods. Not only would there be a program to follow for disciplined learning, but common offensive security tasks as well as attacks would become so ingrained into an individual, they would never have to stop, hesitate, or look up a procedure that was merely foggy or forgotten.
Does anyone have such a program or training curriculum?
How do you keep your skills sharp?
Would anyone be interested in developing such a curriculum with me?