
Ten Things Learned from Government's Offensive Cyber Research

What are the clients of red team service providers concerned about when it comes to trends, offensive engagements and overall quality?


This week saw research published about how the commercial offensive cyber sector is integrating emerging technologies into their commercial offerings, and what the implications are of this integration.

Taking into consideration entities that deliver legal and ethical security testing - including red team services - the DSIT research identified a number of opinions, attitudes, predictions and insights into how the red team element of the commercial offensive cyber sector, and their clients, are adapting and integrating recent and emerging technologies into their security offerings. These came from interviews with UK red team service providers on common trends they see from their work and clients.

The research disclosed a number of findings that we are featuring here. Before then, some honourable mentions:

  • A lack of discussion around technologies such as blockchain or cryptocurrencies.

  • Significant discussion around the adoption, use and hopes for AI - although with scepticism over its promises, with many of its capabilities considered overstated and overused in products, creating a confused environment as to its true potential and capabilities.

  • Adoption of, and migration to, cloud-based architecture having a larger impact on the services being offered by commercial red teams.

  • Quantum computing is considered to be too abstract and only viable for laboratory settings.

1 - Awareness of cybersecurity risks has increased significantly in recent years, with particular focus on rising cybercrime and data breaches. This applies in particular to the clients of the red teams.

2 - More than one interviewee stated that they had been hired to conduct cybersecurity assessments, including offensive cyber engagements, with a focus on their client’s third-party vendors.

3 - Cost and technologies remain a significantly limiting factor. Clients of red team companies recognised threats to their supply chains, but not all of them had the resources or available expertise in-house to enforce expected security standards. 

4 - Most of the effort was focused on Microsoft Windows environments, but with the development of new business models, including the new generation of entirely cloud-based banking, there is a growing recognition of, and trend towards, developing for Linux- and macOS-heavy technology stacks.

5 - There has been more research into attacking mobile operating systems such as iOS and Android, due to their prevalence. 

6 - Society was overestimating the capabilities and reliability of Generative AI products - and their role in offensive and defensive cybersecurity - at this stage in their development.

7 - There is more call for the use of automation for repetitive security tasks such as attack surface management, penetration testing, and vulnerability assessment. 

8 - Whilst the number of boutique firms is increasing, clients of interviewees appear to still be showing a preference for working with larger, more established security providers.

9 - The expansion of available certifications and courses is viewed with some scepticism due to a perceived lack of quality from these courses in terms of teaching offensive cyber techniques, and the ability to deliver offensive cyber operations from an ethical and legal standpoint. Respondents said this makes finding individuals with comparable skills more difficult in a global market and is exacerbating the perceived different standards of delivered testing.

10 - The market for red team services and capabilities was seen as extremely competitive, with many competing aggressively on price, and as a result, clients of interviewees - especially government agencies - often struggle to differentiate between high-quality and low-quality providers. This led to the perception that clients were choosing cheaper options over more competent firms.



Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
