What is security research and security engineering?

What is security research and security engineering?
October 05, 2021

In this article I wanted to go through most of the major categories of computer security work, and describe the differences between them. As we go along, I’ll also make sure to point out where both CAD and Ola Bini fits in these descriptions.

I will be using the word “hacking” to signify the act of breaking into a computer system, since this is the popular understanding of the word. Likewise, in this article I’ll use the word “hacker” to signify someone that engages in “hacking”. It is worth knowing that these words have a long history with varied meanings, and the current pejorative meaning is something that many old-time computer experts find very frustrating. I myself fundamentally feel the same way, but in order to aid in understanding, I’m ceding this battle for another article.

Offensive versus defensive

The first thing to keep in mind is that most security work can be divided up into things that can be considered offensive, and other things that can be considered defensive. Offensive work can be the simpler action of breaking into a system, but it can also be considered creating tools or techniques that can be used for offensive purposes. This includes doing things like creating viruses and other malware. It can involve figuring out ways of circumventing firewalls and other detection technologies and actually using them.

In the same way, defensive security work in its simplest form can be seen as setting up the systems for stopping intrusions into a computer or service. This kind of work involves designing the general defensive strategy, configuring computer systems, continuous monitoring of events, and related activities. But from a wider perspective, defensive security work involves building tools and techniques that are mainly focused on defending systems. This can involve building new software, figuring out detection mechanisms to stop attacks, analyzing software or systems for holes and patch them, and so on.

Finally, there’s a huge grey zone in the middle of these two extremes. For example, identifying vulnerabilities in software is neither offensive nor defensive. But if you weaponize a vulnerability in order to attack a system, it becomes offensive. In the same manner, if you work to inform the vendor about the vulnerability, in order to close it, or if you create rules for intrusion detection systems that can detect an attacker trying to use the vulnerability, this is clearly defensive. At the end of the day, the same action can be defensive or offensive depending on the wider context and the motivation behind it.

The computer security industry sometimes borrow concepts, ideas and terminology from the military. This is only natural, since there’s a lot of overlap in the thinking, and security is obviously a core part of military operations as well. One of these ideas is the concept of RED TEAM and BLUE TEAM. When it comes to the security profession, a red team is basically an offensive team - a group of people trying to attack a system, person or organization. When we are talking about red teaming, this is not a team that comes from the outside - instead, it is a group of people that work for you, or that you contract to attack your systems. A red team can be a persistent team, or it can be a temporary exercise. But the main goal of a red team exercise is to generate information which can be used to improve the security of a system. Different red team exercises can be constrained in different ways. Sometimes only computer security attacks are valid, but other times, a red team will act as any real enemy would do, and try to use any methods to attack and extract information, including social engineering, physical penetration, and so on.

As you might have guessed, the goal of a blue team is the exact opposite - the blue team defends when the red team attacks. And just as with red team exercises, the blue team can be persistent or temporary. The main goal is to generate knowledge that can be used to improve the security.

One thing that almost always will happen with computer people and categories, is that they will come up with more categories. When it comes to attack and defense, the dichotomy of red and blue teaming are quite well established. But based on these categories, new ones have come up as well. You might very well see PURPLE TEAM as a concept. And recently, ORANGE, YELLOW and GREEN have also become more used. The best overview of these concepts I’ve seen, is in this article - which describes the BAD triangle, where BAD stands for Build-Attack-Defend. Each point of the triangle stands for one concept, where the Attack point is represented by the RED TEAM. The Defend point is represented by the BLUE TEAM. Now, the edge between Attack and Defend is represented by the PURPLE TEAM. The core concept of this team is to use attacker knowledge to improve defensive posture. You can think about this either as a team, or as a constant interchange of capability between the two teams.

On the other side, you have the different perspectives of building. We will come back to these aspects of security work later. But for now, the basic idea of the triangle is that YELLOW TEAM is the Build team. They have overlap with ORANGE TEAM which gains knowledge and builds based on attacker knowledge, and GREEN TEAM which does the same based on overlap with the BLUE TEAM, with information about defense.

When discussing offensive and defensive security, you can talk about it from a more generic perspective, or a more specific one. Most of the time, it’s helpful to look at it from the more specific perspective, especially the offensive capabilities. From this perspective, hacking will always belong to the offensive category. In some cases, you can consider the members of a red team to be hackers. But most of the time, we try to avoid this terminology when talking about red teams. The fundamental idea of red and blue teams is that they are working for the company or organization in question, in order to strengthen the security. Most of the time, a hacker will be understood as someone attacking from the outside. So let’s move on to the question of ethical versus unethical conduct, and how that ties in to legal and illegal actions, and hacking in general.

When talking about computer security, the general public still has this idea of a person breaking into systems from the outside. This comes from generations of movies portraying these kinds of actions. But even in this sub-category of security work, there exists many different perspectives, reasons and restrictions. A lot of it comes back to the rationale for why someone breaks in to computer systems. In general, you can divide it up into a few different purposes. First, we have the people that break into systems in order to expose security problems. They do it to see whether it is possible, and once they succeed, they will generally report the problem. This kind of attacker will generally be extremely careful to not break anything in the process, to leave logs as they are and to not modify or look at data they shouldn’t look at. The main purpose is really to improve the security of their target. This type of hacker will often be called an ethical hacker or a white hat hacker. (The hat terminology comes from the old western movies, where the good guys always had white hats and the bad guys wore black ones).

On the other side of the fence we have the black hat hackers. These people will generally have as a goal either to steal information or to destroy a system in some way. Sometimes this kind of attacker doesn’t have a specific goal, but is uninterested in behaving in an ethical manner, meaning that even though they might not actively steal or destroy, they are not careful and can cause all kinds of damage. Sometimes, this category of people will do what they do as a contractor for criminal organizations, and other times they might work on their own.

Here we come into a bit of a tricky distinction problem, though. There are some attackers that might be a bit trickier to distinguish. Often, so called hacktivists have to be put in this category. The problem here is that their methods will often make them look like black hats - including stealing information or destroying their target systems. But at the same time, their motivations for their actions will generally be based on ethical reasons. For example, imagine a person breaking into a computer system of a problematic company, stealing information that shows illegal behavior by the corporation and its employees. The attacker destroys the computer systems after stealing the information. Then, the attacker sends the information to a journalist, which publishes it - leading to the company being legally investigated and potentially charged. Now, obviously, the attack itself follows the patterns of a black hat, but the reasoning for it comes from an ethical perspective. For this reason, hacktivism is often hard to categorize, since the actions will have to be judged subjectively. Sometimes, a person that attacks in this way might be called a grey hat hacker, since they violate ethical boundaries, but without malicious intent. However, another type of grey hat hacker are those that break in to systems and looks around, but doesn’t destroy anything. However, they also don’t report the security problems to anyone - simply keeping the vulnerability to themself. In this situation, the person is also not acting in a malicious way, but neither are they doing what they do for the purpose of improving security. Because of this, they fall inbetween the two categories.

How does these categories overlap with legal and illegal actions? This is a bit complicated, since different countries have different laws. In general, grey hat hacking and black hat hacking will almost always be illegal. However, in the case of white hat hacking there exists two different possibilities. One is when the attacker decides to attack based on their own volition and then report the results. In this case, there’s a strong possibility that the conduct will be considered illegal, but in some jurisdictions this might also vary depending on motive. On the other side, you have white hat hackers who sign contracts with organizations before trying to break in, and under these circumstances the actions will generally be considered legal. Often, these people will be considered part of a RED TEAM, at least for the duration of the contract. You might also hear the term penetration testing used for these activities.

So, as you can see, the questions of legality and ethics are not actually very well defined when it comes to these kinds of activities. And not all illegal actions are unethical either. But it’s important to remember that these kinds of actions are actually a very small part of what computer security work involves, and if you were to look at the sum total of security work, breaking into computer systems would be a very small fraction of that work - and something that most computer security people never do.

Research, analysis and engineering

When we look outside of hacking, what other security work exists? We have already touched on the concepts of defense and building. These two categories can be divided up into further categories as well. Some of the more prominent parts would be research, analysis, engineering and training. Each one of these can be sub-divided into many more specific disciplines as well, but we won’t go too deep into these things. Let’s take a look at each one a bit more carefully though.

The field of research is exactly what it sounds like. People here work on figuring out better ways of defending, better attacks, new ways of finding vulnerabilities, new techniques for creating better software, and so on. Some of this work also concerns evaluating existing solutions, both from a technical perspective, but also from a usability perspective - security only works if it is usable, after all. A lot of security research happens inside of academia, but that’s not the only place. Many private companies and non-profit organizations also do a lot of research. As with everything else in society, many of the important steps forward in security work comes from the people doing research.

One specific field of research that should be mentioned is that of cryptography. Here, once again, we have to divide the work into different parts. When it comes to cryptography, the biggest division is between creating new algorithms and protocols, and breaking those same systems. Once again, a lot of this research happens in the academic sector, but private organizations also take part.

After research we have analysis. It is worth mentioning that the professions we talk about here are not completely separate from the previous discussions. A RED TEAM will often do security research and analysis as part of their general goals, as well. So will the other types of teams. The work of analysis is fundamentally based on the divide of defense and attack as well. You analyze what weaknesses an existing system has, and you design ways to reinforce that. Or, you start by analyzing the possible threats, how likely they are, and then figure out the proper amount of defense to apply to mitigate each one of the most important threats. I would argue that security analysis is probably the core of most security work - even if it’s not the main activity for many security people, it is a supporting activity which is absolutely necessary to do the rest of the work well.

A big part of security work is also the actual engineering aspect. This involves the building of tools and techniques, either for attack or for defense. It can involve designing protocols, or implementing them. This is where the work of research and analysis gets turned into something that actually can protect a system in the real world - or attack it.

Security training is a slightly different type of work, but one which is also extremely important to the field of security. Fundamentally, you can never build a system that is completely secure without also involving human beings in the system. We want security to be intuitive and not intrusive, but there are things that users also need to know, when they are part of a larger system of defense. Security training is concerned with helping people make the best security choices for themselves and their organization, but also to do it in a way which reduces the burden on them as much aspossible. This kind of security training is - or should be - part of any realworld organization with any kind of threat.

But security training can also have a slightly different meaning, where the goal is not to train people to support the security needs of a larger structure, but instead to understand and protect their own security needs. I often talk about this as opsec (operational security) training. Because the goal is so different, a core component of this kind of training is to teach enough analysis skills to make it possible for people to make good security choices for themselves. The difference is that often, security training inside of an organization will have a situation where someone else already made the analysis and made the decisions. But in an opsec training scenario, most of the time the person needs to make these evaluations themselves. The recipients of this kind of training can be any kind of person, but often they will be people working under more severe risk, such as journalists, lawyers, healthcare workers, and so on.

Conclusions

Now that we have a much better understanding of what security work actually involves, we can put the work that most people in security do in a better frame. As mentioned above, most security people do not break into systems. Instead, they analyze, do research and protect in various ways. And this does not work the way it does in a movie, where the protection is simply against hackers always trying to attack. There are many risks that security people have to consider. Anyone with incentive can be a threat, and security is about protecting against all these kinds of threats - whether it is a hacker from the outside, a visitor who by mistake finds sensitive information, or an insider who steals data.

The work that CAD - and me (Ola Bini) - does, is to a large degree focused on security engineering. We build things that will improve the security for a wide array of different people in the world. We also sometimes do opsec training. Sometimes we are involved in security research as well - especially in the field of defensive cryptography. And since security analysis is the foundation for the engineering work we do, that is also a component. But we as an organization - and me as an individual - have never done offensive work. We have never played the role of a RED TEAM. We are not any kind of hackers. What we do is different - we build systems for defense. We protect digital rights.

In future articles we might look more closely at different types of security work, focusing on what we, at CAD, do. It is important to clarify what security work actually is about, and dismiss the many myths and misconceptions about security that still exist in the general population. Hopefully, with this article you will have a better understanding of security work.