Behind Enemy Lines: Understanding the Threat of the XZ Backdoor

By: OffSec

The following is an excerpt from our new module on the recent XZ Utils backdoor, CVE-2024-3094.


On Mar 29, 2024, at 12:00PM ET, Andres Freund posted on the Openwall mailing list about a backdoor he discovered in the XZ Utils package. The backdoor targeted the OpenSSH binary, allowing remote code execution on impacted machines. This backdoor was not located in the GitHub repository, but only in release versions of the package, which hid its presence.

Given that XZ Utils had been installed (directly or indirectly) on billions of Linux systems worldwide, this finding stunned the international Linux and infosec communities.

Understanding the Timeline of the Attack

In late 2021,

The post Behind Enemy Lines: Understanding the Threat of the XZ Backdoor appeared first on OffSec.

OffSec Versus: Revolutionizing Cybersecurity Training Through Live-Fire Collaboration

By: OffSec

Did you know that 95% of cybersecurity breaches are caused by human error? Traditional training methods often fail to address this critical factor, leaving organizations exposed. OffSec Versus, part of the Enterprise Cyber Range, is designed to change that. It’s a live-fire training environment where your Red and Blue teams learn by doing, battling head-to-head, and developing the essential collaboration skills needed to neutralize real-world attacks.

Versus Explained

OffSec Versus exists to bridge the gap between traditional cybersecurity training and the dynamic, collaborative teamwork needed to defend against modern threats.  

Versus is a realistic, adversarial training environment within the Enterprise Cyber Range, enabling Red and Blue teams to engage in realistic, scored tournaments. In a real-world attack,

The post OffSec Versus: Revolutionizing Cybersecurity Training Through Live-Fire Collaboration appeared first on OffSec.

Soft Skills for Cybersecurity Leaders: CISO’s Perspective

By: OffSec

The emphasis on technical skills and knowledge in cybersecurity has always been present. However, as the field becomes increasingly complex and intertwined with every facet of business operations, the spotlight has shifted to the indispensable role soft skills hold in cybersecurity leadership. 

This perspective was the focal point of our recent webinar, led by Thereasa Roy of OffSec and featuring the insights of Jason Haddix, CEO of Arcanum Information Security. Jason delved into the pivotal role that soft skills—such as strategic communication, empathy, and storytelling—play in navigating the challenges of cybersecurity. 

As we’ve seen with recent attacks like the one on casino giant MGM, cyber threats are technical but also deeply rooted in human behaviors and interactions.

The post Soft Skills for Cybersecurity Leaders: CISO’s Perspective appeared first on OffSec.

Transform Your Cybersecurity Training with OffSec’s Cyber Ranges

By: OffSec

In 2024, the cybersecurity landscape is bleak, with 62% of organizations acknowledging a pressing need for enhanced cybersecurity skills amidst growing digital threats. This statistic underscores the urgent demand for comprehensive training in modern cybersecurity practices. In response to this critical need, OffSec is introducing a new suite of Cyber Ranges.

OffSec’s Cyber Ranges are our solution for realistic, high-impact cybersecurity training. This suite delivers a powerful combination:

  • Our Enterprise Cyber Range (ECR) with the groundbreaking live-fire capability in Versus, for Red vs. Blue training.
  • Enhanced Offensive and Defensive Cyber Ranges for deep-dive, specialized skill development.

Together, these ranges create an unmatched training experience for your entire cybersecurity team.

OffSec’s Enterprise Cyber Range

Traditional cybersecurity training often falls short.

The post Transform Your Cybersecurity Training with OffSec’s Cyber Ranges appeared first on OffSec.

Importance of report writing for pen testers

By: OffSec

Pentesters are well known for their technical skill sets: they simulate cyber attacks on computer systems, networks, or applications in a controlled environment. Their primary goal is to identify vulnerabilities and weaknesses to assess the security posture of a target system. Much of the work they do is technical in nature, but in order to help organizations understand and rectify their vulnerabilities before malicious hackers can exploit them, communicating that risk through report writing is nearly as important as finding the risk.

This is where soft skills like report writing become just as important as their technical skills. 

In this blog post, we’ll address the value of report writing for penetration testers, show examples of reports, highlight some mistakes that are often made,

The post Importance of report writing for pen testers appeared first on OffSec.

The Cybersecurity Skills Gap: Time to Step Up with OffSec’s Red Teaming and IoT Learning Paths

By: OffSec

The cybersecurity landscape is indeed challenged by a significant skills gap, with reports highlighting the critical shortage of professionals equipped to handle escalating cyber threats. The 2023 Global Cybersecurity Skills Gap Report from Fortinet underscores the urgency of this issue, revealing that a vast majority of organizations are facing more breaches due to a lack of skilled cybersecurity professionals. Specifically, the report found that 86% of decision-makers in cybersecurity recognize that the manpower shortage increases cyber risks for companies. 

OffSec is on a mission to address this critical challenge with its cutting-edge Red Teaming and Internet of Things (IoT) Learning Paths. These in-depth programs transcend generic tutorials, equipping learners with the real-world skills to tackle the complex security vulnerabilities in two of today’s most targeted areas.

The post The Cybersecurity Skills Gap: Time to Step Up with OffSec’s Red Teaming and IoT Learning Paths appeared first on OffSec.

Starting 2024 strong – The largest launch of security training from OffSec

By: OffSec

Strong cybersecurity relies on an understanding of the importance of security throughout the entire organization. OffSec is committed to delivering security training to offensive, defensive, development and IT teams that can best protect organizations.

In the first 10 weeks of 2024, we’ve released new learning paths to support more security training across the organization. No matter your role or area of expertise, this training will help develop a security mindset for more folks within your organization.

We’ve put together a 20-minute highlight video explaining all the cool stuff that we’ve released and what’s coming in the next 10 weeks. 

The post Starting 2024 strong – The largest launch of security training from OffSec appeared first on OffSec.

Cloud security training: Build secure cloud systems

By: OffSec

The cloud’s potential is undeniable – but securing it remains a daunting challenge. A recent SC Magazine survey revealed a troubling statistic: one in four companies cite a critical cloud security skills gap. This gap leaves organizations vulnerable, as attackers exploit everything from exposed cloud storage buckets to vulnerabilities in development pipelines. Generic tutorials and vendor-focused hype aren’t enough – teams need hands-on experience to grasp the complexities of real-world cloud security. That’s where OffSec’s new Cloud Essentials and Offensive Cloud Learning Paths deliver, providing the actionable training you need to bolster cloud security – whether you’re building cloud environments or testing their resilience.

OffSec’s answer: Build real-world cloud security expertise

Too much cloud training focuses on abstract concepts and vendor-specific tools, leaving you ill-equipped to handle the realities of cloud security.

The post Cloud security training: Build secure cloud systems appeared first on OffSec.

Cybersecurity training aligned with the MITRE ATT&CK framework

By: OffSec

The MITRE ATT&CK framework was developed in 2013 as a knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is a foundation for specific threat models and methodologies in the private sector, government, and cybersecurity product and service community.

This MITRE ATT&CK Enterprise framework is used by many of our customers to understand their teams’ existing skills and develop new learning plans to address skill gaps and protect the organization’s attack surface.

As we continue to meet our mission to empower individuals and organizations to fight cyber threats with indispensable cybersecurity skills and resources, we’ve developed 12 learning paths that are aligned with the MITRE ATT&CK framework. OffSec training and content cover nearly 70% of the skills required to match the entire attack framework.

The post Cybersecurity training aligned with the MITRE ATT&CK framework appeared first on OffSec.
