What is an Offensive Security Team?

In 2018, hackers stole half a billion records—an increase of 126% on the year prior, which translates to 3.8 million records per day. Ransomware is an ever-increasing threat, geopolitical tensions are being played out online, and corporate and government security systems are struggling to compete with the sophisticated modern cybercriminal.

To take the fight back to these malicious actors, enterprises need to understand the very people that are targeting them. I recently interviewed Okta’s own Travis Morrow, our Senior Manager of Offensive Security to get a better understanding of the hackers’ mindset and motivations, along with the role that offensive security can play in thwarting these attackers.

What is an Offensive Security Team?

At Okta, it’s our mission to ensure that our customers’ data is kept secure from adversaries internally and externally. To support this mission, we employ a robust, multi-faceted Security Team, part of which is made up of an Offensive Security Team and Application Security Team. Offensive Security, Led by Travis, is focused on discovering vulnerabilities within Okta’s infrastructure, vendors, and people.

“Offensive security takes a more holistic view of the company from an outsider’s perspective, not just looking at one service but across the entire Okta organization to find various routes into our environment,” said Travis.

In addition to trying to infiltrate Okta from the outside-in, they also work from an “assumed compromise” mindset. That is, working with the mindset of: “Let’s assume a vulnerability already exists and a hacker has gained a specific degree of access. What resources would that hacker have access to in this scenario, how could we detect that, and how can we proactively work with our Blue Team to address that risk?”

Okta’s Defensive Security Team (Blue Team) focuses on detection and response while working in collaboration with Red Team activities of the Offensive Security Team to increase Okta’s resiliency at all layers.

In short, it’s the Offensive Security Team’s job to assume the mindset of a hacker, and find vulnerabilities before an adversary can.

Threats to look out for

“Before enterprises invest substantial time and money in the latest gadget or tool, it’s vital to understand how and why they’re being attacked. They need to understand what hackers are looking for, the valuable assets they are trying to protect, and the most common threat vectors leveraged,” said Travis. Here are a few threats to be on alert for.

Opportunist Attacks

Less targeted “opportunist attacks” generally occur when an attacker scans the internet for a known vulnerability—such as a BlueKeep RDP Flaw—and exploits those resources en masse to build a botnet, cryptomining cluster, or to sell access on the black market.

Cloud Resource Exploitation

The explosion in cloud adoption has increased the need for organizations to understand what data they have. One of the easiest ways for opportunistic and targeted attackers to steal enterprise data is through open S3 resources, embedded IAM credentials in source code, or through the compromise of cloud management keys. Malicious actors can use credentials / IAM keys as a launch point into the network, pivot into better-protected enclaves, retrieve forgotten database archives, download site backups, or crypto mine on the company's dime.

Authentication Systems

Building an in-house custom authentication system can expose an enterprise to additional vulnerabilities within their implementation of the SAML or OAuth spec that aren’t typically included in threat modeling or rigorously tested by enterprise security teams. Custom authentication systems often include short-cuts on the SAML or OAuth specification all the way to outright back-doors for ease of management and development. These implementations are ripe for abuse and access to critical systems which can go undetected for years.


Phishing attacks remain a highly prevalent and effective technique for attackers. These range from bulk email attacks that promise payments for laundering money to more targeted attacks where the attacker sends seemingly urgent emails to employees from their CEO. Spear-phishing attacks tend to be the most devastating as they are often meticulously planned to appear as believable and trustworthy.

“We look at LinkedIn and Facebook to add employees as friends and discover what information is publicly available to attackers and build rapport” Travis explained. These tactics significantly increase the chance of individuals opening / running malicious code or visiting a malicious site.

Other security tips

Toward the end of our conversation, I asked Travis about what other tips and best practices he recommends for both security teams and individual users.

“In order to protect themselves, businesses need to first have a comprehensive understanding of what they are protecting, what their most valuable targets are, and how it could be compromised,” Travis explained. “There are a number of strategies for doing that.”

The basics

Companies should select a framework that works with their maturity level and is configured such that application security testing is happening throughout the software development lifecycle — from architecture to release. Only once code is reviewed and features are tested continually does it make sense to commit the time and team resources required to focus on simulating outside threats and looking for complex compromise scenarios.

Threat modeling

Part of a robust security program includes threat modeling your most important assets and code paths. This is best done in collaboration with the developers and security team during the design phase to set expectations around what is the most important aspect of their work and allows the internal or external security testers to focus on targets of high business impact.

Be wary of passwords

“Using passwords — especially ones that people know or can remember—is a surefire way to get compromised. These login details are generally recycled on social media or other platforms that end up compromised and made public. The best recommendation I have for individuals is to use a password manager that generates strong unique passwords for every site. It’ll save you a world of heartache in the long run,” said Travis.


I’d like to thank Travis for taking the time to share a glimpse into his world. To learn more about Security at Okta, check out our Security and Reliability page, or feel free to contact us.