Table of Contents
- Introduction
- What is Attack Surface Management?
- Think like a hacker – continuously
- 1. You launch or promote cloud- or SaaS-based services
- 2. Your company acquires another company
- 3. You find or suspect shadow IT
- 4. You’re assessing third-party risk
- 5. You’re preparing for a cyber audit
- 6. You need to justify your security spend
- 7. You’ve had a serious breach
- 8. Bonus!
Your attack surface is “the set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from,” according to the National Institute of Standards and Technology (NIST).
Think of your attack surface as a fast-moving, ever-changing target. The more publicly accessible infrastructure, externally facing digital assets, access points to those assets, and people with access you have, the more attractive, and the more vulnerable, that target becomes.
This guide explains seven times you should investigate and, if necessary, shore up your attack surface, specifically when you:
- Launch or promote cloud- or SaaS-based services
- Acquire another company
- Find or suspect shadow IT
- Assess third-party risk
- Prepare for a cyber audit
- Justify your security spend
- Incur serious breaches
We cover each of these in more detail below. First, let’s cover the basics.
What is Attack Surface Management?
Attack Surface Management (ASM) is the continuous discovery, assessment, and mitigation of cyber risk across your attack surface. Keeping your digital attack surface in good shape takes constant vigilance to find and fix vulnerabilities before you’re attacked.
ASM is similar to IT asset discovery and asset management, but ASM views your attack surface from an attacker’s point of view. Its goal is to identify potentially vulnerable assets and endpoints that you don’t necessarily know about, that aren’t being monitored on a regular basis, and/or that fall outside of your regular security processes and procedures.
Think like a hacker – continuously
Because your attack surface is dynamic – and so are hackers – your attack surface management solution must be dynamic, agile, and continuous. ASM makes it easy to visualize external risk exposure and severity in one place. It enables security teams to act quickly to address the most critical exposures before damage occurs. Thus, attack surface management should be automated, always-on, and near real time.
You likely already have security procedures in place for key assets, such as your company’s website. But other elements of your digital attack surface may be hiding in plain sight, such as old domains, publicly exposed code repositories, and other by-products of digital transformation that make you vulnerable to cyberattacks.
Advanced ASM solutions like Attack Surface Exposure (ASE), part of Resolution Intelligence Cloud® from Netenrich, make discovered vulnerabilities actionable with threat correlation, context, and prioritization to accelerate remediation.
Now that you’re thinking like a hacker, let’s examine those seven times you should investigate and, if needed, shore up your attack surface.
1. You launch or promote cloud- or SaaS-based services
Migrating apps and services from physical systems to the cloud introduces new risk. Security teams face two major challenges:
- lack of visibility
- the dynamic nature of cloud computing.
For example, Engineering or DevOps teams may spin up machines in the cloud without thinking through the potential security implications or making IT aware of new cloud instances.
Continuous attack surface monitoring helps you stay on top of exposed or unauthenticated services and publicly exposed storage, even if one or more of your cloud providers has gaps. ASM helps steadily improve best practices, and lets you see what matters as soon as it changes.
Peak online events such as annual sales require servers to scale up fast to dramatically increase capacity. In the absence of impeccable digital hygiene among both clients and providers, these dramatic fluctuations can add substantial risk.
ASM targets the major hazards of cloud migration such as services becoming exposed as hosted cloud infrastructures spin up virtual machines (VMs) and leave them running when they’re no longer needed. Multi-cloud environments add to the chaos as a large SaaS provider might operate 90 machines in Google Cloud one day, see that spike to 110 the next day, and drop back down to 80 the day after that.
ASM finds critical risks that may arise from services that are left unauthenticated, often due to simple misconfigurations. In one real-world situation, Netenrich’s Resolution Intelligence Cloud discovered that a company’s open-source automation server had become exposed, leaving the Engineering team’s continuous integration and deployment pipeline reachable from outside the organization.
Employees working remotely may move data to the cloud to collaborate or share information with colleagues. They can inadvertently expose public cloud infrastructure without implementing the proper controls, and without anyone knowing about it. An attacker targeting your company could come across these oversights and start working backwards to map your infrastructure to see what’s unauthenticated, and what they can reach.
Finding these misconfigurations as they occur is daunting and time-consuming, if not impossible, without an ASM solution like Resolution Intelligence Cloud.
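The point of the preceding paragraphs is that a cloud inventory is only useful if you compare it with yesterday’s: what matters is the VM that appeared overnight, the service that lost its authentication, the cache that is now listening on the internet. The script below is an added example written for this guide; it is not Netenrich code and not a description of how Resolution Intelligence Cloud works. It diffs two snapshots of internet-facing services, ranks the changes critical-first, and treats a service that merely lost its authentication between snapshots as a change rather than a new host. The snapshot format, host names, port list and both inventories are constructed for the example; a real pipeline would build the snapshots from provider APIs and port scans.

```python
"""Diff two snapshots of internet-facing services and rank what changed.

Added example for this section; it is not Netenrich code. The two inventories
below are constructed sample data in a made-up "host,port,service,authenticated"
format. A real ASM pipeline would build them from provider APIs and port scans.
"""
from dataclasses import dataclass

# Services that should never face the internet without authentication.
RISKY_PORTS = {22: "ssh", 3389: "rdp", 5432: "postgresql", 6379: "redis",
               8080: "http-alt (often Jenkins)", 9200: "elasticsearch"}
SEV_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    service: str
    authenticated: bool


def parse_snapshot(text):
    """Parse the constructed CSV-like snapshot; '#' lines and blanks are skipped."""
    exposures = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, service, auth = (p.strip() for p in line.split(","))
        exposures.append(Exposure(host, int(port), service, auth.lower() == "yes"))
    return exposures


def severity(exp):
    """Unauthenticated admin/data services are the ones attackers reach first."""
    if not exp.authenticated and exp.port in RISKY_PORTS:
        return "critical"
    if not exp.authenticated:
        return "high"
    if exp.port in RISKY_PORTS:
        return "medium"
    return "low"


def diff_snapshots(old, new):
    """Return (appeared, disappeared, lost_auth), each sorted critical-first.

    Entries are keyed by (host, port) so that a service that merely lost its
    authentication between snapshots is reported as a change, not as new."""
    o = {(e.host, e.port): e for e in old}
    n = {(e.host, e.port): e for e in new}
    appeared = [n[k] for k in n.keys() - o.keys()]
    disappeared = [o[k] for k in o.keys() - n.keys()]
    lost_auth = [n[k] for k in n.keys() & o.keys()
                 if o[k].authenticated and not n[k].authenticated]
    rank = lambda e: (SEV_ORDER[severity(e)], e.host, e.port)
    return sorted(appeared, key=rank), sorted(disappeared, key=rank), sorted(lost_auth, key=rank)


# Constructed sample inventories: day 1 and day 2 of the same environment.
DAY1 = """
# host,port,service,authenticated
web-1.example.com,443,https,yes
api.example.com,443,https,yes
build.example.com,8080,jenkins,yes
"""

DAY2 = """
# host,port,service,authenticated
web-1.example.com,443,https,yes
api.example.com,443,https,yes
build.example.com,8080,jenkins,no
scratch-42.example.com,22,ssh,yes
cache-7.example.com,6379,redis,no
"""


def daily_report(old_text=DAY1, new_text=DAY2):
    """What an analyst should see the morning after: new, gone, and newly open."""
    return diff_snapshots(parse_snapshot(old_text), parse_snapshot(new_text))


if __name__ == "__main__":
    appeared, disappeared, lost_auth = daily_report()
    for label, items in (("NEW", appeared), ("REMOVED", disappeared), ("LOST AUTH", lost_auth)):
        for e in items:
            print(f"{label:9} {severity(e):8} {e.host}:{e.port} ({e.service})")
```

Run as-is it reports the unauthenticated Redis instance as critical, the build server that dropped its authentication as critical, and the new SSH host as medium. The two design choices worth copying are keying on (host, port) rather than on the whole record, so that an authentication change is not mistaken for a new asset, and ranking by whether a service is both unauthenticated and on a port attackers go to first, so that the triage order matches the attacker’s order.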
2. Your company acquires another company
In most acquisitions, a bigger company acquires a smaller one with less mature cybersecurity defenses and processes. Ideally, during the due diligence period, the security team can assess potential risks of integrating systems and gauge the time and effort needed to do it safely.
While the security team’s findings probably won’t affect the decision to move forward with the acquisition, they can help inform negotiations around upfront costs and alert CIOs and CTOs to undiscovered or undisclosed breaches that represent brand risk.
ASM helps assess the target company’s overall security posture and find major gaps in defenses quickly. ASM can rank critical exposures to focus and fast-track initial clean-up campaigns. Analysts get a running start by simply plugging in and validating the security posture of the new entity and rooting out the nasty surprises, including:
- Issues that have persisted well beyond the normal time to remediate, potentially indicating they may have already suffered a breach without having realized it
- Typo-squatted domains
- Content management system misconfigurations.
3. You find or suspect shadow IT
When business users adopt technology that IT hasn’t approved and that falls outside of your security protocols, that “shadow IT” can pose a risk equal to or greater than phishing attacks.
For example, your Marketing team or one of its agencies may host web-based events or content, then fail to renew a domain name only to have an adversary hijack the URL and use it in a phishing campaign.
Attack Surface Exposure (ASE) can uncover external digital risk from shadow IT as it appears. The most likely vectors include IP addresses you didn’t know were associated with your brand, that sit in an address block you don’t know about, or that are hosted by providers your IT department hasn’t sanctioned.
Securing the servers is Amazon’s responsibility. Configuring and safeguarding the S3 buckets is the responsibility of the bucket owner. And that seems to be where things go wrong. The S3 buckets come with strong security out of the box. But the owners end up misconfiguring the buckets, leaving their IP addresses wide open on the web for anyone to sniff out, using tools readily available on code repository sites.
- FairInstitute.org
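The quote above describes the failure mode exactly: the bucket is safe by default and becomes public only through the owner’s configuration, via three separate controls (the bucket policy, the bucket ACL, and the account or bucket public access block). The check below is an added example written for this guide, not code from the page, the FAIR Institute or Netenrich. It evaluates those three controls offline from data shaped like the output of `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block`, showing a misconfigured bucket beside the corrected one. Bucket name, account ID and role name are made up.

```python
"""Flag S3 buckets whose policy or ACL opens them to the internet.

Added example; not code from the page, FAIR Institute or Netenrich. The bucket
descriptions are constructed to mirror the shape of `aws s3api get-bucket-policy`,
`get-bucket-acl` and `get-public-access-block` output so the check runs offline.
Bucket names, the account ID and the role name are made up.
"""
import json

# Grantee groups that mean "anyone": AuthenticatedUsers is any AWS account,
# which is effectively public since anyone can open an account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} (alone or in a list) grants to everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_json):
    """Sids of unconditional Allow statements addressed to everyone."""
    if not policy_json:
        return []
    hits = []
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        # A Condition may still scope the grant; those need a human look, not an auto-flag.
        if st.get("Effect") == "Allow" and principal_is_public(st.get("Principal")) \
                and not st.get("Condition"):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits


def public_acl_grants(acl):
    """(group URI, permission) pairs handed to the public grantee groups."""
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUPS
    ]


def audit_bucket(name, policy_json, acl, public_access_block):
    """One verdict from the three controls that decide whether a bucket is public."""
    findings = []
    if not all(public_access_block.get(k) for k in PAB_KEYS):
        findings.append("public access block not fully enabled")
    findings += [f"public policy statement: {sid}" for sid in public_policy_statements(policy_json)]
    findings += [f"public ACL grant: {perm} to {uri.rsplit('/', 1)[-1]}"
                 for uri, perm in public_acl_grants(acl)]
    return {"bucket": name, "public": bool(findings), "findings": findings}


# Constructed: the misconfiguration the quote describes ...
WEAK = (
    "marketing-assets-example",
    json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::marketing-assets-example/*"}]}),
    {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"}]},
    {k: False for k in PAB_KEYS},
)

# ... and the same bucket corrected: access scoped to one role, owner-only ACL, block on.
FIXED = (
    "marketing-assets-example",
    json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "PublisherRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/MarketingPublisher"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::marketing-assets-example/*"}]}),
    {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]},
    {k: True for k in PAB_KEYS},
)

if __name__ == "__main__":
    for bucket in (WEAK, FIXED):
        print(audit_bucket(*bucket))
```

Two caveats a practitioner should keep in mind: a statement with a Condition is deliberately not auto-flagged, because conditions such as `aws:SourceVpc` or `aws:PrincipalOrgID` can make a `"*"` principal non-public, so those need review rather than a verdict; and a fully enabled public access block is reported as a finding when it is off even if the policy and ACL look clean, because it is the control that stops the next person from opening the bucket up again.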
4. You’re assessing third-party risk
What you don’t know can hurt you. The challenge of third-party risk may be the classic use case for ASM: While you cannot control everything that happens on the internet, you should continually seek it out, monitor it, and address your risk in relation to it.
There may be no direct liability for glitches in another company’s defenses, but identifying and addressing third-party risk including your vendors, partners, and other affiliates is a best practice that strengthens your cyber risk posture.
If you suspect you’re going to be the focus of a third-party risk assessment, ASM helps you manage exposures that can be used and held against you. Adding ASM and security ratings to regular certifications, pen testing, and SOC2 reports shows stakeholders you’re taking a comprehensive and innovative approach to visualizing and shrinking potential exposure. Cybersecurity ratings reflect an organization’s overall reputation as a safe company to do business with and rank its performance versus competitors or companies in the same industry. Insight into peer ratings provides value in baselining third-party risk from IP addresses and vulnerabilities, but it does not offer deep technical insight into other aspects of digital risk, such as those associated with cloud and web application exposures described above. Nor can ratings services trace specific IPs of interest to a particular provider without building technical integrations to the other party’s systems.
ASM lets you see the source of risk from a particular service and quickly drill down to see what’s at risk and how to fix it. Having done the hard work of integrating with Google Cloud Platform (GCP), Azure, AWS, and other leading public infrastructures, Resolution Intelligence offers quick context that speeds resolution. ASM complements ratings with actionability as you delve into phishing, typo squatting, and unauthenticated services, some of which are not reflected in risk ratings.
5. You’re preparing for a cyber audit
ASM streamlines and fast-tracks the cyber audit process by arming you with proof of coverage. Mapping items covered by ASM discovery to specific controls listed in popular cybersecurity frameworks such as the NIST SP 800 series or the NIST Cybersecurity Framework (CSF), COBIT (Control Objectives for Information and Related Technologies), and other industry-specific models makes it easier to check the box and go on to the next thing without having to spend more time tracking down evidence.
ASM products like Resolution Intelligence offer precise evidence to satisfy auditors that you’re monitoring specific elements of individual frameworks and mounting an aggressive defense overall. Once again, a lot more goes into preparing for an audit, but anything that can help check boxes in multiple areas — and equip you to focus other efforts like vulnerability management — is a definite plus.
6. You need to justify your security spend
It’s harder to justify spending on prevention than action. If nothing happens for a period of time, is that because you were prepared or because hackers were taking it easy? ASM plays a vital role in preventing incidents from happening and delivering ongoing coverage — and it can provide its own cost justification in several ways.
ASM dashboards should demonstrate a steadily shrinking attack surface. They can show that you’ve got things covered during predictable spikes (such as during holiday shopping seasons), market fluctuations, and event registration. That means fewer opportunities for breaches to happen and greater ability to detect and respond faster if they do. Over time, you can demonstrate that you’re reducing exposure — and work. You can compare results to industry standards for companies like yours and seek out cost metrics for specific, known intrusions.
Resolution Intelligence Cloud maps your security posture to the MITRE ATT&CK® framework so you can identify and remedy detection gaps, in general and in relation to specific, known threat actors, saving you time and preventing threat exposure.
7. You’ve had a serious breach
We saved the worst for last. When you’ve had a serious breach, you’re under the microscope. As incident response (IR) winds down and things inch back to normal, it’s worth the effort to dissect the initial infection or attack vector, and understand why it occurred and how long it existed. Once you understand what happened, you can take steps to prevent a similar breach by limiting your attack surface exposure.
For example, Resolution Intelligence not only finds vulnerabilities in your attack surface exposure, it also identifies risky behaviors that can indicate attacks and ranks each finding by criticality, based on the likelihood of its being used against you. In one real-world scenario, Resolution Intelligence discovered code that had been left exposed in a GitHub repository for nearly two years, with API keys embedded.
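The two questions the post-incident paragraph asks, what was exposed and for how long, are answerable from the repository history itself. The script below is an added example written for this guide; it is not Netenrich code and it is not the repository from the scenario above. It scans file contents for credential-shaped strings (AWS access key IDs, GitHub tokens, and generic high-entropy assignments), replays a commit history oldest-first, and reports for each secret the commit that introduced it, the commit that removed it, and the number of days it sat in the open. The commit history, dates and file contents are constructed in-line; the AWS key is Amazon’s documented placeholder, not a live credential. A real scan would walk `git log -p` or run a tool such as gitleaks.

```python
"""Find credentials committed to a repository and measure how long each was exposed.

Added example; not Netenrich code and not the repository from the page. The
commit history below is constructed in-line (dates, file contents and the
AWS key, which is Amazon's documented placeholder AKIAIOSFODNN7EXAMPLE).
A real scan would walk `git log -p` or run a tool such as gitleaks.
"""
import math
import re
from collections import Counter
from datetime import date

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # assignment of a long opaque value to a key/secret/token-ish name
    "generic_secret": re.compile(
        r"""(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*["']([A-Za-z0-9+/=_\-]{20,})["']"""),
}
MIN_ENTROPY = 3.5  # bits/char; placeholders like "changeme..." fall well below this


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def find_secrets(text):
    """(kind, value) for every credential-looking string in text."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if kind == "generic_secret" and shannon_entropy(value) < MIN_ENTROPY:
                continue
            hits.append((kind, value))
    return hits


def exposure_report(commits, scan_date):
    """Replay commits oldest-first, scanning the tree as it stood after each.

    Each commit lists the full content of the files it touched. A secret is
    exposed from the first commit whose tree contains it until the first commit
    whose tree no longer does, or until scan_date if it is still there."""
    tree, first_seen, removed = {}, {}, {}
    for c in sorted(commits, key=lambda c: c["date"]):
        tree.update(c["files"])
        present = {hit for text in tree.values() for hit in find_secrets(text)}
        for hit in present:
            first_seen.setdefault(hit, c["date"])
        for hit in first_seen:
            if hit not in present and hit not in removed:
                removed[hit] = c["date"]
    return [{
        "kind": kind,
        "value": value[:4] + "..." + value[-4:],  # never echo the whole credential
        "first_seen": first_seen[(kind, value)],
        "removed": removed.get((kind, value)),
        "exposed_days": ((removed.get((kind, value)) or scan_date) - first_seen[(kind, value)]).days,
    } for kind, value in sorted(first_seen, key=first_seen.get)]


# Constructed history: a key hard-coded, an AWS key added later, both moved to
# environment variables about two years after the first one landed.
COMMITS = [
    {"date": date(2021, 3, 2),
     "files": {"config.py": 'API_KEY = "q7Rt9pL2mX4vB8nZ1kW3yH65"\n'}},
    {"date": date(2021, 9, 14),
     "files": {"deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"}},
    {"date": date(2023, 1, 20),
     "files": {"config.py": 'import os\nAPI_KEY = os.environ["API_KEY"]\n',
               "deploy.sh": ': "${AWS_ACCESS_KEY_ID:?set by CI}"\n'}},
]
SCAN_DATE = date(2023, 6, 1)


def demo():
    return exposure_report(COMMITS, SCAN_DATE)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Two things the output teaches that the paragraph alone does not: removing a secret from the tree ends its exposure window only for the purpose of this report, because the value is still in history and must be rotated regardless; and the entropy threshold is what keeps the generic pattern usable, since without it every `token = "changeme..."` placeholder becomes a finding. The report deliberately masks the credential value so the findings can be pasted into a ticket without re-exposing it.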
The aftermath of a breach is an obvious time to re-assess how to avoid future breaches. If you don’t have continuous external risk assessment in place, this is the perfect time to make the case for adding ASM to your security best practices.
The continuous nature of ASM represents a major step in becoming more predictive and proactive, ultimately saving time and money – and reducing the impact of future breaches.
8. Bonus!
When should you attack your attack surface? Now.
Hackers need only to find one attack vector one time to take you down. ASM should happen continuously because your attack surface changes on a continuous basis, often without you realizing it.
Any business event that involves monitoring for continuity should include a comprehensive cybersecurity assessment featuring attack surface management. Done right, ASM gets smarter over time. Moreover, it eliminates manual processes that can prevent essential investigations from taking place, and it avoids wasted or duplicated efforts.
Schedule a secure operations assessment with a Netenrich security expert to learn how Resolution Intelligence Cloud helps you manage your attack surface and minimize your cybersecurity risk exposure.