Seven Times To Attack Your Attack Surface In 2021 - Netenrich
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
1 Seven Times To Attack Your Attack Surface In 2021
2
Managing cybersecurity is like Attack surface management (ASM) checks
staying in shape. There are endless all of these boxes and could well become
the next keto of cybersecurity—something
things we could do, lots of things we
everyone tries because they keep hearing
should do, and for most of us, a core about it, and many adopt long-term
set of things we end up doing on a because it works as advertised.
routine basis.
This book will explore ideal opportunities
The worldwide focus for businesses to try ASM in 2021 if you haven’t already.
in 2021 will be getting back in shape Try it anytime your team or company:
with massive investments in IT and
cybersecurity. As with fitness, we welcome Launches or promotes cloud- or SaaS-
new shortcuts—better, smarter, faster based services
ways of getting the results we want—and Merges or acquires another company
there’s no shortage of fads, ads, or expert
opinions. Finds or suspects Shadow IT
So, what new techniques and tactics Assesses third-party risk
should make the cut? Security
Prepares for a cyber audit
professionals must choose wisely.
Justifies your security spend
What’s realistic, practical, and doable
on a regular basis? Incurs serious breaches
What solutions and strategies meet You’ll see in detail what ASM brings to the
our needs right now and set us up for table that other weapons in your arsenal
the future? may not and how you can try it risk-free.
But first a quick intro.
Which deliver the greatest bang for the
buck on investments in tools, training,
and our most precious resource of
all—time?
3
What is Attack Surface Management?
Think of your digital footprint as suffer mishaps. ASM involves discovering,
a fast-moving, ever-changing assessing, prioritizing, and mitigating cyber
risk—on a continuous basis—across critical
target. The more publicly accessible
areas that lead to most breaches:
infrastructure or external-facing digital
assets you have, the bigger and more Brand exposure from domains, sub-
attractive the target becomes. domains, leaked credentials, and on
cloud storage or public code repos
Some elements in your digital attack Vulnerabilities, with a focus on risk to
surface—your company’s website for your company versus criticality only for
example—need to be right where they are, patch prioritization
with the proper security controls in place.
Others, like old domains, publicly exposed Misconfigurations that are difficult to
code repo, and other by-products of digital find any other way
transformation should not be where they are
and need to be cleaned up post-haste. Risks uncovered during discovery should be
correlated with real-time threat intelligence
Keeping your digital attack surface in for prioritization and metrics established to
good shape takes constant vigilance to let experts track progress.
make sure you find and fix risks before you
Netenrich’s ASI dashboard shows current risks, criticality, trends, and an overall exposure rating
at a glance for easy drill-down exploration.
4
Less risk with less effort “But why do I need another
Making it easy to visualize external risk tool?”
exposure and severity in one place increases
Chances are you already conduct pen testing
the odds that the team can act quickly to close
and vulnerability scans on a somewhat regular
out the most serious things fast, and chip
basis, and that’s a great start. You may also
away at the rest as time allows. To this end,
engage providers or dedicate analysts to run
attack surface discovery must be automated,
red, blue, or purple team exercises.
always-on, and near-real-time.
But efforts to mitigate external risk can’t stop
Advanced ASM solutions like Attack Surface
there. ASM offers a critical advantage versus
Intelligence (ASI) from Netenrich focus on
other strategies in that coverage is non-
actionability, with automated threat correlation
stop so nothing slips past you. You cannot
and prioritization, and expert intelligence from
manage dynamic risk by assessing it at one
our Intelligent Security Operations Center
point any more than you could build muscle by
(SOC) to help contextualize and propose
working out once a month.
remediation strategies.
ASM offers a singular combination of
actionable data and continuous coverage that
Integrated threat intelligence needs to become part of the routine, without
delivers rich context to prioritize creating more work and stress for those
involved. ASM also offers additional insights
and resolve risk faster. on risk that likely gets missed during most pen
test engagements.
So, let’s take a quick look at the best times to
get started, times when you save save time
and effort while making security stronger.
5
1. Anytime you say the word “cloud”
It’s no secret that migrating apps and services Securing services
from physical systems to the cloud brings
risk. Security faces two major stumbling ASM targets the major hazards of cloud
blocks—loss or lack of visibility, and the migration such as services becoming exposed
dynamic nature of everything cloud. For as hosted cloud infrastructures spin virtual
example, Engineering or DevOps teams may machines (VMs) up and down. This happens
spin up machines in the cloud without thinking as VMs that serve a single purpose at some
through the potential security implications or point are left running when they’re no longer
making IT aware of new cloud instances. needed. Multi-cloud environments add to the
chaos as a large SaaS provider might operate
90 machines in Google Cloud one day, see
that spike to 110 the next day, and drop back
Cyber events like annual sales down to 80 the day after that.
require servers to scale up fast ASM also finds critical risks that may
to dramatically increase capacity. arise simply from services being left
unauthenticated, often due to simple
In the absence of impeccable misconfigurations. In one real-world situation,
digital hygiene among both Netenrich’s ASI discovered a company’s
open source automation server had become
clients and providers, these exposed leaving the Engineering team’s CI/CD
dramatic fluctuations can add pipeline at risk outside the organization.
sizeable risk. With large segments of the population
working remotely, users might move
things to the cloud to make it easy for
others on their team to check them out.
This might mean exposing public cloud
Continuous attack surface monitoring infrastructure without implementing
helps you stay on top of exposed or the proper controls, and without anyone
unauthenticated services and publicly knowing about it. An attacker targeting
exposed storage, even if one or more of your your company could come across these
cloud providers has gaps. ASM helps steadily oversights and start working backwards
improve best practices, and lets you see what to map your infrastructure to see what’s
matters as soon as it changes. unauthenticated, and what they can reach.
6 ASI detects publicly accessible unauthenticated services within 24 hours. Without an automated heads-up, finding these misconfigurations as they occur is virtually impossible at worst, and daunting and time-consuming at best. DevOps and CI/CD New software releases might result in code being left exposed in public repositories. Proper attack surface management would flag this within 24 hours and take IT professionals from at- risk to taking action in a few easy clicks. Within ASI, Brand Exposure is summarized with criticality indicated by color. In this example, Code Repository Check is shown in red making this a top priority. Clicking on the summary shows the two critical risks as indicated by the red bar.
7 Selecting the alert with critical severity brings up context, showing that the exposure has existed since November of the previous year. ASI points to the page which has the exposure to review and take action—all in seconds or minutes.
8
Without ASM, the DIY alternative to finding
such risks would be searching on your brand
name in Github and other code repositories “The second you say you’re a
and sifting through the results manually.
SaaS platform, people start
And while the process is tedious for the bad
guys too, if they’re intent on sizing up your asking questions about security.
attack surface, they may very well find such They want to know how we store
exposures before you do.
and transfer data, what types of
Conducting pen tests every few months compliance practices we follow,
doesn’t cut it. IT needs to know the moment
anyone uploads something to a public- how often we do vulnerability
facing repository that inadvertently puts the assessments. I would say security
company at risk.
is the one of the most important
factors in deciding to use our
Customer confidence services.”
According to OpsRamp, a Netenrich partner Viswanatha Penmetsa
and ASI customer, “The second you say Director of SaaS Operations at OpsRamp.
you’re a SaaS provider, customers start
asking about security.” If your company
operates monetized services in the cloud,
You may have a multi-faceted strategy that
you too face the added challenge of making
includes maintaining secure code practices,
customers comfortable with it. developing detailed strategies for hardening
techniques and methodologies. Even so, ASM
If an adversary hacks into your customer
can add great value in dynamically testing
portal, the potential exists for them to
security controls.
access customer data, or leverage web
applications hosted on servers inside As a provider, the goal should be to increase
your cloud infrastructure to compromise security earlier in the migration or DevOps
assets. Intentional misconfigurations lifecycle and throughout the coding process.
might also be employed to infect All releases should be gated by a security
customers as they access the portal with review. Since this doesn’t always happen, ASM
malicious code that can be traced back to offers an easy, always-on safeguard to help
you. Clearly, a loyalty killer. keep you current, and in control.
As you migrate services to the cloud, And when you’re on the other side of the
ASM helps ensure assets and your digital equation—the customer side—using third-
footprint do not unknowingly become party services to handle critical business
exposed without the appropriate security functions such as Human Resources (HR),
controls being put in place. ASI quickly payroll, or benefits, you should ask potential
uncovers risk associated with customer providers about security certifications
portals, servers, network connections, and and best practices before unlocking your
applications exposed in the cloud. employee or customer data.
9
2. Mergers and acquisitions (M&As)
More often than not, a bigger The would-be acquired company might
company acquires a smaller one say, and may even believe that they’re
watching things 24X7 but does that mean
with less mature cybersecurity
all things?If you run their domain through a
defenses and best practices. When security rating service and they score low,
IT gets brought in early, like during what can be done about it?
due diligence or before anything
ASM helps assess the target company’s
gets announced, the security
overall security posture and find major
team can assess potential risks gaps in defenses quickly. That’s best-case
of integrating systems and better scenario.
gauge the time and effort needed to
More often than not, IT does not get
do it safely.
brought in early, and when it does,
Finding serious risk won’t generally affect development and network infrastructure
the decision to move forward with the teams get connected before security
acquisition. It can, however, help inform professionals. If IT gets handed a
negotiations around upfront costs and alert mess after an acquisition has been
CIOs and CTOs to unknown or undisclosed publicly announced, automating and
breaches that represent brand risk. operationalizing insight around external
brand risk using ASI speeds the cyber due
diligence.
10
ASM helps rank critical exposures to focus Merging security itself
and fast-track initial clean-up campaigns.
Analysts get a running start by simply ASM is one of several important tools
plugging in and validating the security for making sure the acquired company’s
posture of the new entity and rooting out assets and processes don’t introduce risk,
the nasty surprises. or work, into the acquirer’s incumbent
environment.
You need to know what’s out there that can
hurt you, how much it can hurt you, and For example, merging e-mail systems
how—and how fast—you can fix it. Attack and calendaring functions, simple as this
surface discovery offers actionable insight sounds, plays a huge role in determining
with sound indications of where to go next. whether users perceive the integration as
First, you can see what the other company a well-managed process. A lot goes into
might be missing, or that issues have this, but from a hygiene perspective, having
persisted well beyond the normal time to automated ASM can turn up breached
remediate, potentially indicating they may e-mail IDs and show whether specific
have already suffered a breach without usernames and passwords have already
having realized it. been compromised---an easy thing to clean
up before you move on to more complex
Once you get a baseline, efforts to aspects.
integrate disparate security teams,
assuming the acquired company has
one, and infrastructures can unfold more
quickly.11
You might also look at typo-squatted domains, which tend to get overlooked. Attack surface
discovery will show instantly whether domains that look like the acquired company’s public
sites exist, who they’re registered to, and whether the sites are actually active.
If you find someone mimicking
your brand, you might want to
drill down a bit to see what risk
rules got triggered during ASI
discovery. A quick correlation with
threat intelligence drives valuable
context around whether the IP a
domain is resolving to is known
to be associated with malicious
activity and should be tackled
first.12
Content Management
Systems (CMSes)
Misconfigurations relating to content
management systems occur frequently,
and one or both companies may already
have safeguards in place for this. Either
way, attack surface discovery offers a
near-real-time status check showing
when, where, how many, and how critical
exposure relating to CMSes is right now,
within a matter of clicks. Even if e-mail addresses, domains, CMSes
and other assets associated with acquired
ASI’s automated correlation with threat companies go away, IT needs to know the
intelligence shows whether known likelihood that systems have already been
vulnerabilities associated with a particular breached or data compromised. ASM can
system might indicate nefarious activity. help.13
The partner can take on detection, triage,
Or you can skip and response throughout the transition
the whole thing or on a long-term, even permanent basis.
Easily adopted solutions like Netenrich’s
Baselining risk is one early step in merging Intelligent SOC extend visibility, intelligence,
two disparate security practices. Integration expertise, and comprehensive capabilities
also means getting VPNs set up, deploying to the new environment quickly—with
sensors, training one or both teams on new minimal lift required by the parent
technologies that will remain in place in the company’s own team.
hybrid environment, and much, much more.
Ideally, the provider would help manage
If the acquired company’s practice is both threat detection and risk mitigation
not on par with that of the new parent holistically to further streamline the
company and can’t get there anytime soon, process.
outsourcing instead of integrating offers
a viable strategic alternative. Some or Whether you decide to onboard or merge
all of the company’s SOC efforts can be another company’s security infrastructure
transitioned to a managed security service with your own over a period of months, or
(MSSP) or SOC-as-a-Service partner much continue to operate it separately, team leads
faster than you could bring them up to can be assured that the bases stay covered,
code. even as skills and tribal knowledge exit the
playing field.
Exposures,
Threats Opportunities
Intelligent SOC
Resident malware Brand exposure
Ransomware Code exposure
Phishing Vulnerabilities, internal + external
Exfiltration Certificates
Bots Domain risks
User-based Misconfigurations
Saas External infrastructure
Cloud exposure
Third party
A modern Intelligent SOC features managed threat detection and attack surface management
to proactively address security posture. Integrated threat and attack surface intelligence helps
close down exposures that usher in threats down the road. An Intelligent SOC features real-
time discovery, contextualization, prioritization, and L1 triage while reining in brand exposure to
reduce alerts and prevent future incidents.14
3. Shining the light on shadow IT
It’s taxing enough to worry about Securing the servers is Amazon’s
threats lurking outside your company responsibility. Configuring and
without losing sleep over risks created safeguarding the S3 buckets is
within. But more and more, Shadow IT
the responsibility of the bucket
puts security at equal or greater risk
than phishing attacks and other tried-
owner. And that seems to be
and-true campaigns. where things go wrong.
New online presence, for example, might
The S3 buckets come with strong
get created by anyone seeking a shortcut security out of the box. But the
or workaround for time-consuming IT owners end up misconfiguring the
procedures. Obviously, that happened a lot
in 2020. buckets, leaving their IP addresses
wide open on the web for anyone
Your Marketing team or one of its agencies
may have hosted web-based events or
to sniff out, using tools readily
content that did not pose much of a threat available on code repository sites.
in and of themselves. But someone might
forget to renew a domain name only to FairInstitute.org
have an adversary hijack the URL for use in
a phishing campaign.
Odds are good that anything created on
the fly without IT’s knowledge has not
undergone scrutiny for compliance, routine
updates, branding, copyrighting, etc. So,
if external digital exposure got created or
left behind by someone circumventing IT,
your Security team never knew to monitor
that presence for threats, vulnerabilities, or
other digital exposure.15
This is not to say that shadow IT only In 2020, protocols likely became compromised
gets created by the likes of Sales and by employees working from home creating
Marketing. Cloud storage processes, IP external access to remote into the office and
addresses, and services all may contribute inadvertently leaving SSH remote access
to the problem at one time or another. protocols exposed. Once you find IPs you
didn’t know belonged to you, or that were once
Continuous ASI discovery uncovers legitimate but should since have been shut
external digital risk from Shadow IT as it down, risk can be quickly eliminated.
appears. The most likely vectors include:
Exposed cloud services. As detailed
IP addresses you didn’t know were earlier, shadow IT would also include assets
associated with your brand, are part of exposed in hosted cloud services of which
a block you don’t know about, or are IT is unaware. For example, IT might migrate
hosted by providers not sanctioned by everything to Amazon Web Services (AWS)
central IT departments. For example, a and ASI discovers assets in Azure.
company might officially host corporate
infrastructure with Verizon and discover ASI keeps a constant watch over your cloud
through ASM that a bunch of IPs hosted by footprint, flagging anomalies like public-
other providers are affiliated publically with facing Amazon S3 buckets within the Brand
the organization. Exposure category.
4. Sizing up third-party risk
Third-party cyber risk overshadowed some The attack on the Solar Winds ecosystem
pretty hot topics toward the end of 2020 got us thinking about what can and should
proving once again what you don’t know can happen in the wake of a similar disaster. As
hurt you. This challenge may be the classic unwitting victims by association, we’re asking
use case for ASM in that, while you cannot what we can rightly (and legally) expect to
control everything that happens on the public pursue or demand. As cyber citizens seeking
Internet, you must continually seek it out, to reassure and protect our own partners and
monitor, and address your risk in relation to customers, what proof can we provide that
it. we’re doing all we can?16
These seemingly simple questions have ASM vs. security ratings
complex implications. While no direct liability
may exist for glitches in another company’s Chances are one or both companies
defenses, the goal of minimizing third-party subscribe to a cybersecurity ratings service.
risk clearly merits an all-out, anything- These scores reflect an organization’s overall
and-everything strategy. Including your reputation as a safe company to do business
vendors, partners, and other affiliates in your with and rank its performance versus
strategies and best practices helps instill competitors or companies in the same
confidence while strengthening your overall industry.
cyber risk posture.
Insight into peer ratings provides value
If you suspect you’re going to be the focus in baselining third-party risk from IP
of a third-party risk assessment, a deep dive addresses and vulnerabilities, but does
with ASI helps clean up the high-end critical not offer deep technical insight into other
exposures that can be used and held against aspects of digital risk. For example, those
you. Perception-wise, adding ASI and security associated with cloud and web application
ratings to regular certifications, pen testing, exposures described above. Nor can rating
and SOC2 reports shows stakeholders you’re services trace specific IPs of interest to a
taking a comprehensive and innovative particular provider without building technical
approach to visualizing and shrink potential integrations to the other party’s systems.
exposure day-in, day-out.
Conversely, ASM lets you see the source of
risk from a particular service and quickly drill
Simply highlighting down to see what’s at risk, and how to fix it.
Having done the hard work of integrating to
any and all exposed domains Google Cloud Platform (GCP), Azure, AWS,
and IPs, exposed services and other leading public infrastructures,
Netenrich ASI offers quick context that
and whether they’re fully speeds resolution.
authenticated offers
In general, ASM complements ratings with
a solid start. actionability as you delve into things like
phishing, typo squatting, and unauthenticated
services, some of which are not reflected in
risk ratings.17
5. Getting ready for cyber audits
Show of hands:
Who likes the word “audit”? Right. Are you patching external systems? ASI
shows that you are. Do you have services
And while we do our best to avoid them in exposed publicly? ASI can show you do not
life, they’re an inevitable reckoning point or that you’re monitoring for them and can
in doing business. As with third-party skip that step.
risk, ASM can streamline and fast-track
the process by arming you with proof of Solutions like Netenrich’s ASI offer
coverage. precise evidence to satisfy auditors that
you’re monitoring specific elements of
Mapping items covered by ASM discovery individual frameworks and mounting an
to specific controls listed in popular aggressive defense overall. Once again,
cybersecurity frameworks such as NIST a lot more goes into preparing for an
800 or CSF, COBIT (Control Objectives for audit, but anything that can help check
Information and Related Technologies) boxes in multiple areas—and equip you
and other industry-specific models makes to focus other efforts like vulnerability
it easier to check the box and go on to the management—is a definite plus.
next thing without having to provide more
detailed evidence.18
6. Justifying your security spend
Like that gym membership fee that
hits your account on the first of the
month, IT tends to be a “What have
you done for me lately” proposition,
with one nasty difference. When it
works, nothing happens, and nobody
notices.
When even one little thing slips by you,
avoidable or not, havoc ensues, and
everyone hears about it. Making headlines
leads to making heads roll as the whole
effort gets deemed a failure.
ASM plays an increasingly vital role in
preventing that from happening, delivering
fast, ongoing coverage and investment
value. ASI dashboards afford you an easy
way to show a steadily shrinking attack
surface, or that you’ve got things covered
during predictable spikes around things like
holiday shopping, market fluctuations, and
event registration.
Moreover, you can literally demonstrate
that you’re eliminating exposure—and
work—as time goes on to avoid risk in the
first place. Though harder to quantify than
saving experts time, lessening your appeal
ASI sifts through and correlates alerts to close false positives
and present users with only real risk that warrants attention,
as a cyber target is a powerful factor in
along with strategies for attending to it. assessing ROI on any investment.19
Higher value from existing
defenses
Who among us has never let a forty-dollar hackers to size up your infrastructure for
ab roller gather dust in the corner? ASI attack?
complements and replaces other, more
expensive tools you already own but might While complementing pen tests and
not be fully leveraging. multi-colored attack team exercises as
discussed above, ASM can also help
For example, if you engage digital bounty narrow the scope or focus to speed and
hunters to discover potential bugs related increase ROI on those investments as well.
to known exploits and vulnerabilities, And if you can’t afford to do it all, ASM
you might expect to pay $10K to $20K may well represent the biggest time saver
for just one discovery. ASI automatically and broadest scope of discovery—in other
finds a whole bunch, and keeps doing so words, the greatest value—in reducing
continuously, often at a fraction of the cost. external risk exposure.
So, why invite (much less pay) even friendly
7. You just got breached
We saved the worst for last here, but at the
end of the day, this is what it’s all about.
Everything comes under the microscope
in the wake of a breach. As incident
response (IR) winds down and things inch
back to normal, it’s well worth the effort
to dissect the initial infection or attack
vector, and why and how long it existed.
Once you understand what happened, you
can take steps to keep the same exposure
from putting you at risk again.
Most attacks succeed because a public-
facing asset opportunistically gets
compromised. ASM tackles this head-on.
If you got hacked through some external
exposure you didn’t know you had, what
better time to do a fast yet thorough search20
for others and start closing doors? Aside from dealing with the low-hanging
fruit, the aftermath of a breach is an
Actionable ASM discovery not only finds obvious time to reassess normal. If
risk but ranks it in terms of criticality you don’t have continuous external risk
based on the likelihood of it being used assessment in place, this may be the
against you. In one real-world scenario, perfect time to make the case for adding
ASI discovered code that had been left ASM and other high-value, low-overhead
exposed in a Github repository for nearly techniques to your SOC best practices.
two years, with API keys embedded.
Finding something that specific is a bit The continuous nature
like finding a needle in a haystack from an
adversary’s point of view, but it happens. of ASM represents a major step
The fact that code remained exposed for in becoming more predictive and
so long is a good indication that someone
proactive, which is always front-
may have already chanced upon it and
begun capitalizing. and-center on the heels of a nasty
breach.
8. [Bonus] The cruel reality of cybersecurity lives on.
You need to see and secure everything all
It’s tomorrow
of the time because hackers need only
find one attack vector, one time, to take
you down. As shown throughout this book,
ASM needs to happen on a continuous
basis because your attack surface changes
on a continuous basis, often without you
realizing it.
When should you attack your At the end of the day, Netenrich’s ASI and
attack surface? Right now, Intelligent SOC offer a structured means
of becoming better and better—instead
tomorrow, and every day from
of more and more exposed—as things
now on. Just like exercise. change.21
The smart way
forward, and how to
head out. For free.
To sum up the potential use cases
described above, attack surface
monitoring should be done anytime your
organization:
Rolls out new infrastructure or migrates
apps and services to the cloud
Merges or integrates another company’s
systems with your own
Anticipates major spikes or deviations in ASI + Intelligent SOC =
volumes and utilization Less risk with less effort
Any business event that involves monitoring The more complex your security
for continuity should include a comprehensive operations become, the more
cybersecurity assessment featuring attack specialized tools (that don’t
surface management. Done right, ASM gets talk to each other) and types
smarter with each passing day, and every of intelligence you have to
risk vector resolved. Moreover, it eliminates manage. The real value of
manual processes preventing essential these investments comes from
investigations from taking place and avoids operationalizing the data and
wasted or duplicated efforts. insights to speed response, which
no one has time to do.
Every new workout craze or fitness innovation
has an infomercial that ends with a risk free Netenrich Resolution Intelligence
offer, so why not see the analogy through delivers the automation, context,
to the end? For a limited time, Netenrich is and expertise needed to flip the
offering free trials of ASI on its own or as part equation. Our Intelligent SOC, ASI,
of Intelligent SOC. and global threat intelligence are
all integrated to deliver actionable
data that promotes resolution
within minutes.22
Learn more and start seeing results within
days. For real.
www.netenrich.com/try-asi
Oh, and did we mention it’s continuous?You can also read
