The early warnings came fast and furiously over every possible media outlet covering the recent conflict in Ukraine: Russia was aggressively stepping up its cyberattacks in a colossal effort to preemptively disrupt cloud services throughout its soon-to-be embattled neighbor.
Shortly after, hacktivists and threat actors alike began a series of glittering maneuvers to showcase significant attack vectors aimed at crippling similar critical infrastructure across the aisle. Festooned with a newfound purpose, state-sponsored collectives took particular advantage of poor cyber hygiene found in government sites by unleashing multiple waves of website defacements and data-wiping malware, as well as renewed phishing campaigns targeting one of the bedrocks of remote communications—the user identity space.
With no definitive detente insight, the potential for an abrasive spillover of these conditions into the corporate ecosystem is just a matter of time.
Walking a tightrope
In a previous article, where we introduced the notion of Attack Surface Intelligence (ASI) as a preventive mechanism, we reaffirmed the importance of having adequate visibility over all public-facing assets to effectively guide monitoring operations and keep malicious actors at bay. Anyone interested in learning how this concept recently entered the canon will only need to look at some of the buzzwords or references commonly associated with it—continuous monitoring, risk prioritization, fast vulnerability remediation, proactive analysis and detection, brand exposure; in short, ASI helps security practitioners expose certain areas of the network having questionable oversight to ensure that access (authorized or not) to those critical systems does not go unchecked.
So, if your organization is still fumbling with the idea of incorporating an ASI solution into its cyber corpus, we’re here to remind you that they are walking a delicate tightrope. By now, there should be little disagreement about the fact that cloud computing threats, and similar ones, are on the rise, with the war in Ukraine highlighting and exacerbating some of the worst trends. For example, attacks on remote desktop services now account for 30 percent of known targeted network threats. Vaunted malware groups are also notoriously visible these days, often taking advantage of infrastructure such as weak subsidiary networks and staging environments, unbeknownst to security teams, to deploy an extravaganza of both novel and aging techniques.
Consequently, phishing and other social engineering attacks continue to exhibit significant growth as the hybrid workplace struggles to come to terms with an evolving tapestry of BYO[X] (add your own X here) devices. The result? For instance, a growing number of users are being targeted for the existence of cloud service accounts linked to their profile, which can severely increase the likelihood of a damaging incident should a single phishing attempt succeed.
A call to action
The early stages of any journey are always filled with a certain level of indecisiveness. Adding to that are the typical impositions and attenuating conditions dictated by any underlying circumstances. Thus, an important budding scenario is to imagine that once we’ve understood and covered the basics, any ambiguities can be further distilled or altogether eliminated if need be. Arguably, this is what takes place when corporate leaders and organizations are tasked with arriving at a strong security posture.
In an unprecedented spirit of heightened awareness, CISA has recently formulated a series of clinical measures and recommendations designed to target cyber risk in a checklist-type approach to ensure that critical systems and applications are given more attention than usual. Topping this list is having an accurate representation, or mapping, of any internet-facing assets bolstered by a process of continuous discovery and identification well beyond the vulnerability landscape—this includes:
- Open ports and protocols
- Domains, mergers, and acquisitions
- TLS certificates
- Hosting platforms, code repositories, and data APIs
- Third-party services and applications
- Shadow IT services
- Cloud and software misconfigurations
This idea of collectively discovering, mapping, evaluating, and (preferably) scoring an organization’s internet-facing digital presence is not new. In fact, companies have been doing so quite extensively over the last few years with some degree of success—meanwhile, key challenges remain in areas where endpoint data sourcing is either incomplete, inaccurate, or altogether inaccessible.
The road to sanity
As mentioned, the value of frameworks like ASI over more traditional vulnerability-seeking software comes from its ability to provide continuous coverage of risky areas and exposures at scale, giving stakeholders and other decision-makers an opportunity to carefully align monitoring resources with increasingly complex network conditions.
Similarly, our very own SecurityTrails’ Attack Surface Intelligence features essential capabilities such as asset inventory and management, adjusting to the demands placed on security teams who are constantly seeking to remediate any gaps in coverage. In addition, ASI can be an excellent tool in the hands of proactive C-level executives looking to sort out investment requirements and opportunities gleaned from a contextualized mixture of Attack Surface Management (ASM) and threat intelligence sources.
Lastly, our ASI’s modular nature can accommodate a host of new integrations (e.g., alerting) and improvements without any intervention from a user’s perspective. A driving example of this sort of transparency is represented by our latest Risk Rules module—a major step in an attempt to link hosts with any correspondent CVEs under a single interface, while providing actionable metrics based on risk classification without the noisy backdrop.
Ideally, once an organization has completed the asset discovery process, it’s time to look at any items that require immediate action; this can easily be done from the Issues tab, where you’ll be able to see the top risks. On the right tab, you’ll find the Hosts table, where you can visualize all risks filtered by High, Moderate, and Informational scores. This is extremely useful when creating a ‘whole picture’ of your digital assets and the risks that may be affecting them.
This is exactly the type of data that helps analysts progress from asset discovery to risk mitigation. In other words, by understanding what the relevant threats are and what an accurate digital footprint looks like, security teams can quickly prioritize any remediating steps.
Summing it up
Software and hardware vulnerabilities permeate cyberspace; there’s just no way around it. In principle, however, aside from the human factor, much of the harm that results from a data breach can be traced back to a lack of proper visibility across corporate boundaries.
ASI has the potential to disrupt the old paradigm of looking at the public IP space as a single, monolithic structure with point-in-time restrictions. We’re talking about a new way of subjecting the external attack surface to rigorous monitoring using contextualized risk events and threat intelligence to have a meaningful impact on security operations.