SecurityTrails Blog · Mar 22 · by Gianni Perez

Staying Ahead of Malicious Intent Using Attack Surface Intelligence

Reading time: 5 minutes
Listen to this article

Last year's Verizon Data Breach Investigations Report remained largely commensurate with preceding ones that implicitly argued in favor of adapting sound attack surface intelligence initiatives to curb the steady growth of cybercrime.

Needless to say, this pursuit is anything but trivial; easier said than done, others would say. In building complex digital infrastructure, where the frequent mode du jour entails the debilitating choice of technology accretion overcareful system design, the incumbencies derived from such an undisciplined architectural layering are all too obvious: a systemic increase of risk in all its derivatives, data mishandling resulting in opportunistic gains from an attacker's perspective, and misplaced defensive mechanisms that burden security teams beyond measure.

Moreover, identifying malicious intent on the part of threat actors categorically implies the incremental discovery of discrete attack vectors from all sides of cyber defense. For example, are there any specific external-facing endpoints or cloud services coming under constant scrutiny from unknown sources, and, if they are, have all obligations been met to ensure the proper monitoring and protection of those assets? Conceptually, it follows that the sum of all these data paths constitutes the vulnerability space that any pragmatic attacker is likely to target first.

Challenges in detecting malicious intent in IT infrastructure

As cloud computing implementation continues to expand, so too must our collective pursuit of adaptive security measures. And there isn't a lack of variety when it comes to identifying any potential challenges in this area.

Architecturally speaking, for instance, the ecosystem's rapid expansion is known to drastically exacerbate zones of unidentified exposure as speed and productivity take precedence in the race for competitive advantage—a proven, warning indicator of risky behavior backed by an entire lineage of past and recent corporate data breaches. Similar models suggest that software-defined resources suffer from a critical subset of these conditions as SaaS becomes the predominant player across organizations.

Hewing closely to this understanding that the cloud inherently exhibits complex behavior, however, it is often trivial to identify patterns that may lead to unintended consequences. Ironically, many companies are still choosing the reactive approach to security despite a mounting amount of evidence suggesting that miscreants are not only getting craftier at targeting specific technologies, but they are doing so in a quicksilver fashion with the help of open-source proofs of concept and automation. There is also the misplaced assertion that asset inventory platforms and vulnerability scanners are able to tell the whole story while, in reality, they can leave important visibility gaps or even askew some results.

Finally, we have the rapid evolution of containerized (cloud-native) services, orchestration, and serverless functionality for which traditional security controls have proven fairly inadequate. This is due in great part to the arbitrary rate of change that these systems can experience throughout their lifetime and the lack of real-time visibility offered by most specialized tools.

How ASI helps correlate malicious intent

To continuously measure and monitor these digital assets in a manner that correctly aligns with any established security posture, organizations must commit to incorporating new levels of detection as the attack surface contracts and expands—this is collectively known as Attack Surface Intelligence. Again, the goal is to arrive at a risk profile that takes into account the constantly moving landscape of cloud-native applications using meaningful indicators.

Reducing the expanse that separates security practitioners from proactively protecting critical infrastructure entails round-the-clock visibility and monitoring. A one-sided approach here is to look at the vulnerability space in a symmetric fashion, allowing any pertinent metrics to dictate the course of action as far as remediation is concerned. Attack surface intelligence (ASI) and management (ASM) capabilities, however, allow us to combine a sustained influx of extended visibility data with the ability to triage any potential exposures that may (particularly) appeal to attackers.

Similar scenarios can be applied to alerting: the cornerstone of every defensive security effort so frequently misinterpreted as an early warning discipline. Monitoring with the help of ASM, however, can quickly turn the tables on the lack of proper endpoint visibility that makes detection development difficult, if not impossible.

A case in point is SecurityTrails' recently-launched Risk Rules feature which allows any organization to detect vulnerabilities, service misconfigurations, and similar relevant threats over all IT assets. Are there any public-facing resources suspected to be at risk from a particular exploit? With the help of guiding ASI features such as Risk Rules, security teams can steer alerting capabilities towards those resources to dynamically enhance the detection domain by coupling in-scope vulnerabilities with proactive monitoring.

Risk-Rules feature

Misconfigured services and software are also at the top of the list. Whether it's an open port unintendedly advertised or some discrete software component misconfigured to allow out-of-the-box functionality (for example, databases listening on public IPs), or even shadow IT deployments, ASI is representative of the sort of correlation required to pair changes to digital infrastructure over time with the sophistication of evolving new threats.

Misconfigured services and software

Consequently, open ports can be easily detected thanks to our proprietary passive technology that guarantees that these not only remain visible but continuously monitored.

Open ports detection

In summary

In this article, we've attempted to uncover the importance of ASM platforms as they extend the threat assessment domain to include the signaling of malicious activity in a concerted effort to preemptively contain threat actors. In contrast to this emerging paradigm, we briefly mentioned traditional approaches to perimeter security while highlighting some of the key deficiencies posed by inadequate visibility into critical devices and applications.

In short, ASM recognizes the need for a foundational strategy that can effortlessly share target telemetry with log and vulnerability management entities, adventitiously speeding up the path to remediation and containment in the case of a security incident. Armed with all these capabilities, security practitioners can decisively wend their way towards a more contextualized risk elimination plateau by depriving attackers of easy entry points into the organization.

Gianni Perez Blog Author

Gianni is a technical writer at SecurityTrails and adjunct college cybersecurity instructor with over two decades of infosec experience. He knows firsthand the demands security professionals face, and draws upon his knowledge of IT systems - from administration and software dev, as well as automation, to provide valuable security insights that make a real difference.

Subscribe to the SecurityTrails newsletter
Sign up for our newsletter today!

Get the best cybersec research, news, tools,
and interviews with industry leaders