By Rob Gurzeev, CEO and Co-Founder of CyCognito
Cybersecurity risk grows in the darkness. This statement has never been truer than it is today.
As businesses deal with the explosive growth of cloud applications and services on their networks and an ever-expanding number of partners, the attack surface they have to protect is growing as well, and most of it is growing outside the sight of IT teams. That creates a situation ripe for attackers, who typically pursue the high-value targets that are easiest to compromise: the paths of least resistance.
This lack of visibility into digital assets creates what is known as "shadow risk": the threat posed by security blind spots that leave assets exposed to attackers. According to CyCognito's estimates, many organizations are typically aware of only 30% of their true attack surface, leaving the other 70% potentially unguarded. For today's enterprises, attack surface management does not just mean monitoring the devices, applications, and services within their own IT environment, but also the closely related assets that connect to their business yet are owned and managed by others.
Every organization has shadow risk. Sometimes it remains hidden, and other times attackers find it and exploit it. One example of the latter occurred in July 2019, when it was discovered that an attacker had exploited a web application firewall misconfiguration and gained access to Capital One's Amazon Web Services (AWS) environment. As a result of the breach, the threat actor accessed a mountain of data, including information from credit card applications. The company only discovered the breach after a member of the public contacted them and reported that a GitHub user had made a post about the attack. The intent here isn't to single out Capital One. Rather, it's to note that scenarios like this are likely to be the new normal unless organizations get better at exposing and eliminating their shadow risk.
Think Like an Attacker - The Path of Least Resistance
Again, for attackers, these security gaps are a boon. An intruder is most likely to choose the attack vector that provides the easiest road to compromise. From a strategic standpoint, attackers will first gravitate towards easily discoverable systems exposed on the Internet to gain a foothold in an environment. For this reason, assets that an IT organization doesn't manage, or that are out of its direct line of sight, represent low-hanging fruit: a path of least resistance. Invisible to the enterprise, they are security blind spots that allow threat actors to enter business networks and remain undetected.
According to a 2019 study by IBM and Forbes Media's Forbes Insights[1] research practice, one in five businesses has experienced a cyber-incident due to shadow IT, one source of shadow risk. And while 81% of organizations believe these hidden resources need to be included in risk assessments, they don't hold out much hope: almost half of the organizations surveyed (46%) believe shadow IT will make it impossible to protect their extended IT ecosystem.
Organizations cannot protect assets if they don't know they exist, nor can they prioritize them correctly if they don't understand their business context. With the massive ecosystem of partners and the increasing number of devices, cloud applications, and users that enterprises have to manage, shrinking the attack surface is not a viable strategy. Instead, the focus should be on reducing the number of attack vectors into the enterprise, which starts with understanding where the organization is vulnerable.
Shining a Light - Finding the Unknowns
Getting a comprehensive view of IT risk requires mapping an organization's entire attack surface. However, legacy tools are falling short, partly because each one only addresses one piece of the puzzle. For example, attack surface management (ASM) vendors push products that typically only conduct port scans within defined, or easily discovered, IP ranges. And these tools often fail to provide the actionable guidance and intelligence needed to prioritize and remediate any threats they detect.
Security rating services (SRS) lack actionable remediation advice and offer only superficial assessments of attack surfaces with many false positives. Penetration tests serve as a report on a small slice of an organization's security posture at a particular moment in time and are quickly out of date.
None of these legacy solutions on their own can help organizations find the vulnerable assets they do not know about with the level of business context needed to make strategic and actionable decisions about shutting down attack vectors. What kind of business context?
Imagine a port scanning solution that reports back that you have 1,500 IP devices using weak encryption (e.g., TLS 1.0), but that solution fails to focus your attention on the one server that hosts your payment solution and is exposing your customers' sensitive information. Without that business context, the list of 1,500 IPs does more harm than good. On the other hand, attackers are looking for just such an easy path to value.
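The prioritization step the scanner in this scenario leaves out, as an added example that is not part of the original article or any CyCognito product: raw "weak TLS" findings are joined with an asset inventory so that the one payment server floats to the top, and a host missing from the inventory is ranked high precisely because nobody owns it. All hosts, weights and inventory entries below are constructed for illustration.

```python
"""Rank identical scanner findings by business context (added example)."""
from dataclasses import dataclass, field

# Relative weight of the data an asset handles (assumed scale, not from the article).
DATA_WEIGHT = {"cardholder": 50, "pii": 40, "internal": 15, "test": 5, "public": 0}


@dataclass
class Finding:
    ip: str
    port: int
    tls_min: str                                   # lowest protocol version accepted
    context: dict = field(default_factory=dict)    # from inventory; empty if unknown

    def score(self) -> int:
        """Higher score = fix first. The raw finding is the same for every host;
        everything that separates them comes from business context."""
        ctx = self.context
        if not ctx:
            # Not in the inventory at all: an asset nobody owns is a blind spot,
            # so it ranks high until someone can say what it is.
            return 60
        s = DATA_WEIGHT.get(ctx.get("data", "internal"), 15)
        if ctx.get("internet_exposed"):
            s += 30            # reachable by anyone: the path of least resistance
        if self.tls_min == "TLSv1.0":
            s += 10            # protocol version deprecated by RFC 8996
        return s


def prioritize(findings, inventory):
    """Join scan output with the inventory; return findings, most urgent first."""
    enriched = [Finding(f["ip"], f["port"], f["tls_min"], inventory.get(f["ip"], {}))
                for f in findings]
    return sorted(enriched, key=lambda f: f.score(), reverse=True)


# Constructed scan output: four hosts, all flagged identically by the scanner.
SCAN_FINDINGS = [
    {"ip": "203.0.113.10", "port": 443, "tls_min": "TLSv1.0"},
    {"ip": "203.0.113.11", "port": 443, "tls_min": "TLSv1.0"},
    {"ip": "203.0.113.12", "port": 8443, "tls_min": "TLSv1.0"},
    {"ip": "198.51.100.7", "port": 443, "tls_min": "TLSv1.0"},  # not in inventory
]

# Constructed asset inventory supplying the context the scanner lacks.
ASSET_CONTEXT = {
    "203.0.113.10": {"owner": "marketing", "data": "public", "internet_exposed": True},
    "203.0.113.11": {"owner": "payments", "data": "cardholder", "internet_exposed": True},
    "203.0.113.12": {"owner": "lab", "data": "test", "internet_exposed": False},
}

if __name__ == "__main__":
    for f in prioritize(SCAN_FINDINGS, ASSET_CONTEXT):
        print(f.score(), f.ip, f.port, f.context.get("owner", "UNKNOWN OWNER"))
```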
These legacy approaches lack the ability to answer fundamental questions that organizations need to address to eliminate their shadow risk. For example:
- What's the easiest way for attackers to gain "Admin" access to one of our networks?
- Is my source code exposed to attackers somehow?
- Are there IoT devices exposed to the internet that I don't know about?
- Are we using default/weak credentials for our SaaS or security solutions?
- Do we have any misconfigured cloud assets that expose sensitive information?
- Is our customers' financial data exposed to attackers because of specific third-party technology we're using?
Answering these questions is a vital step in revealing shadow risk. If an organization doesn't have knowledge of its full attack surface, its digital doors will remain open to cybercrime, regardless of the amount of budget spent on security.
Maximize Your Security Investments
In Verizon's 2019 Data Breach Investigations Report, 69% of data breaches were traced to external actors. By definition, this means that the victims' cybersecurity investments did not sufficiently close the attack vectors into their organizations. A path of least resistance, often found in assets the organization doesn't manage or know about, can lead straight to the victims' systems and data. No amount of security spending can protect assets and address threats that Security Operations Centers do not even know exist.
To maximize security investments, organizations need comprehensive visibility into their attack surface and the ability to continuously assess, identify, and remediate potential attack vectors. As the number of devices, cloud services, partner, third-party, and subsidiary relationships that businesses manage continues to grow, so too will the challenge of eliminating attack vectors in these swelling IT ecosystems. Exposing shadow risk is where the process of addressing that challenge begins.
About the Author
Rob Gurzeev, CEO and Co-Founder of CyCognito, has led the development of offensive security solutions for both the private sector and intelligence agencies. Prior to founding CyCognito, he was Director of Offensive Security and head of R&D at C4 Security (acquired by Elbit Systems) and the CTO of the Product Department of the 8200 Israeli Intelligence Corps. Honors he received as an Israel Defense Forces officer include the Award for Excellence, the Creative Thinking Award and the Source of Life Award.
[1] Source: "Perception Gaps in Cyber Resilience: Where are Your Blind Spots?" Forbes Insights, 2019.