Cybersecurity Risk Grows in the Darkness: The Path of Least Resistance

By Rob Gurzeev, CEO and Co-Founder of CyCognito

Cybersecurity risk grows in the darkness. This statement has never been truer than it is today.

As businesses deal with the explosive growth of cloud applications and services on their networks and an ever-expanding number of partners, the attack surface they have to protect is growing as well, and most of that growth happens outside the sight of IT teams. That creates a situation ripe for attackers, who typically pursue the high-value targets that are easiest to compromise: the paths of least resistance.

This lack of visibility into digital assets creates what is known as "shadow risk": the threat posed by security blind spots that leave assets exposed to attackers. According to CyCognito's estimates, organizations are typically aware of only about 30% of their true attack surface, leaving the other 70% potentially unguarded. For today's enterprises, attack surface management does not just mean monitoring the devices, applications, and services within their own IT environment, but also the closely related assets that connect to their business yet are owned and managed by others.

Every organization has shadow risk. Sometimes it remains hidden, and other times attackers find it and exploit it. One example of the latter occurred in July 2019, when it was discovered that an attacker had exploited a web application firewall misconfiguration and gained access to Capital One's Amazon Web Services (AWS) environment. According to the criminal complaint filed in the case, the misconfiguration allowed requests to be relayed to the AWS instance metadata service, which returned credentials for an IAM role that could read the affected S3 storage. As a result of the breach, the threat actor accessed a mountain of data, including information from credit card applications. The company only discovered the breach after a member of the public contacted them to report that a GitHub user had posted about the attack. The intent here isn't to single out Capital One. Rather, it's to note that scenarios like this are likely to be the new normal unless organizations get better at exposing and eliminating their shadow risk.

Think Like an Attacker - The Path of Least Resistance

Again, for attackers, these security gaps are a boon. An intruder is most likely to choose the attack vector that provides the easiest road to compromise. From a strategic standpoint, attackers first gravitate towards easily discoverable systems exposed on the Internet to gain a foothold in an environment. For this reason, assets that an IT organization doesn't manage, or that sit outside its direct line of sight, represent low-hanging fruit: a path of least resistance. Invisible to the enterprise, they are security blind spots that allow threat actors to enter business networks and remain undetected.

According to a 2019 study by IBM and Forbes Media's Forbes Insights[1] research practice, one in five businesses has experienced a cyber-incident due to shadow IT, one source of shadow risk. And while 81% of organizations believe these hidden resources need to be included in risk assessments, they don't hold out much hope: almost half of the organizations surveyed (46%) believe shadow IT will make it impossible to protect their extended IT ecosystem.

Organizations cannot protect assets if they don't know they exist, nor can they prioritize them correctly if they don't understand their business context. With the massive ecosystem of partners and the increasing number of devices, cloud applications, and users that enterprises have to manage, shrinking an attack surface is not a viable strategy. Instead, the focus should be on reducing the number of attack vectors into the enterprise, which starts with understanding where the organization is vulnerable.

Shining a Light - Finding the Unknowns

Getting a comprehensive view of IT risk requires mapping an organization's entire attack surface. However, legacy tools are falling short, partly because each one only addresses one piece of the puzzle. For example, attack surface management (ASM) vendors push products that typically only conduct port scans within defined, or easily discovered, IP ranges. And these tools often fail to provide the actionable guidance and intelligence needed to prioritize and remediate any threats they detect.

Security rating services (SRS) lack actionable remediation advice and offer only superficial assessments of attack surfaces with many false positives. Penetration tests serve as a report on a small slice of an organization's security posture at a particular moment in time and are quickly out of date. None of these legacy solutions on their own can help organizations find the vulnerable assets they do not know about with the level of business context needed to make strategic and actionable decisions about shutting down attack vectors. What kind of business context? Imagine a port scanning solution that reports back that you have 1,500 hosts still accepting a deprecated protocol version (e.g., TLS 1.0), but that fails to focus your attention on the one server that hosts your payment solution and is exposing your customers' sensitive information. Without that business context, the list of 1,500 IPs does more harm than good. Attackers, on the other hand, are looking for exactly that kind of easy path to value.
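To make the business-context point concrete, here is an added example (not CyCognito's product logic or any code from the article) that joins a flat list of scanner findings against a partial asset inventory. It ranks the same "TLS 1.0 enabled" finding differently depending on what data the host handles and whether it is internet-facing, and it flags hosts that the scanner found but the inventory does not know about, which is the shadow-risk case. The hostnames, the inventory, the findings and the weights are all constructed for the illustration.

```python
"""Prioritise exposure findings by business context, not by raw count.

Added example, not part of the original article. Inventory, findings,
hostnames and weights are constructed; tune the weights to your own
data-classification scheme.
"""
from dataclasses import dataclass, field

# Constructed asset inventory: what the IT team knows about.
# A host that appears in scan results but not here is a shadow asset.
INVENTORY = {
    "pay.example.com":      {"data": "cardholder", "owner": "payments",  "internet": True},
    "intranet.example.com": {"data": "internal",   "owner": "it",        "internet": False},
    "blog.example.com":     {"data": "public",     "owner": "marketing", "internet": True},
}

# Constructed scanner output: (host, finding id, base severity 1..10).
FINDINGS = [
    ("blog.example.com",       "tls1.0-enabled",      3),
    ("pay.example.com",        "tls1.0-enabled",      3),
    ("intranet.example.com",   "tls1.0-enabled",      3),
    ("legacy-api.example.com", "tls1.0-enabled",      3),  # not in inventory
    ("legacy-api.example.com", "default-admin-creds", 9),  # not in inventory
    ("blog.example.com",       "outdated-cms",        6),
]

# Weight by the most sensitive data class the asset handles (assumed scheme).
DATA_WEIGHT = {"cardholder": 4.0, "pii": 3.0, "internal": 1.5, "public": 1.0}
UNKNOWN_WEIGHT = 2.5       # no classification on record: assume it matters
SHADOW_MULTIPLIER = 1.5    # nobody owns it, so nobody will patch it


@dataclass(order=True)
class Prioritised:
    score: float
    host: str = field(compare=False)
    finding: str = field(compare=False)
    shadow: bool = field(compare=False)
    reason: str = field(compare=False)


def score_finding(host, finding, severity, inventory=INVENTORY):
    """Combine scanner severity with business context for one finding."""
    ctx = inventory.get(host)
    shadow = ctx is None
    if shadow:
        data_w = UNKNOWN_WEIGHT
        exposure = 2.0   # an external scanner reached it, so it is internet-facing
        reason = "not in inventory (shadow asset)"
    else:
        data_w = DATA_WEIGHT.get(ctx["data"], UNKNOWN_WEIGHT)
        exposure = 2.0 if ctx["internet"] else 1.0
        reason = f"{ctx['data']} data, owner={ctx['owner']}"
    score = severity * data_w * exposure
    if shadow:
        score *= SHADOW_MULTIPLIER
    return Prioritised(score, host, finding, shadow, reason)


def prioritise(findings, inventory=INVENTORY):
    """Return findings ordered highest-risk first."""
    ranked = [score_finding(h, f, s, inventory) for h, f, s in findings]
    return sorted(ranked, reverse=True)


def shadow_hosts(findings, inventory=INVENTORY):
    """Hosts the scanner found that the inventory does not know about."""
    return sorted({h for h, _, _ in findings if h not in inventory})


if __name__ == "__main__":
    for p in prioritise(FINDINGS):
        print(f"{p.score:6.1f}  {p.host:24} {p.finding:20} {p.reason}")
    print("shadow assets:", shadow_hosts(FINDINGS))
```

Run as written, the three "TLS 1.0" findings that an undifferentiated scan would list side by side come out in the order payment server, unknown legacy API, intranet host, and the unowned host with default credentials goes to the very top of the list. The weights are deliberately simple; the point is that the ranking is driven by what the asset is for and who owns it, not by how many IPs share a finding.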

These legacy approaches lack the ability to answer fundamental questions that organizations need to address to eliminate their shadow risk. For example:

  • What's the easiest way for attackers to gain "Admin" access to one of our networks?
  • Is my source code exposed to attackers somehow?
  • Are there IoT devices exposed to the internet that I don't know about?
  • Are we using default/weak credentials for our SaaS or security solutions?
  • Do we have any misconfigured cloud assets that expose sensitive information?
  • Is our customers' financial data exposed to attackers because of specific third-party technology we're using?

Answering these questions is a vital step in revealing shadow risk. If an organization doesn't have knowledge of its full attack surface, its digital doors will remain open to cybercrime, regardless of the amount of the budget spent on security.

Maximize Your Security Investments

In Verizon's 2019 Data Breach Investigations Report, 69% of data breaches were traced to external actors. That means the victims' cybersecurity investments did not sufficiently close the attack vectors into their organizations. A path of least resistance, often found in assets the organization doesn't manage or know about, can lead straight to the victims' systems and data. No amount of security spending can protect assets and address threats that Security Operations Centers do not even know exist.

To maximize security investments, organizations need comprehensive visibility into their attack surface and the ability to continuously assess, identify, and remediate potential attack vectors. As the number of devices, cloud services, partner, third-party, and subsidiary relationships that businesses manage continues to grow, so too will the challenge of eliminating attack vectors in these swelling IT ecosystems. Exposing shadow risk is where the process of addressing that challenge begins.


About the Author


Rob Gurzeev, CEO and Co-Founder of CyCognito, has led the development of offensive security solutions for both the private sector and intelligence agencies. Prior to founding CyCognito, he was Director of Offensive Security and head of R&D at C4 Security (acquired by Elbit Systems) and the CTO of the Product Department of the 8200 Israeli Intelligence Corps. Honors that he received as an Israel Defense Forces Officer included Award for Excellence, the Creative Thinking Award and the Source of Life Award.

[1] Source:  "Perception Gaps in Cyber Resilience: Where are Your Blind Spots?" Forbes Insights, 2019

Published Wednesday, September 02, 2020 7:40 AM by David Marshall