Rob Gurzeev, CEO and Co-Founder of CyCognito, explores external attack surface soft spots tied to the ever-expanding number of digital assets that companies too often struggle to keep track of and manage effectively.
Internet Protocol (IP) addresses and the devices, web services and cloud assets behind them are the lifeblood of modern businesses. But too often companies amass thousands of digital assets, creating an unmanageable mess for IT and security teams. Left unchecked, a single forgotten, abandoned or unknown digital asset is a cybersecurity timebomb.
Why should seeing and managing every single digital asset in your network be a priority? The odds are that they are the fastest growing part of your organization’s infrastructure. Effective digital asset management – including IP address visibility – is your foundation for thwarting an attacker’s path of least resistance into your network.
For the past two decades, security teams have focused on internal asset risk. Public-facing digital assets and IP addresses were part of the “DMZ,” a fortified and very limited perimeter to defend. But then came digital transformation, spurred by a global pandemic and an ensuing work-from-home trend, and network boundaries melted, giving way to the everything-is-a-hosted-service modern architecture of today.
Digital Assets: Dead, Forgotten and Dangerous
The digital transformation of business over the past two years has spurred a tsunami of new web applications, databases and IoT devices. They have created a massive new attack surface for organizations, which includes complex cloud-native IT infrastructure. Potentially exposed are thousands of APIs, servers, IoT devices and SaaS assets.
Unknown or poorly managed, any external-facing asset can act as an invitation for an adversary to breach your network. Attackers can then steal data, spread malware, disrupt infrastructure and achieve persistent unauthorized access.
When we talk to companies about their attack surface, we seldom hear them express confidence about mastering their digital assets. Many companies still keep track of IP addresses, and in turn connected assets, via an Excel spreadsheet. Efficient? Only for the smallest of organizations. A 2021 study by ESG found 73 percent of security and IT pros depend on them.
Priority number one is your company’s crown jewels – data. And I would argue, protection of IP addresses and connected assets deserves a more modern management approach that can squash issues before they surface.
Good Intentions Can Go Awry
But even companies with good intentions can make errors. Let’s say an enterprise helpdesk creates an internal ticketing system accessible only through an internal URL. An adversary might take the URL’s underlying IP address and, by appending “:8118”, reach the service listening on that port – effectively a network backdoor.
That’s why IP addresses, including related technology such as ports, domains and certificates, can represent significant security and reputational risk.
The result can be a graveyard of digital asset soft spots that too often become entry points for adversaries, such as forgotten or poorly managed DevOps or SecOps tools, cloud products and device web interfaces.
Within today’s complex enterprise, system administrators typically only have visibility into a subset of devices they are responsible to manage. And if the asset isn’t on your radar screen you can’t mitigate the risk.
Why Managing IP-Connected Assets is Like Herding Cats
Among CyCognito’s customer base, over the past 12 months we have seen the number of IP addresses (and related digital assets) within organizations grow by 20 percent. That growth is at least partly attributable to cloud adoption and a reliance on connected devices and web apps that inhabit corporate networks. But the infrastructure sprawl that comes when a company grows or shrinks is often overlooked.
Merger and acquisition (M&A) activity, for example, can often leave an enterprise flat-footed when it comes to getting its arms around IP address management. Let’s say a hotel conglomerate acquires a smaller competitor. When that happens, it also inherits a potential minefield of unmanaged and unknown IP addresses and domains.
Dead and forgotten domains – a different type of digital asset – often fall prey to what is known as a dangling DNS record, where an adversary can take over a forgotten subdomain by re-registering the resource it still points to. Those subdomains, which formerly connected to company resources but are now fully controlled by a bad actor, can then be used to reroute a company’s web traffic, causing data loss and reputational damage.
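The dangling-record problem described above is straightforward to check for once you have a zone export in hand. The following is an added example, not code from the article or from CyCognito: it parses a constructed BIND-style zone fragment and flags CNAME records whose targets no longer exist (the classic takeover precondition) and A records pointing at addresses the organization no longer holds. The `RESOLVABLE` and `OWNED_IPS` sets are constructed stand-ins; in production they would be replaced by live NXDOMAIN checks and your cloud allocation inventory.

```python
"""Dangling-DNS exposure check over a zone export (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed zone export in BIND syntax; names and hosts are fictional.
ZONE = """
; example.test zone (constructed)
www        IN CNAME  frontdoor.example-cdn.test.
legacy     IN CNAME  old-app.example-paas.test.
shop       IN A      203.0.113.10
orphaned   IN A      203.0.113.250
api        IN CNAME  api-prod.example-paas.test.
"""

# Constructed view of which CNAME targets still exist and which IPs we still hold.
# In a real check: resolve each target (NXDOMAIN => dangling) and query the
# cloud provider / IPAM for current allocations.
RESOLVABLE: Set[str] = {"frontdoor.example-cdn.test.", "api-prod.example-paas.test."}
OWNED_IPS: Set[str] = {"203.0.113.10"}

RECORD_RE = re.compile(r"^(\S+)\s+IN\s+(CNAME|A)\s+(\S+)\s*$")


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    target: str
    reason: str


def parse_zone(text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, type, target) for each CNAME/A record, skipping comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append(m.groups())
    return records


def find_dangling(records, resolvable=RESOLVABLE, owned_ips=OWNED_IPS) -> List[Finding]:
    """Flag records whose target is no longer under the organization's control."""
    findings = []
    for name, rtype, target in records:
        if rtype == "CNAME" and target not in resolvable:
            # Target hostname is gone: whoever re-registers it inherits our subdomain.
            findings.append(Finding(name, rtype, target,
                                    "CNAME target no longer resolves; re-registrable"))
        elif rtype == "A" and target not in owned_ips:
            # Address released back to a provider pool; a new tenant may receive it.
            findings.append(Finding(name, rtype, target,
                                    "A record points to an address we no longer hold"))
    return findings


def dangling_names(zone_text: str = ZONE) -> List[str]:
    """Convenience wrapper: sorted owner names that need attention."""
    return sorted(f.name for f in find_dangling(parse_zone(zone_text)))


if __name__ == "__main__":
    for f in find_dangling(parse_zone(ZONE)):
        print(f"{f.name}: {f.rtype} -> {f.target}: {f.reason}")
```

The remediation for a hit is to delete the record (or re-point it at a resource you still control) rather than to re-acquire the orphaned target, since the latter just perpetuates the dependency. Note that an A record to an unowned address is a weaker signal than a non-resolving CNAME; it merits review, not automatic alarm.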
Similarly, divestitures of subsidiaries can result in abandoned infrastructure and orphaned digital assets and related web apps. These forgotten assets are often overlooked by IT teams, but not by opportunistic hackers.
Worse are insecure ports leaving devices open to default credential attacks. After all, all an adversary needs in order to scan for and find open ports is a poorly managed cloud service or piece of IP-connected hardware.
Lastly, unmanaged IT infrastructure and assets obtained through an acquisition can waste valuable time. Consider how a poorly managed IP address could send IT security teams on high alert to understand why company assets are being used in a country it doesn’t do business in.
To protect critical data, thwart malware infection and prevent breaches, part of the answer is effective digital asset management and IP address visibility. Too many system administrators are still beholden to that archaic spreadsheet-based asset management system.
Additionally, legacy scanners that ignore attack vectors and detect only CVEs in known assets aren’t up to assessing risk tied to the multitude of digital assets within a company. For example, in the previous case of the internal ticketing system – accidentally exposed to the internet through the URL https://X.X.X.X[:]8118 – port scanning on that IP will find nothing but an HTTPS service at best. Scanners definitely won’t understand the context and criticality of the exposure. The same goes for accidentally open directories on company-owned cloud assets, which could contain employee credentials and terabytes of sensitive data.
Ignorance Is Not Bliss & Seeing Is Believing
Of course, digital assets aren’t dangerous by default. Rather, the risk is tied to management of an IT stack and the ability of a sysadmin to juggle the myriad connected applications tied to on-prem, off-prem, managed and unmanaged services.
The conundrum is, “how do you manage what you don’t know is there?”
Network segmentation, zero trust solutions, aggressive IP and port scanning and asset discovery are all necessary responses to the threat. But these solutions do not address 100 percent of the problem.
It is like giving a community a clean COVID bill of health based on testing 20 percent of the residents. Without the other 80 percent tested you really have no idea how safe you are.
Even perfect vulnerability management of 90 percent of an attack surface doesn’t matter when 10 percent may go unseen and unmanaged.
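The ticketing-system scenario and the "manage what you don’t know is there" point both come down to the same reconciliation: what an external scan actually observes versus what the asset inventory says should be there. Here is an added example, not code from the article or from CyCognito, that performs that reconciliation over constructed data. The inventory is a stand-in for the spreadsheet, `OBSERVED` is a constructed list of (IP, port) pairs as an internet-facing scan would report them, and the `exposure` tag is an assumed inventory field that records whether an asset was ever meant to be reachable from outside.

```python
"""Reconcile an asset inventory with externally observed services (added example, constructed data)."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory (the "spreadsheet"), keyed by public IP. Fictional assets.
INVENTORY: Dict[str, dict] = {
    "203.0.113.10": {"name": "shop-web",         "exposure": "external", "ports": {443}},
    "203.0.113.22": {"name": "helpdesk-tickets", "exposure": "internal", "ports": {8118}},
    "203.0.113.40": {"name": "vpn-gw",           "exposure": "external", "ports": {443, 1194}},
    "203.0.113.60": {"name": "partner-sftp",     "exposure": "external", "ports": {22}},
}

# Ranges the organization knows it owns (RFC 5737 documentation space, constructed).
OWNED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed external scan result: services reachable from the internet.
OBSERVED: List[Tuple[str, int]] = [
    ("203.0.113.10", 443),
    ("203.0.113.22", 8118),   # internal-only ticketing tool answering on its port
    ("203.0.113.40", 443),
    ("203.0.113.77", 22),     # in our range but absent from the inventory
    ("198.51.100.5", 443),    # outside every known range (e.g. an acquired subsidiary)
]

# Ordering used to prioritize review; higher number means look at it first.
SEVERITY = {
    "internal-asset-exposed": 4,
    "unknown-in-range": 3,
    "unknown-out-of-range": 3,
    "unexpected-port": 2,
    "expected-but-unseen": 1,
}


def in_owned_ranges(ip: str, owned_ranges=OWNED_RANGES) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in owned_ranges)


def reconcile(inventory=INVENTORY, observed=OBSERVED, owned_ranges=OWNED_RANGES):
    """Return (ip, ports, kind) findings, most urgent first."""
    seen = defaultdict(set)
    for ip, port in observed:
        seen[ip].add(port)

    findings = []
    for ip, ports in seen.items():
        entry = inventory.get(ip)
        if entry is None:
            # Reachable from the internet and nobody owns it on paper.
            kind = "unknown-in-range" if in_owned_ranges(ip, owned_ranges) else "unknown-out-of-range"
            findings.append((ip, sorted(ports), kind))
        elif entry["exposure"] == "internal":
            # The ticketing-system case: internal tool reachable from outside.
            findings.append((ip, sorted(ports), "internal-asset-exposed"))
        else:
            extra = ports - entry["ports"]
            if extra:
                findings.append((ip, sorted(extra), "unexpected-port"))

    # External assets the scan never saw: decommissioned, moved, or a blind spot in the scan.
    for ip, entry in inventory.items():
        if ip not in seen and entry["exposure"] == "external":
            findings.append((ip, [], "expected-but-unseen"))

    return sorted(findings, key=lambda f: (-SEVERITY[f[2]], f[0]))


def finding_kinds(findings) -> Dict[str, int]:
    """Count findings by kind, handy for a coverage dashboard."""
    counts: Dict[str, int] = defaultdict(int)
    for _, _, kind in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, ports, kind in reconcile():
        print(f"{kind:24s} {ip:16s} ports={ports}")
```

The "expected-but-unseen" bucket is the one that maps to the 90/10 argument: it is the only way to learn that the scan itself has a gap (a range nobody told the scanner about, or an asset that moved), as opposed to the asset being gone. Ranges outside `OWNED_RANGES` are where M&A sprawl shows up, so that list needs to be fed from every subsidiary, not just the parent.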
Costs associated with inefficient discovery tools and limited IT resources for fixing found issues are also roadblocks to effective attack surface management.
A new mindset around the “discovery” of exposed critical assets is needed for attack surface management. Continuous discovery, at scale, of those paths of least resistance for attackers, coupled with security testing and contextualizing the risk of valuable assets being compromised, is vital. CyCognito is pioneering this idea of exposure and risk management versus slow, limited-scope and expensive vulnerability management.
Imagine seeing your entire attack surface – and those of your subsidiaries – and being able to prioritize fixes based on a risk profile that tells you the probability of the specific asset being hacked. In the context of digital assets, visibility into your entire IP landscape and prioritizing what needs to be addressed first can go a long way toward a safer IT environment.
The bigger picture? Adversaries always seek the path of least resistance. They avoid harder attack paths because those tend to be noisy and increase the risk of a defender detecting and responding. A modern approach to external attack surface management should apply the same path-of-least-resistance principle to remediation prioritization and mean time to recovery (MTTR) reduction, and answer the question: “Are we secure?”
Rob Gurzeev is the CEO and Co-Founder of the external attack surface management firm CyCognito. He is an offensive security expert focused on delivering cybersecurity solutions that help organizations find and eliminate the paths attackers exploit.
Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite.