Cybercriminals Aggressively Exploit Post-COVID Attack Surface
An understanding of the adjusted and expanded attack surface reduces data breaches and bolsters the ROI of your cybersecurity investment.
According to the newly released Verizon Data Breach Investigations Report 2020, 70% of data breaches that occurred last year stemmed from external attacks. Interestingly, insecure web applications were responsible for an unprecedentedly high 43% of intrusions, almost double the figure from the previous year. While external web applications and APIs remain one of the fastest and easiest vectors for penetrating organizations from the outside, there is a multitude of other, largely underestimated, factors to consider in a cyber resilience strategy.
Many security professionals are now feeling a growing level of coronavirus fatigue amid an avalanche of overaggressive marketing by some cybersecurity vendors. The global pandemic has, however, indeed exacerbated the complexity of the evolving threat landscape that we will briefly illuminate in this article.
Why Is Attack Surface Management Important?
In 2020, Attack Surface Monitoring (ASM), sometimes also interchangeably labeled as Attack Surface Management, has de facto become a must-have security product in a CISO’s arsenal. Its underlying purpose is to bring augmented visibility across your Internet-facing assets, spanning from web applications and domain names to public cloud, critical network services and IoT devices accessible from the outside. Maintaining a holistic and up-to-date inventory of your digital and IT assets is an inalienable component of effective cyber defense: we all know that you cannot protect what you don’t see. Moreover, most of the mushrooming compliance and regulatory requirements expressly impose crystal-clear visibility and a risk-scored inventory of your assets.
Recently, the COVID-19 working-from-home practice triggered a mushrooming growth of new hosts and devices, exacerbated by a rapid proliferation of corporate data storage in unknown locations, from individual laptops to file-sharing websites or public cloud. Unsecured VPNs and RDP endpoints are merely the tip of the growing iceberg of shadow IT.
Some organizations have purposely reduced the scope of their continuous security monitoring to business-critical assets, or assets that process PII and other regulated types of sensitive data. They risk falling victim to a silent breach of unknown and thus unprotected storage locations of the very same data, or its backups, located in a multitude of internal and external places. Unsurprisingly, incomplete visibility was recently adduced in a US Federal court as proof of negligence in the notorious Equifax hack case. Inclusive and up-to-date asset visibility is, however, just one of several pillars CISOs and their teams should be aware of to prevent data breaches, reduce costs and enhance their cybersecurity spending efficiency.
As outsourcing and offshoring continue to proliferate, enterprises of all sizes incrementally delegate software development to external companies, trying to reduce in-house costs and accelerate development. Both internal software developers and external teams are, however, prone to a frightening level of human error. Frequently, overburdened with the mounting complexity and volume of endless work, programmers may inadvertently set incorrect permissions on a GitHub project, or simply confuse repositories, thereby exposing your Crown Jewels to the rest of the world.
Leaving aside the fact that source code may be a protectable trade secret in itself, the source code may likewise contain API keys or even hardcoded credentials for production databases. Third parties usually have considerably lower standards of secure programming and of the intertwined security processes for source code protection, increasing the number of careless or negligent source code leaks.
Cybercriminals are well aware of this low-hanging fruit, and continuously monitor specific authors or repositories for new code and commits, on top of relentlessly crawling all public repositories for specific keywords or programming expressions that may indicate an exploitable software vulnerability or a leaked password.
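The same keyword and format matching that the paragraph above describes can be turned around and run defensively, as a pre-commit or CI check that stops hardcoded credentials before they reach a public repository. The following is an added example, not ImmuniWeb’s own tooling: it scans a constructed settings file for AWS-style access key IDs, hardcoded passwords and generic API keys, and uses a Shannon entropy score plus a placeholder word list to suppress dummies such as "changeme" or "xxxx" so that the report is not buried in noise.

```python
import math
import re
from collections import Counter

# Constructed sample: a settings file as it might be pushed to a public repo by mistake.
SAMPLE_SOURCE = """# settings.py (constructed sample, not a real project)
DB_HOST = "db.internal"
DB_PASSWORD = "Pr0d-Secret-2020"
AWS_ACCESS_KEY_ID = "AKIAFAKEKEYCONSTR001"
API_KEY = "xxxxxxxxxxxxxxxxxxxx"
TEST_PASSWORD = "changeme"
"""

# Keyword / format patterns of the kind attackers crawl public repos for.
# The last capture group (or the whole match) is the candidate secret value.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded_password": re.compile(
        r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{6,})['\"]"),
    "generic_api_key": re.compile(
        r"(?i)(api[_-]?key|secret[_-]?key|token)\s*[=:]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"),
}
PLACEHOLDER_WORDS = ("example", "changeme", "your_", "todo", "dummy", "placeholder")


def shannon_entropy(value: str) -> float:
    """Bits per character: real keys score high, padding like 'xxxx' scores near 0."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def looks_like_placeholder(value: str) -> bool:
    """Suppress obvious dummies (known words, or one or two distinct characters)."""
    low = value.lower()
    return any(w in low for w in PLACEHOLDER_WORDS) or len(set(value)) <= 2


def scan_text(text: str):
    """Return (line_no, rule, value, entropy) for every likely secret in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(match.lastindex or 0)
            if looks_like_placeholder(value):
                continue
            findings.append((line_no, rule, value, round(shannon_entropy(value), 2)))
    return findings


if __name__ == "__main__":
    for line_no, rule, value, entropy in scan_text(SAMPLE_SOURCE):
        print(f"line {line_no}: {rule} (entropy {entropy}) -> {value[:4]}...")
```

Wired into a pre-commit hook, a non-empty result from scan_text should fail the commit; the two suppressed lines show why the placeholder filter matters for triage.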
How to Avoid Third-Party Risks
Third parties also come into the game with snowballing data breaches affecting your vendors and suppliers that have privileged access to your data or systems. The central pitfall of such security incidents is that they are virtually undetectable from a technical standpoint and thus remain unknown unless the aggrieved parties duly disclose them to you.
Regrettably, a dramatically low number of service providers are sufficiently equipped today to quickly detect sophisticated intrusions that target their company in a multistep chase for your Crown Jewels. Commonly, such data breaches remain unnoticed, a ticking time bomb. A wide variety of stolen login credentials and data are today available for sale on the Dark Web. Anyone equipped with just a web browser and a Bitcoin wallet may acquire gigabytes of stolen data in a few minutes.
Consequently, a growing number of cyber gangs first seek privileged credentials of your suppliers exfiltrated from their own or external websites and systems, prior to commencing a frontal assault against your infrastructure. The bigger your enterprise is, and the more external stakeholders you have, the greater the chance of unwelcome guests in your systems. Worse, many password collections and website database dumps, widely available on the Dark Web, likely contain a growing number of credentials stolen from your employees.
Strong password policies are infrequently enforced in a holistic manner across all corporate systems due to various compatibility issues, thus making the somewhat archaic password reuse attack highly effective today.
At ImmuniWeb, we developed a free online tool to measure your organization’s exposure on the Dark Web, intended to help you understand and assess the scale of the problem prior to any investment in a security solution.
Finally, one more formidable challenge is to properly scorecard the findings you may get amid the petabytes of source code files and innumerable Dark Web alerts. The information is largely composed of noise and entangled false positives, ranging from overt fakes to countless innocent mentions lacking any importance for your organization.
How to Choose the Right Solution
The remainder is often a set of arcane data requiring a lot of time and skill to duly analyze and prioritize. Properly trained Machine Learning models can cancel the noise to a considerable degree and distill meaningful data from gigabytes of irrelevant garbage. Therefore, when selecting an attack surface monitoring solution, ascertain that it has not just best-of-breed detection capabilities but also effective filtering and prioritization features that save your time and money by doing effective triage.
Eventually, broader and deeper visibility of external threats and risks brings you invaluable information from several deeply interrelated dimensions. A well-thought-through cybersecurity strategy may be quickly undermined by a single forgotten subdomain or API, negating the time and resources invested in security and compliance. A careless vendor or external consultant may likewise jeopardize your cyber resilience strategy in a few minutes. The better classified and risk-scored the data you get, the more informed and thus effective your spending and prioritization will ultimately be.
Hence, consolidated visibility of your digital and IT assets is grossly insufficient if the monitoring is isolated from third-party risks stemming from public code repositories and Deep and Dark Web marketplaces. When selecting an Attack Surface Management vendor, ensure that it has all of the foregoing capabilities delivered in an easily consumable, prioritized and actionable manner.