External Threat Management

This is How Your Attack Surface May Be Larger and More Exposed Than You Think

The world has never been as vulnerable to cyber attacks as it is today. The sheer number of attacks organizations face, and the global scope of many of those attacks—the SolarWinds and the Microsoft Exchange vulnerabilities affected almost everyone—is putting today's CISOs on the hot seat. 

In the past several months alone, there have been more than a dozen zero-day exploits, an unprecedented rate of successful infiltration making the lack of control and visibility for security leaders painfully evident. 

Advanced persistent threats (APTs) are not only rising in frequency; their impact is increasingly devastating and widespread. Initially, the Microsoft Exchange vulnerability affected more than 400 thousand servers worldwide. These sophisticated attackers are taking advantage of the digital transformation resulting in the digital enterprise extending to the internet and the internet's innate connectedness. 

Each of the internet's components is an individual thread woven together to create the web as we know it. Today, being a part of this tapestry isn't a choice; if you have an internet presence, you are interwoven with every other entity on the web, including attackers. For the state-sponsored threat actors executing attacks against organizations all running the same vulnerable systems like SolarWinds and Microsoft Exchange, they're counting on this interconnectivity. 

There's no turning back the clock on the digital transformation and rise of the extended enterprise over the past decade, so there's no point in falling back on outdated cybersecurity methods to solve this crisis. We have to meet the challenges posed by the modern global attack surface head-on. 

First, we must realize that the internet's deep interconnectivity has the good guys, bad guys, and everyone in between linked via deep digital relationships. Then we have to answer how cyberthreat actors have used this to their advantage, and more importantly, how the security community can begin to use it to ours. 

Those who understand how these connections work, good guy or bad guy, are the ones who win. 

The SolarWinds Breach Exposed Massive Vulnerabilities

The current cyberthreat landscape is global in scale and ever-evolving. No one can stake out a piece of it and put up a perimeter to protect it anymore. Today, the internet is the perimeter, one that we all share whether we like it or not. The hack of SolarWinds was undeniable proof. 

Foreign hackers were able to exploit a backdoor, called SUNBURST, in SolarWinds’ Orion IT-monitoring software. It was nothing short of Orion’s full takeover, which meant unmitigated infiltration of the thousands of organizations that relied on Orion for IT purposes.

There is an alarming difference between the SolarWinds attack and other less effective APT breaches. Rather than being an isolated strike, the SolarWinds breach gave hackers access to organizations’ networks of third-party suppliers, partners, and vendors. Everyone who ran the corrupted technology was affected at once. 

SolarWinds (and subsequent attacks) exposed the potential vulnerability of any system connected to the internet. Before the attack, programs with the level of trust and access to customer networks that SolarWinds has were thought to be unhackable.

Finding out that such programs can be hacked and corrupted for months without detection shook the cybersecurity community. 

Victims of the SolarWinds breach include the Department of Homeland Security, the Treasury Department, the Pentagon, the Department of Energy, Intel, Deloitte, and Microsoft. 

SolarWinds also proved that APTs are more sophisticated than many thought possible. The revelation that hackers could Trojanize software from an IT company as trusted as SolarWinds was an eye-opener.

Just as the cybersecurity sector came to grips with the unprecedented SolarWinds intrusion, an even greater, more effective attack emerged: the Microsoft Exchange vulnerability.

We look at this sequence as a pattern that will undoubtedly continue.

I am CTO and chief data scientist at RiskIQ, where my team and I have been at the forefront in assessing and correcting the Microsoft Exchange vulnerability. We understand more than most what the latest spate of cyberattacks means: that everyone, not just the most valuable IP holders, is at risk due to the nature of big data and the sophistication of APTs and nation-state actors. 

Laying the Groundwork for Effective Threat Defense

It’s simply not realistic for your organization to defend itself from attacks like SolarWinds on your own. The scale of your organization’s attack surface—your digital supply chains, partners, IT to enable a remote workforce—has simply become too large. Meanwhile, internet-scale cyberthreats are the smallest of needles in massive data haystacks. 

In fact, cyberthreats have almost become more of a big data problem than a security problem. That’s why we’ve crawled the internet for more than ten years to build a real-time map that exposes the deep digital relationships that makes up the global attack surface. 

As we mapped the internet, we computed the relationships between cyberattack victims and perpetrators. We studied how internet components fit inside the picture to understand their role in enabling or thwarting threats. Organizations often aren’t even aware they’re running the vulnerable systems that act as inroads for attackers, so preventing attacks, let alone responding to them, is impossible.

This perspective allows organizations to know what they don’t know and understand, from a global perspective once thought to be impossibly large, where the threats and vulnerabilities most critical to them are hiding. 

The Advice We Give to Fortune 500 Companies

To defend their organizations, security teams need actionable security intelligence that provides a bird's eye view of the global attack surface and shows precisely how their organization's unique Internet relationships fit inside it. 

For your security program to successfully address the threats we face in 2021, it must:

Contain the necessary intelligence to know what the attack surface looks like. 

Attack surfaces are necessarily larger today, thanks to big data. Open-source intelligence gathering or network telemetry will no longer provide adequate threat detection.

You need security intelligence with a view of the global attack surface and keen insight into threats most critical to the enterprise's one-of-a-kind digital footprint.

Contain a robust budget for threat intelligence and forensic hunting capabilities

Your security team must be able to respond immediately and decisively to attacks like the SolarWinds breach. Are you investing preemptively in your threat intelligence data and systems so that, when the time comes, you can identify and combat the intrusion?

Chief Information Security Officers (CISOs) must have an advanced incident-response function and accompanying data.

Can your CISO answer the following questions?

 - What is the nature of the attack?

 - Which features of our network are vulnerable?

 - Has the company been breached?

 - What clues exist as a result of the attack?

Building your incident-response function, and trying to answer these questions, is extremely difficult if you're doing it as the attack happens. Rather than taking an on-the-fly approach, I advise investing in and honing your incident response infrastructure before the inevitable attack happens because SolarWinds will not be the last mass-scale supply-chain attack. It’s a harbinger of things to come.

Make sure that your organization is taking a preemptive approach to cybersecurity. As the latest rash of breaches shows, even the most secure organizations in the world can be victimized by the vulnerability of big data.

Read more about RiskIQ's Illuminate® Internet Intelligence platform and how it can provide your organization with the next-gen security intelligence it needs to tackle this new threat landscape.

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor