Online security measures to protect organizations on the Internet were shown to be wanting again in 2018 - the same bad news about security outside the firewall that we’ve received the year before, and the year before that.
It took just 22 lines of malicious code to expose customer payment data for 380,000 British Airways booking transactions. Hackers accessed the personal data of millions of Starwood guests. And these were only two of the 21 major hacks in 2018.
All this leads to one conclusion: The traditional approach to online security is dead. In the past, cybersecurity focused on inward-facing strategies and solutions—everything inside the firewall. However, this approach ignored the Internet-facing attack surface: everything beyond the firewall, a varied collection of client-facing assets that hackers can and will discover as they research their next threat campaigns, as well as impersonating assets created to dupe users into giving up sensitive personal and corporate information.
A more outward-facing approach utilizing attack surface management (ASM) is now required to protect your business.
So, what exactly is ASM? How will it improve your cybersecurity efforts? We'll go over three ways you can modernize your online security and mitigate cyber threats in the new year with ASM.
What is Attack Surface Management (ASM)?
ASM deals with two overarching areas of cybersecurity:
- Protecting what you own.
- Protecting your organization and customers from rogue assets impersonating you.
This may sound simple enough, but the ramifications are momentous.
Traditional cybersecurity is like a wall around a castle: A hard perimeter is created as the primary means to identify and deal with intrusions. This is a reactive approach as threats are identified either at your network's firewall or by internal security scans.
However, today we have more Internet-exposed assets than ever before across web, mobile, and social channels. Many are hosted on platforms that sit outside the organization’s control and therefore outside the scope of existing security investments. Many are unknown to the security team and therefore not under management from a security perspective. The result is plenty of low hanging fruit on which cyber-criminals can feast.
While defending what you own is essential, it’s not sufficient in and of itself. Many successful cyber-attacks don’t try to exploit weaknesses in your assets but instead, take advantage of the behaviors of your employees and customers. Cyber-criminals create rogue assets that look like you to deceive employees and customers into giving up sensitive information or downloading malware.
Cybersecurity must be both more proactive and far-reaching in its approach to identifying and mitigating potential threats before they can attack. That could involve proactively addressing the security weaknesses in the things you own or identifying and taking down rogue assets before they can be used in a campaign. These two needs form the fundamental basis for ASM.
1. Identifying and Understanding Your Attack Surface
The first step in understanding your attack surface is to discover and inventory all your exposed digital assets. While many of these assets are known to the security team and sit firmly within their security program, there is often a significant percentage of assets that don’t.
These unknown assets could be as a result of what is known as shadow IT, where the business creates or outsources the creation of their own digital assets, or they could be assets a business acquires from mergers and acquisitions. Occasionally, internal assets are inadvertently exposed through misconfiguration or old assets are forgotten and drop off the radar. In any event, these unknown assets represent a real risk to the business, as they are unmonitored and unmanaged from a security perspective. We see time and time again in high-profile breaches that the way in was through one of these unknown unmanaged assets.
Once inventoried, assets must be assessed for compromise or potential weakness with the most severe issues prioritized and subsequently addressed. Over time, this process will harden your attack surface, making you a less attractive target.
Once you have a “white list” of owned assets, you can more easily detect and distinguish rogue assets impersonating your brand. While not all instances of brand infringement are malicious, all must be identified and assessed in a timely fashion. Examples of rogue assets include infringing domains, phishing pages, fake websites, fake mobile applications, and fake social media accounts and profiles.
2. Monitor Your Attack Surface for Threats
Of course, all the front-end security work you do will not eliminate the need for an ongoing assessment of your attack surface. Attack surfaces are continually changing—RiskIQ finds on average a five percent change in an organization’s owned Internet-facing assets per month. Rogue assets are often created to support a malicious campaign and taken down by threat actors only a few days, or even a few hours, later. Without continuous monitoring and assessment, your situational view can be markedly different from reality. In the past, IT security risk has been calculated by undertaking an evaluation at a point in time. While that may be sufficient for assets inside the firewall, it is wholly inadequate for assessing the risk of your Internet attack surface.
Owned Internet-facing assets need to be ‘experienced’ from the outside-in, not inspected from the inside-out. Today’s websites are a complex collection of applications, scripts and third-party services that come together when they render in the user’s browser. Only then can you see the full picture of what’s going on. In 2018 the card skimming group Magecart was able to compromise thousands of websites through hacking and adding JavaScript code to widely used third-party services, making it incredibly difficult for organizations using those services to detect. Links in web apps that look legitimate on the first inspection can take the user through a series of redirects to a phishing site or a site delivering malware. It’s only when you experience the site as a user that these things become apparent.
It’s a similar story for company-created mobile applications. Organizations place security tested apps in the primary app stores and assume their job is done. Most fail to understand the complexity of the app store ecosystem with its hundreds of app stores and the movement of inventory that takes place across those stores. Those apps you placed in two stores can overtime be found in dozens of stores. Along the way, some of those apps can be modified by malicious actors. Without regular policing and inspection of your mobile apps, there is no guarantee that your users are getting the experience you intended.
We outlined the risks associated with rogue assets earlier. Rogue assets are created by cybercriminals to support a campaign; i.e., a typosquatting domain hosting a fake website, fake social media accounts, mobile apps and malicious ads all directing users there. By detecting these assets promptly and taking them down, campaigns of this type can be disrupted in the setup phase or the early stages of the execution phase. The challenge is to find these assets promptly across the vastness of the internet. The days when this could be done by people has passed - today organizations require solutions using infrastructure and advanced machine intelligence along with timely processes to assess the generated events and take action.
3. Actively Hunt Your Adversaries
Online security solutions monitoring your network and endpoints are continually serving up suspicious indicators pointing to assets residing on the Internet. Threat Intelligence reports regularly detail threat actors and their tactics along with details of some of their infrastructure. The rogue assets that we covered earlier are hosted on infrastructure that is connected to other adversary owned infrastructure. The challenge for most organizations is how to quickly assess what they are dealing with so they can take appropriate action. It’s not enough to take defensive action against one URL or IP address when that is only a small part of what could hurt you. It’s important to know what else that asset is connected to - in other words, the entire bad neighborhood.
Because hackers can’t avoid interacting with core components of the internet, they leave a trail over time. Fortunately, there are organizations like RiskIQ that monitor those changes to create global Internet datasets that threat hunters can use to connect the dots to map out adversary infrastructure.
As much as this requires the right technology and tools, to modernize your online security also means implementing the philosophy and mindset necessary for today's threat hunter.
Find Them First
You can no longer wait behind a firewall for your enemies to come to you. Instead, you must take the fight to them.
Thankfully, big data sets will help identify emerging security threats before they find you. Sophisticated web crawlers can interact with thousands of websites every day and, by employing virtual user emulation, collect massive amounts of data for analysis.
Advanced correlation algorithms can then detect patterns of malicious behavior undetectable by the manual processes used in the past. Also, these breadcrumb databases of internet activities will produce more effective incident reports to help avoid future problems.
Work Together as a Team
Just as your digital assets are spread across a wide area, the same is often true for IT security departments. When staff becomes increasingly disparate, the tendency to silo information can be even more pronounced.
Effective communication is key on a variety of fronts including security updates and threat identification.
These lines of communication extend beyond just IT personnel. News about emerging threats must be continually disseminated throughout the organization. After all, each employee is also a network entry point which creates the potential for anyone to become an unwitting attack vector. The proper training must be implemented to help everyone avoid phishing, spear phishing, and other attacks utilizing human assets.
The Next Steps to Modernize Your Online Security
The internet landscape will continue to be dynamic. This means that waiting for threats to come to your firewall perimeter is no longer a viable option.
Your cybersecurity must constantly be evolving and include all three elements of an effective threat-hunting strategy:
- Security awareness beyond your firewall
- The right tooling and processes to proactively monitor your Internet attack surface
- Collaboration among critical departments and staff to ensure robust process and timely response
This proactive approach to ASM is not a luxury; it's a necessity.
Ready to modernize your security? Contact RiskIQ today to learn more about proactively planning and executing your company's digital threat management.
