Imagine you were responsible for the protection of a building.
You'd probably start by analyzing its entire interior and exterior, mapping every square foot to determine what defenses you need to put in place and where. Along with your locks and alarms, you'd want to install a network of surveillance cameras positioned to give you real-time visibility of the entire structure, i.e., anywhere a burglar could possibly show up. It's a pretty clear-cut formula that, once implemented, ensures you're ready to defend against intruders.
Securing a building is a metaphor that's used in corporate cybersecurity often, and for a good reason—it's a straightforward way of characterizing network security controls. Your firewalls and proxies are your locks, and your scanners are your security cameras, letting you know everything that's going on within your network. Traditionally, these things would leave you in good shape cybersecurity-wise. However, the world is rapidly changing, and so is the threat landscape targeting businesses.
Due to cloud server migration, hosting, and other digital media initiatives, a business's digital presence no longer fits neatly behind its tightly secured perimeter. Its attack surface sprawls out across the open internet, outside the scope of firewalls and endpoint protection, as a collection of millions of digital assets laid bare for all to see, including hackers, as they research their next threat campaigns.
This new reality for security teams means that the building metaphor must take a turn for the absurd to still represent what they need to protect. Now, imagine that building you're guarding is not only growing larger every day, but also its rooms are changing, rotating, and reorientating in real-time. The map you made of your building yesterday is no longer relevant today—you’ve lost track of many of the rooms, and new, hidden rooms have sprung up.
This metaphorical building is growing because the internet is growing, and not just the number of users; its actual size is continuously increasing. Over only two weeks, our crawling network at RiskIQ observed 3,495,267 new domains (249,662 per day) and 77,252,098 new hosts (5,518,007 per day) across the internet. For attackers, each of these represents a possible target or a piece of infrastructure they can use to take down a business. The building is changing because the internet is changing every second. Domain ownerships change, DNS resolutions shift, certificates expire, and frameworks require patching, to name just a few examples.
For businesses, most of their attack surface is comprised of assets belonging to three categories. First are the legitimate assets, which belong to companies under the purview of their IT and security teams. Second asset of the attack surface are those spun up by partners or employees without the knowledge of the IT and security teams, which are known as Shadow IT. Third, is a rapidly growing category known as ‘rogue assets,’ which attackers create to mimic legitimate businesses to target their customers in the wild. These phishing sites, fake mobile apps, and command and control servers are nearly impossible to detect at scale with traditional tools.
Digital assets in any of these categories can lead to a compromise of the business, and organizations that don't understand how they appear to attackers beyond their firewalls are at risk. Known assets require patching, Shadow IT can be forgotten about to everyone but hackers, and rogue assets are created in the internet's ever-growing abyss and can hide there indefinitely.
Internet visitors that use or interact with these assets are in the crosshairs like never before by attackers who view their clicks, traffic, credentials, and computers as commodities to be harvested and traded. Unfortunately, unlike the security cameras watching over our tightly secured metaphorical building, most security teams have no visibility into the open internet to see where their organization's brand is being abused.
For security teams, the sheer depth and breadth of what they need to defend may seem daunting. However, putting the massive scope of their organization's attack surface into perspective isn't impossible; it just requires them to look at their attack surface in a new way. Your organization isn't a building; it's a living, breathing digital entity that is going to change continuously. Embrace that.
This new attack surface can no longer be likened to a building, but mapping its area and having visibility across it is still crucial. Along with traditional firewalls and scanners to protect their network, security teams need the following:
- The ability to scan the internet: it's crucial to understand what belongs to you and what you look like to customers and attackers. Attackers perform reconnaissance to find and exploit unknown, vulnerable, and unmonitored internet-facing websites, applications, forms, and underlying infrastructure. According to Verizon and others, 70% of all successful breaches today originate on the internet.
- Visibility: organizations require rich internet data to be accessed automatically by their other security tools to add "outside the firewall" context to other security functions. Through this data with existing systems and processes, organizations can bring internet visibility to a range of additional security and IT operations tools to enrich the information they deliver, accelerate response or mitigation and improve the organization's cyber effectiveness.
- User-style interaction: security teams need to be able to interact with the entire internet as a user would. This capability helps them continuously monitor their assets as well as search for rogue assets in the wild, even as their attack surface -- and the internet as a whole -- grows and evolves. Fortunately, despite this drastic increase in what security teams are now tasked with protecting, basic tenets of cybersecurity haven't changed. With the right tools, security teams can apply the same rules that keep their internal networks safe to their entire attack surface.
Don't get overwhelmed on your way to a robust attack surface management plan. by gaining visibility and awareness, your company and its assets will be much safer. Find out more about attack surface management today.
The RiskIQ Intelligence Connector for Microsoft Azure Sentinel Is the Context-Rich Force Multiplier Security Teams Need
Digital initiatives have changed the enterprise attack surface and how organizations appear online, both to users and malicious actors. Meanwhile, the threat landscape has evo...