By Nathan Wenzler, Chief Cybersecurity Strategist, Tenable
As more and more assets, services and applications become internet-facing or reside on the internet, security teams are frequently unaware of their full digital footprint. The reality is that people on the outside often know more about the organisation’s attack surface than those within.
Proprietary research from Tenable shows that, as of June 28, 2023, the 25 Indian organisations with the largest market capitalisation possess over 300,000 internet-facing assets that are susceptible to potential exploitation.
Exploiting public-facing assets is one of the most common attack vectors used by cybercriminals.
Nearly every company’s public-facing attack surface faces a barrage of attacks every day, and any vulnerability or misconfiguration in an external network, system or application opens the door to a potential data breach. Achieving visibility in cybersecurity is a critical but challenging objective, and gaining complete awareness of assets is essential for bolstering defences against cyber adversaries. This broader understanding of an organisation’s attack surface is emphasised in CERT-In’s advisories as a vital component of cybersecurity best practice.
A large part of the challenge in securing the sheer scale of the modern cybersecurity architecture lies in identifying all external assets, both known and unknown, understanding the security state and risk posture of those assets, and doing so before cybercriminals discover the most critical exposures. Yet full asset visibility remains one of cybersecurity’s most elusive goals. A prime example is the Log4j vulnerability, where the inability to discover or detect the log4j library everywhere it was in use, across a huge number of applications and source code repositories, slowed most remediation efforts. With tremendous asset sprawl, and many assets outliving their initial purpose and running without ever being identified, organisations need scalable, automated tools such as external attack surface management to eliminate security blind spots and reach the same level of visibility that attackers already have.
Gaining full visibility into the external attack surface
The truth is that many organisations struggle to implement comprehensive inventory controls for internet-facing assets: regularly scanning the entire public internet for any and all assets associated with the organisation is practically impossible to do manually, or with the traditional asset management tools and processes that work within well-controlled private environments. The traditional concept of IP blocks and contiguous IP space is giving way to highly interconnected networks that extend across numerous cloud providers. Even for organisations striving for a proactive security posture, the challenge lies in identifying all assets everywhere they are.
Even with multiple security tools, organisations may still struggle to achieve 100% visibility. This is also why cybersecurity defences don’t always align with what attackers are focused on. A recent SANS survey found that most organisations worldwide believe they don’t have a handle on what attackers would focus on, and that their weakest link was a lack of visibility into outside connections, that is, public-facing assets.
Given the modern digital business climate, all organisations have a significant number of these outside connections, such as services, devices, internet-facing apps and APIs, and the picture only becomes more complex when you take into account the growing number of users, infrastructure connections and information exchanges with third parties that take place in the normal course of operations. This is the attack surface that organisations must understand and defend. And here is the hard truth: organisations can’t prioritise and analyse their risk if they are unable to continuously detect and scan all assets, including external ones. Anything less is guesswork.
That’s why it’s critical for organisations to catalogue and manage all internet-facing assets to obtain a true understanding of their external footprint. This level of visibility is the first required step for any great security program aiming to defend against the more sophisticated threats that emerge.
Attack surface management for proactive security
In addition to establishing better visibility of the external attack surface for vulnerabilities and misconfigurations, organisations also need to understand how these risks can impact their business. This is particularly challenging in India where data categorisation and security are heavily focused on compliance requirements, with limited capacity to understand the security context.
For example, a security team examines an endpoint and discovers that it is out of date and not fully patched. Many technical risk assessments simply stop there. From a business perspective, however, more context is required to meaningfully assess the level of risk this technical vulnerability poses. Is this system an old test server with no critical data, or is it the primary web server supporting the organisation’s website? No two assets are the same in the impact and criticality they represent to the business and its functions.
Mature external attack surface management solutions allow organisations to establish visibility across the entire attack surface in minutes, easily categorise assets, and apply comprehensive filtering to make informed decisions. Such solutions answer pressing questions for security teams: Is the user someone who would typically have use of valuable or sensitive data? What is the real significance of the data being accessed? What is the posture or health of user identities? Have the credentials been associated with unusual activity? What network activities has the user been associated with?
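The two steps the article describes, reconciling what an external scan finds against the internal inventory (so that unknown assets, the blind spots, surface for triage) and weighting each technical finding by the asset’s business criticality, can be sketched in a short script. The Python below is an added example written for this page, not Tenable’s code or product logic. The hostnames, IP addresses, findings, ownership and criticality tiers are all constructed sample data, and the scoring formula (worst finding, raised for in-the-wild exploitation, scaled by a criticality weight) is an illustrative assumption, not an industry standard.

```python
"""Reconcile externally discovered assets with the internal inventory and rank
the resulting exposures by business context.

Added example for this article; not Tenable code. All data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed weights per business-criticality tier. A real EASM workflow would
# derive these from asset tagging rather than a hard-coded table.
CRITICALITY_WEIGHT = {"critical": 3.0, "high": 2.0, "medium": 1.0, "low": 0.5}
# An asset the scan found but the inventory does not know is a blind spot:
# nobody owns it, so it is treated as "high" until someone triages it.
UNKNOWN_ASSET_WEIGHT = CRITICALITY_WEIGHT["high"]
# Findings with known in-the-wild exploitation outrank same-CVSS peers.
EXPLOITED_MULTIPLIER = 1.5


@dataclass
class Finding:
    title: str
    cvss: float                      # base severity, 0.0 to 10.0
    exploited_in_wild: bool = False


@dataclass
class Asset:
    hostname: str
    ip: str
    findings: List[Finding] = field(default_factory=list)
    owner: Optional[str] = None       # None: nobody has claimed it
    criticality: Optional[str] = None # None: unclassified


# The asset register as the security team knows it (constructed sample data).
INVENTORY: Dict[str, Asset] = {
    a.hostname: a
    for a in [
        Asset("www.example.test", "203.0.113.10", owner="web-team", criticality="critical"),
        Asset("vpn.example.test", "203.0.113.20", owner="netops", criticality="high"),
        Asset("old-test.example.test", "203.0.113.30", owner="qa", criticality="low"),
    ]
}

# What an external scan of the organisation's footprint actually sees (constructed).
DISCOVERED: List[Asset] = [
    Asset("www.example.test", "203.0.113.10",
          findings=[Finding("Outdated TLS library", 7.5)]),
    Asset("vpn.example.test", "203.0.113.20",
          findings=[Finding("Unpatched VPN appliance", 9.8, exploited_in_wild=True)]),
    Asset("old-test.example.test", "203.0.113.30",
          findings=[Finding("Unpatched web framework", 9.8, exploited_in_wild=True)]),
    Asset("staging-api.example.test", "198.51.100.5",
          findings=[Finding("Exposed admin interface", 8.2)]),
]


def reconcile(discovered: List[Asset], inventory: Dict[str, Asset]) -> Tuple[List[Asset], List[Asset]]:
    """Split discovered assets into known (enriched with owner/criticality) and unknown."""
    known, unknown = [], []
    for asset in discovered:
        record = inventory.get(asset.hostname)
        if record is None:
            unknown.append(asset)
            continue
        asset.owner = record.owner
        asset.criticality = record.criticality
        known.append(asset)
    return known, unknown


def _technical(f: Finding) -> float:
    return f.cvss * (EXPLOITED_MULTIPLIER if f.exploited_in_wild else 1.0)


def score(asset: Asset) -> float:
    """Worst technical finding scaled by the asset's business weight."""
    if not asset.findings:
        return 0.0
    worst = max(_technical(f) for f in asset.findings)
    weight = CRITICALITY_WEIGHT.get(asset.criticality, UNKNOWN_ASSET_WEIGHT)
    return round(worst * weight, 2)


def prioritise(discovered: List[Asset], inventory: Dict[str, Asset]) -> List[Tuple[str, float, str]]:
    """Return (hostname, score, note) rows, highest risk first."""
    known, unknown = reconcile(discovered, inventory)
    rows = [(a.hostname, score(a), f"owner={a.owner}, criticality={a.criticality}") for a in known]
    rows += [(a.hostname, score(a), "NOT IN INVENTORY: assign an owner and classify") for a in unknown]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for hostname, risk, note in prioritise(DISCOVERED, INVENTORY):
        print(f"{risk:6.2f}  {hostname:28s}  {note}")
```

Run as written, the sample ranks the exploited VPN appliance first and the primary web server second, while the same 9.8 finding on the low-criticality test server lands last; the unclaimed staging API, which the inventory never knew about, outranks it purely because it is untriaged. That ordering is the article’s point in miniature: the technical severity is identical, and only business context separates the two.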
Context in cybersecurity matters: vulnerabilities and misconfigurations are plentiful, and the ability to prioritise and address them can determine the success or failure of a security program.
A lack of this context hampers effective risk assessment and undermines the very essence of a robust security program. Neglecting vulnerabilities and misconfigurations in the external attack surface could pave the way for costly and reputation-damaging cyberattacks. External attack surface management helps organisations mitigate these risks by offering objective insight into the external attack surface and facilitating prioritised remediation efforts.