In the modern era of interconnectedness and digitalization, the risk of cyber threats has increased in complexity and persistence. Organizations must adopt a proactive and strategic approach to security to safeguard their assets and minimize the likelihood of cyberattacks.
One essential strategy in this regard is attack surface management. It enables businesses to identify and address potential vulnerabilities and exposures comprehensively. By adopting a contextual perspective on threats and understanding the extent of their exposure, organizations can establish a structured process for assessing and mitigating risks.
In a recent webinar, a team of experts that included Barry Coatesworth, Guidehouse Director of Risk, Compliance, and Security, Kory Daniels, Trustwave CISO, and Ed Williams, Trustwave VP of Penetration Testing, debunked misconceptions surrounding attack surface management and shed light on its benefits.
They emphasized how this strategy enables businesses to gain a comprehensive understanding of potential threats, prioritize risks effectively, and develop a systematic approach to minimizing exposures. They also provided practical guidance on building cyber resilience from the ground up, advocating for exposure management as an integrated solution to reduce overall business risk.
Kory – Let's start off with the basics. What is attack surface management? And why are we talking about it today? Why is more attention paid to this terminology now versus, let's say, two, three, or even five years ago?
Ed – What we're doing as an industry now isn't working. I think we can all be honest with that. We're still seeing attacks with organizations getting compromised. So, what we're doing traditionally in terms of pen testing, vulnerability scanning, red teaming, all of that stuff, wrapped up with policy and governance, isn't quite delivering what we need.
We need to do something else. I see it as a continuous process of finding, classifying, and then assessing the security of the entire organization. And the important part is it is continuous. I come from a pen testing background, and pen testing isn't always continuous. It's normally a one-and-done type of engagement. In the pen tests I have done, we may only look at a small part of an infrastructure or a small part of a web application, and what we find is usually not very good for the organization. In fact, more often than not, it might be bad or very, very bad. So, we need to reassess how we look at the entire organization.
Barry – The three things I focus on are passwords, patching, and people. Any of these attack surfaces, such as really weak passwords, unpatched systems, and all sorts of people having access, tend to always cause a breach or play a role in a breach. I think having all three of those things taken care of and locked down is part of attack surface management. Doing so not only reduces overall risk for business but also gives the security team some peace of mind.
Kory – We continue to see third-party risk. I'll call it supply chain resilience or supply chain attack surface management. How does attack surface management play into defending one's supply chain?
Barry – Enhancing attack surface management can significantly bolster supply chain security. There are several measures we can implement to achieve this goal:
Kory – How do we ensure continuous verification and discovery of how our attack surface is developing? I think by focusing on these strategies, we can fortify our supply chain security and safeguard against potential threats more efficiently. What are your thoughts?
Ed – The fundamentals of maintaining good cyber hygiene have not changed over the past two decades or for as long as I've worked as a pen tester. This particular issue stands out more prominently than others. It's astonishing how frequently organizations overstate their current maturity levels and emphasize implementing new technologies and acquiring advanced knowledge. However, when we conduct actual penetration tests and assess the environment, we often encounter basic issues. By "basic," I don't mean trivial; I mean widespread and challenging concerns. As Barry mentioned, people are often at the heart of these issues, including patching and passwords.
In my experience, focusing on passwords, patching, and policy tends to uncover the root of many problems. These are the fundamental elements that frequently cause difficulties for individuals and highlight the lack of maturity in certain aspects of a business. The results can be quite revealing when conducting penetration tests for assurance purposes, and they often yield binary outcomes. It's either good or bad, great or not.
During the post-assessment review of a pen test, we commonly encounter two responses when we have successfully compromised an environment. The first is, "We were aware of that vulnerability, but we decided to ignore it," and the second is, "We were not aware of that vulnerability." Understanding these responses is crucial in comprehending the basics. It means ensuring that asset and data flows are fully understood.
Once you have a clear understanding of your assets and data flows, you can focus on maintaining proper hygiene throughout the organization, whether it involves mainframes or PCs running Windows NT. Every aspect of the company must be secured and protected. Of course, there may be exceptions, such as legacy systems or overlooked areas. Still, there are always measures we or a client can take to mitigate and reduce risks, making it harder for malicious actors to exploit vulnerabilities.
So, my recommendation to anyone who comes across this information is to prioritize focusing on the basics consistently. Ensure that every corner of your organization is secure, and if patching, sorting, and policy implementation are lacking, assess why they are not effective. Remember, these basics are not easy because they are simple; they are challenging in their implementation, and maintaining proper cyber hygiene across everything is an arduous task.
Barry – In my experience, most organizations have enough technology, and the walls are high enough. Still, they're not actually utilizing technology to its best availability, or they're just not getting the basics done. The basics are what catch people most of the time. There will always be advanced threats, but the basics usually cause issues.
It's hard to deal with and get your arms around large, complex, heterogeneous environments, but it's essential, absolutely essential. Part of that task is good asset inventory. I've seen organizations where they've had a Windows NT or XP machine on the network, which should have been decommissioned years ago. In fact, they thought it was decommissioned, but didn't know it was still running.
This brings me to the next item, which is supporting things on your network that shouldn't be on your network. But they are because you have a lack of visibility; you don't know it's there. Shadow IT occurs when people put things on the network for development purposes or testing purposes without informing anyone or it wasn't documented correctly.
Kory – How do you prioritize increasing your efforts at attack surface discovery in your cloud and OT environments?
Ed – I'll begin with a very simple answer. It's always the cloud and accurate data that should be prioritized. If you don't have accurate data, then you cannot be sure what your attack surface is and not sure what's in the cloud. Without accurate data, you will be putting resources and effort into things that might not be necessary, and in today's environment, you need to be careful with your resources, both financial and personnel resources, where you've spent time and effort to deal with these risks.
Barry – I agree with that. Each organization is unique, with its own set of priorities and areas of importance. These priorities can include data records, information, or other factors. Therefore, it is crucial to comprehend what is critical and essential to the business and then proceed by working backward from that point.
During our discussions, we often delve into topics such as red teaming and purple teaming, which are integral to an effective plan. The focus is on identifying what is key and critical to your organization. What is the one thing that, if compromised, would prompt an urgent phone call on a Friday afternoon? Once this is determined, you can then develop a comprehensive strategy that covers all bases, incorporating various technologies such as scanning, penetration testing, red teaming, continuous scanning, or any other approach that aligns with your preferences.
Barry – The other issue with prioritization is an organization cannot protect everything equally. It's essential to make reasonable allowances and not overload your network or infrastructure. Understand the specific routes and safeguards for your personally identifiable information (PII) and other critical assets. Determine what needs higher levels of protection and what can be assigned lower priority. In certain cases, or instances, you might need to make sacrifices or trade-offs, although it's not an easy decision to make.
It takes courage to acknowledge that it's impossible to secure everything comprehensively. Trying to provide protection for every single aspect would be unfeasible for the business. In fact, it can slow down operations and lead people to cut corners. Instead, focus on critical systems and prioritize the implementation of robust controls for them. Simultaneously, exercise caution and reduce the number of controls in less critical areas. It's crucial to strike a balance.
When securing your network or infrastructure, keep in mind that your engineers may seek workarounds not out of malicious intent, but simply to accomplish their tasks efficiently. If they encounter excessive security measures or barriers, they might find ways to bypass them, potentially compromising the overall security posture. Therefore, it's important to find the right balance between securing your assets and providing a practical environment for your team to perform their duties effectively.