How event-driven architectures balance continuous security validation and intrusion
Find out how Hadrian’s event-driven architecture allows for continuous security validation which balances consistent testing with a lack of intrusion.
Attack Surface Management and Vulnerability Management are both strategies used by offensive security professionals to identify vulnerabilities. Increasingly, however, Vulnerability Management alone is not enough to manage rapidly expanding attack surfaces and the rise of supply-chain attacks.
Hadrian advocates a version of Attack Surface Management that focuses on continuous security validation through event-driven testing. This approach is better at finding "unknown unknown" assets, improving asset discovery.
A digital attack surface includes all the assets of a company’s infrastructure which store data, both hardware and software. Attack Surface Management takes a holistic approach to mapping these assets with the intent of continual identification. A good attack surface management strategy will map multiple paths that an attacker may take to infiltrate the attack surface.
Attack surface management pays attention to how assets connect. An environment that holds credentials to a company’s database is not a critical vulnerability on its own. However, if the database those credentials authenticate to is itself reachable from the internet, this becomes a highly critical risk. Examining how assets connect provides better threat intelligence insights and vulnerability assessments.
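The credentials-plus-exposed-database reasoning above can be made mechanical: treat the inventory as a graph and rate an asset by whether any internet-facing asset can reach it, not by its properties alone. This is an added illustration, not Hadrian's code; the inventory, the edge semantics ("compromising A gives access to B") and the three rating labels are constructed for the example.

```python
# Added example (not Hadrian's code): score assets by how they connect.
from collections import deque

# Constructed sample inventory. "internet_facing" = directly reachable from
# outside; "holds_data" = the asset is a data store worth protecting.
ASSETS = {
    "web-frontend": {"internet_facing": True,  "holds_data": False},
    "ci-runner":    {"internet_facing": False, "holds_data": False},
    "customer-db":  {"internet_facing": False, "holds_data": True},
    "analytics-db": {"internet_facing": True,  "holds_data": True},
    "hr-db":        {"internet_facing": False, "holds_data": True},
}
# Edges mean "compromising the key gives access to the value", e.g. an app
# config or build secret that contains credentials for a database.
EDGES = {
    "web-frontend": ["customer-db"],  # app config holds the customer DB password
    "ci-runner":    ["hr-db"],        # build secrets hold the HR DB password
}

def attack_paths(assets=ASSETS, edges=EDGES):
    """Breadth-first search: every path from an internet-facing asset to a data store."""
    paths = []
    queue = deque([[name] for name, a in assets.items() if a["internet_facing"]])
    while queue:
        path = queue.popleft()
        current = path[-1]
        if assets[current]["holds_data"]:
            paths.append(path)
        for nxt in edges.get(current, []):
            if nxt not in path:          # avoid cycles
                queue.append(path + [nxt])
    return paths

def rate(asset, assets=ASSETS, edges=EDGES):
    """'critical' if the asset lies on an internet-to-data path; 'latent' if a data
    store is reachable via credentials but nothing internet-facing leads to it;
    'low' otherwise. The same credentials rate differently depending on exposure."""
    if any(asset in p for p in attack_paths(assets, edges)):
        return "critical"
    if assets[asset]["holds_data"] and any(asset in t for t in edges.values()):
        return "latent"
    return "low"

if __name__ == "__main__":
    for p in attack_paths():
        print(" -> ".join(p))
    for name in ASSETS:
        print(f"{name}: {rate(name)}")
```

Note that hr-db and customer-db both have credentials sitting on another host; only customer-db is rated critical, because only its credential holder is internet-facing.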
Common vulnerabilities within Attack Surfaces include:
Internet of Things
Vulnerable and outdated software
Unknown open-source code
Third-party vendors failing to properly manage their assets
Vulnerability management is a subset of attack surface management. Vulnerability management solutions tend to look at a specific asset or a specific section of the environment. The assets targeted by a vulnerability management process tend to be more software-based, whereas attack surface management includes both hardware and software. Many different vulnerabilities may be targeted in vulnerability management:
Cloud or systems misconfigurations
Out-of-date or unpatched software/applications
Missing user credentials
Unencrypted information or data
The less holistic perspective of vulnerability management means it often misses how the assets connect, limiting risk assessment.
As attack surfaces expand, a more holistic view is increasingly necessary. As companies migrate to the cloud, the scope for unknown digital assets in the network increases. The growth of the Internet of Things and the demand for cloud services have led to rapidly expanding attack surfaces.
In addition, cyber attacks are becoming more advanced. As attackers probe thousands of vulnerable assets in parallel, continuous security validation and proper asset mapping are increasingly important. Older techniques such as security by obscurity, vulnerability management and periodic pentesting cannot keep up with the cadence of attacks.
Several factors make attack surfaces harder to manage:
Shadow IT
Ad hoc implementation
Interactions with other organizations through mergers, acquisitions and the supply chain
Security professionals inundated with information
Shadow IT occurs when applications, devices or software are used without IT department approval. The growth of cloud services and remote working has increased the amount of Shadow IT present in company infrastructure.
Employees often use Shadow IT because they feel it helps them be more productive. It’s difficult for defensive security teams to monitor these applications and software because they simply don’t know they exist. However, Shadow IT does increase the risk of vulnerabilities such as data leaks.
The rise of remote work has meant that the tools and servers in use often don’t match centralized security protocols. During the pandemic, cloud services and shareable data storage led to quick, decentralized implementation of software. Ad hoc implementations make it harder for defensive security teams to manage all the assets connected to the network.
Issues can arise when the assets connected to a network belong to third-party organizations in your supply chain. Some of the organizations you interact with may not have updated security protocols. For instance, in mergers and acquisitions the new company may not have up to date security patches.
Supply-chain attacks are also increasingly common. In a supply-chain attack, attackers access the network through the assets of a vendor or provider. For instance, in December 2020, an attack on SolarWinds deployed malicious code into its Orion IT management software. The result was a huge data breach that affected thousands of other organizations.
Even with a strong attack surface management protocol, the amount of information presented can be overwhelming. Security Magazine found that over half of respondents spent more than 20% of their time deciding how to prioritize alerts. In addition, alert fatigue can decrease productivity as a result of burnout, stress and tension within the team.
Hadrian’s attack surface management strategy combines automation and event-driven testing to allow for holistic and continuous attack surface mapping. OSINT reconnaissance and passive data sources supply data on real-time traffic, complemented by vulnerability scanning.
The event-based framework allows this data to be collected continuously, going beyond point-in-time penetration testing. By approaching the attack surface from the outside, Hadrian identifies the same entry points that an attacker would. This outside-in perspective helps to provide critical information about digital assets and to prioritize them based on risk.