How Unknown Risks Are Causing Cybersecurity Strategies to Evolve
Cyber risk management has become increasingly challenging. Historically, vulnerabilities were CVEs (Common Vulnerabilities and Exposures): known issues in software from technology vendors. Today nearly every company builds its own software, whether an e-commerce webstore, a partner portal for a logistics company, or an interface for manufacturing equipment.
In-house developed software can introduce risks, such as those cataloged in the OWASP Top Ten. Furthermore, the high volume of applications deployed by organizations increases the chance of a misconfiguration, like those compiled by CISA.
Mitigating only CVEs leaves organizations reactive, able to resolve risks in their in-house software only once a breach has occurred. Instead of a reactive approach, organizations are increasingly adopting an offensive security strategy as part of a proactive method of safeguarding their digital assets.
Offense is the best defense
An offensive strategy can help enhance a company’s overall security posture through the proactive discovery of the kinds of coding flaws, misconfigurations, or improperly deployed software applications that lead to hacker exploits. This depends on a variety of methods; historically these have included vulnerability scanning and penetration testing, but more modern, automated approaches are coming to the fore. These newer methods empower security personnel to plug vulnerabilities before a cyberattack can occur.
In this way, offensive cybersecurity can play an important role in risk mitigation by probing for weaknesses. This encompasses a range of security operations in the hope that a broad spectrum of insights will be uncovered. For example, some businesses choose to launch bug bounty programs that invite ethical hackers to find vulnerabilities in exchange for financial rewards, such as Google’s Vulnerability Reward Program.
Automated penetration testing, red teaming, and vulnerability disclosure programs are other alternatives employed by businesses looking to switch their cybersecurity strategy to an offensive one. There’s no single correct strategy. In fact, many organizations utilize multiple tools and processes to thwart cyberattackers. The main thing that unites them is that they don’t depend on businesses waiting to be attacked before taking action.
It is noteworthy, however, that in a survey conducted by the SANS Institute, the top four proactive security measures (vulnerability management, manual penetration testing, red teaming, and blue teaming) that are currently in use were all dependent on human security personnel. Given the pace at which new exploits are emerging, this could mean that even offensive security strategies are unable to keep pace with malicious actors.
Beware the unknown
The adoption of a more proactive approach is, in part, being driven by the presence of unknown threats - the kind that can reside in a network or piece of software for years undetected. As a case in point, the infamous SolarWinds hack of 2020 had been underway for months prior to the incident coming to light. Unsurprisingly, 75% of respondents reported that unknown risk was causing them to increase their offensive security practices.
In order to gain a holistic view of where these unknown risks may reside, it is essential for businesses to have a clear view of their attack surface - all of their digital assets that could be used by an attacker to gain access to or extract data from a system. Due to the rapid process of digital transformation underway at many companies, their attack surfaces are increasing in size all the time.
In light of the broadening attack surface, organizations are looking to attack surface management tools to safeguard their digital assets - and some companies are integrating these with their offensive security operations. This is because there is significant overlap in the objectives underpinning each approach, with 39% of respondents to the survey indicating that unknown and untested digital assets are among their top attack surface concerns.
Attack surface management tools can help businesses to pinpoint where their vulnerabilities reside, but even then these can place a significant burden on security personnel. Instead, automated penetration testing can scan your attack surface autonomously. This avoids many of the concerns that prevent organizations from adopting external attack surface management (EASM) tools, such as cost, staffing concerns, a high rate of false positives, and a lack of integration options.
While EASM tools can lack the comprehensive range of offensive security capabilities required to find risks, automated penetration testing solutions emulate hackers for comprehensive security validation. Instead of periodic tests and the assessment gaps that accompany them, automated penetration testing discovers and validates risks continuously, alerting security staff whenever remediation is required.
Planning for tomorrow
Ultimately, it’s important to realize that the cybersecurity space is in a constant state of flux. Last year, over 25 thousand new Common Vulnerabilities and Exposures (CVEs) were reported worldwide - the highest annual figure to date. The methods employed by attackers - from ransomware to deepfakes - are constantly evolving too. Organizations can’t afford to wait around for a breach to occur; the financial and reputational damage that could result may be irreparable.
Fortunately, more businesses are fighting back against the rising tide of exploits. In fact, according to the 2023 IBM Data Breach Report, 35% of organizations now invest in offensive security after a breach (the fourth most common investment). These businesses are incorporating new technologies as part of an offensive cybersecurity strategy - technologies like AI and automation. By validating their defense in this way, in combination with improving transparency around their attack surface, organizations can be prepared for the next attack before it takes place.
At Hadrian, we have long pioneered offensive security practices. We adopt a hacker’s perspective to bolster companies’ security at scale, contextualizing risks and prioritizing resources. With our continuous asset discovery solutions, you can gain complete visibility of your attack surface before it’s too late. Then you know where your risks lie. Then, it’s time to go on the attack.