Online Assets to include in your Attack Surface Management Strategy
It wasn’t that long ago when new computers, mobile phones, and various devices started to get introduced to offices worldwide. Today, this is the norm at every business. With the rapid proliferation of hardware assets, software that connects to these assets has followed this growth.
Riding the digital transformation wave has led businesses to continuously invest in technology to automate their processes, increase efficiency, and productivity, lower operational costs and improve customer experience and competitive advantage. According to IDC, the direct digital transformation investment is expected to reach $7 trillion from 2020 to 2023.
Undoubtedly, the most important purpose behind IT investments is to grow and protect the business. This digitization has also contributed to the growth of IT infrastructures needed to support these advancements.
Modern IT infrastructures and the role of online assets
IT infrastructure comprises components to operate and manage an organization’s IT services and environments. It’s usually a combination of hardware, software, networks, servers, physical facilities, and the data center.
Traditionally, an IT infrastructure was made up of the hardware and software components listed above, installed and maintained on-premises and used privately by the organization.
With digital transformation and cloud computing increasing, and even more so in the post-lockdown world, a new type of IT infrastructure has emerged. Cloud computing has diversified companies’ infrastructures with digital assets that are reachable directly over the internet. While this provides convenience to businesses, it also increases the attack surface that has to be managed.
Because these online assets face the internet, they are more exposed to attack, and they play a crucial part in today’s expanding attack surfaces.
An attack surface is the sum of the entire network, all IT environments, and all IT assets, hardware, software, and online assets alike, that are exposed and can be exploited by threat actors to gain unauthorized access to sensitive data such as proprietary code and other company secrets. The larger the attack surface, the greater the risk of cyber threats.
What is Attack Surface Management (ASM)?
Because a large attack surface gives attackers more targets, managing an organization’s attack surface and every asset that is part of it is an essential way to improve its security posture.
All of these assets can be grouped into a few types:
Known assets: all assets known to the organization’s IT/security teams, such as the operating system, network services, servers, domains, subdomains, SSL certificates, web applications, VPNs, etc.
Unknown assets: any assets not under the control and management of the IT/security team, such as shadow IT, testing and staging environments and subdomains, and any apps or resources unknown to the organization.
Third-party assets: assets belonging to vendors and third-party providers that make up an organization’s supply chain with whom the organization exchanges sensitive data.
Continuously changing and growing attack surfaces add new and unmonitored assets, any of which can go through an unnoticed configuration change that results in exposure. To be effective, attack surface management must therefore span all three types of asset.
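To make the three classes concrete, the following Python script, an added example rather than anything from the original post or from Hadrian, reconciles a constructed list of hostnames from passive reconnaissance against a constructed asset inventory and set of owned apex domains: hosts in the inventory are known, hosts that are not are unknown, and hosts whose CNAME points at a domain the organization does not own are third-party assets (even when inventoried, since the vendor controls what answers there). All hostnames and data are made up for the example.

```python
"""Sort discovered hostnames into the known / unknown / third-party classes.

Added example for this post, not Hadrian's tooling. The recon results,
inventory and apex domains below are constructed; a real run would feed in
hostnames from certificate transparency logs, passive DNS and zone files.
"""
from __future__ import annotations

import re
from collections.abc import Iterable

# Name labels that often mark environments nobody owns any more.
RISKY_LABELS = {"staging", "stage", "test", "testing", "dev", "uat",
                "old", "legacy", "backup", "tmp"}


def normalize(host: str) -> str:
    """Lower-case, drop the trailing dot and any '*.' wildcard prefix."""
    host = host.strip().lower().rstrip(".")
    return host[2:] if host.startswith("*.") else host


def owned_by_org(host: str, apexes: set[str]) -> bool:
    """True when host is one of the organisation's apex domains or sits under one."""
    return any(host == apex or host.endswith("." + apex) for apex in apexes)


def classify_assets(discovered: Iterable[tuple[str, str | None]],
                    inventory: Iterable[str],
                    apexes: Iterable[str]) -> dict[str, list]:
    """Bucket recon results into the three asset classes.

    discovered: (hostname, CNAME target or None) pairs from reconnaissance.
    inventory:  hostnames the IT/security team already tracks.
    apexes:     apex domains the organisation owns.
    A host whose CNAME leaves the owned apexes is a third-party asset even
    if it is inventoried: the vendor, not the organisation, controls what
    answers there.
    """
    inv = {normalize(h) for h in inventory}
    apex_set = {normalize(a) for a in apexes}
    result: dict[str, list] = {"known": [], "unknown": [], "third_party": []}
    for raw_host, cname in discovered:
        host = normalize(raw_host)
        target = normalize(cname) if cname else None
        if target and not owned_by_org(target, apex_set):
            result["third_party"].append((host, target))
        elif host in inv:
            result["known"].append(host)
        else:
            result["unknown"].append(host)
    return result


def likely_forgotten(hosts: Iterable[str]) -> list[str]:
    """Hosts whose name labels suggest a test, staging or legacy environment."""
    return [h for h in hosts if RISKY_LABELS & set(re.split(r"[.-]", h))]


# Constructed sample data (example.* and *.example names, not real systems).
INVENTORY = ["www.example.com", "vpn.example.com", "mail.example.com", "shop.example.com"]
APEXES = ["example.com", "example.net"]
DISCOVERED = [
    ("www.example.com", None),
    ("VPN.example.com.", None),                              # differs only in case / trailing dot
    ("staging-api.example.com", None),                       # never inventoried
    ("old-cms.example.net", None),
    ("shop.example.com", "storefront.vendor-a.example"),     # inventoried, but hosted by a vendor
    ("status.example.com", "statuspage.vendor-b.example"),
    ("cdn.example.com", "edge.example.net"),                 # CNAME stays inside owned apexes
    ("*.dev.example.com", None),
]

if __name__ == "__main__":
    classes = classify_assets(DISCOVERED, INVENTORY, APEXES)
    for kind, hosts in classes.items():
        print(f"{kind}: {hosts}")
    print("review first:", likely_forgotten(classes["unknown"]))
```

The normalization step matters more than it looks: inventories and recon output routinely disagree on case, trailing dots and wildcard entries, and without it the same host shows up as both known and unknown. The unknown bucket is then triaged by name, since staging, test and legacy labels are where forgotten environments usually hide.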
Attack surface management, or ASM, is a cybersecurity methodology that refers to identifying, classifying, and monitoring all assets of an organization’s IT infrastructure to uncover exposures.
A robust external ASM solution adopts an attacker’s perspective. In doing so, ASM identifies as many exposed assets as possible, including internet-connected assets, and the risk they pose.
Online assets to include in any ASM strategy
The part online assets play in an organization's attack surface and overall cyber resilience is evident. They are often the low-hanging fruit threat actors use to gain initial unauthorized access to your network and steal sensitive data. Some of the most high-risk online assets that should be a part of any ASM strategy include:
Email servers are a common target for attackers. Missing or misconfigured SPF, DKIM, and DMARC records, or known mail server vulnerabilities, can be scanned for from the outside and fixed before attackers exploit them. Note that SPF on its own only covers the envelope sender; without a DMARC policy that enforces alignment, the visible From: address can still be spoofed.
Web applications are where customer, partner, financial, and other sensitive information lives. Organizations must therefore understand their web application architecture and any exposures that could serve as entry points for attackers. To reduce the overall attack surface, web apps, their components, and any vulnerabilities in them need to be identified and monitored.
The most common web apps are websites. Websites are the main way most organizations interact with their clients, so including every website in an attack surface management strategy is crucial to achieving cyber resilience. Expired SSL/TLS certificates, abandoned subdomains whose DNS records still point at decommissioned services, websites redirecting to a potentially malicious destination, and vulnerabilities in third-party CMS software are just some of the website weaknesses your ASM efforts need to monitor for and uncover before cybercriminals exploit them.
With the rise in remote work, the use of Voice over Internet Protocol (VoIP) for calls and meetings has grown, and so have attacks targeting this infrastructure. Skype, Zoom, Microsoft Teams, and other VoIP platforms are frequently adopted by teams without IT approval, which makes them common examples of shadow IT and high-risk assets by default.
These assets are exposed to many threats, including denial-of-service and traffic interception, and an insecure VoIP system can be an entry point to more sensitive data. VoIP assets typically receive little attention when organizations address their security posture, but they are an important part of any ASM effort.
VPNs have long been a standard part of an organization’s IT infrastructure, and these online assets have become even more widespread with the rise in remote work, as VPNs remain the most commonly employed method of enabling remote access. A VPN acts as an extension of your network to a remote endpoint or to an entire remote workforce, with thousands or tens of thousands of endpoints accessing company resources.
However, the VPN gateway itself is exposed to the internet and can pose a significant risk to organizations. Last year, several critical Pulse Secure VPN vulnerabilities that could be leveraged to access internal networks were reported to be exploited by malicious actors. When a new vulnerability is disclosed, it is a race to patch it before attackers can exploit it. This is why detecting and monitoring your VPNs and remote access points is crucial in maintaining your security posture.
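As an added example for the email-server item above (not code from the original post or from Hadrian), the Python below performs the kind of static SPF, DMARC and DKIM checks an external scanner runs once it has fetched the relevant TXT records. DNS resolution is deliberately left out so it runs offline; the records for weak.example and strong.example are constructed, and the DKIM p= value is a placeholder rather than a real key.

```python
"""Static checks for a mail domain's SPF, DMARC and DKIM DNS records.

Added example for this post, not Hadrian's code. It judges record text an
external scanner would fetch for <domain>, _dmarc.<domain> and
<selector>._domainkey.<domain>; DNS lookups are left out so it runs offline.
"""
from __future__ import annotations

import re

# SPF terms that each cost a DNS lookup against RFC 7208's limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def _term_name(term: str) -> str:
    """'include:_spf.x' -> 'include', '~all' -> 'all', 'redirect=y' -> 'redirect'."""
    return re.split(r"[:/=]", term.lower().lstrip("+-~?"), maxsplit=1)[0]

def _parse_tags(record: str) -> dict[str, str]:
    """Split 'k=v; k2=v2' (DMARC/DKIM syntax) into a dict with lower-case keys."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def assess_spf(txt_records: list[str]) -> list[str]:
    """Findings for the TXT records at the mail domain's apex."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host may use the domain in MAIL FROM"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers return permerror and ignore SPF"]
    terms = spf[0].split()[1:]
    findings: list[str] = []
    lookups = sum(1 for t in terms if _term_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    if any(_term_name(t) == "ptr" for t in terms):
        findings.append("ptr mechanism is deprecated and unreliable")
    all_terms = [t for t in terms if _term_name(t) == "all"]
    if not all_terms and not any(_term_name(t) == "redirect" for t in terms):
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_terms:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' lets every host on the internet send as this domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral: SPF gives no protection")
        elif qualifier == "~":
            findings.append("'~all' softfail: enforcement depends on the DMARC policy")
    return findings

def assess_dmarc(txt_records: list[str]) -> list[str]:
    """Findings for the TXT records at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: SPF/DKIM results are never enforced on the From: domain"]
    if len(dmarc) > 1:
        return ["multiple DMARC records: receivers discard the policy"]
    tags = _parse_tags(dmarc[0])
    findings: list[str] = []
    policy = tags.get("p", "").lower()
    if policy not in {"none", "quarantine", "reject"}:
        findings.append("missing or invalid 'p' tag: record is ignored")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam rather than being rejected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if tags.get("sp", "").lower() == "none" and policy in {"quarantine", "reject"}:
        findings.append("sp=none: subdomains can be spoofed despite the strict apex policy")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports, so abuse goes unseen")
    return findings

def assess_dkim(txt_records: list[str]) -> list[str]:
    """Findings for <selector>._domainkey.<domain> (selector taken from observed mail)."""
    if not txt_records:
        return ["selector does not resolve: mail signed with it fails verification"]
    tags = _parse_tags(txt_records[0])
    findings: list[str] = []
    if tags.get("p", "") == "":
        findings.append("missing or empty p= tag: no public key (empty p= means revoked)")
    if "y" in tags.get("t", "").lower().split(":"):
        findings.append("t=y testing flag: receivers may treat DKIM failures as unsigned")
    return findings

def assess_mail_domain(records: dict[str, list[str]]) -> dict[str, list[str]]:
    """Run every check over a {'spf': [...], 'dmarc': [...], 'dkim': [...]} bundle."""
    checks = {"spf": assess_spf, "dmarc": assess_dmarc, "dkim": assess_dkim}
    return {kind: check(records.get(kind, [])) for kind, check in checks.items()}

# Constructed sample records; the p= value is a placeholder, not a real key.
WEAK = {"spf": ["v=spf1 include:_spf.mailhost.example ptr +all"],
        "dmarc": ["v=DMARC1; p=none; pct=50"],
        "dkim": ["v=DKIM1; k=rsa; t=y; p=Y29uc3RydWN0ZWQta2V5"]}
STRONG = {"spf": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
          "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"],
          "dkim": ["v=DKIM1; k=rsa; p=Y29uc3RydWN0ZWQta2V5"]}

if __name__ == "__main__":
    for name, recs in (("weak.example", WEAK), ("strong.example", STRONG)):
        for kind, findings in assess_mail_domain(recs).items():
            print(f"{name} {kind}: {findings or 'ok'}")
```

In practice the input comes from fetching the TXT records at the domain apex, at _dmarc.<domain> and at <selector>._domainkey.<domain>; the selector is only learnable from the s= tag of DKIM-Signature headers in mail the domain actually sends, so DKIM can be checked only for keys observed in use. The checks are syntactic: a clean result means the published policy is strict, not that the hosts it authorizes are themselves secure.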
Common risks with online assets
Online assets make up a large portion of an organization’s attack surface, and the complex mazes of their interconnected infrastructure make them a common target for malicious actors. Here are some of the most common risks with internet-facing assets:
Public and private cloud environments are an easy and affordable way for organizations to grow their IT infrastructure. While the move to the cloud has enabled organizations to improve their business operations, it has also triggered new security issues.
Due to the sheer complexity of cloud environments, misconfigurations are common and have many causes, such as leaving default settings in place, which are rarely chosen for privacy or security, or granting overly broad access permissions.
Web application vulnerabilities
Web applications communicate and share data with numerous interconnected third- and fourth-party services. Many of these web apps exchange sensitive personal and business data with these parties, and attackers pay close attention to these interdependencies, looking for vulnerabilities and misconfigurations both directly in their target apps and in their digital supply chain. The OWASP Top 10 Web Application Security Risks catalogues the most common application vulnerabilities that threat actors exploit.
Most companies use several email servers or providers for communication, and the security configuration can vary greatly between them. This makes email one of the most easily exploitable attack vectors in an organization’s IT infrastructure.
Known mail server vulnerabilities, such as the remote code execution chain CVE-2022-41040 and CVE-2022-41082 in Microsoft Exchange Server or the Exim vulnerability CVE-2022-37452, are common targets for attackers looking to quickly capitalize on insecure mail servers. Attackers can scan the whole internet for vulnerable mail servers and so target a large pool of organizations at once. Once they gain access, they can use the collected information to run phishing attacks against an organization’s partners and customers.
Shadow IT is the term for all software, hardware, applications, and other services and resources used in an organization without the explicit approval and knowledge of the IT/security team. A personal VPN used for testing, Dropbox, messaging apps, and productivity tools: online assets make up a big part of modern shadow IT. Since these assets are unknown to the responsible team, they can’t be monitored and properly secured, which makes them easy targets for attackers.
The speed with which organizations can provision and de-provision new instances often leads to large numbers of forgotten assets. While an unmanaged asset can be harmless, it can also point to sensitive areas of your systems, as in the case of staging and testing environments left behind by developers. Assets left untouched for months or even years often run outdated software with known vulnerabilities that attackers can exploit easily.
How Hadrian can help you take stock and provide insights on your internet-facing assets
Achieving complete visibility across your asset landscape is challenging when there are hundreds or thousands of assets, so having a robust solution to monitor your growing set of online assets is crucial in managing risk.
Hadrian goes one step beyond automation. Hadrian mimics how an attacker would approach your organization by combining the traditional attack surface management capabilities with expert open-source, passive, and active data reconnaissance to accelerate online asset discovery. This approach allows insights to be acquired in real-time, which is crucial for catching any changes or issues before attackers do.
Hadrian’s external approach to ASM provides deep insights into the relations between assets and helps to illuminate critical vulnerabilities and risks. Furthermore, with its attack-graph approach to mapping attack surfaces, your security teams can effectively visualize these constantly changing asset relations. By linking assets, Hadrian ensures a comprehensive view of the attack surface that covers multi-platform cloud environments and a wide variety of online assets.
Interested to learn how Hadrian can empower your attack surface management strategy? Book a demo today.