The Art of Defending Your Attack Surface
Digital transformation initiatives across all verticals and organizations have increased the complexity and volume of internet-facing assets. This raises the question: how can security teams build processes around assets they cannot see, or do not even know exist?
We sat down with Matt Bittick, the head of the Attack Surface Risk Management program at Cummins, to discuss strategies and methodologies for protecting your expanding digital attack surface, and how utilizing Recorded Future can help with prioritization and risk reduction.
(Recorded Future) Before using Recorded Future, how were you attempting to secure your attack surface?
(Matt) Painstakingly. Using open source tooling is kind of the easiest way. We try to get from the business what they know in our inventory management systems. Spoiler alert, it’s not much, and then we work from there. A lot of Nmap, Kali Linux, built-in tools as well. Reconning, and just trying to build out what that inventory could even be and find everything. It was very labor intensive.
For many organizations, it takes over 80 hours to perform their attack surface discovery. Is that something you were finding as well?
Yeah, that’s exactly right, we found on average we’re spending about 80 hours. The old adage in the intelligence community is that when intelligence is neither timely nor actionable, it’s just news, and it’s old news at that. So spending that long to find something in a space that’s dynamic, like your attack surface, that’s not ideal.
After implementing Recorded Future Attack Surface Intelligence, how has that helped improve your visibility and efficiency?
Immensely. We talked about the efficiency piece and about all the labor that would go in just for inventory and mapping. It’s significant, right? So cutting that out, and now it's all ready for me in the morning. I can come in, I know what the attack surface is, because it's already been done. I don't have to spend all day plugging away in a command-line interface just to find some assets.
One big difference we found, compared to when I started and we were doing this manually: I'm pretty confident in my ability to conduct reconnaissance on an organization, but we still found that there was a delta of about 20% of the attack surface that I wasn't finding on any given day.
There are multiple reasons for it, but I'm also confident that any person whose career is the malicious exploitation of somebody's organization for cybercrime is probably better at it than me. So we want to have the best image that can be produced, and I find that incredibly valuable from the product.
What do you need to have a successful Attack Surface Risk Management program?
You know, it's a really great question, and I think visibility, asset inventory, and the mapping are the start of your journey. We believe that you need workflows, you need processes, and you need ways of handling that. So to be successful, you need to not only know what your problems are, but also how to deal with them.
We have two main problem statements when we're looking at this attack surface problem:
- What is our attack surface?
- And then how do we secure it?
There are also a couple of different actions you can take, whether it's remediation or reduction. We love reduction. If it can't be on the Internet, great. Let's get it off there.
How would you describe the importance of protecting your digital attack surface, and the role that Recorded Future plays in that protection?
I think there's kind of a three-pronged approach when you're showing the importance of an attack surface program to your CISO. First, I always try to paint a picture for the CISO. The organization is their castle, right? And they're sitting there defending it. I think the best way to even pitch the idea of attack surface to a CISO is to show what it is and come prepared with the measurement of this is how much of your castle is just open. Is there a big old hole in the wall? If 50% of the castle's penetrable or just has an open door, there's not much point to the castle.
The second piece is then showing how you're going to take action on that, and the processes you’re building and the way it’s going to be done. I think that's where Recorded Future comes in, both in showing the original attack surface, but also in the value it brings. For me, what I think is really key is the fact that Recorded Future Attack Surface Intelligence is more than integrated, it’s a part of our cyber threat intelligence platform so we can take that risk assessment to the next level.
When you’re looking at two different vulnerabilities that are possibly both critical per the CVSS score, which one's more important? Well, probably the one that an APT interested in your type of organization or industry has as part of their TTPs, or that is being actively used in your threat landscape. We really want to go after that first. When you can show that in a resource-constrained environment where you need to rack and stack your priorities, I think that’s key. I’m sure there’s nobody in the audience who feels like they have enough resources.
The third piece is to show the value that it brings to your organization. As you bring these processes online, map that attack surface, then measure it, understand how big it is and measure the problems that exist within it. And then you can present the value in the reduction of your overall attack surface. That's why we refer to my role as a risk reduction role, because we're showing how maybe our attack surface is expanding, but our risk profile is constricting. And that's really where you start to show the value of an attack surface tool and an attack surface program.
I'll also say this, I don't think you have to do all 3 of those things in one presentation. That evolves over time, it certainly did for us. When I first came we had the problem of “Hey, we have an attack surface. We don't know what it is. We don't know what to do about it.” So it took a whole lot of build up to reach those points. And I think that as long as you're keeping those touch points with your CISO and helping them understand what the risk is and what could happen if we don’t do anything about it.
Why do exposed admin panels present a big risk along your attack surface?
With exposed admin panels, it’s kind of an interesting conversation, but it’s a direct interface into that software platform. You may see varying types of Apache, Drupal, sometimes even admin panels for firewalls. The reason that’s a problem is that there's always the potential for out-of-the-box configurations not being changed. So if you have default credentials, what was the point of deploying a firewall? That’s always a key risk, but assuming you have slightly more mature processes and somebody didn’t mess up, things happen. Sometimes even the most expert person can make a mistake; maybe they didn’t have enough coffee that day.
Additionally, there’s brute-forcing potential. Why open something up that really doesn’t have a need to be external to begin with? We have VPNs, we have remote administration. You can come into your internal environment from your own home nowadays and navigate your admin panel that way, instead of just having these logins available for brute forcing. That’s a huge issue that you could just mitigate by saying, “Hey, let’s just take this off. Let’s just move this inside.”
When we look at successfully protecting the attack surface, what does that look like? Is there an end state?
That's almost the first question I got asked by my CISO when we started looking at this problem. And the answer is that the attack surface is way too dynamic for it to ever be an end-state objective. I personally believe that there are goals for management to get to an acceptable level. In the risk space, you'll never have zero risk. There's always going to be residual risk. And even if you do hit zero, it's not going to stay there.
Unfortunately, well, fortunately for the world, the cloud exists. Cloud is a fantastic business tool. But cloud is on and off, you know. It's incredibly dynamic and things shift so often, and the ability for the company to be so elastic in expanding its attack surface at such a rapid rate is critical. So to reach an end state, that goalpost is never going to be sitting still. You're always going to be chasing the next thing and driving that wave of risk down, but we do believe that you can have it within a certain margin that's acceptable for both the cybersecurity organization and the business to operate with.
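Three things in the conversation above lend themselves to a small worked example: the manual Nmap-based reconnaissance Matt describes, the roughly 20% of the attack surface that the business inventory does not know about, and the "reduction" action for exposed admin panels (take the interface off the Internet and put it behind the VPN). The script below is an added illustration written for this page; it is not Cummins' tooling and not Recorded Future's product code. It parses Nmap greppable (-oG) output, computes the inventory gap against what the business claims to own, and flags administrative interfaces that are candidates for reduction. The scan lines, the inventory set, and the admin-interface heuristics (service names, ports, banner keywords) are all constructed assumptions for the example; the addresses are documentation-range IPs that belong to nobody.

```python
"""Reconcile a business-provided asset inventory against external discovery
output and triage exposed administrative interfaces.

Added illustration for this interview page, not Cummins' or Recorded
Future's tooling. Input is Nmap greppable output (-oG). The sample scan
output, the inventory and the admin-interface heuristics are constructed
for the example.
"""
from dataclasses import dataclass

# Constructed sample: what an external scan of five hosts might return.
SCAN_OUTPUT = """\
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https//nginx/\tIgnored State: closed (999)
Host: 203.0.113.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 8443/open/tcp//https-alt//firewall admin ui/\tIgnored State: closed (998)
Host: 203.0.113.12 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (999)
Host: 203.0.113.13 ()\tPorts: 443/open/tcp//https//nginx/\tIgnored State: closed (999)
Host: 198.51.100.7 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.57/, 10000/open/tcp//http//MiniServ (Webmin httpd)/\tIgnored State: closed (998)
"""

# Constructed sample: what the inventory management system says exists.
# One of the five scanned hosts is missing from it, the kind of delta
# the interview talks about.
KNOWN_ASSETS = {"203.0.113.10", "203.0.113.11", "203.0.113.13", "198.51.100.7"}

# Heuristics for "this is an administrative interface" (assumptions for the
# example; a real program would tune these to its own estate).
ADMIN_SERVICES = {"ssh", "telnet", "ms-wbt-server", "vnc", "snmp"}
ADMIN_PORTS = {2222, 4443, 8443, 9443, 10000}
ADMIN_BANNER_WORDS = ("admin", "webmin", "manage", "terminal services")


@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str
    version: str


def parse_nmap_grepable(text):
    """Parse -oG 'Host:' lines. Returns (hosts in scan order, open ports).

    Each Ports entry has the form port/state/proto/owner/service/rpcinfo/version/.
    """
    hosts, ports = [], []
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        if host not in hosts:
            hosts.append(host)
        ports_field = next((f for f in fields if f.startswith("Ports: ")), None)
        if ports_field is None:
            continue
        for entry in ports_field[len("Ports: "):].split(", "):
            parts = entry.split("/")
            port, state, proto, service, version = (
                parts[0], parts[1], parts[2], parts[4], parts[6])
            if state == "open":
                ports.append(OpenPort(host, int(port), proto, service, version))
    return hosts, ports


def inventory_delta(known, discovered):
    """Hosts the scan found that the inventory does not list, and their share."""
    unknown = sorted(set(discovered) - set(known))
    fraction = len(unknown) / len(discovered) if discovered else 0.0
    return unknown, fraction


def is_admin_interface(op):
    """True when the open port looks like a management/login interface."""
    banner = (op.service + " " + op.version).lower()
    return (op.service in ADMIN_SERVICES
            or op.port in ADMIN_PORTS
            or any(word in banner for word in ADMIN_BANNER_WORDS))


def triage(known, scan_text):
    """Build the two problem statements from the interview as data:
    'what is our attack surface' (unknown hosts, delta) and 'how do we
    secure it' (admin interfaces that should be reduced, i.e. moved
    behind the VPN rather than left open to brute forcing)."""
    hosts, ports = parse_nmap_grepable(scan_text)
    unknown, fraction = inventory_delta(known, hosts)
    reduce = sorted((op.host, op.port, op.service)
                    for op in ports if is_admin_interface(op))
    return {"unknown_hosts": unknown, "delta": fraction, "reduce": reduce}


if __name__ == "__main__":
    report = triage(KNOWN_ASSETS, SCAN_OUTPUT)
    print(f"inventory gap: {report['delta']:.0%} of discovered hosts unknown")
    for host in report["unknown_hosts"]:
        print(f"  INVENTORY  {host}: find an owner before anything else")
    for host, port, service in report["reduce"]:
        print(f"  REDUCE     {host}:{port} ({service}): move behind VPN/bastion")
```

Run against the constructed sample, the report shows a 20% inventory gap (one of five hosts unclaimed) and four interfaces to reduce: SSH and an 8443 admin UI on one host, RDP on the unclaimed host, and Webmin on port 10000. The port-80 Apache and the 443 nginx listeners are left alone, since a public web front end is usually something the business does need exposed; the decision there is remediation (patching, hardening) rather than reduction.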