Top 5 Attack Surface Risks of 2022
In a bid to contend with this year’s most prominent cyber threats, security teams everywhere have had to broaden their understanding of what constitutes an attack surface.
The community’s typical response lies somewhere between a wholesale redefinition of the traditional perimeter, whose former demarcation lines have eroded or blurred, and the incidental yet insidious role of social engineering techniques, which continually threaten to undermine even a well-resourced defensive posture.
By contrast, cyber defense programs remain largely reactive and, frankly, quite disappointing at times. The idea of an immersive, lessons-learned approach to security, in which success is measured by detecting attackers faster than they can inflict damage, has gone “up in smoke” in more ways than we care to admit.
What better way to make the point than a recap of 2022’s top five cyber threats, seen through the lens of Attack Surface Intelligence, showing why a unified solution is needed to engage cyber threats proactively and systematically before they become cyber incidents?
Let’s have a look.
Poor Cyber Hygiene
Cyber hygiene is a broad topic with an equally large set of risk assessment implications. Drawing on the concept of personal hygiene in public health discourse, it is first and foremost a distillation of years of empirical data and best practices on protecting digital systems and personal information. Unfortunately, to many in the field, it is also a complex abstraction laced with implementation deficiencies and hidden strategic costs, which keeps asset prioritization a perpetual subject of debate.
Some of the most telling examples of poor cyber hygiene include the failure to encrypt data when required, the mishandling and exposure of Tier 0 assets, and the incorrect implementation of access management policies. Adding to the complexity are exposed databases, open ports, and unchanged vendor-supplied default settings, which attackers can quickly pick out and turn into exploitation opportunities.
Poor or weak institutional cyber hygiene is, essentially, self-inflicted damage. Put the other way around, without a properly functioning cyber hygiene program an organization exposes itself to a far greater number of threats than most of its peers.
Incomplete Asset Visibility
Inaccurate or incomplete asset inventories can be considered the pinnacle of poor cyber risk management. A recent CISA Binding Operational Directive spells out why: a precise representation of your assets is an essential precondition for any modern cyber defense strategy.
Moreover, as cloud-based services become the norm, rolled out and decommissioned at staggering rates, it is imperative to avoid the pitfalls that can quickly make your attack surface unmanageable. After all, what is more dangerous than looming vulnerabilities, whether inherent or introduced, hiding in remote corners of your public-facing inventory without the slightest hint of visibility?
The overarching strength of Attack Surface Intelligence is precisely its ability to put this kind of “shadow” risk to rest once and for all, by accounting for the asymmetries of cloud environments rather than merely collecting IP addresses and ports. With this emphasis on context and prioritization, organizations can finally fill in the gaps on the road to successful remediation and prevention.
Misconfigured Cloud Resources
As the concept implies, misconfigured cloud resources refer to the undisciplined administration of storage buckets, networking components, or credential material, exposing highly sensitive information to attackers. In Verizon DBIR parlance, this is where cybercriminals (opportunistic or not) continue to derive substantial profit; according to the latest report, up to 13 percent of all system breaches can be attributed to overly-permissive entitlements across cloud-based assets.
There are a handful of reasons why this happens. On the one hand, there is the sheer misinterpretation of the shared responsibility model, leaving ample room for ambiguity in how security controls are implemented among all stakeholders. And lax security controls can only mean one thing: leaked credentials that allow unauthorized access to an even larger number of systems, leaving entire organizations unaware of the extended risk. Add to this mix the pace at which we are building, backed by poor engineering decisions, and the potential for misuse increases sharply.
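As an added illustration (not part of the original post), here is a small check for the overly-permissive entitlement described above, applied to two constructed AWS S3 bucket policies: the public one and its scoped correction. Bucket name, account id and role name are placeholders.

```python
import json

# Constructed samples in AWS bucket-policy shape; bucket name, account id and role
# are placeholders. The first is the overly-permissive form discussed above.
PUBLIC_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "AllowEveryone", "Effect": "Allow", "Principal": "*",
  "Action": ["s3:GetObject", "s3:ListBucket"],
  "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}""")

# Corrected form: same bucket, read access limited to one role in the owning account.
SCOPED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "AllowAppRoleOnly", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}""")


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _principals(principal):
    """Flatten Principal ("*" or {"AWS": [...], "Service": ...}) into a set of strings."""
    if isinstance(principal, str):
        return {principal}
    return {p for v in principal.values() for p in _as_list(v)}


def public_statements(policy):
    """Return the Allow statements that any anonymous principal can use.

    Both "Principal": "*" and {"AWS": "*"} grant anonymous access. A Condition
    block may narrow the wildcard, so such statements are still reported, with
    a flag, for a human to review rather than silently accepted."""
    findings = []
    stmts = policy.get("Statement", [])
    for st in (stmts if isinstance(stmts, list) else [stmts]):
        if st.get("Effect") != "Allow":
            continue
        if "*" not in _principals(st.get("Principal", {})):
            continue
        findings.append({"sid": st.get("Sid", "<no Sid>"),
                         "actions": _as_list(st.get("Action", [])),
                         "conditioned": "Condition" in st})
    return findings


if __name__ == "__main__":
    print("public:", public_statements(PUBLIC_POLICY))  # one finding: AllowEveryone
    print("scoped:", public_statements(SCOPED_POLICY))  # []
```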
Additional concerns span containerized applications and their supporting runtime architectures, whose entire lifecycle can include security risks such as improper access rights at both the OS and application levels, “container escape” scenarios arising from network misconfigurations, or the subversion of orchestrators leading to system-wide compromise.
Similarly, with the growing influence of DevOps and the emphasis placed on CI/CD pipelines, there is urgency in protecting them from security risks and neglect, namely the accidental exposure of sensitive credentials and secrets (often hard-coded and plainly visible) and the misconfiguration of code repositories leading to unauthorized access. Developer errors, such as unsanitized code and other quality mistakes, further increase the likelihood of exploitation considerably.
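An added example, not from the original post, of the kind of pre-commit check that catches hard-coded secrets before they land in a repository or pipeline definition: format rules for two well-known token shapes plus an entropy-gated generic assignment rule, run over constructed sample files (`scan_repo` takes a `{path: contents}` mapping such as the staged files in a hook). The AWS key id is AWS’s documented example value and every other value is invented.

```python
import math
import re

# Constructed repository files. The AWS key id is AWS's documented example value
# and the other values are invented, so nothing here is a live credential.
REPO_FILES = {
    ".github/workflows/deploy.yml": (
        "env:\n"
        "  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE\n"
        "  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}\n"
        "  DB_PASSWORD: ${DB_PASSWORD_FROM_VAULT}\n"
    ),
    "app/settings.py": (
        'GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJklmnop"\n'
        'DB_PASSWORD = "Tr0ub4dor&3xampl3"\n'
    ),
}

# Format rules for two well-known token shapes, plus a generic assignment rule
# that is only reported when the assigned value looks random enough to be a key.
TOKEN_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
GENERIC_ASSIGN = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]?([^\s'\"]{8,})")
ENTROPY_THRESHOLD = 3.0  # bits per character; chosen by hand for this sample

def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_text(path, text):
    """Return (path, line_no, rule) for every line that appears to embed a secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        hits = [rule for rule, pat in TOKEN_RULES.items() if pat.search(line)]
        findings.extend((path, no, rule) for rule in hits)
        m = GENERIC_ASSIGN.search(line)
        # Skip references to injected secrets such as ${VAR} or ${{ secrets.X }},
        # and low-entropy values that are more likely placeholders than real keys.
        if not hits and m and not m.group(2).startswith("$") \
                and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((path, no, "generic-assignment"))
    return findings

def scan_repo(files):
    return [f for path, text in files.items() for f in scan_text(path, text)]
```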
Vulnerabilities
Almost no successful attack occurs without some intervening vulnerability, and 2022 was no exception when it came to the active exploitation of an untold number of cross-cutting CVEs, from the now-infamous Log4j (Log4Shell) and ProxyShell, a spillover duo from 2021, on to the likes of Follina (CVE-2022-30190), as well as a handful of zero-days enabling remote code execution and privilege escalation across organizations.
Customer-managed hardware and traffic-shaping appliances have also been at the forefront of the challenge. Recently, federal authorities released an advisory detailing three distinct Citrix Gateway and Citrix ADC vulnerabilities affecting deployments with specific network preconditions (e.g., SSL VPN), including an authentication bypass rated critical with a score of 9.8. Earlier this year, a similar CVE affecting publicly exposed F5 BIG-IP management interfaces had already shown signs of abuse by Chinese threat actors by the time the first patches were released.
Also in 2022, security researchers were notoriously busy discovering and disclosing a steady stream of high-impact vulnerabilities across the open-source ecosystem. For example, CVE-2022-3786 and CVE-2022-3602 caused significant upheaval, given OpenSSL’s considerable reach within the cryptographic community. Proprietary technologies had their fair share of high-severity CVEs as well. As we noted in a previous post, two distinct Microsoft Exchange vulnerabilities resembling ProxyShell conditions surprised organizations and spawned a frenzy of possible mitigations and threat-hunting exercises for contingency purposes.
Finally, as we inch closer to 2023, we would do well to heed CISA’s call to action and use its “Known Exploited Vulnerabilities” (KEV) catalog, an extensive collection of vulnerabilities with evidence of exploitation (successful or attempted) that every organization can download and consume in a variety of formats. Some of these entries could take many hours to identify by other technical means, so the KEV is an invaluable resource to have at hand.
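An added example, not part of the original post, of how the KEV feed can drive the prioritization discussed above: a constructed excerpt in the shape of CISA’s JSON feed (the real feed is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; field names mirror it, but the dates and names below are illustrative and CVE-0000-00001 is a placeholder) is cross-referenced against a constructed asset inventory, and findings are ranked by whether they are in KEV, past CISA’s due date, tied to ransomware, and internet-facing.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed (field names mirror the
# public feed; dates and names are illustrative, and CVE-0000-00001 is a
# placeholder for an arbitrary appliance bug, not a real identifier).
KEV_JSON = """{"title": "CISA Catalog of Known Exploited Vulnerabilities", "count": 2,
 "vulnerabilities": [
  {"cveID": "CVE-2022-30190", "vendorProject": "Microsoft", "product": "Windows",
   "vulnerabilityName": "MSDT remote code execution (Follina)",
   "dateAdded": "2022-06-14", "dueDate": "2022-07-05", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "Gateway",
   "vulnerabilityName": "Placeholder authentication bypass",
   "dateAdded": "2022-12-01", "dueDate": "2022-12-22", "knownRansomwareCampaignUse": "Unknown"}]}"""

# Constructed scanner output for three assets. CVE-2022-3602 (OpenSSL) is included
# deliberately: severe, but not in KEV, so it should rank below exploited findings.
INVENTORY = [
    {"host": "vpn-gw-01", "internet_facing": True, "cves": ["CVE-0000-00001"]},
    {"host": "build-01", "internet_facing": False, "cves": ["CVE-2022-3602"]},
    {"host": "hr-ws-17", "internet_facing": False, "cves": ["CVE-2022-30190", "CVE-2022-3602"]},
]
TODAY = date(2022, 12, 15)  # fixed evaluation date so the sample is reproducible

def load_kev(raw):
    """Index the feed by CVE id for constant-time lookups while walking the inventory."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def prioritize(kev, inventory, today):
    """One row per (host, CVE); KEV-listed rows first, then by remediation pressure."""
    rows = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            due = date.fromisoformat(entry["dueDate"]) if entry else None
            rows.append({
                "host": asset["host"], "cve": cve, "in_kev": entry is not None,
                "internet_facing": asset["internet_facing"],
                "ransomware": entry is not None and entry["knownRansomwareCampaignUse"] == "Known",
                "overdue": due is not None and due < today, "due": due,
            })
    # Sort key: in KEV, past CISA's due date, known ransomware use, internet-facing,
    # earliest due date. False sorts before True, so "yes" answers come first.
    rows.sort(key=lambda r: (not r["in_kev"], not r["overdue"], not r["ransomware"],
                             not r["internet_facing"], r["due"] or date.max))
    return rows

if __name__ == "__main__":
    for r in prioritize(load_kev(KEV_JSON), INVENTORY, TODAY):
        print(r["host"], r["cve"], "in_kev=%s overdue=%s" % (r["in_kev"], r["overdue"]))
```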
Remote Work
Recognizably, 2020 marked the definitive transition to a new work paradigm bustling with hybrid and fully remote arrangements, and the safety net that the office once provided has effectively faded under the new banner of flexibility.
In the past, we’ve alluded to the technical and organizational challenges facing businesses when an important part of the workforce goes mobile. For example, we’ve explored the dangers to privacy and confidentiality posed by public Wi-Fi and similar unprotected networks, the risks presented by exposed RDP endpoints, or the role of financially motivated APT groups in targeting small office/home office (SOHO) routers for botnet-like purposes.
Lastly, with the welcome addition of “bring your own device” (BYOD) arrangements and the use of personal accounts in support of this model, cybercriminals are well placed to use known techniques to subvert corporate security protections. In a recent case, a Cisco employee whose Google account had been compromised granted unfettered VPN access to a cadre of ransomware groups, in a series of attacks that let these cyber gangs establish a strong foothold on Cisco’s internal network.
Undoubtedly, corporate information and technology services across the globe are currently facing a wave of cybercrime. Compounding the problem is the ever-increasing availability of a veritable arsenal of exploit and attack tools to practically anyone, forcing organizations to redouble their efforts to limit the broader repercussions.
But whether the threat comes from the human side or the computing side, the reality is that, as the attack surface widens in both scope and complexity, cybercriminals remain disproportionately ahead of the game in organization and resources, a technical edge that now accounts for the bulk of advanced threats worldwide.