Why “Shields Up” Starts with Understanding and Protecting the Attack Surface

Since Russia invaded Ukraine in late February, concerns have been mounting about the cyber war ‘spilling over.’ Western governments are now actively preparing organizations for an unprecedented Russian cyber assault on critical infrastructure assets. President Biden recently reiterated warnings that “the Russian government is exploring options for potential cyber-attacks.” It’s a view shared by the UK. With destructive malware already taking out hundreds of targets in Ukraine, this is not a warning to be taken lightly. There are also reports of ‘patriotic’ Russian cybercrime groups ready to flex their muscles if the order is given.

In this context, firms must get serious about the potential threat from the east. In following the US “Shields Up” guidance, the best way to harden defenses and the digital perimeter is first to understand the corporate cyber-attack surface. That means knowing where critical vulnerabilities, unmanaged and misconfigured assets, remote access points and open ports are located before fixing them.

Advice from the Top

The US Cybersecurity and Infrastructure Security Agency (CISA)’s advice is to improve cybersecurity posture to mitigate the threat of attacks on critical assets. That’s easier said than done, especially when money is tight. It’s also why visibility into those assets is an essential first step.

As the old adage goes: you can’t protect what you can’t see. Yet, comprehensive visibility is a challenge in today’s business landscape, where IT assets are often cloud-based, ephemeral and dynamic. That makes them much harder to track. It’s not just VMs and containers either.

Organizations must also track all of the home-working laptops connected to the corporate network. The explosion in these devices over the pandemic, coupled with greater cloud investment to help organizations adapt to a digital-first world, has complicated security efforts. According to one vendor, nearly three-quarters (71%) of global CIOs say they find previously undiscovered endpoints on a weekly basis.

This is where threat intelligence can be a key ally. When focused on the corporate cyber-attack surface, it can help organizations discover the location of all critical assets and identify and prioritize the main risks to them. That, in turn, helps drive more rapid, targeted and cost-effective risk management.

Finding and Fixing

Start with remote access points. By understanding where these are, organizations can control who and what connects to their infrastructure and spot the early warning signs of attack. Threat intelligence should surface all of these points along with important information about them, such as whether any ports, protocols and services are exposed. Organizations may then choose to restrict these or close the access points altogether to reduce the attack surface.

In fact, Shields Up advises all organizations to catalog and disable non-essential ports. Once again, threat intelligence can add vital context by highlighting which ports are used by business-critical databases.

Next, look at patching and configuration. It’s another security best practice designed to improve cyber-hygiene and reduce the attack surface. Yet, with CVEs published in record numbers for the past five years, few organizations are 100% protected today. Malicious actors are adept at scanning any internet-facing infrastructure to find unmanaged and vulnerable assets. One weak password or unpatched server could be the difference between staying safe and a crippling breach.

Risk is the best way to prioritize these patching and configuration efforts. Threat intelligence can help again by scanning all assets against a list of risk rules to identify which parts of the attack surface might need to be addressed first. Hostnames pointing to local networks, staging and development subdomains exposing sensitive information and hostnames with self-signed certificates all represent potential danger.

The process is particularly important for cloud assets, which are frequently misconfigured. Just weeks ago, a researcher found that over 90% of a random sample of misconfigured Russian databases had been compromised. Some had file names replaced; others were completely wiped. Given the dynamic, ephemeral nature of the cloud, complete and persistent visibility into assets is essential. Configuration errors must be flagged and continuously remediated to minimize the risk of exposure.

Back to Best Practice

The much-anticipated Russian onslaught may never happen. We’re all hoping for a speedy resolution of the war and an end to the bloodshed. However, as economic sanctions bite and the kinetic war drags on, the chances of such a resolution decrease daily. Even if Western organizations are not targeted en masse, the best practices they put in place as part of a Shields Up strategy will serve them well going forward.

It’s about getting back on the front foot by improving visibility into the attack surface and reducing risk exposure through a series of well-defined best-practice steps. Whether it’s state-sponsored threat actors or a cybercrime gang that eventually comes knocking, a threat intelligence-based strategy like this will make your organization a harder target to crack.