Taking the Attacker View to Protect the Growing Attack Surface

The post-pandemic threat landscape is seeing a significant increase in attack techniques and the exploitation of new attack vectors. Organizations are struggling to tackle the scale of the financial, legal and brand-value impacts of data breaches. As a result, the preventive and response strategy of security teams is in dire need of re-evaluation.

As per IBM’s Cost of a Data Breach Report 2022:

  • The average cost of a ransomware breach is $4.62m, slightly higher than the average data breach of $4.24m from the previous year. 
  • The average cost of a mega breach in 2021 was $401m for the largest breaches (50–65 million records), an increase from $392m in 2020.

As per Verizon’s 2022 Data Breach Investigations Report:

  • Stolen credentials and vulnerabilities contribute to ~60% of entry points to attack kill chains.
  • System intrusion is the top attack pattern in breaches.
  • 62% of breaches are supply chain intrusion incidents.

The above insights demonstrate that the cost of data breaches from supply chain system intrusions increased in 2021, and we expect similar patterns in the 2022 trend reports.

Incidents like the SolarWinds attack and Log4j vulnerability are among the high-profile supply chain attacks that triggered an executive order (EO) from the US Federal Government designed to protect organizations from similar threats in the future. 

The EO states: 

“The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack and adequate controls to prevent tampering by malicious actors. There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended. The security and integrity of ‘critical software’ – software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources) – is a particular concern.”

While we see some action taken by the impacted organizations in responding to supply chain risks, the rest of the world is still struggling to chalk out a viable security strategy. The following are the key challenges security and IT professionals face in tackling supply chain compromise scenarios. 

  1. Visibility: After the pandemic, the accelerated migration of assets to cloud environments and digital transformation strategies grew the attack surface for organizations. Multi-cloud infrastructure strategy also introduces complexity in comprehensive asset management tools and processes. This gives rise to the growth of shadow IT – an unknown list of assets and resources visible on the public internet but not discovered by the organization. 
  2. Misconfigurations: Manual errors and misconfigurations are the main enablers of attacks on authentication. A lack of awareness of the importance of zero trust security models also opens up vulnerabilities in the access control layer and lateral movement scenarios. Misconfiguration is a major problem in operational technology-driven organizations as part of their IoT asset management.
  3. Automation gaps: Traditional vulnerability assessment and penetration testing (VAPT) processes are insufficient to enable organizations to discover dynamic vulnerabilities and zero-day exploitations. The effectiveness of these compliance measures is not matching the sophistication of the new attack methods and techniques. 

A new generation of asset discovery platforms, which fall under ‘attack surface management,’ is emerging to handle the above scenarios. These platforms are typically built with an outside-in perspective to discover all the assets of an organization that are connected to the internet (external and internal). This helps IT and security operations teams identify all the known and unknown resources that an attacker could discover through vulnerabilities and misconfigurations in the system.
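The core of the outside-in approach described above is a reconciliation step: take what an external observer can see and compare it with what the organization believes it owns. The following is an added illustration, not code from the article or from any attack surface management product. The inventory, the "observed" host list and the service names are all constructed sample data; a real platform would feed this from passive DNS, certificate transparency logs and port scans of the organization's own ranges.

```python
"""
Toy external attack surface reconciliation (added example, not the article's
or any vendor's code). It compares a constructed internal asset inventory
(what a CMDB says the organization owns) with a constructed set of hosts
observed from the outside, and surfaces shadow IT, third-party supply chain
assets and high-risk exposed services so the SOC can prioritize them.
"""
from dataclasses import dataclass

# Constructed: domains the organization controls.
ORG_DOMAINS = {"example.com"}

# Constructed: what the organization believes it owns (e.g. from a CMDB).
KNOWN_ASSETS = {
    "www.example.com",
    "api.example.com",
    "vpn.example.com",
}

# Constructed: what an outside-in scan observed, hostname -> {port: service}.
OBSERVED = {
    "www.example.com": {443: "https"},
    "api.example.com": {443: "https"},
    "vpn.example.com": {443: "https", 22: "ssh"},
    "old-jenkins.example.com": {8080: "http"},    # forgotten build server
    "staging-db.example.com": {3306: "mysql"},    # database reachable from the internet
    "shop.vendor-example.net": {443: "https"},    # supply chain vendor asset, cert names our org
}

# Services that should never be reachable from the internet, whoever owns the host.
HIGH_RISK_SERVICES = {"mysql", "rdp", "smb", "telnet"}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    host: str
    category: str   # "shadow_it", "third_party" or "exposed_service"
    detail: str
    severity: str


def _is_org_host(host: str, org_domains=ORG_DOMAINS) -> bool:
    """True if the hostname falls under a domain the organization controls."""
    return any(host == d or host.endswith("." + d) for d in org_domains)


def reconcile(known, observed, high_risk=HIGH_RISK_SERVICES, org_domains=ORG_DOMAINS):
    """Return findings for hosts that are unknown to the inventory or expose risky services."""
    findings = []
    for host, services in sorted(observed.items()):
        is_known = host in known
        if not is_known:
            if _is_org_host(host, org_domains):
                # Our own domain, but nobody inventoried it: classic shadow IT.
                findings.append(Finding(host, "shadow_it",
                                        "observed externally but absent from inventory", "medium"))
            else:
                # Not our domain: a supplier or partner asset tied to us, track it.
                findings.append(Finding(host, "third_party",
                                        "external asset associated with the organization", "low"))
        for port, svc in sorted(services.items()):
            if svc in high_risk:
                # An exposed service on an asset nobody knows about cannot be patched
                # or monitored, so it ranks above the same exposure on a known host.
                sev = "critical" if not is_known else "high"
                findings.append(Finding(host, "exposed_service",
                                        f"{svc}/{port} reachable from the internet", sev))
    return findings


def prioritize(findings):
    """Order findings so the response team works from the most severe downward."""
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


def summarize(findings):
    """Count findings per severity for a quick risk-exposure overview."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = prioritize(reconcile(KNOWN_ASSETS, OBSERVED))
    for f in results:
        print(f"[{f.severity:8}] {f.category:16} {f.host}: {f.detail}")
    print(summarize(results))
```

On the constructed data this flags two shadow IT hosts, one third-party asset and one critical exposure (an internet-reachable database on a host the inventory does not know about). The severity bump for unknown hosts encodes the article's point: an asset the organization cannot see is one it cannot patch, monitor or include in its incident response plan.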

As a risk management leader, if I know how my organization looks from an attacker’s perspective, I can prioritize the right response strategies to reduce the impact of any potential incidents. Regardless of whether the assets belong to the organization or to a third-party vendor in the supply chain, visibility wins half the battle for security operations center (SOC) professionals. Asset discovery platforms are gradually being plugged into existing threat intelligence platforms and security orchestration, automation and response (SOAR) workflows.

This external attack surface discovery has also introduced a new process of deriving cybersecurity risk ratings for organizations based on their consolidated risk exposure and response capabilities. Gartner predicts that 60% of organizations will use cybersecurity risk as a significant determinant in conducting third-party transactions and business engagements. It also predicts at least 50% of C-level executives will have cybersecurity risk built into their employment contracts as part of their performance requirements.

Therefore, organizations should have an attacker view to defend against threats from the growing attack surface.  
