#HowTo: Get an Attacker’s Eye View of Your Security


It’s a cliché in security circles that defenders have to be right all the time, while attackers only need to get things right once. For IT security teams, the emphasis is on asset management, vulnerability scanning, patching and the prevention/remediation of attacks.

However, this approach will only cover the assets that you know about. In an ideal world, you would have a complete and accurate list of all assets, meaning any new devices or additions to the network would be fully managed right from the start.

Sadly, life is not ideal. Networks are more porous than we would like to admit. Individuals may bring their own devices and plug them into the network, with little to no thought on the security impact. Operational technology assets might live on separate networks, unseen by IT until someone asks for that network to be connected to the internet to make data available for analysis. These ‘unknown unknowns’ have to be found in other ways.

Mimicking an attacker’s eye view of your network complements the traditional inside-out view of security and helps you close those potential gaps.

Approach #1: External Penetration Testing

This approach has existed for many years and involves hiring a team to probe your network for potential vulnerabilities. They will employ the same tools, techniques and processes as a bad actor looking to gain access. The biggest bonus from this is that they are not your team – they won’t think the same way as you, and they will approach security with a different mindset.

Employing pentesting is a great approach, but it is not enough on its own. It provides a useful snapshot of your current security level, but that snapshot is only valid for the duration of the exercise and offers no continuous oversight. When individuals can bring in new devices at any time, or when departments can stand up whole new digital infrastructures in the cloud, a point-in-time test cannot keep up.

Approach #2: Open-Source Intelligence

In recent years, more and more IT assets have been connected to company networks and then onto the internet. These assets may, if they are not properly secured, be visible on the internet. This data can then be scooped up and searched. A good example is SHODAN, which bills itself as a search engine for the Internet of Everything.

Such data sources are available to anyone as open-source intelligence (OSINT). Using OSINT sources, you can look for potential problem assets or issues across IT, operational technology and IoT devices. The challenge with OSINT data is correlating the public data with your internal asset lists so that it becomes useful to your team.

For instance, you may want more information on your domains and subdomains. Maybe you own abc.com and a mail server is associated with that domain. However, can you see how that relates to another web server spun up on a different subdomain? Without visibility into all your subdomains and the connections between internal and external assets, it is harder to build a fully accurate picture.

Approach #3: External Attack Surface Management

External attack surface management (EASM) is an approach that looks at the whole organization’s IT portfolio to detect any potential issues or threats over time. This includes all the different platforms that companies can use internally and in the cloud and looks to find any potential vulnerabilities due to poor configurations or insecure assets.

This approach aims to flag any assets that were not previously known about. This should look for potential problems such as unauthorized devices, unapproved or end-of-support software, open ports, or unsanctioned apps and domains. Like penetration testing, it provides an outside-in view of your network; however, EASM should provide insight both over time and automatically.
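As an added example (not code from the original article), the script below shows the two mechanics described under Approach #2 and Approach #3: correlating externally observable data with an internal asset list, and diffing against the previous run so that new exposures surface over time. The domain abc.com is the article's placeholder; the IPs, ports, owners and the previous snapshot are constructed sample data, not output from any real scan.

```python
from dataclasses import dataclass

# Constructed OSINT-style observations: hostname -> (public IP, open ports).
# abc.com is the placeholder domain used in the article.
EXTERNAL_OBSERVATIONS = {
    "mail.abc.com": ("203.0.113.10", {25, 587}),
    "www.abc.com": ("203.0.113.20", {443}),
    "dev-portal.abc.com": ("203.0.113.30", {22, 8080}),  # never registered internally
    "vpn.abc.com": ("203.0.113.40", {443, 3389}),        # 3389 was not open last time
}

# Constructed internal asset list keyed by public IP (owner, names, approved ports).
INTERNAL_INVENTORY = {
    "203.0.113.10": {"owner": "messaging", "hosts": {"mail.abc.com"}, "ports": {25, 587}},
    "203.0.113.20": {"owner": "web", "hosts": {"www.abc.com"}, "ports": {443}},
    "203.0.113.40": {"owner": "netops", "hosts": {"vpn.abc.com"}, "ports": {443}},
}

# Constructed result of the previous EASM run: hostname -> open ports seen then.
PREVIOUS_SNAPSHOT = {"mail.abc.com": {25, 587}, "www.abc.com": {443}, "vpn.abc.com": {443}}

@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # unknown_asset | unapproved_port | new_host | new_port
    detail: str

def reconcile(observations, inventory):
    """OSINT step: correlate public observations with the internal asset list."""
    findings = []
    for host, (ip, ports) in sorted(observations.items()):
        record = inventory.get(ip)
        if record is None or host not in record["hosts"]:
            findings.append(Finding(host, "unknown_asset", f"{ip} not inventoried for this name"))
            continue
        for port in sorted(ports - record["ports"]):
            findings.append(Finding(host, "unapproved_port", f"{port} open, owner {record['owner']}"))
    return findings

def diff_snapshots(previous, observations):
    """EASM step: report only what changed since the previous run."""
    findings = []
    for host, (_ip, ports) in sorted(observations.items()):
        if host not in previous:
            findings.append(Finding(host, "new_host", f"ports {sorted(ports)}"))
        else:
            for port in sorted(ports - previous[host]):
                findings.append(Finding(host, "new_port", f"{port} newly open"))
    return findings
```

On this sample data, `reconcile` flags dev-portal.abc.com as an asset nobody owns and port 3389 on vpn.abc.com as unapproved, while `diff_snapshots` reports the same host and port as new since the last run; in practice the observations would come from a feed such as Shodan or DNS enumeration rather than a literal.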

Getting insight into misconfigurations or vulnerabilities as early as possible is essential to fix them before any attacker can exploit them. Ideally, you can combine approaches to improve your visibility, ensuring continuous security. This can help you benefit from the human insight and expertise that testing can provide, but also automate processes to help your team respond more effectively and efficiently.
