ATTACK SURFACE

Unit 42

By Prasanna Abeysekera

As organisations navigate the ever-evolving landscape of network security, they must protect increasingly intricate network architectures. The emergence of zero trust, cloud computing, and remote work has added complexity to this challenge. The risk of compromise is higher because infrastructure and assets that are reachable from the public internet keep expanding. A thorough understanding of what requires safeguarding is crucial for navigating this landscape. The Unit 42 Attack Surface Threat Report provides valuable insights from extensive data analysis conducted by Cortex Xpanse, Palo Alto Networks' attack surface management tool.

The Unit 42 Attack Surface Threat Report is a detailed analysis of the constantly changing nature of modern IT environments.

The report reveals some crucial insights from its 2023 edition:

  • More than 20% of externally accessible cloud services change every month. This dynamic movement challenges security controls and can lead to accidental misconfigurations and the spread of shadow IT.
  • Three of the 30 vulnerabilities studied were exploited within hours of their CVE disclosure, showing how quickly attackers move on newly published vulnerabilities.
  • The report analysed 15 remote code execution (RCE) vulnerabilities that ransomware operators are actively using. Threat actors target three of these critical RCE vulnerabilities within hours of disclosure.
  • The report underlines the significance of continuous visibility and automated remediation capabilities to manage the ever-changing attack surface.
  • It provides valuable information to help organisations understand their unique attack surface and how it compares to the global landscape.
  • The report's recommendations and findings are prioritised based on the most likely threats organisations are expected to face.

Primary recommendations

Here are the leading suggestions extracted from the Unit 42 Attack Surface Threat Report:

It is essential for organisations to continuously monitor their attack surface as it changes frequently, with over 20% of externally accessible cloud services changing every month on average. This helps track accidental misconfigurations and the spread of shadow IT within the organisation.

Consistent patching programs are essential to reducing the attack surface. Attackers typically begin exploiting vulnerabilities within hours of their announcement, so it's crucial to continuously find and fix potential vulnerabilities.

Automated remediation capabilities are also crucial to quickly finding and fixing critical attack surface exposures before attackers can exploit them. This is especially important given that threat actors have been known to target critical vulnerabilities within hours of their disclosure.

These recommendations stress the importance of continuous visibility, consistent patching programs, and automated remediation capabilities to manage the ever-changing attack surface. They provide actionable intelligence to help organisations understand their unique attack surface and how it compares to the global landscape.

Attack surface management

The Unit 42 Attack Surface Threat Report provides several real-world examples of attack surface management.
Here are a few key examples:

  • Cloud infrastructure management is crucial for organisations, as about 20% of their cloud attack surface changes every month. This change introduces nearly half of their new high or critical cloud exposures. Continuous visibility and monitoring of these changes are important to prevent accidental misconfigurations and the spread of shadow IT.
  • Remote access management is equally important. Over 85% of organisations have Remote Desktop Protocol (RDP) reachable from the internet for at least 25% of the month, leaving them vulnerable to ransomware attacks or unauthorised login attempts.
  • Vulnerability management is also a crucial aspect of security, as many security breaches occur due to misconfigured services, firewalls, or known vulnerabilities. Legacy vulnerability management processes often miss many of these issues.
  • It's crucial to quickly understand your risk exposure so that patches can be prioritised and unpatchable end-of-life services carrying critical vulnerabilities can be mitigated. Response to emerging threats should be timely and efficient to prevent damage.
  • Lastly, monitoring remote access services is necessary to eliminate the risk of unauthorised logins. Specific attack scenarios include lateral movement across an internal subnet to exfiltrate data from a critical datastore, compromising virtual private network (VPN) infrastructure to access and infect source code repositories in supply chain attacks, and using a compromised IP security camera to record employees physically entering login credentials.

Effective ways to manage attack surfaces

Here are some essential tips for managing attack surfaces:

  • Firstly, it's crucial to understand which of your digital assets are exposed, where attackers are likely to target your network, and what measures are necessary to protect them. Increasing visibility into your attack surface and building a comprehensive picture of the weaknesses an attacker could reach is critical.
  • Regularly updating and patching your systems is also essential to reduce the number of vulnerabilities attackers can exploit.
  • Implementing intrusion detection solutions, conducting regular risk assessments, and establishing clear and effective policies are also important.
  • Regularly monitoring and testing your systems can help identify and address vulnerabilities.
  • Since email is a common attack vector, securing your email system is crucial.
  • Be aware of your organisation's industry or legal compliance requirements.
  • Regular audits help identify vulnerabilities and ensure security measures work as intended.

In summary, managing attack surfaces minimises the number of vulnerabilities and gives threat actors fewer opportunities to compromise your organisation's network and devices.

Assessing attack surface

Assessing your organisation's attack surface is a systematic process that involves the following steps:

  • Identify every potential point of vulnerability within your organisation's network. This includes finding "unknown, internet-facing assets" that your organisation might be unaware of.
  • Understand the various entry points, such as software interfaces, network services, or cloud services.
  • Once all assets are discovered, vulnerability scanning is performed to determine which assets are at risk and which are most at risk.
  • Evaluate the potential impact of a successful attack.
  • Address identified vulnerabilities and risks.
  • Keep track of your executives' online postings, how your brand is being used on the internet, and the content and nature of tweets in your company's name.
  • Use attack surface management software to continuously monitor the infrastructure for new and emerging vulnerabilities and misconfigurations.
  • Leverage end-to-end penetration testing tools for social media and other external assets.

Your attack surface constantly expands with every new online interface. Staying on top of it requires regular assessment using the right tools.
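The steps above (discover externally reachable services, compare against the last inventory, rank what is new by risk) are the core of continuous attack surface monitoring, and the report's findings about monthly cloud churn and internet-exposed RDP are exactly what such a comparison surfaces. The following Python script is an added example written for this article; it is not code from the Unit 42 report or from Cortex Xpanse. The two inventory snapshots, the `example.test` hostnames and the list of high-risk ports are constructed assumptions; a real ASM tool would populate the snapshots from external scans and cloud-provider APIs.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Exposure:
    """One internet-reachable service seen in an inventory snapshot (constructed record)."""
    host: str
    port: int
    service: str


# Ports whose internet exposure is treated as high risk. RDP (3389) is the one the
# report quantifies; the others are an assumption for this example, chosen because
# they are common ransomware entry points.
HIGH_RISK_PORTS = {
    3389: "rdp",
    445: "smb",
    22: "ssh",
    3306: "mysql",
    1433: "mssql",
}

# Constructed snapshots of externally reachable services, one month apart.
LAST_MONTH = [
    Exposure("web-01.example.test", 443, "https"),
    Exposure("web-02.example.test", 443, "https"),
    Exposure("api.example.test", 443, "https"),
    Exposure("jump.example.test", 22, "ssh"),
    Exposure("legacy-db.example.test", 1433, "mssql"),
]

THIS_MONTH = [
    Exposure("web-01.example.test", 443, "https"),
    Exposure("web-02.example.test", 443, "https"),
    Exposure("api.example.test", 443, "https"),
    Exposure("jump.example.test", 22, "ssh"),
    Exposure("build-07.example.test", 3389, "rdp"),    # new: unsanctioned RDP exposure
    Exposure("staging-web.example.test", 80, "http"),  # new: shadow IT web host
]


def diff_snapshots(previous, current):
    """Return (added, removed) exposures between two snapshots, deterministically ordered."""
    prev, curr = set(previous), set(current)
    return sorted(curr - prev), sorted(prev - curr)


def change_rate(previous, current):
    """Fraction of all services seen in either snapshot that appeared or disappeared.

    This mirrors the report's 'share of the external attack surface that changed
    this month' metric; an empty inventory yields 0.0 rather than a division error.
    """
    prev, curr = set(previous), set(current)
    union = prev | curr
    if not union:
        return 0.0
    return len(prev ^ curr) / len(union)


def prioritise(added):
    """Split newly exposed services into high-risk ports (review first) and the rest."""
    high = [e for e in added if e.port in HIGH_RISK_PORTS]
    other = [e for e in added if e.port not in HIGH_RISK_PORTS]
    return high, other


def monthly_report(previous, current):
    """Build the summary a security team would review at the start of each month."""
    added, removed = diff_snapshots(previous, current)
    high, other = prioritise(added)
    return {
        "change_rate": change_rate(previous, current),
        "new_high_risk": high,
        "new_other": other,
        "removed": removed,
    }


if __name__ == "__main__":
    report = monthly_report(LAST_MONTH, THIS_MONTH)
    print(f"attack surface change this month: {report['change_rate']:.0%}")
    for e in report["new_high_risk"]:
        print(f"  REVIEW FIRST  {e.host}:{e.port} ({e.service}) newly exposed")
    for e in report["new_other"]:
        print(f"  new           {e.host}:{e.port} ({e.service})")
    for e in report["removed"]:
        print(f"  removed       {e.host}:{e.port} ({e.service})")
```

On the constructed data the change rate is 3 of 7 services (about 43%), the new RDP host is pushed to the top of the review queue, and the decommissioned database drops out of the inventory, which is the kind of month-over-month movement the report describes. The design keeps the snapshot diff separate from the risk ranking so that the high-risk port list can be tuned per organisation without touching the comparison logic.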
