When it comes to Cybersecurity, Situational Awareness is Key
It’s a challenging time to work in cybersecurity. 2020 saw a dramatic uptick in cyber threats as cybercriminals took full advantage of the pandemic, exploiting attack surface weaknesses that resulted from the rush to support working from home at scale and mounting sophisticated phishing campaigns to prey on a global population desperate for information. We also saw the first large-scale supply chain attack, the SolarWinds breach, affecting over 18,000 organisations worldwide.
Those hoping for a quieter 2021 have been sadly disappointed. There have been over a dozen zero-days in the past three months alone, affecting countless organisations across the world. And while many thought that the SolarWinds attack set the standard for the impact a vulnerability could have, we’re already dealing with a new attack that dwarfs it in scale, targeting a Microsoft Exchange Server remote code execution vulnerability. While it started with the espionage actor Hafnium, ESET Research shows that at least 10 APT groups have exploited the Microsoft Exchange vulnerability, with ransomware actors leveraging it as well. At the time the vulnerability was announced, RiskIQ identified 400,000 on-premises Exchange Servers that were exposed to the internet and vulnerable, and we’ve been working with Microsoft to track those Exchange Servers still in need of updating.
From both a geopolitical and criminal perspective, the internet has become a primary battleground, and security teams find that they ignore it at their peril. Continuing with the military analogies, situational awareness is vital. While most organisations have good situational awareness inside the corporate network, they are blind to much of what is going on across the vastness of the internet and whether it potentially affects them.
Never has the 2500-year-old quote by Chinese General Sun Tzu been more relevant: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” When it comes to the internet, most organisations fall short on both counts.
“To know yourself” starts by having an accurate understanding of what you own that is exposed to the internet. This goes beyond just knowing the whereabouts of high-level assets such as your websites, because each of those is made up of many different components: the underlying operating system, frameworks, third-party applications, plugins, trackers, and so on. Each component forms a part of the website and helps deliver the user experience that people now expect. However, because many of these building blocks are so ubiquitous, a malicious actor who successfully crafts an exploit against one of them can re-use the same exploit across an abundance of websites. As high-severity exploits are reported, the first question security teams need to answer is “is our organisation vulnerable?”. With an up-to-date view of your attack surface and its makeup, that analysis can take place quickly, as can remediation if needed.
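As an added illustration (not RiskIQ’s product or code), the Python below shows the “is our organisation vulnerable?” check this paragraph describes: a constructed inventory of internet-facing hosts and their components is matched against an advisory’s affected version ranges. The hostnames, component versions, advisory identifiers and ranges are all made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample inventory: components observed on each internet-facing
# host. Hostnames and versions are made up for this example.
INVENTORY: Dict[str, Dict[str, str]] = {
    "www.example.com":  {"nginx": "1.18.0", "wordpress": "5.6.1", "php": "7.4.3"},
    "shop.example.com": {"apache": "2.4.41", "wordpress": "5.4.2", "php": "7.2.0"},
    "mail.example.com": {"exchange": "15.1.2176.2"},
}

@dataclass
class Advisory:
    """A published vulnerability notice reduced to what triage needs."""
    ident: str
    component: str
    # Each range is (first affected version inclusive, first fixed version
    # exclusive); advisories commonly list one range per supported branch.
    ranges: List[Tuple[str, str]]

def parse_version(text: str) -> Tuple[int, ...]:
    """'15.1.2176.2' -> (15, 1, 2176, 2); non-numeric characters are dropped."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def version_in_range(version: str, low: str, high: str) -> bool:
    """Compare after zero-padding so that 15.1 and 15.1.0.0 sort equal."""
    v, lo, hi = (parse_version(x) for x in (version, low, high))
    width = max(len(v), len(lo), len(hi))
    def pad(t: Tuple[int, ...]) -> Tuple[int, ...]:
        return t + (0,) * (width - len(t))
    return pad(lo) <= pad(v) < pad(hi)

def affected_hosts(inventory: Dict[str, Dict[str, str]],
                   advisory: Advisory) -> List[Tuple[str, str]]:
    """Hosts running an affected version of the advisory's component,
    with the version observed; an empty list means 'not vulnerable'."""
    hits = []
    for host, components in inventory.items():
        version = components.get(advisory.component)
        if version and any(version_in_range(version, lo, hi) for lo, hi in advisory.ranges):
            hits.append((host, version))
    return sorted(hits)

if __name__ == "__main__":
    # Constructed advisory covering two branches of the sample "wordpress" component.
    adv = Advisory("ADV-EXAMPLE-1", "wordpress", [("5.4.0", "5.4.3"), ("5.6.0", "5.6.2")])
    for host, version in affected_hosts(INVENTORY, adv):
        print(f"{adv.ident}: {host} runs {adv.component} {version}")
```

The same inventory answers the question for every new advisory; the cost of triage is in keeping the inventory current, not in running the check.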
“To know your enemy” requires in-depth internet reconnaissance to understand the threat actors behind a given attack, their tactics, techniques and procedures, the assets they possess to carry out the attack and the specific attack vectors being used. Wider listening on the deep and dark web can add further context for understanding the adversary. Investigating an adversary takes time, even when the information is readily available. To deal with the sheer number of events that occur daily, automation is required to integrate internet visibility into the core applications used within security operations, using techniques such as reputation scoring and event enrichment to automate responses.
To summarise, when it comes to defending your organisation on the internet, visibility is vital. You can’t protect what you don’t know about, and you can’t proactively defend against targeted attacks if you have no visibility of the attacker and their infrastructure.
RiskIQ is the pioneer and leader in Internet Intelligence and Attack Surface Management. For the past 11 years, it’s been continuously collecting, analysing and curating internet data to help organisations address this challenge. Its approach is redefining security programmes and closing gaps in traditional perimeter defence.