Defending against external cyber threats continues to be a challenge for the majority of organisations. 68 per cent of UK respondents interviewed for a recent IDG Connect research report, “The State of Enterprise Digital Defence”, expressed no to moderate confidence in their ability to manage external threats, and 70 per cent have no to modest confidence in their ability to reduce their digital attack surface. These are worrying statistics, because according to the Verizon 2017 Data Breach Investigations Report three quarters of the digital threats organisations face originate outside the corporate network. That leaves organisations underprepared to mitigate cyber adversaries. The challenges of discovering assets, investigating them, assessing their risk, and then mitigating and preventing exposures require urgent attention.
The external threat challenge is a daunting one. The internet is vast, and so is the array of digital threats that lurk inside it. However, not all threats pose the same level of risk to an organisation. Some are minor annoyances, while others represent a clear danger. Things become even more challenging when a business has little control over its external-facing assets. The battle organisations face on a day-to-day basis is identifying which current threats pose the most risk to them, given their specific vulnerabilities. So how do you go about homing in on the ones that matter to you?
Most digital threat management practitioners find themselves faced with a choice. Either cast a wide net in terms of threat intelligence and risk, unleashing a flood of alerts, or take a narrowly focused approach that reduces alerts to a manageable level. The narrow approach, however, comes at the expense of the bigger picture, and with it the risk of being blindsided.
The answer is not to learn to live with something in the middle but to start by better understanding what you’re trying to protect. What are its constituent parts and their inherent vulnerabilities? What potential tactics might an adversary take to advance along the kill-chain to gain entry into your corporate network?
In the case of external threats, the first level of ‘what are we trying to protect’ should be your public-facing digital assets: those that are discoverable by Internet users and attackers alike. But these are only growing and becoming increasingly difficult to keep track of. Digital transformation initiatives designed to enrich products, deepen customer relationships and boost brand ecosystems are resulting in a rapidly expanding digital presence, and from an attacker’s point of view, an expanding attack surface to exploit.
While organisations should be keeping a close eye on their digital presence, most find they are losing sight of much of it. This loss of visibility is often the result of the growth of Shadow IT across the organisation. The term Shadow IT refers to development and deployment initiatives undertaken by groups within the business without the knowledge or approval of central development, security and compliance teams. This often occurs when the speed of business demands outpaces the ability of IT to respond. While done for sound business reasons, digital assets created by Shadow IT pose a potential risk to the business because they are not subject to the same level of governance, security testing and life-cycle management as assets created through official channels.
Automating discovery and assessment
Unknown digital assets can also be inherited as the result of mergers and acquisitions and suffer the same risks as shadow IT. Over time these unknown and unmanaged assets become the soft underbelly that all too often malicious actors exploit to gain access to organisations and steal sensitive information.
In an effort to quantify the risks organisations carry in their digital web presence, we recently conducted research into the top 30 organisations in the UK, the FT30. Using our global Internet reconnaissance infrastructure, we found a total of 99,467 live websites associated with the FT30, an average of 3,315 websites per organisation. We analysed the collection of infrastructure components and assets that make up these websites to identify the various types of issue. Per organisation we found an average of 171 at-risk servers, 68 at-risk frameworks, 35 expired certificates, 250 untrusted certificates, and 150 web pages that collect user data insecurely and in violation of regulations such as GDPR.
In each case, these risk categories were associated with a relatively small percentage of the overall web estate. However, it only takes one exposure to give an attacker an opportunity, and the more exposures you have, the more likely it is that one will be uncovered. While it isn’t practical to eliminate every security risk, it is important to understand the full scope of the risks you carry.
In a large organisation, gaining visibility over an ever-expanding web presence isn’t something that can be undertaken and maintained using traditional methods such as a centralised web asset register. It is unrealistic to expect individuals from across the business, many in departments outside IT such as marketing, to keep that information up to date. Time and time again, when we undertake an asset discovery exercise for an organisation we find on average 30 per cent more public-facing assets than the organisation knows about. That is a significant number of assets falling outside the scope of its security and compliance programmes.
However, by using curated Internet intelligence it is possible to automate the discovery and assessment process. This gives you a continuously updated asset register of what you own, together with its security and compliance posture. Curated intelligence can be used to connect the dots between your specific digital footprint and the activities of threat actors. It provides personalised context, insight and indicator details, offering a holistic view of exposures, adversaries and attack infrastructure. Armed with this information you are better able to understand, anticipate, minimise and remediate digital threats and attacks.
This ‘outside in’ intelligence can add valuable context to many internal security tools and teams, from Security Operations, Penetration and Vulnerability Testing and Incident Response to Governance, Risk and Compliance (GRC). At RiskIQ, our Digital Footprint solution is used by many of the world’s largest organisations to monitor their digital presence and improve the effectiveness of their external threat management efforts.
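To make the assessment step concrete, the following is an added example, not RiskIQ code and not part of the original article. It assumes a discovery crawl has already produced a snapshot of public-facing pages (hostname, page URL, page HTML, certificate expiry and whether the certificate chain was trusted); that snapshot is constructed inline here rather than fetched. The example then does two of the things the text describes: it reconciles the discovered hosts against an official asset register to surface the unknown assets, and it classifies each host into the risk categories from the FT30 research that can be judged from the snapshot alone (expired certificates, untrusted certificates, and pages that collect user data over plain HTTP). The hostnames, dates and HTML are all invented for illustration.

```python
"""Reconcile a constructed discovery snapshot against an asset register and
flag certificate and data-collection exposures (illustrative example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set
from urllib.parse import urljoin, urlparse


@dataclass
class Asset:
    host: str
    page_url: str
    html: str
    cert_not_after: Optional[datetime]  # None means the page was served over plain HTTP
    cert_chain_trusted: bool


class FormFinder(HTMLParser):
    """Collect every <form> on a page and whether it takes free-text input."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict[str, object]] = []
        self._current: Optional[Dict[str, object]] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "collects_input": False}
        elif tag == "input" and self._current is not None:
            # Fields that carry user-supplied data (names, e-mail addresses, passwords)
            if (a.get("type") or "text").lower() in ("text", "email", "password", "tel"):
                self._current["collects_input"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def collects_data_insecurely(asset: Asset) -> bool:
    """True if any form taking user input submits to a non-HTTPS URL.

    The form action is resolved against the page URL, so a relative action on an
    HTTP page is (correctly) treated as an insecure submission."""
    finder = FormFinder()
    finder.feed(asset.html)
    for form in finder.forms:
        if not form["collects_input"]:
            continue
        target = urljoin(asset.page_url, str(form["action"]))
        if urlparse(target).scheme != "https":
            return True
    return False


def assess(assets: List[Asset], registered_hosts: Set[str], now: datetime) -> Dict[str, List[str]]:
    """Return sorted host lists per risk category, plus hosts missing from the register."""
    hosts = sorted({a.host for a in assets})
    return {
        "unknown_hosts": [h for h in hosts if h not in registered_hosts],
        "expired_certs": sorted({a.host for a in assets
                                 if a.cert_not_after is not None and a.cert_not_after <= now}),
        "untrusted_certs": sorted({a.host for a in assets
                                   if a.cert_not_after is not None and not a.cert_chain_trusted}),
        "insecure_collection": sorted({a.host for a in assets if collects_data_insecurely(a)}),
    }


def unknown_share(findings: Dict[str, List[str]], assets: List[Asset]) -> float:
    """Fraction of discovered hosts that the official register did not know about."""
    return len(findings["unknown_hosts"]) / len({a.host for a in assets})


# Constructed snapshot: four hosts, two of them in the official register.
SNAPSHOT = [
    Asset("www.example.com", "https://www.example.com/account",
          '<form action="/login"><input type="email" name="u"><input type="password" name="p"></form>',
          datetime(2025, 1, 1, tzinfo=timezone.utc), True),
    Asset("promo.example.com", "https://promo.example.com/",
          "<p>Campaign page, no forms</p>",
          datetime(2023, 1, 1, tzinfo=timezone.utc), True),  # certificate already expired
    Asset("legacy.example.com", "http://legacy.example.com/signup",
          '<form><input type="text" name="name"><input type="email" name="mail"></form>',
          None, False),  # plain HTTP, form posts back to the same HTTP page
    Asset("dev.example.com", "https://dev.example.com/beta",
          '<form action="http://collector.example.net/submit"><input type="email" name="e"></form>',
          datetime(2025, 1, 1, tzinfo=timezone.utc), False),  # self-signed, posts over HTTP
]
REGISTER = {"www.example.com", "promo.example.com"}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    result = assess(SNAPSHOT, REGISTER, NOW)
    for category, hosts in result.items():
        print(f"{category}: {', '.join(hosts) or '-'}")
    print(f"unknown share: {unknown_share(result, SNAPSHOT):.0%}")
```

In a real deployment the snapshot would be refreshed continuously from discovery, and the register reconciliation is the step that turns a one-off audit into the living asset register the text calls for; the share of unknown hosts is the same metric as the 30 per cent figure quoted above. Server and framework version checks are deliberately left out, since judging them requires an up-to-date vulnerability feed rather than the page snapshot alone.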
Fabian Libeau, VP EMEA RiskIQ