Attack Surface Lesson #1 – Know Your Inventory

I recently joined Expanse as CRO. The first thing any decent CRO does? Talk to as many customers as possible to understand market trends and customer realities. In a recent call, one CISO explained that having a complete and accurate inventory, or “system of record,” is the foundation of any security program. “You can’t protect what you can’t see” comes to mind, and in 2020 this has become a HUGE problem for technology and security teams.

Satya Nadella famously said in April of this year that we had experienced “2 years of digital transformation in 2 months.” Well, it has been 5 months since then, and I would proclaim that in many cases we have seen 5 years of digital transformation happen in 5 months. As a result, organizations’ assets have rapidly moved externally, become fragmented and, in many cases, become ephemeral.

A recent Gartner report summarizes the trend:

“Most businesses have complex interconnections of servers, cloud instances, desktops, laptops, mobile devices, Internet of Things (IoT) and more. These assets are dynamic, seemingly borderless, and continuously moving and growing. As this footprint increases, so does the organization’s threat exposure. Maintaining asset inventory is fundamental to any robust cybersecurity program and being cognizant of this inventory is fundamental to a vulnerability management program.”[1]

(Source: The Essential Elements of Effective Vulnerability Management, October 2020)

Let’s explore the inventory problem more in depth. The enterprise shift from inside to out has been driven by a set of rapid digital transformations:

  • Cloud: At first, cloud adoption was driven by cost savings. With the pandemic, the cloud now brings accessibility. Whatever the driver, try walking into a physical data center.
  • Mobility: With working from home, many enterprise assets are not set up for security: home laptops run through insecure home Wi-Fi networks, exposing corporate communications, data and more.
  • Website sprawl: Many organizations have websites deployed across many hosting providers. How do you see and maintain them all, and ensure they conform to compliance and security standards?
  • Supply chains: With the continued nation-state attacks against the supply chain and the resulting onset of CMMC and Section 889, the importance of supply chain security has garnered significant attention this past year. Whether it’s jointly owned or managed assets or infrastructure wholly managed by a third party, many enterprises suddenly have to understand a completely foreign universe.

As if things couldn’t get complex enough, now throw governance into the mix. Security teams need to develop governance standards and policies around assets they can’t see. Fun.

In security terms, this boils down to a CISO’s worst nightmare: an ephemeral attack surface. Worse, the rate of flux for this attack surface is driven by cloud workloads being spun up and down, remote employees traversing networks with variable protection, and shadow IT. Protection remains elusive. As CISOs tell me, the rapid rate of change means that even organizations with very mature vulnerability management programs can only identify around 80ish percent of their attack surface. This situation leaves security teams struggling to answer “Where are my assets?”, never mind asking “How do I secure my assets?” The worst-case scenario for the CISOs I speak to: a breach occurs, they go before the Board of Directors, and they have to say, “I didn’t know about that asset.”

One more thing to add into the mix: what are malicious actors doing? Take VPN as an example. Threat actors actively scan for issues. In fact, there have been reports from the US government highlighting how nation-state threat actors exploit the VPN vector. Even ransomware gangs are exploiting vulnerable VPN infrastructure and RDP exposures to distribute their malware to exposed workstations. Our own research shows that attacks correlate with external exposures as well.

Here are some sample assets I’ve seen:

  • An internal development environment that was publicly accessible. It was backed by a self-signed certificate, signed by a remote developer at the company.
  • A development database server publicly exposed in cloud IP space, outside of the corporate cloud. This development environment was running multiple services, including critical remote access protocols (RDP).
  • Multiple RDP exposures in cloud and consumer dynamic IP space.
  • A firm that allowed unauthenticated access to and control of hundreds of building subsystems, including security door locks, fire suppression systems, and power to multi-hundred-ton physical power and cooling systems.
  • The administrative interface for an actively used records management system exposed on the public internet.

So what is the prescription? Today, most major compliance mandates require a basic step one: asset inventory. In today’s fast-moving environment, this starts with recognizing that you have to look for externally facing assets, and that you can see, at best, 80% of what you actually have. Closing that gap requires building a complete external asset inventory including:

  • Devices, including IoT and new work-from-home assets, which often lack network security protection;
  • Cloud infrastructure that is being spun up at a rapid rate;
  • Third party and supply chain risk; and
  • Certificates.
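To make that reconciliation concrete, here is an added Python example (not Expanse’s code or anything from the original post) that compares a constructed set of externally observed assets against a constructed system of record, reports the inventory coverage, and flags the exposure types listed above: assets unknown to the inventory, self-signed certificates, exposed remote-access ports and exposed admin interfaces. All hosts, IPs, port-to-service mappings and admin paths are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Observed:
    host: str
    ip: str
    ports: set
    cert_subject: str = ""  # subject of the TLS certificate seen, if any
    cert_issuer: str = ""   # issuer of that certificate
    paths: set = field(default_factory=set)  # HTTP paths that answered

# Constructed scan results, modelled on the sample assets in the post.
OBSERVED = [
    Observed("www.example.test", "203.0.113.5", {443},
             "CN=www.example.test", "CN=Public CA"),
    Observed("dev.example.test", "203.0.113.10", {443},
             "CN=alice-laptop", "CN=alice-laptop"),  # dev box, self-signed cert
    Observed("devdb", "198.51.100.7", {3389, 5432}),  # dev DB outside corp cloud
    Observed("records.example.test", "203.0.113.20", {443},
             "CN=records.example.test", "CN=Public CA", {"/admin"}),
]
# Constructed system of record: the IPs the security team already tracks.
KNOWN_IPS = {"203.0.113.5", "203.0.113.20"}
REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC"}
ADMIN_PATHS = {"/admin", "/manager", "/console"}

def is_self_signed(subject: str, issuer: str) -> bool:
    # A certificate whose issuer equals its subject was not issued by a CA.
    return bool(subject) and subject == issuer

def triage(observed=OBSERVED, known=KNOWN_IPS) -> dict:
    """Map each IP needing attention to the list of exposures found."""
    findings = {}
    for a in observed:
        hits = []
        if a.ip not in known:
            hits.append("not in inventory")
        if is_self_signed(a.cert_subject, a.cert_issuer):
            hits.append("self-signed certificate")
        hits += [f"{n} exposed" for p, n in REMOTE_ACCESS_PORTS.items() if p in a.ports]
        if a.paths & ADMIN_PATHS:
            hits.append("admin interface exposed")
        if hits:
            findings[a.ip] = hits
    return findings

def inventory_coverage(observed=OBSERVED, known=KNOWN_IPS) -> float:
    """Share of externally observed assets already in the system of record."""
    return sum(a.ip in known for a in observed) / len(observed)
```

Run against the constructed data, coverage comes out at 50%, and every asset the inventory does not know about also carries at least one of the exposures the post describes.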

Inventory management has been a deeply studied area in supply chain management, which teaches some valuable lessons for cybersecurity. As one noted supply chain expert put it, “‘You can’t improve what you can’t measure’ exemplifies the backbone of a sound inventory management system.” In cybersecurity, the equivalent is: you can’t secure what you can’t see.

[1] https://www.gartner.com/document/3991384 (gated; Gartner membership required)