It’s been a year in which the significant challenges of enterprise cybersecurity have been laid bare. Attacks that are unprecedented in scale, such as Kaseya and the Microsoft Exchange server hacks, have starkly revealed the vulnerable nature of company online attack surfaces, says Adam Hunt, CTO at the cyber threat intelligence firm RiskIQ.
Threat actors – often state backed – are becoming ever more sophisticated, unpicking the most intricate vulnerabilities with no scruples about the widespread damage their actions cause. Organisational attack surfaces are growing and becoming more complex as digitalisation accelerates throughout the COVID era. It’s all good news for threat actors, who are spoilt for choice as to the avenue through which they will breach an organisation.
It’s not simply a question of preventing one attack – attacks should be viewed as a constant storm through which a company must navigate. More often than not, security teams are struggling to keep pace. Cybersecurity is a game of cat and mouse, and companies find themselves reacting to breaches after they have occurred rather than proactively defending their online attack surface.
Crucial to the fight is visibility. After all, how can a company protect its attack surface when it does not have a clear picture of the assets it owns that are exposed to the internet? It is important for cybersecurity professionals to recognise the key threat vectors and trends that define the modern attack surface.
As the web increasingly intersects with all areas of business activity, it is essential that organisations address the shifting battle-lines that determine the cybersecurity landscape. Four particular areas of vulnerability include:
1. Moving to the cloud: although transition into the cloud can offer companies flexibility, stability and efficiency, protection of cloud assets is a far more complicated task than on-premise hosting. The attack surface expands significantly with the adoption of third-party services that are used by multiple companies. This means that a vulnerability in a cloud application provider can be used to target thousands of organisations, as was the case with the July 2021 Kaseya attack.
2. Working from home: the pandemic necessitated the decentralisation of the workforce, and working from home trends look set to continue into the post-pandemic world. Working from home adds unique cybersecurity challenges to the organisation attack surface. For example, employees’ personal devices joining the corporate network may be inadequately protected, while staff may also be more susceptible to social engineering phishing attacks, as expectations of legitimate email correspondence are still yet to crystallise.
3. Shifting left: shifting left is the practice of finding and preventing defects early in the software implementation process. Many organisations now shift left to capitalise on the more rapid iteration and deployment of applications. However, while this may allow companies to employ technological innovations more quickly, it also exposes organisations to mistakes and vulnerabilities that may not have been detected in preliminary testing.
4. The proliferation of IoT and 5G: as organisations add complexity to their networks through expanding into 5G and the proliferation of IoT, it has to be understood that every device added to the network represents a new part of the organisational attack surface. These assets must be catalogued and monitored by security teams, or else threat actors will find a way to breach the corporate network through such windows.
Given that the company attack surface is expanding exponentially as transformative technologies are implemented – and amid the fever pitch of cyberattacks – organisations must develop a strategy for how to protect themselves. The most important capacity in defending the organisation’s attack surface is that of holistic visibility.
The first step in achieving holistic visibility lies in taking an audit of every way in which an organisation intersects with the internet. Vitally, this should include the realm of shadow IT, where assets are created outside of standard processes and as a result are unknown to the security team. Shadow IT comes in the form of websites, web portals, mobile apps, and more. Over time, increasing numbers of these assets become lost to history and continue to exist outside of auditing, patch management, and vulnerability/pen testing cycles. Shadow IT represents a common vector through which cybercriminals target organisations, and it is through a comprehensive audit that companies can develop a digital footprint that includes such assets.
Likewise, the digital footprint should capture the full shape of a company’s online infrastructure. This includes how the company operates within the cloud and how this extends into third parties; what applications are being used by employees, and where might vulnerabilities within these applications lie; and what access points are made possible by the connection of IoT devices to the company network.
Once this digital footprint has been established, security teams can identify endpoints and exposed systems that afford threat actors the holes through which they can pick apart the corporate network. From here, IT teams circle the virtual wagons by consolidating or getting rid of legacy systems or redundant assets, patching company infrastructure, and creating an attack surface that is manageable.
Threat intelligence is no longer just an option
Once the entire expanse of an organisation’s attack surface is visualised by IT teams, they can begin thinking like cybercriminals – seeing where and how it will be most opportune to attack. This is where high quality threat intelligence can add tremendous value, allowing companies to understand the latest threats and pre-empt threat actors and new styles of attack before any hack is conducted. For any company wanting to responsibly operate in today’s highly connected and digitalised world, maintaining this level of threat intelligence is no longer just an option. Attacks are ever-present, and organisations have a responsibility, both to their customers and to their bottom line, to ensure that they are not the next business to fall victim to a hack.