Font Size: A A A

Home > News > Interviews > Internet attack surface


Internet attack surface

In their quest to remain competitive, organisations are moving their customer and partner interactions online at an unprecedented speed. An unfortunate result of this is that their digital attack surface often grows to an unmanageable size – which inevitably increases the risk for data theft, operational disruption, brand erosion, and employee and customer compromise, writes Fabian Libeau, VP EMEA at RiskIQ, a digital threat software firm.

As digital assets across web, social, and mobile platforms become prime targets for cybercrime, organisations must find ways to not only defend data residing on their own networks and endpoints, but also the often-overlooked digital assets outside the firewall.

There is a growing discrepancy between the way in which security teams view their organisation’s digital assets, and the reality through which both customers and malicious cyber actors interact with them. Security teams must, therefore, come to terms with the fact that they are not only responsible for their own network, but also everything that targets their brand and assets on the open internet. In other words, there needs to be an understanding of what they look like from the outside-in. All in all, there are five aspects of this new, expanding attack surface that organisations need to know in order to better frame the challenges faced in keeping the internet a safe environment – all of which underline a need to broaden awareness of the potential risks involved and to foster a more informed approach to cyber defence.

1. The global internet attack surface is unexpectedly large (and growing)

In just two weeks, RiskIQ’s web-crawling infrastructure observed over three million new domains, or almost 250 thousand per day, and more than 77 million new domain hosts – each representing a possible target for threat actors. Websites are made up of many elements, such as the underlying operating system, frameworks, third-party applications, plug-ins, and trackers, that are all designed to deliver better user experience, reduce the time to market and derive maximum value from user interactions. This commonality of approach is widespread, which is good news for malicious actors, as a successful exploit written for a vulnerability or exposure on one site can be reused across a large number of sites.
An example of this is the widespread use by web developers of content management systems (CMS). While it simplifies the process of creating dynamic and easily maintainable sites, CMS’ ubiquity has made it a popular target for hackers, who can simply re-use the same tactics across sites running the same CMS.

2. Hackers know more about this new attack surface than security teams do

Most organisations do not have a complete view of their internet assets and it is not uncommon to find that they have 30 percent more assets than they are aware of – usually due to shadow IT, as well as mergers and acquisitions (M&A). Security teams are often left in the dark with regards to shadow IT activities that businesses engage in to get support in the development and deployment of new assets when the central IT team can’t respond quickly enough. This means that a significant amount of created assets cannot be brought into the scope of the organisation’s security programme and remain unmanaged over extended periods of time, forming the Achilles heel of the overall attack surface as they quickly age and become vulnerable to even the most common hacking tools. When organisations are acquired, their forgotten and hidden assets then inevitably come with them through the merger, further exacerbating the problem over time. These assets comprise a large and complex attack surface that needs to be understood and actively managed to reduce the low-hanging fruit available for cybercriminals to exploit.

3. Hackers can attack organisations without compromising any assets

Threat actors continue to use social engineering tactics, such as impersonation to exploit organisations’ brands for their own gain. Impersonating domains, subdomains, landing pages, websites, mobile apps, and social media profiles, many times in combination, is used as a tactic to trick consumers and employees into giving up credentials and other personal information or installing malware. Apart from their own assets, organisations must be on the lookout for impersonating or affiliating assets created to target their customers and employees. Early detection and takedown of infringing assets are one of the most effective ways of disrupting targeted campaigns.

4. There is a sprawling network of fake app stores

It should come as no surprise that there are more mobile apps than ever; RiskIQ observed more than 1.5 million new apps in the first quarter of 2018 alone. There is, however, a general perception that there are only a small number of mobile app stores. In reality, there are a large number of secondary and affiliate stores, primarily serving the Android market, which provide an opportunity for malicious actors to compromise legitimate apps and launch fake apps while hiding in the vastness of the app store ecosystem.
Organisations must do more to monitor the app store ecosystem for stores hosting their apps without permission and for apps impersonating their brand(s). Users should stick to the primary app stores where possible and be vigilant in researching apps they wish to download. They should question whether the developer looks legitimate, whether the user reviews indicate anything concerning and whether the permissions being asked for seem excessive for the functionality the app needs to provide its service.

5. Cryptocurrency mining is on the rise

Many are not properly aware of the fact that cybercriminals are currently augmenting their activities beyond using traditional methods, such as spyware, ransomware and other forms of malware, by stealing computer resources rather information – especially through crypto mining. In the first half of the year, RiskIQ observed an average of 495 new hosts running cryptocurrency miners each week, with some remaining active for over 160 days, suggesting that organisations are failing to detect them. Few can have failed to notice the exponential growth in the value of cryptocurrencies over the past years. A challenge brought on by the rapid uptake of crypto currencies is that requires extreme levels of computing powers, which can often be prohibitively expensive. Malicious actors are getting around these costs through siphoning computer resources from unwitting users across the internet by hosting crypto mining scripts on the websites of highly visited sites which then execute in the browsers of visitors to those sites.

It’s time to look beyond the organisational perimeter

Ultimately, the traditional defence-in-depth approach that has been informing the security strategies for most organisations needs to be, if not abandoned, at least updated to sufficiently cover both internal and the external attack surface. In today’s world of digital engagement ever more corporate digital assets are exposed on the open internet along with the users that engage with them. It should come as no surprise that most malicious actors have observed this, and are seeing these new interactions as ripe opportunities for digital fraud. It is, therefore, time for security teams active across all sectors to fully acknowledge this and ensure that security strategies are adopted to this new reality.


Related News