One of the most significant changes that enterprise security teams have had to deal with in recent years is the massive shift that’s occurred in the external attack surface that needs to be managed and protected. Discovering, prioritizing and reducing risks associated with this growing and changing attack surface has become one of the most challenging aspects of enterprise security.
CyCognito’s SaaS-based platform supports attack surface management. We wanted to better understand how the company uses automation to simulate attacks to probe, test and analyze surface elements with the goal to reduce overall cyber risk.
TAG Cyber: What exactly is an attack surface?
The attack surface, formally speaking, is the sum total of all of the ways an organization is exposed to attackers. When most security professionals refer to their attack surface, they’re speaking digitally about all of their internet-exposed assets, like servers, endpoints, applications, cloud environments and the like. These are easily found on the internet and leveraged by attackers to gain initial access into an organization. Because of this, systems that are a part of the attack surface should always be known, monitored and tested for their security.
A key point to note about the attack surface is that it is always changing. Systems come online or get decommissioned. New attack paths are created or revealed with changes to configurations or vulnerabilities in software. We’ve seen across our customers that the typical attack surface changes by one to three percent every day. What this means is that after just a few days, there has been a significant change in the attack surface and attack paths into an organization. And if you don’t have a continuously updated view of it, it’s possible that you’re misjudging your exposure to risk.
TAG Cyber: Are your customers finding incidents originating with attack surface weaknesses?
Absolutely. The honest truth is that there will always be weaknesses on systems connected to the internet. Software vulnerabilities. Misconfigured or missing security tools. Unmonitored systems. Unintentional code issues. Unfortunately, each of these weaknesses presents a path of least resistance for an attacker to compromise a system and get into an organization. Another challenge is that the weaknesses are not just part of the infrastructure that is owned or managed by a specific entity. There are also weaknesses within embedded systems and technologies of third parties, which are often unseen and unknown. Pair with these weaknesses the constant change in a typical attack surface that comes from the dynamic nature of today’s infrastructure and it’s easy to see why this is—and will continue to be—a challenge that needs continuous monitoring and active testing to address.
TAG Cyber: How does the CyCognito platform work?
We built the CyCognito platform to intelligently automate the reconnaissance processes that attackers perform when trying to find ways to get access into an organization. By automating the process and refreshing it continuously, we give defenders the perspective they need to understand how attackers see their organizations and their weaknesses. This insight is critical when setting priorities and developing a remediation strategy and identifying what issues should be resolved first.
Our platform uses internet-wide scanning and machine learning to automatically identify, correlate and security-test the assets that belong to our customers. Once assets are inventoried and weaknesses are known, the platform intelligently prioritizes the weaknesses that present the greatest risk to the organization so that they can be patched first. This prioritization goes beyond just CVSS score, layering on the attractiveness of a vulnerability or weakness, determining how exploitable it is and if it’s already being exploited via the CISA known-exploited vulnerabilities, assessing how easy it is to discover along with other threat intelligence data that yields Risk Intelligence. This Risk Intelligence is key to appropriately and efficiently understanding, reporting and remediating the issues that face an organization.
TAG Cyber: Tell us more about continuous attack surface visibility and how it represents such a key component of the solution.
Continuous contextualized visibility is the key to confidently understanding your risk. And visibility is far more than just discovering your attack surface and what you own. It’s visibility into how you’re affected by a particular vulnerability. It’s visibility into how attackers are launching attacks in the wild. It’s visibility into unknown vulnerabilities and misconfigurations that your teams aren’t taking into account to accurately understand risk.
A good example of where this is absolutely critical is when a zero-day vulnerability is announced. Being able to quickly understand IF, HOW, and WHERE you are impacted is crucial to planning and executing your response. Without continuous, comprehensive visibility into everything you own, you may think that you’re covered, patched and protected when that simply isn’t the case. Continuous visibility also provides the ability to validate when issues and risks have been remediated. Timely discovery and awareness of issues are the first step to prioritize their remediation, but equally important is the last step: ensuring that you’ve correctly addressed the issues and that they’re no longer able to be exploited.
TAG Cyber: Do you have any predictions about emerging cyberthreats to business infrastructure?
The attack surface of modern organizations will only continue to grow. It’s the nature of the digital economy that we’re in. And this means that attacks on organizations will continue, too. Just as business technology has become more complex with cloud adoption, containerization, and the ability to work from anywhere, attackers will exploit these complexities at the same pace.
But I am optimistic that we can beat attackers with new, faster, more intelligent technologies that help provide greater ongoing visibility into the ways organizations are exposed. And smart context can assist security teams in prioritizing issues and resolving how to fix them in order to protect what is exposed to attackers.