Through the eyes of an adversary: moving beyond the external attack surface
The importance of considering the internal attack surface
It is a well-known fact that the pandemic was a catalyst in our society's digital transformation. In the last few years, we have come to rely on an ever-expanding pool of assets and services, requiring more cloud deployments and more digital channels. As a result, our attack surface is growing rapidly. Be it through misconfigurations, risky behaviour by internal and third-party stakeholders, or software vulnerabilities, the continued expansion and evolution of our networks exposes us to greater cybersecurity risk.
In response, many organisations have upped their vulnerability and exposure management game, seeking to identify these attack vectors, or unauthorised entry points, and shut them down. They secured their perimeters by constructing a fence around their home. They introduced alarm systems, locked their doors, and barricaded windows. But what if someone were to throw a ransomware hand grenade through an unsecured letterbox? What happens then? What is the blast radius?
Mark Watkinson is Head of Market Insights at Adarma.
What is the blast radius?
The cybercriminal underworld has become an economy of its own, with its own web of vendors, investors, suppliers and buyers. Among them, initial access brokers (IABs) have emerged: middlemen who obtain a foothold into an organisation's environment and sell it on to ransomware affiliates and other buyers. Only once they are in do the attackers begin reconnaissance, mapping the environment and its weaknesses so that they can move laterally through it undetected. Organisations have rightly paid attention to the external attack surface, but what is exploited from this point on is the oft-neglected internal attack surface.
While it is important to prevent a breach altogether, it is equally vital to take an approach that assumes the worst-case scenario. We need to assume the bad guys are already in our networks. This is an approach that requires us to move away from the question, “How can an attacker gain initial access?”, to “How can an attacker move to complete their objectives?”.
Assume-breach is a mindset that guides security investments, design decisions, and operational security practices. It limits the trust placed in applications, services, identities, and networks by treating them all, internal and external alike, as insecure and already compromised. An assume-breach mindset can help organisations develop a secure-by-design strategy and determine the potential risk posed by malicious insiders.
Red or purple teaming is another means of assessing attack paths, though it is frequently reserved for larger, more mature organisations with the resources for it. In these engagements the red team has a set objective and takes the path of least resistance from A to B, from the entry point through to the critical asset. Once the objective is achieved, the weaknesses they found are addressed and the job is considered done; yet there are a myriad of other ways an attacker could move through the network, and those are overlooked.
A new strategy
To overcome this oversight, a new strategy needs to be employed: one that continuously monitors, identifies, measures and reduces the risks of a growing attack surface. What we need is to bring attack paths into the equation; that is, the routes cybercriminals take when multiple attack vectors are chained together. In other words, a strategy of 'attack path reduction'. This can be achieved using sensors that pull information from assets across the estate to establish what is happening on the network at any time. From that data we build a model of where an attacker could go from one vector to the next, whether through credential theft, excessive access privileges and so on. By keeping an open mind, rather than fixing on a single goal of getting from A to B, we can better understand the numerous routes and techniques a cybercriminal might adopt. Moreover, removing those routes reduces the opportunities for attackers to establish persistence or to return to your environment after being kicked out.
In doing so, we would also be enhancing the red team's capabilities and making them more efficient. Instead of sending them on a wild goose chase, we can offer a map of all the attack paths as well as the security controls already in place, and then use the red team's skills to test those specific controls by seeing whether they can manually bypass any of them. In other words, this is the perfect opportunity for synergy between humans and technology: the machines do the work of assimilating data at scale to provide visibility, and the humans step in to do what they do best, which is to think laterally.
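To make the two preceding paragraphs concrete, here is an added example (my own illustration, not Adarma's tooling or anything the author describes in detail) of what an attack-path model built from sensor data looks like. The observations, host and account names, and the named controls are all constructed; the relationships mirror the usual identity-graph semantics (group membership, local admin rights, logged-on sessions whose credentials an admin can steal). The script enumerates every simple path from a phished user to a domain controller rather than just the shortest one, finds the choke-point edges that every path depends on, shows how many paths survive if a given edge is removed, and labels each step of a path with the control already in place so a red team can be pointed at specific bypass tests.

```python
"""Enumerate and prioritise attack paths over a small identity/asset graph.

Added example with constructed data; not output from any real sensor product.
"""
from collections import Counter, defaultdict

# Constructed observations of the kind endpoint and identity sensors report.
# Edges point in the direction an attacker can traverse them:
#   user/group -MemberOf->   group   (inherit the group's rights)
#   user/group -AdminTo->    host    (local admin on the host)
#   host       -HasSession-> user    (admin on the host can steal that user's creds)
OBSERVATIONS = [
    ("user:alice", "MemberOf", "group:Helpdesk"),
    ("user:bob", "MemberOf", "group:ServerOps"),
    ("user:svc_backup", "MemberOf", "group:DomainAdmins"),
    ("group:Helpdesk", "AdminTo", "host:WS01"),
    ("group:Helpdesk", "AdminTo", "host:WS02"),
    ("group:ServerOps", "AdminTo", "host:SQL01"),
    ("group:DomainAdmins", "AdminTo", "host:DC01"),
    ("user:alice", "AdminTo", "host:WS03"),
    ("host:WS02", "HasSession", "user:bob"),
    ("host:SQL01", "HasSession", "user:svc_backup"),
    ("host:WS03", "HasSession", "user:svc_backup"),
]

# Constructed: controls already deployed on specific edges (hypothetical names).
CONTROLS = {
    ("host:SQL01", "HasSession", "user:svc_backup"): "EDR credential-dump detection",
    ("group:DomainAdmins", "AdminTo", "host:DC01"): "Tier-0 admin MFA",
}


def build_graph(observations):
    """Adjacency list: node -> [(relationship, next_node), ...]."""
    graph = defaultdict(list)
    for src, rel, dst in observations:
        graph[src].append((rel, dst))
    return graph


def all_paths(graph, start, goal, max_depth=12):
    """Depth-first enumeration of every simple path from start to goal.

    Each path is a list of (src, rel, dst) edges; the visited set prevents
    cycles, and max_depth bounds the search on large graphs.
    """
    paths = []

    def walk(node, path, seen):
        if node == goal:
            paths.append(list(path))
            return
        if len(path) >= max_depth:
            return
        for rel, nxt in graph.get(node, ()):
            if nxt in seen:
                continue
            path.append((node, rel, nxt))
            walk(nxt, path, seen | {nxt})
            path.pop()

    walk(start, [], {start})
    return paths


def shortest_path(paths):
    """The single route a goal-driven red team is most likely to report."""
    return min(paths, key=len) if paths else None


def choke_points(paths):
    """Edges present in every path: removing any one of them severs them all."""
    counts = Counter(edge for p in paths for edge in set(p))
    return [edge for edge, n in counts.items() if n == len(paths)]


def paths_without(observations, edge, start, goal):
    """Re-run the enumeration as if the edge had been removed, e.g. a group
    membership revoked or a service account's interactive logon disabled."""
    remaining = [o for o in observations if o != edge]
    return all_paths(build_graph(remaining), start, goal)


def annotate(path):
    """Label each step with the deployed control the red team should try to
    bypass, or mark it as uncontrolled (a candidate for outright removal)."""
    return [(src, rel, dst, CONTROLS.get((src, rel, dst), "no control"))
            for src, rel, dst in path]


if __name__ == "__main__":
    graph = build_graph(OBSERVATIONS)
    paths = all_paths(graph, "user:alice", "host:DC01")
    print(f"{len(paths)} path(s) from user:alice to host:DC01")
    print(f"shortest path: {len(shortest_path(paths))} hops")
    for edge in choke_points(paths):
        left = paths_without(OBSERVATIONS, edge, "user:alice", "host:DC01")
        print(f"choke point {edge}: {len(left)} path(s) remain if removed")
    for step in annotate(shortest_path(paths)):
        print("  ", step)
```

On this data a shortest-path-only exercise reports the four-hop route via host:WS03 and never surfaces the longer route via the helpdesk group and host:SQL01, whereas the full enumeration shows that both routes hinge on svc_backup's Domain Admins membership: revoking that one edge removes every path, which is the kind of high-leverage fix attack path reduction is meant to find.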
All this to say, it is time to move beyond simply protecting our businesses from a potential breach and to assume that attackers have already succeeded in getting in. We need to put ourselves in the shoes of an attacker and reflect: do you know all the routes to your critical assets? Do you know which weaknesses in identities, assets and user behaviour enable these routes? Has a third party potentially introduced new attack paths? And do you have visibility of all of this? This is how we stay ahead of the bad guys and reduce their blast radius.
Mark Watkinson is Head of Market Insights at Adarma, and a cyber enthusiast with 20 years' experience in product marketing, product management, strategy, and leadership, helping cyber organisations scale and grow.