In its simplest form, cyber risk is a measurement of your cyber exposure: the probability of a breach, adjusted for the potential loss and damage associated with such a breach. The probability of a successful breach is based on the combined capabilities of your people, technology, and processes; compounded by the skill, tactics, techniques, and technology of your opponent. When defining potential loss and damage, each organization has to define, for their own business, what the potential impact might be. For example, one organization may be tasked with acquiring and obtaining highly privileged data, while another only holds publicly available data. This variable – the impact of a breach or disruption must be quantified in order to properly and completely define cyber risk.
An organization can manage risk more effectively by knowing its cyber strengths and cyber weaknesses and knowing the enemy’s tactics, techniques and procedures (TTPs) and when they are fully aware of the overall impact a breach or disruption can cause.
The intelligence that adversaries gather prior to initiating an attack (known as reconnaissance or recon) has an impact on the probability of an attack succeeding and its overall outcome before the attack even takes place. Recon can provide attackers with information that serves to their advantage, but it can also become a deterrent. For example, if the information gathered by an adversary during the recon phase does not reveal significant weaknesses and it paints a picture of a meticulous IT operation with strong defenses, it may put them off; preventing the attack from taking place.
In digital attacks, the adversaries are many and usually unknown, they are often well financed and can be patient, since they only need to succeed once. What we do know are their tactics and techniques; by looking at your organization from the outside, through adversarial eyes, you can assess cyber risk levels in three steps:
- Information gathering – know what an adversary can learn about you.
- Weakness identification – know your perceived weaknesses from the perspective of the adversary.
- Test weaknesses to assess what is at risk, and if they can be exploited.
By taking this approach, security teams start on the path of knowing their enemy better; protections can be optimized, and risk mitigation efforts can be prioritized. Large and multi-disciplined security teams may be able to perform full recon and in-depth testing. The challenge has always been to scale this approach for companies with small security teams and make it accessible and achievable for them.
Information Gathering and Weakness Identification
“There is a wealth of information on the network. In fact, so much information, that you could spend your entire life browsing.” That was written in 1991, in RFC 1290, in a totally different context to this paper – but true then and true now.
There are many types of information that can be collected on a target during the recon phase. These include technical information on the web and IT infrastructure and applications that are exposed to the Internet; but also, information about the organization and its people. This second category of information is often overlooked but is critical to any adversary attempting to bypass security controls. Reporting chains, contact information, business processes and authorization procedures, and other non-technical controls are a gold-mine of information that can be used during a digital attack. Both types of information can serve an adversary. While organizational information is valuable for targeted fraud and spear-phishing, we will focus on the types of information that can potentially expose a weakness for an adversary to breach the organization, these include:
- Information about web and mobile Internet facing applications; the types of input they accept, the data they have access to, and any certificates they use.
- Information about an organizations network and information technology. These include SaaS applications, hosting and IT services, web infrastructure, and 3rd party connections (such as to business and technology partners).
- Credentials such as tokens, hashes, previously compromised accounts, and weak or previously compromised passwords.
The data collected during recon provides four perspectives for a security team to address:
1. IT Hygiene
IT hygiene is the high-level view of the attack surface. Use of up-to-date software and infrastructure; timely certificate updates; and shutting down unused web domains, sub-domains, and applications are some common attributes of high IT hygiene. Large enterprises will have many sub domains, applications, and sites – and not all of them may be maintained and up to date, or even protected by more recent security controls. These are indicators of potential weaknesses and will attract adversaries to investigate further.
2. The Attack Surface
The attack surface is a fragmented landscape which can contain many unknowns to the security team. Domains owned by the organization, hosted on third party, uncontrolled platforms, and managed by different business groups or teams are one aspect. Shadow IT services, testing or staging deployments on-prem or in cloud environments, and unsanctioned SaaS based services are another. Knowing what is exposed to the outside world is key to improving IT hygiene and identifying potential entry points for an adversary to take advantage of.
3. Technical Weaknesses
Technical weaknesses include all the underlying misconfigurations, application and web infrastructure vulnerabilities, and known vulnerable systems that can be found after fingerprinting the target domains and sub-domains of the organization and third parties. Leaked credentials, tokens, and weak or compromised passwords and password hashes also represent potential weaknesses. Testing can determine if these weaknesses are exploitable by an adversary; and associate a risk level to help prioritize remediation efforts.
4. Indicators of Malicious Intent
Indicators of malicious intent can also provide actionable intelligence. These include recently created phishing domains that use name-blending and typo-squatting techniques to mimic the target domain. Once identified these can be addressed with web providers or through legal means. Other indications – such as an increase in dark-web mentions – should prompt increased vigilance and drive more educational activity for employee security awareness.
Recon findings may surprise many organizations; and the amount of information can be overwhelming. What companies should expect is a list of validated and prioritized issues that require attention based on quantifiable risk.
Breach and attack simulation (BAS) platforms perform continuous security validation by launching a broad spectrum of attack simulations to discover security gaps and guide security teams to remediate them. Recon integration with security testing and validation programs provides a complete end-to-end simulation of the threats organizations face and uncovers potential points of entry, to better test infrastructure and assess risk more completely.
Automated recon together with continuous security validation have the additional benefit of assessing risk after every change that may inadvertently introduce a new security gap, whether they are routine administrative changes or in response to an event. Combined they make end-to-end security validation accessible and achievable even for security teams with limited resources. Together they connect the dots of the full kill-chain, enabling security teams to know their enemy better and become better defenders.
To learn more about the effectiveness of your security controls, test Cymulate for yourself with a 14-day free trial.