The Platform

Enable your security and operations teams to proactively identify, prioritize, and remediate exposures to stay ahead of attackers.

Watch a Demo
GigaOm Radar for Attack Surface Management

The expansion of an organization's attack surface continues to present a critical business challenge. Download the GigaOm Radar for Attack Surface Management to get an overview of the available ASM solutions, identify leading offerings, and evaluate the best solution for you.  

Use Cases

The CyCognito platform helps you identify all of the attacker-exposed assets in your IT ecosystem for a complete view of your attack surface.

State of External Exposure Management

Download CyCognito’s State of External Exposure Management Report to learn key recommendations that your Security teams can implement to improve their exposure management strategy and minimize risk. 

Our Customers

External attack surface management is advancing cybersecurity into a new era. Learn how security experts across all industries benefit from using CyCognito’s platform.

The Total Economic Impact™ of The CyCognito Platform

Read The Total Economic Impact™ of The CyCognito Platform — a Forrester study. Cost Savings And Business Benefits Enabled By The CyCognito Platform. 

About CyCognito

We believe all organizations should be able to protect themselves from even the most sophisticated attackers.

Contact us
Resources

The knowledge you need to manage and protect your attack surface.

What's New Blog
Research

Colonial Pipeline, “If Only You Knew the Power of the Dark Side…”

Jim-Wachhaus
By Jim Wachhaus
Director of Technical Product Marketing
May 12, 2021

The shutdown of Colonial Pipeline, a major fuel pipeline in the United States, by ransomware is yet another cyberattack that highlights an important weakness in our global supply chain. Look at SolarwindsMicrosoft Exchange, and Accellion as other recent examples.

On May 8, 2021, the initial investigation indicated that the ransomware gang, DarkSide, was responsible for the Colonial Pipeline cyberattack. The group has been operating their ransomware – called “DarkSide ransomware” and delivered as-a-service – against US and European companies for at least half a year. Attackers using DarkSide’s ransomware variant generally gain initial access by exploiting remote services like Citrix, Remote Desktop Web (RDWeb), or remote desktop protocol (RDP) from an external attack surface. Once they gain a foothold, they dig in deeper via lateral movement, exfiltrating data, and then encrypt everything with ransomware to extort money from their victims.

Our research at CyCognito finds that about 1 in 65,000 assets in a typical Fortune 500 company will contain an unprotected remote desktop service. That may seem like good odds, but at-scale this means most major corporations are hosting between two to twenty or more easily exploited systems, right now!

Figure 1. In this example, a Learning Management System with weak credentials was exposed to attackers. Further inspection revealed evidence of ransomware activity, specifically files used to prepare for the attack, including a ransom note. The organization was able to quickly address the issue because the CyCognito platform found and tested the asset and prioritized the issue as critical. 
For context, this company has ~110,000 assets.

While any one of those easily exploitable servers may not on its own be business-critical, if it becomes a “backdoor” for a ransomware attack, the consequences can be dire. Of course, the context for the availability of this issue is the need for remote access during this global pandemic. IT is managing assets remotely and of course they are doing it well, but what if a VP of Marketing in Morocco operating at a subsidiary of a French company decides that they need an RDP service to access systems inside the firewall? You might end up in a situation where Bluekeep can be used to hack an unpatched or misconfigured system “managed” by Shadow IT.

Figure 2. These are screenshots from the CyCognito platform for an asset with an exposed RDP service susceptible to BlueKeep. The platform automatically discovers assets like this and tests them for security, discoverability, issues, and attractiveness to attackers.

And there is an entire attacker economy that makes locating paths of least resistance such as those just a matter of time. To find these systems, attackers use reconnaissance to find attractive targets into a network. Then they can simply purchase access credentials from the dark web or rent botnets to interrogate systems with brute force attacks. And after extracting data, they can then purchase ransomware-as-a-service from the likes of DarkSide to get money directly from their victims. The whole business of ransomware is a lucrative one, and it’s easy to see that an ROI in excess of 1,400% will draw in other criminals looking for targets who supply critical infrastructure and services. The ONLY protection is a proactive defense with continuous, complete attack surface protection, and it must be made clear that ANY asset that is exposed is a potential target and entry point for a much wider, more devastating, and expensive breach.

“Monday, May 10, 12:25 p.m.

Colonial Pipeline continues to dedicate vast resources to restoring pipeline operations quickly and safely. Segments of our pipeline are being brought back online in a stepwise fashion, in compliance with relevant federal regulations and in close consultation with the Department of Energy, which is leading and coordinating the Federal Government’s response.

Restoring our network to normal operations is a process that requires the diligent remediation of our systems, and this takes time. In response to the cybersecurity attack on our system, we proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations, and affected some of our IT systems. To restore service, we must work to ensure that each of these systems can be brought back online safely.”

Figure 3 – Part of Colonial Pipeline’s Press Release About the Disruption

All major organizations such as Colonial Pipeline are increasingly under threat of ransomware. As a result, the US Federal government is taking steps to shore up defenses for critical infrastructure. As organizations focus on digital transformation they find themselves open to these attacks because of pathways in their IT ecosystem of which they are typically unaware. This includes not only their own IT assets, such as servers, applications and infrastructure, but IT assets that belong to, or are managed by their third party vendors, partners or subsidiaries, which are highly interconnected with the company. These shadow assets and attack vectors create shadow risk, which arises when organizations have not fully mapped their attack surface.

When attackers find these exposed and unsecured assets, they leverage them to execute ransomware attacks. Ransomware provides an easy income for cybercriminals targeting successful corporations, who typically are completely taken by surprise when they learn just how many unsecured IT assets their ecosystem partners and subsidiaries have, and what an easy target for exfiltration and ransomware those assets present.

The only real defense is to think like an attacker. To get ahead of groups like DarkSide it is essential to find the weakest links and fix them before the cybercriminals can take advantage. This is why the CyCognito platform uses an attacker’s methods like reconnaissance and botnets to discover your entire attack surface and security-test all of the assets in it so that you know where attackers are most likely to breach your organization. With that, you can shore up defenses and eliminate the paths of least resistance that attackers target first.


Topics





Recent Posts








Top Tags



CyCognito Research Report

State of External Exposure Management

State of External Exposure Management

Download CyCognito’s State of External Exposure Management Report to learn key recommendations that your Security teams can implement to improve their exposure management strategy and minimize risk.

Dummies Book

External Exposure & Attack Surface Management For Dummies

External Exposure & Attack Surface Management For Dummies

As your attack surface has grown to cloud infrastructures and across subsidiaries, attackers are looking for and finding unknown and unmanaged assets to serve as their entry points.

Interactive Demo

Ready to Rule Your Risk?

Request a personalized walkthrough of the CyCognito platform to see how we can help your company identify all its internet-exposed assets, focus on which are most vulnerable to attacks, and accelerate your time to remediating critical risks.