CyCognito research staff analyzed data aggregated from hundreds of organizations to identify the top-level shadow risk trends that businesses with modern IT ecosystems face. The results reveal that organizations have a significant number of security blind spots, and those are often a by-product of interconnectivity with partners, cloud service providers and an organization’s own subsidiaries, as well as the fact that legacy security assessment solutions do not identify these blind spots.
The CyCognito platform marries sophisticated attacker reconnaissance techniques with large-scale data analysis. When applied to an individual organization, the results have proven indispensable for platform subscribers to better defend themselves. When the data collected by the platform is viewed in aggregate, it reveals a number of trends that cut across industries and organization sizes. In this blog, we reflect on: key trends identified, trend implications and how we gathered this data.
The CyCognito research shows that:
What do these facts and trends mean for the average organization? The serious implications of these data points may be readily obvious to security professionals, but let’s briefly review:
While it’s stunning that even organizations with well-funded cybersecurity teams are blind to as many as 75% of their attacker-exposed assets, it’s not entirely surprising given the explosion in the enterprise IT ecosystem. Today, business viability means agility and interconnectivity with new environments spun up with a moment’s notice, partners integrated into the supply chain and acquired companies. That often comes at the expense of security visibility or controls. To compound the problem, most security solutions are designed for a 20th century network, not the distributed IT ecosystem of the 21st century, and do not help organizations discover the full extent of their attack surface assets.
In the average organization’s IT ecosystem, there are connections to over 115 networks, most of which are not managed by the organization. Enterprises are awakening to exposures from third-party vendors and the risk associated with the shared security model of cloud environments, but legacy tools don’t provide visibility into the assets that expose them outside their IT management sphere.
This lack of discovery is because legacy security assessment approaches are designed to help you test the asset environments you already know about: with legacy vulnerability scanners, you select the IP ranges to scan. Thus you are working within your known IT universe, and the process by its nature is not going to discover the true unknowns. A bias toward known environments exists for penetration tests as well, though pen testers can be told to look broadly for assets. Nonetheless, with penetration testing, the lack of full visibility is further compounded by the fact that the testing is done on a very narrow slice of the enterprise IT ecosystem, typically just 1% or 2%.
Attacker reconnaissance has grown increasingly sophisticated. Offensive scanning and exploitation tools have become cheaper, more automated, and widely available to threat actors, which gives them unprecedented visibility into unattended points of entry into their target organizations. An organization’s best response is to view its attacker-exposed assets the way an attacker does, but on an even bigger and faster scale. Organizations have to eliminate all points of entry, while an attacker needs only one path in. But if organizations focus on attack vector discoverability, attractiveness and exploitability, it becomes clear which issues should be remediated first.
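The three-factor prioritization described above can be made concrete with a small scoring routine. The following is an added example written for this post, not CyCognito's own code or scoring model; the asset names, issues and factor values are constructed and the 0-to-1 scales are an assumption. It multiplies the factors rather than adding them, because an attacker has to find the asset, want it, and be able to exploit it, so a near-zero value in any one factor should pull the whole score down.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    issue: str
    discoverability: float  # 0..1: how easily outside reconnaissance locates the asset
    attractiveness: float   # 0..1: business value or data sensitivity from an attacker's view
    exploitability: float   # 0..1: how practical exploitation is (public exploit, no auth, ...)


def priority(f: Finding) -> float:
    """Composite remediation priority: product of the three factors.

    A sum would let one strong factor dominate (a critical CVE on a host nobody
    can reach would outrank an unauthenticated dashboard on a partner network);
    the product keeps the weakest link decisive, which matches the attacker's
    actual decision.
    """
    for value in (f.discoverability, f.attractiveness, f.exploitability):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor out of range for {f.asset}: {value}")
    return round(f.discoverability * f.attractiveness * f.exploitability, 4)


def remediation_order(findings):
    """Findings sorted highest priority first; ties broken by asset and issue name."""
    return sorted(findings, key=lambda f: (-priority(f), f.asset, f.issue))


# Constructed sample findings (hypothetical hosts, not real systems).
SAMPLE = [
    Finding("www.example-corp.test", "missing security header",
            discoverability=1.0, attractiveness=0.6, exploitability=0.1),
    Finding("lab-db.example-corp.internal", "critical CVE, reachable only from a private network",
            discoverability=0.1, attractiveness=0.9, exploitability=1.0),
    Finding("vpn.subsidiary.test", "end-of-life firmware with a public exploit",
            discoverability=0.9, attractiveness=0.9, exploitability=0.9),
    Finding("ci.partner.test", "CI dashboard exposed without authentication",
            discoverability=0.7, attractiveness=0.8, exploitability=0.9),
]

if __name__ == "__main__":
    for f in remediation_order(SAMPLE):
        print(f"{priority(f):.3f}  {f.asset:32} {f.issue}")
```

Run as a script, the ordering puts the subsidiary VPN and the partner CI dashboard ahead of the private-network database even though the database carries the highest single exploitability score; the point of the exercise is that the "critical" label alone does not decide the remediation queue.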
Many of these misconfigurations occur in networking gear located in third-party networks that are outside the control or visibility of the organization, but they must be assessed by the organization as if they were their own. The implications are significant because these devices are meant to be network and security gatekeepers and have the capability of granting broad access to attackers and others who should not have access. These assets are typically located at the intersection of the organization’s network and third-party networks, and are overlooked by legacy security assessment solutions.
Software development organizations include technically savvy staff who are capable of setting up complex agile development environments and automated DevOps pipelines. Still, these developers and DevOps pros are seldom security experts, and modern SaaS development platforms operate on a shared responsibility model where users are expected to configure security. When misconfigurations and/or network architecture flaws are introduced, these types of assets are exposed, intellectual property theft can occur, and sophisticated attackers can look for software vulnerabilities they can later exploit or even introduce their own to be used as back-door channels.
The CyCognito platform gathers data using a nation-state-scale botnet that continuously analyzes every internet-exposed IT asset – approximately 3.5 billion in total – and fingerprints them by looking at things as diverse as their visual elements (e.g., logos and icons), keywords and code fragments, and what software is deployed on the assets, among other identifiers. The platform uses a graph data model to represent the relationships between assets and classify the business purpose of assets.
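To illustrate what a graph data model of assets and relationships buys you, here is an added example written for this post; it is not the CyCognito platform's code, schema or classifier. The organizations, hosts, relationship labels and fingerprint keywords are all constructed, and the keyword-to-purpose table is a deliberately simple stand-in for real fingerprinting. Walking the graph from the parent organization over subsidiary, partner and hosting relationships surfaces the internet-exposed assets that the organization's own team does not manage, along with the chain of relationships that links each one back to the organization.

```python
from collections import defaultdict, deque

# Constructed sample graph (hypothetical names, not real organizations or hosts).
# "managed" means the parent organization's IT team administers the node;
# "exposed" means the asset answers on the internet.
NODES = {
    "acme-corp":         {"kind": "organization", "managed": True,  "exposed": False, "fingerprint": []},
    "acme-sub-ltd":      {"kind": "subsidiary",   "managed": False, "exposed": False, "fingerprint": []},
    "partner-logistics": {"kind": "partner",      "managed": False, "exposed": False, "fingerprint": []},
    "cloud-provider-x":  {"kind": "cloud",        "managed": False, "exposed": False, "fingerprint": []},
    "www.acme.example":             {"kind": "asset", "managed": True,  "exposed": True,  "fingerprint": ["nginx", "acme-logo"]},
    "intranet.acme.example":        {"kind": "asset", "managed": True,  "exposed": False, "fingerprint": ["sharepoint"]},
    "vpn.acme-sub.example":         {"kind": "asset", "managed": False, "exposed": True,  "fingerprint": ["ssl-vpn", "acme-logo"]},
    "ci.partner-logistics.example": {"kind": "asset", "managed": False, "exposed": True,  "fingerprint": ["jenkins", "acme-api-client"]},
    "bucket-acme-backups":          {"kind": "asset", "managed": False, "exposed": True,  "fingerprint": ["object-storage", "backup"]},
}

# Labelled, directed edges: (source, relationship, target).
EDGES = [
    ("acme-corp", "owns", "www.acme.example"),
    ("acme-corp", "owns", "intranet.acme.example"),
    ("acme-corp", "subsidiary", "acme-sub-ltd"),
    ("acme-corp", "integrates_with", "partner-logistics"),
    ("acme-sub-ltd", "owns", "vpn.acme-sub.example"),
    ("acme-sub-ltd", "owns", "bucket-acme-backups"),
    ("bucket-acme-backups", "hosted_by", "cloud-provider-x"),
    ("partner-logistics", "owns", "ci.partner-logistics.example"),
]

# Hypothetical fingerprint-to-business-purpose table; first matching keyword wins.
PURPOSE_BY_KEYWORD = {
    "ssl-vpn": "remote access gateway",
    "jenkins": "development pipeline",
    "object-storage": "data storage",
    "nginx": "web presence",
    "sharepoint": "collaboration",
}


def classify_purpose(fingerprint):
    """Map observed fingerprint keywords to a coarse business purpose."""
    for keyword, purpose in PURPOSE_BY_KEYWORD.items():
        if keyword in fingerprint:
            return purpose
    return "unknown"


def adjacency(edges):
    adj = defaultdict(list)
    for src, rel, dst in edges:
        adj[src].append((rel, dst))
    return adj


def reachable(nodes, edges, root):
    """Breadth-first walk from root. Yields (node, path) where path alternates
    node, relationship, node, so the caller can show how an asset is linked."""
    adj = adjacency(edges)
    seen = {root}
    queue = deque([(root, [root])])
    while queue:
        node, path = queue.popleft()
        yield node, path
        for rel, nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [rel, nxt]))


def shadow_assets(nodes, edges, root):
    """Internet-exposed assets linked to root that root's own team does not manage."""
    found = []
    for node, path in reachable(nodes, edges, root):
        attrs = nodes[node]
        if attrs["kind"] == "asset" and attrs["exposed"] and not attrs["managed"]:
            found.append({"asset": node, "purpose": classify_purpose(attrs["fingerprint"]), "via": path})
    return sorted(found, key=lambda f: f["asset"])


def blind_spot_ratio(nodes, edges, root):
    """Share of reachable, internet-exposed assets that sit outside root's management."""
    exposed = [nodes[n] for n, _ in reachable(nodes, edges, root)
               if nodes[n]["kind"] == "asset" and nodes[n]["exposed"]]
    if not exposed:
        return 0.0
    return sum(1 for a in exposed if not a["managed"]) / len(exposed)


if __name__ == "__main__":
    for f in shadow_assets(NODES, EDGES, "acme-corp"):
        print(f"{f['asset']:32} {f['purpose']:24} via {' -> '.join(f['via'])}")
    print(f"blind spot ratio: {blind_spot_ratio(NODES, EDGES, 'acme-corp'):.0%}")
```

In this constructed graph, only one of the four exposed assets is directly managed by the parent organization; the other three are reached through a subsidiary and a partner, which is exactly the kind of relationship a scope-based scan of the organization's own IP ranges never follows.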
The data and trends reflected in this blog post are based on the analysis of CyCognito platform data aggregated across hundreds of organizations with IT assets around the globe.
Alex Zaslavsky, a former Senior Product Manager at CyCognito, has more than 15 years of infosec experience working on data analytics, system development, architecture and technical product management, in addition to being a veteran of the 8200 unit.