Security professionals have the daunting task of eliminating every critical internet-facing security issue before it’s discovered by the attackers. It’s like the most tedious game of whack-a-mole ever.
The CyCognito platform continuously applies nation-state scale reconnaissance to map organizations' attack surfaces. It regularly discovers new assets and identifies previously undetected attack vectors. Occasionally it also detects zero-day attack vectors -- risks not only new to the organizations we monitor, but also new to the vendors and teams that developed the software running on those assets.
Attackers value XSS vulnerabilities because they can be used to take control of the victim’s current web application session. An XSS vulnerability in a router’s admin interface means router administrators would be the most likely attack targets. Attackers would be able to perform actions that an admin could, view information that they could (including their keystrokes, their browser history, clipboard, etc.), modify information, and potentially steal and use admin authentication information to access the vulnerable router at will, or attempt to access other systems using those credentials (i.e., move laterally).
Read on to learn more about what enables our platform to find issues such as these: present for years, but undetected by both product vendors and other commercial security assessment solutions.
POLaR - Paths of Least Resistance
Would-be attackers use the scale, affordability, and availability of cloud computing to scan large portions of the internet looking for lucrative paths of least resistance — the most easily exploitable route — into organizations. To defend against this, security professionals have the daunting task of eliminating every critical internet-facing security issue before it’s discovered by the attackers. It’s like the most tedious game of whack-a-mole ever. But when attackers win, which is far too frequently, things get exciting in the worst way.
At CyCognito, we use a similar approach to the attacker’s tactics by discretely discovering a company's entire attack surface, which for enterprises might comprise hundreds of thousands of assets. We then automate issue detection on that large asset list without alerting cyber defenses. At this point, if it was attackers performing the reconnaissance, they would select the easiest, juiciest targets and deploy an attack campaign.
But if you are a CyCognito customer, our platform provides business context for each of your assets with remediation guidance for the most critical issues facing your defenses so you can eliminate critical risks before the attackers get a chance to attack them. The automated and continuous monitoring offered by our SaaS platform allows security teams to focus their remediation efforts on the attack vectors attackers would seek to exploit first, the paths of least resistance.
Zeroing in on Zero-Days
Sometimes such attack vectors are known critical vulnerabilities (i.e., CVEs) or configuration issues impacting reputation, availability, confidentiality or integrity. At other times these are issues in proprietary web applications and in some cases they may be zero-day vulnerabilities on commercial off-the-shelf (COTS) hardware, firmware, or software. By leveraging automation and scale, the CyCognito platform sometimes discovers zero-day vulnerabilities on COTS products (just as attackers can). And sometimes, as was the case with CVE-2020-3431, these can be products that have been sold and operational in the field for more than a decade.
Our research team discovered CVE-2020-3431 and the other three zero-day vulnerabilities mentioned earlier while working with our platform to enhance its reflected Cross-Site Scripting (XSS) vulnerability detection capabilities. While there are many tools available that scan for XSS on web applications, they are predominantly made to be used by human analysts, pentesters, and even the bad guys. And, as CyCognito researchers learned after applying these tools to internet-facing IPs, only about 20% of the results were true positives. In general, dynamic application security testing (DAST) scanner products have fairly low accuracy. An OWASP Benchmark test found DAST accuracy is about 18% for all vulnerability types.
Twenty percent accuracy might be good enough if you can afford to perform a lot of manual validation work for one or two applications, but it’s not acceptable for automated processing at scale. So, by using terabytes of website content collected from internet-exposed attack surfaces to train our XSS detection engine, we significantly improved our XSS detection accuracy by combining publicly available heuristic engines with proprietary fine-tuning.
Most publicly available application security scanner tools such as w3af and OWASP ZAP are used by researchers to identify POTENTIAL XSS rather than verify the issues they detect. So, to improve upon the accuracy available from tools such as those, the primary hurdle our researchers overcame was to reduce the tools’ overactive sensitivity and remove patterns which generate noise, while increasing the sensitivity to patterns indicating true XSS susceptibility so that scalable automation could be exercised against tens of millions of assets. By improving detection accuracy and reducing noise, CyCognito researchers were able to tune the CyCognito platform up to a fully automated 89% true positive XSS detection rate, a greater than 4x increase over manual techniques and DAST scanner performance levels. And when leveraged by the CyCognito platform, it allows it to perform accurate XSS checks in days on millions of assets that would literally take lifetimes for a person to do with a combination of low-accuracy tools and manual triage.
To give you an idea of the scale of the issues the CyCognito platform effortlessly manages and prioritizes, our average customer has more than 300,000 assets (these are IP addresses, domains, certificates, and web applications). Of these assets, the typical number of web applications is in the high thousands. Now armed with this new highly accurate detection capability, the platform is detecting several dozens of XSS-vulnerable assets per organization. Of these, in most cases fewer than three are of sufficient business importance to be attractive targets to attackers. To further automate the process of finding the most critical risks, the platform classifies assets according to their business context and prioritizes risks, which allows our customers to focus their remediation efforts and act quickly to mitigate the paths of least resistance before the attackers even know they exist.
More Zero-Days Ahead
Our customers are very pleased when our platform proactively identifies XSS vulnerabilities and other attack vectors before attackers exploit them. While both CyCognito and our customers expect that, it is a bit surprising when the platform discovers zero-day issues with networking products like routers, VPNs and the like -- especially devices that have been operational for years. But, with a first-of-its-kind platform, there are bound to be surprises, and we now fully expect to discover more such zero-days going forward.
Check back on our blog for more details on the other zero-day discoveries once those vendors address the issues uncovered. Meanwhile, please watch our 8-minute demo video, or request a custom demo.
CyCognito follows responsible disclosure processes in reporting zero-day discoveries to vendors such as Cisco to ensure issues can be addressed according to the vendor’s policies. Thus over the last few months, CyCognito has worked with Cisco on this issue, to confirm the vulnerability, provide technical evidence, evaluate the risk, and responsibly disclose the findings. Cisco notified their customers and, on June 17, 2020, made updated firmware available that resolved CVE-2020-3431.