Discovery: Don’t Let the Wrong Definition Impact Your Risk Exposure

For external attack surface management (EASM) technologies, the word “discovery” has as many shades of gray as there are crayons in a crayon box. 

An accurate external asset inventory is a top priority for organizations reducing risk. Performed well, discovery provides visibility into a business’s entire IT ecosystem of interconnected external assets. Performed poorly and discovery leads to a ripple effect of uncertainty, risk gaps, and wasted effort.

Since defined in 2021 by Gartner, EASM has experienced rapid growth, as much as 31% between 2021 and 2022, leaving many competing technologies claiming a piece of the asset discovery pie. Each vendor has their own definition, but not all lead to the same results.

What is CyCognito’s definition of Discovery?

At its most fundamental, “discovery” refers to the uncovering of the entire list of externally exposed digital assets (IP addresses and web applications, for example) owned by an organization.

It then gets murky for many technologies. Spotting a single new asset in a known IP address range is discovery, but it also isn’t the use case that is needed (and expected) by IT security teams. 

Nor is it CyCognito’s definition. What about assets within currently unknown IP address ranges, the ones tied to different divisions within your organization? What about assets within subsidiaries? What about discovering business context and evidence? Cloud assets? Everything is part of the definition and must be included.

The right definition of discovery includes three elements: organizational discovery (to understand where to look), asset discovery (to do the finding), and context discovery (to uncover meaningful details). To summarize:

Discovery ≠ Asset Discovery

Discovery = Organization Discovery + Asset Discovery + Context Discovery

With discovery, automation is critically important. The owner of an asset discovery tool doesn’t necessarily know or have access to the correct inputs to search for assets within all corners of your IT ecosystem. And since the external attack surface is continuously changing (on average 10.3% per month, from CyCognito State of External Exposure research), this issue never goes away.

Let’s look at each element in more detail.

First: organizational reconnaissance

An automated, organic search workflow that starts with organizational reconnaissance builds the highest accuracy external asset inventory and richest context fidelity.

An EASM must have a way of viewing an organization from the eyes of someone unfamiliar with it AND who has the goal to break into it. This is how an attacker finds the forgotten, unmanaged systems that lead to a breach and what your EASM must also do to beat cybercriminals at their own game.

Organizational reconnaissance isn’t easy to automate, but doing so is imperative if it is to be performed consistently and continuously. Like an attacker, the system needs to be able to read periodicals, SEC filings, Wikipedia, Crunchbase, press releases, Google search results, and much more to understand the scope of an organizational business structure. Did your Germany division just merge with a small supplier and now own all its assets? Attackers know this may be a way into the parent company and will capitalize on it. Often the only way you would know about it is by reading a press release, which is not something IT Security teams commonly have time to do.

CyCognito starts with a “zero knowledge” approach. Using machine learning (ML) and natural language processing (NLP) technologies CyCognito scrapes web pages, reads PDFs, and more, building a continuously updated graph data model that represents your organization’s attack surface. Figure 1 illustrates this attack surface discovery approach that leaves no stone unturned and requires no effort from your IT security teams.

Figure 1. Organizational reconnaissance with CyCognito

Want to see more about the decision? Every discovery choice includes what CyCognito calls a “hypothesis,” which is a level of confidence in the chosen relationship and includes the supporting evidence for the claim.

Second: asset discovery

Nearly all EASM products on the market today require seed information to begin, forcing the IT security team to manually enter IP ranges and domain names for the product to scan. It goes without saying that the list of domains and IP ranges must be continuously assessed and adjusted to ensure accuracy. Miss an IP range from a division you didn’t know existed? It just takes one unmanaged asset with an exposure to provide a foothold into your network.

CyCognito’s asset discovery engine is natively integrated with its organizational reconnaissance engine. Once the organization is mapped, CyCognito then uses what it calls propagated discovery – each asset is used as a seed to discover new adjacent assets. These new adjacent assets are used to find more assets, and so on. In this way, CyCognito finds even the most obscure assets without human input or effort.

Cloud assets are as important. The CyCognito cloud connector provides the most responsive view of often difficult-to-track ephemeral assets that reside in cloud service provider (CSP) infrastructure.

And third: context discovery

Without context, the discovery process is incomplete. CyCognito discovery includes understanding what an asset is, where it exists in the network, its primary purpose, and more. 

CyCognito automatically uncovers meaningful, accurate context that IT Security teams can do something with. This context is used to make prioritization decisions and build accurate test payloads. Examples of context include:

• Unique metadata: Business context, attractiveness to attackers, discoverability, PII collection, related applications
• Assets: Domains, sub-domains, servers, devices, web applications, products, services, certificates, exposed internal business applications, DevOps instances
• Technical context: Evidence of state, location in the network, DNS resolve evidence
• Organizational structure: Organizations, subsidiaries, business units

Automated context discovery is essential to maintain pace with change. Having to loop back to find context manually is unscalable for anything but perhaps the smallest external attack surface.

Let’s look at a Discovery example

CyCognito discovery ends with assets but begins with the organizational business structure. Organizations must be treated as unknown, just like assets, and be continuously re-evaluated in order to adjust to change.

Figure 1 illustrates an automatically built organizational chart, in this case for a fictitious Acme Corporation. Fully dynamic, users quickly see each division and understand issue count, asset count, and risk score. 

Figure 2. Business Structure for Acme Organization

Acme Homes has a security score of “D”, let’s see why. Clicking leads us to the assets owned by the Acme Homes business, as shown in Figure 2. These may be assets housed on partner or third-party sites, workloads running in public cloud environments, abandoned or deprecated websites, file shares, IoT devices, and services enabled by shadow IT. 

Figure 3. List of Assets owned by Acme Homes, a division of Acme Organization

Let’s click on an asset to understand more. Figure 3 presents the asset view, which includes all context, test information, issue lists, and a risk overview.

Immediately we can see the asset has forty severe issues out of 285 total. Seven issues are marked critical. Asset attractiveness is high due to the number of issues and asset type, but thankfully the discoverability is low. It has one running web application with a security grade of “D” (from the related assets tab, not shown).

Figure 4. A View into Security Context for an Acme Homes Asset

There are multiple paths to CyCognito discovery information depending on the user’s roles and goals. For organizations with mature automation workflows, CyCognito discovery information is available through REST API.

Every organization needs to have confidence in what they are seeing before assigning staff to remediate. For this reason, evidence is collected for every discovery data point and made readily available. This is especially important for geographically distributed teams and multiple business units.

Find out more about CyCognito’s Discovery and Contextualization services

Carried out manually, discovery and all of its sub-tasks are time-consuming and prone to error. The larger and more complex the organizational structure, the more necessary an automated and comprehensive discovery process becomes. 

CyCognito is a cloud-native software-as-a-service that was built to meet the external risk requirements of the largest and most complex organizations. If you are not a CyCognito customer and want to find out more about how we can help you ensure you have the most up-to-date external asset inventory, please contact us. 

A detailed technical datasheet on Discovery and Contextualization is also available for download here.