
External Risk Insights: Mind the Gaps in the External Attack Surface

By Emma Zaballos
Product Marketing Manager
April 18, 2023

External Risk Insights Brief from CyCognito 

The attack surface is often larger than security teams realize. Internet-exposed assets hide in plain sight, not only on primary corporate networks, but also on infrastructure that belongs to subsidiaries and isn’t directly managed by corporate IT security teams. This is a common issue that isn’t going away soon.

At CyCognito, we believe that sharing what we learn in managing attack surfaces can help progress the security community as a whole. Data we observed is a normalized aggregate of the attack surfaces of our customers, primarily Fortune 500 global organizations. Through this External Risk Insights report, we track insightful trends over time and aim to share our findings with the community on a semi-annual basis.

External risks aren’t distributed equally

We found interesting, and sometimes even surprising, insights. Let’s consider a stat: the average organization has 104 subsidiaries, and the core security team is unaware of 10 to 31 of them, at least until they start using CyCognito. For context, we use subsidiaries to mean any entity owned by the parent company, which can be a business unit, brand, standalone company or something similar. Those unknown subsidiaries contain assets and issues that can cause major problems for the rest of the organization.

Subsidiaries contained an average of 56% of the critical and high vulnerabilities affecting customer assets. Tracking these assets and issues is not a one-and-done process — once issues are found and traced back to the owners, they must be fixed and validated. For organizations with unknown and under-managed subsidiaries, this process is even more difficult for parent IT security teams, particularly when it comes to ensuring vulnerabilities are successfully remediated. Issues among the subsidiaries can affect the larger organization, but without a comprehensive mapping and monitoring system, security teams in the parent org have limited visibility into these issues.

Making a fix and checking it twice for attack surface analysis

A goal of many security teams is to reduce the mean time to remediation (MTTR), the average amount of time between a vulnerability being discovered and the moment that issue is fixed, across their organization. A critical but sometimes overlooked step of that process comes after a fix is applied: validating that the issue has been fixed correctly.

CyCognito offers an in-platform remediation validation function that verifies whether issues marked as remediated are actually fixed, and in this report we looked at how customers were using this feature. When users did revalidate, we found that the issue still existed 54% of the time. While some users could simply be testing the feature on issues they know haven’t been resolved, there are several other reasons that issues may go unresolved:

  • a fix was forgotten, so no one implemented it, and they need to be reminded
  • a fix was started but left unfinished, perhaps due to a blocker in the system
  • a general fix was applied, but did not fix this specific issue

This shows how easy it is for remediation efforts to fall short unless security teams are proactive about monitoring their success and measuring external risk in the organization. 

Key risk indicator – The hits keep coming in digital attack surface management

With the frenetic pace at which new vulnerabilities are being discovered and publicized (on average, based on metrics from the CVE program, a new CVE was published every twenty minutes in 2022), security teams can expect more major security incidents that affect multiple parts of the organization, are difficult to track down, and require communication across the organization to ensure fixes are successful.

Without a comprehensive and up-to-date map of the attack surface that shows where issues are and which teams should remediate them, security teams are fighting an uphill battle.

CyCognito is an external attack surface management platform designed to empower operations and security teams of risk managers to identify, prioritize, and help remediate externally exposed IT risk. We were founded in 2017 by ex-intelligence agency reconnaissance experts who asked a simple question: “What if we could simulate an attacker’s reconnaissance plan starting only with the target company’s name?” Since then, we’ve helped organizations map their attack surfaces and prioritize and accelerate their remediation efforts.

For more insights into external risk assessments that might affect your organization, check out our new External Risk Insights brief. If you’d like to chat with an expert about managing risk, you can schedule a demo at cycognito.com/demo/.

