Automating Offensive Security Processes to Discover and Defend the Attack Surface

The CyCognito journey began with a keen awareness that in the battle against cybercrime, attackers often have the upper hand. They need to find just one weak spot, the “weakest zebra in the herd” so to speak, while security teams must defend every possible point of entry in an ever-changing attack surface. To compound the problem, most organizations have potential points of entry unseen by security teams, but easily discoverable by threat actors.

Key Problems Facing Security Teams Today

While the security tools that organizations rely on, and spend most of their budget on, haven’t fundamentally changed in the last 25 years, the enterprise IT they need to protect has. Exposure levels and the global threat context have changed significantly too. Consider that:

  • Organizations have expanded and broadly diversified their IT resources on-premises and in the cloud, making continuous monitoring and timely mitigation much more difficult.

  • Current solutions, designed when companies had only a few servers connected to the internet, rely on user input and configuration and leave unprotected the broad swath of newer assets that organizations use, but likely aren’t managing themselves, including third-party IT assets, cloud resources, and subsidiaries’ IT environments.

  • Threat actors are using offensive scanning and exploitation capabilities that are cheaper, more automated, and widely available.

  • Cybercrime can be an attractive occupation, especially in countries where the median monthly income is less than $500.

Attackers have very specific goals – money or information – and they always look for the path of least resistance. They are drawn to the opportunities that legacy tools and manual procedures ignore: unmanaged and unknown assets.

With this context, my co-founder, Dima Potekhin, and I thought: “What if we could shift the paradigm, and instead of deploying agents or instructing a port scanner to scan a few known IP ranges, we could actually identify which ‘zebras’ are at risk and which open pathways are most tempting to bad actors?” We looked to simulate an attacker's whole offensive operation, starting from step one, where the attacker knows only a target company’s name and has “compromise” as an objective.

In 2017, we began to make this happen with the mission of protecting organizations from exploitation, using methods that were only being used by highly organized, well-funded nation-state actors.

A Better Approach – A Large-Scale, Highly Robust Reconnaissance Process for “Offensive Security”

From our national intelligence agency experience, we knew attackers easily succeeded when security teams had visibility gaps and were unable to map and manage their organization’s assets. That’s when sensitive business assets on internal networks, in the cloud, and on partner or subsidiary networks get exposed or forgotten.

Attacks on those exposed elements can quickly spiral into a nightmare situation because they often include pathways to payment mechanisms (exposing customer credit card data), DevOps components (exposing source code and keys), intellectual property, and third-party gateways (exposing access to other companies’ internal networks). Once those exposed assets are breached, they put business stability and important relationships at risk.

To allow security teams to understand what’s exposed, and the paths of least resistance, we committed ourselves to developing a platform that could deliver large-scale automation of the whole reconnaissance process, a process that can take an attacker weeks, if not months, to run per organization. Performing that reconnaissance quickly would neutralize 99% of potential attack vectors – or at least make them very costly and complex – and performing that at a massive scale, for thousands of organizations, would change the dynamics for attackers and for the security products market.

Finding the Unknown and Unmanaged Assets

To find and map unknown and unmanaged assets, we built one of the biggest botnets in operation today, which scans and gathers data from 3.5 billion servers and connected devices. Our platform gathers dozens of fingerprints per asset and builds a graph data model with this massive volume of data to create a unique and powerful attack surface map for an organization that includes the business classification or context of each asset. This gives security professionals a deeper understanding of an organization’s true risks and provides far more detail and insight than port scanners – which only gather two to three data points per asset, show a one-dimensional perspective using IP addresses, and do not understand business context.

In the graph data model our platform creates, every node and asset has the full context of other assets in the same environment, the assets connected to it, and the types of data those assets expose. Our attack surface graph provides entirely new levels of visibility and prioritization, enabling organizations to decrease the number of critical attack vectors that security teams need to focus on.

In this way, an organization’s entire ecosystem is revealed for the first time, including those assets that have long been exposed as attractive conduits for malicious exploitation. Stressed-out security teams suddenly have new control to identify, prioritize and eliminate the critical blind spots that legacy solutions have failed to see. As a result, attackers are denied the easy access that they seek. And then, they are likely to move on in search of easier “prey.” And Dima and I say, “Mission accomplished.”