In recent months, billions of people have become hyperaware of the importance of prioritization. With a global pandemic affecting everyone, prioritization has determined Covid-19 vaccination eligibility and in what order people receive their vaccine. The elements of who gets vaccinated and when are complex and definitions of “fair” can vary. But it’s the only way to address remediation of an utterly massive problem.
Prioritization is also critical for protecting an organization's attack surface: an organization that does everything else right but fails to prioritize is still likely to be breached. Hence the third principle of attack surface protection: prioritize. A report by Enterprise Strategy Group that our company commissioned found that, for a large enterprise, the mean number of assets in the attack surface is 100,000. Monitoring and protecting an attack surface of that size is an enormous task, especially today, when attack surfaces keep growing, changing and becoming ever more complex.
As security testing options multiply, so does the volume of discovered risks, yet outcomes aren't improving. Say your team has 10,000 security gaps to close but can reasonably address 100. Where should it start, and in what order should remediation proceed? Prioritization answers these questions by weighing each risk analytically against its material impact on the business. Let's consider three fundamental points that will help you in this quest.
Think Like An Attacker
A useful strategy for prioritization is to ask, "What's the path of least resistance into our IT ecosystem?" Attackers look for the gaps that are easiest to exploit and most lucrative. Consider the Accellion File Transfer Appliance and Microsoft Exchange Server zero-days disclosed a few months ago. In both cases, attackers built automated tooling to take advantage of unpatched systems, and once patches were released, exploit activity ramped up dramatically to take advantage of the lag before organizations deployed them. A public patch tells attackers exactly where to look, so the window between release and deployment is when exposure is highest. With automation, they were able to compromise or threaten tens of thousands of organizations. The race was then on at those organizations to find their own exposed systems before attackers could single out the most lucrative targets.
Get Context – Classify Assets By Business Importance
Understanding the business context surrounding your risks will help your team play out potential attack paths, including those involving subsidiaries, suppliers and other connected business partners. Evaluating risks through the lens of business importance and attractiveness to attackers is one of the most vital yet neglected elements in security. It lets organizations know whether there's a legitimate threat to a material business process.
Determining the business purpose and public exposure of an organization's assets involves many factors. The legacy approach is typically a manual process that evaluates anywhere from five to 20 data sources and consumes many hours for every single IT asset. Given the size of an attack surface and an attacker's head start on finding vulnerabilities, that pace is too slow, and it is too expensive in terms of resources. Sophisticated attackers build robust infrastructure and automation to find vulnerabilities; to defend against them effectively, your team should use automation as much as possible. Look for context data in the places an attacker could easily find it, such as:
Device-related data, such as IP addresses, subdomains, DNS records, and company and product names and logos. This helps teams understand which organization or department owns an asset.
Public information like news stories, company websites, regulatory documents and industry databases. These will provide clues about business connections, subsidiaries, partner companies — even which assets are exposed.
Third-party services. Vendor-provided or open-source intelligence solutions can include data feeds and sources of information for context. Be aware that many third-party services are expensive and deliver results too late.
Technical links. Relationships between machines, such as hyperlinks, gateways, and use of third-party code and resources, can also reveal business importance and attractiveness.
Finally, don't ignore scalability. Efforts at classifying business context for prioritizing risks must scale to rapidly address an attack surface with hundreds of thousands of assets.
Rate Priority With A Scoring System
The practical goal of prioritization is a numeric score for analyzing, sorting and ranking risks. For example, a low score of "0" might go to a certificate about to expire on an abandoned, "empty" Apache server. A high score of "10" might go to sensitive business documents stored on an unpatched file server where exploitation complexity is low and asset discoverability is high. The priority score sets the marching orders for remediation, highest priority first. When prioritization works well, high-risk attack vectors can be communicated clearly between teams and to executive management. When it doesn't, even the vulnerability management team can't explain why one risk is more severe and urgent than another, and the conversation stays purely technical instead of business-risk oriented.
Five criteria can help with scoring:
Potential impact. What an attacker gains, technically and in business terms, by exploiting the asset.
Business context. How much interest the asset holds for attackers, drawing on the classification work described above.
Exploitation complexity. Which vulnerabilities are easiest to exploit and therefore most likely to lie on an attacker's path of least resistance.
Discoverability. How easily the vulnerable asset can be found, and how likely a sophisticated attacker is to work out that it belongs to your organization.
Remediation effort. The estimated level of effort required to fix the risk.
Weighting these criteria in a scoring system accelerates prioritization of risks to your enterprise. Whatever weights you choose, record them alongside each score so that a ranking can be explained and challenged rather than taken on faith.
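Here is one way to turn those five criteria into a sortable 0-10 score. This is an added example, not code from the original article or from any vendor's product. The percentage weights, the 0-10 scales for each criterion, the inversion of complexity and effort so that "easy" raises the score, and the four sample findings (hostnames under example.com) are all assumptions constructed for illustration; tune them to your own organization.

```python
"""Weighted priority scoring for attack-surface findings.

Added example, not part of the original article. Weights, scales and the
sample inventory below are assumptions constructed for illustration.
"""
from dataclasses import dataclass

# Assumed weights, in percent, for the five criteria. They must sum to 100 so
# that a finding scoring 10 on every criterion comes out at exactly 10.0.
WEIGHTS = {
    "impact": 30,            # technical and business impact if exploited
    "business_context": 25,  # attractiveness of the asset to attackers
    "exploit_ease": 20,      # inverse of exploitation complexity
    "discoverability": 15,   # how easily an attacker finds and attributes the asset
    "remediation_ease": 10,  # inverse of remediation effort (quick wins rank higher)
}
assert sum(WEIGHTS.values()) == 100, "weights must sum to 100 percent"


@dataclass
class Finding:
    asset: str
    description: str
    impact: int              # 0-10, 10 = catastrophic
    business_context: int    # 0-10, 10 = crown-jewel asset
    exploit_complexity: int  # 0-10, 10 = very hard to exploit
    discoverability: int     # 0-10, 10 = trivially found and attributed
    remediation_effort: int  # 0-10, 10 = very expensive to fix


def _scale(value: int, name: str) -> int:
    """Reject inputs outside the 0-10 scale so a typo cannot skew the ranking."""
    if not 0 <= value <= 10:
        raise ValueError(f"{name} must be in 0..10, got {value}")
    return value


def priority_score(f: Finding) -> float:
    """Return a 0-10 priority score; higher means remediate sooner.

    Complexity and effort are inverted (10 - value) so that an easy exploit
    or a cheap fix pushes the score up rather than down.
    """
    criteria = {
        "impact": _scale(f.impact, "impact"),
        "business_context": _scale(f.business_context, "business_context"),
        "exploit_ease": 10 - _scale(f.exploit_complexity, "exploit_complexity"),
        "discoverability": _scale(f.discoverability, "discoverability"),
        "remediation_ease": 10 - _scale(f.remediation_effort, "remediation_effort"),
    }
    # Integer arithmetic, then one division: the result is exact to a tenth.
    return sum(WEIGHTS[k] * v for k, v in criteria.items()) / 100


def rank_findings(findings):
    """Sort by descending score; ties broken by raw impact, then asset name."""
    return sorted(findings, key=lambda f: (-priority_score(f), -f.impact, f.asset))


# Constructed sample inventory, modelled on the two cases described in the text
# plus two more to show how discoverability and remediation effort interact.
SAMPLE_FINDINGS = [
    Finding("web-old-03.example.com", "expiring TLS cert on abandoned, empty Apache server",
            impact=0, business_context=0, exploit_complexity=8,
            discoverability=6, remediation_effort=2),
    Finding("files-fin-01.example.com", "sensitive business docs on unpatched file server",
            impact=9, business_context=10, exploit_complexity=1,
            discoverability=10, remediation_effort=4),
    Finding("vpn-gw-02.example.com", "internet-facing VPN appliance on outdated firmware",
            impact=8, business_context=8, exploit_complexity=4,
            discoverability=8, remediation_effort=3),
    Finding("dev-jenkins.example.com", "internal CI host with default credentials",
            impact=7, business_context=6, exploit_complexity=2,
            discoverability=2, remediation_effort=1),
]

if __name__ == "__main__":
    for f in rank_findings(SAMPLE_FINDINGS):
        print(f"{priority_score(f):4.1f}  {f.asset:26}  {f.description}")
```

Running it ranks the unpatched file server first (9.1), the exposed VPN gateway second (7.5), the internal CI host third (6.4) and the abandoned Apache server last (2.1). Two points worth noticing: the cheap fix on the empty server does not float to the top, because impact and business context carry 55 percent of the weight; and the trivially exploitable CI host ranks below the VPN gateway because it is hard for an outsider to discover. Change the weights and the order changes, which is exactly why the weights should be written down next to the scores.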
I can't overemphasize the importance of prioritizing risks discovered across your enterprise attack surface. Most organizations are swamped by thousands, even tens of thousands of so-called “urgent” risks. No one has the resources to quickly remediate everything, so a rational, programmatic and automated approach to prioritize risks will help isolate those that truly need quick attention. My next article will turn to the principle of remediation — that vital process required for eliminating material risks to your business.