Vulnerability Scanners Are No Match for Modern Threats

By Rob Gurzeev
CEO & Co-Founder
October 15, 2019

In today’s asymmetrical warfare between cybercriminals and organizations, the cards are stacked against the good guys. While attackers only have to find one weak spot, security teams have to monitor and protect everything at all times, which in many instances dictates only one, virtually predestined, outcome of the battle. From Facebook to Yahoo, to Equifax, it is increasingly clear that these types of crippling cyberattacks have become the new normal. Although this “era of insecurity” began more than 10 years ago, it has become more and more extreme in recent years.

There are three main factors that exacerbate the current situation:

1. Organizations have digitized a significant portion of their processes and services, expanding and diversifying their attack surface both on-premises and in the cloud.

As organizations have to manage thousands of servers, applications, and data centers, it becomes exponentially more difficult to continuously monitor and debug everything in a timely fashion.

2. Current risk assessment solutions rely on user input to specify where they should look and commonly require complex integrations.

But requiring user input is a pitfall, as organizations are often unaware of various assets that are part of their IT ecosystem — such as closely related third-party assets, DevOps components, and old environments. The result is that blind spots are frequently created and become potentially attractive targets, waiting to be exploited by attackers.

3. Offensive scanning and exploitation tools have become cheaper, more automated, and widely available to hackers.

Cybercrime has an extremely high ROI; criminals rarely get caught and current legal systems do not pose a significant deterrent for these crimes. Moreover, given that the median monthly income in some countries is under $500, it comes as no surprise that cybercrime is on the rise.

Equifax data breach

In the case of the Equifax data breach, which exposed the financial and personal data of 143 million people, criminals exploited a vulnerability in one of its web applications and siphoned sensitive customer data for more than two months without detection.

To change this trend of crippling cyberattacks, I believe one must first realize how attackers actually operate. Working for intelligence organizations and assisting them in establishing new infrastructure for offensive security, I’ve learned that, for attackers, the road to glory is the path of least resistance. Unlike penetration testers and security researchers, attackers do not seek medals or bonuses for solving complex challenges. This is true for both state-level actors and individual cybercriminals. Their sole objective is to act in a cost-effective, stealthy manner in their pursuit of information or money.

Clearly, organizations should always strive to eliminate potential threats as early as possible in the cyber kill chain, ideally, even before the reconnaissance and probing phases. To do that, organizations must invest significant resources in trying to understand how attackers see their attack surface and what is most exploitable, as opposed to simply scanning their known assets for security issues that, even if found, are often of minimal or no interest to attackers. This requires a mindset shift from tracking Common Vulnerabilities and Exposures (CVEs), which date back to the 1990s, and Common Vulnerability Scoring System (CVSS) scores that ignore the most relevant information for a security team: the attacker’s process and the path of least resistance.

A security team’s mission is to identify critical vulnerabilities and eliminate them in a timely manner. Legacy scanners and solutions completely ignore the data that highlights the attacker’s easiest points of entry and instead return a list of thousands of critical security issues that the security team cannot effectively manage and remediate.

A better approach than relying on legacy security solutions developed in the ’90s is to focus on attack vector discoverability, attractiveness and exploitability. Once you understand this, it becomes clear which issues should be remediated first. And this assessment of discoverability, attractiveness and exploitability can only be carried out by an external actor or system that receives no prior input regarding the target IT ecosystem and no cooperation from the organization.

Correspondingly, black-box penetration testing, in which white-hat hackers are paid by organizations to try and gain access to data, is indeed starting to regain popularity in security. Chief information security officers (CISOs) now speak more and more about the importance of external red teams. Bob Lord, the former CISO of Yahoo and director of security at Twitter, has been quoted as acknowledging that he learned the hard way how critical it is to understand what attackers do and how they do it. He even proposed the use of ex-cybercriminals to better understand how adversaries act.

While this type of awareness points in the right direction, executing on it poses a number of significant challenges. High-quality penetration testing is very expensive, and every change within the organization’s network (new applications, servers, configurations, etc.) requires a new penetration testing process, practically starting from zero. It’s not scalable at all.

Only a product efficiently incorporating a black-box approach in an automatic and scalable fashion can become a game changer in the inherently asymmetrical race between attackers and defenders, improving the odds in the latter’s favor.

Although an extreme case, Equifax is a classic example of how cybercrime operates and will continue to operate, unless organizations adopt a more offensive mindset. Organizations must ask themselves:

  • Can they assess their attack surface from the attacker’s perspective?
  • What is being done to continuously identify and eliminate blind spots critically endangering the organization?
  • What can be done today to ensure they don’t become the next notable breach in the news?

The answers to those questions define what organizations need to do next to defend themselves against well-armed cyber attackers.

