In the case of the Equifax data breach, which exposed the financial and personal data of 143 million people, criminals exploited a known, unpatched vulnerability in the web framework (Apache Struts) behind one of its web applications and siphoned sensitive customer data for more than two months without detection.
To change this trend of crippling cyberattacks, I believe one must first realize how attackers actually operate. Working for intelligence organizations and assisting them in establishing new infrastructure for offensive security, I’ve learned that, for attackers, the road to glory is the path of least resistance. Unlike penetration testers and security researchers, attackers do not seek medals or bonuses for solving complex challenges. This is true for both state-level actors and individual cybercriminals. Their sole objective is to act in a cost-effective, stealthy manner in their pursuit of information or money.
Clearly, organizations should always strive to eliminate potential threats as early as possible in the cyber kill chain, ideally even before the reconnaissance and probing phases. To do that, organizations must invest significant resources in understanding how attackers see their attack surface and what is most exploitable, as opposed to simply scanning their known assets for security issues that, even if found, are often of minimal or no interest to attackers. This requires a mindset shift away from tracking Common Vulnerabilities and Exposures (CVEs), a catalog that dates back to 1999, and Common Vulnerability Scoring System (CVSS) scores, which rate a flaw in isolation and omit the information most relevant to a security team: the attacker's process and the path of least resistance.
A security team's mission is to identify critical vulnerabilities and eliminate them in a timely manner. Legacy scanners and solutions ignore the data that highlights the attacker's easiest points of entry and instead return a list of thousands of "critical" issues that the security team cannot effectively triage, manage and remediate.
A better approach than relying on legacy security solutions developed in the '90s is to focus on attack vector discoverability (can an attacker find it from the outside?), attractiveness (what does it lead to?) and exploitability (how cheaply can it be abused?). Once you understand these three, it becomes clear which issues should be remediated first. And this understanding can only be achieved by an external actor or system that receives no prior input about the target IT ecosystem and no cooperation from the organization.
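To make the contrast concrete, here is an added example (not the article's method or any product's code) that ranks a constructed set of findings two ways: by raw CVSS score, and by the attacker's path of least resistance. The asset graph, the finding labels F1..F4, the sensitivity scale and the definition of "cheaply exploitable" (public exploit, no credentials needed) are all assumptions made for the illustration. A finding's position depends on how many hops an attacker needs from the internet to reach it, what data the compromised host leads to, and only then on CVSS.

```python
"""Rank findings by attacker path of least resistance versus raw CVSS.

Added example; the environment below is constructed, not a real network.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    sensitivity: int          # assumed scale: 1 = low value, 3 = crown jewels
    reaches: tuple            # hosts an attacker can pivot to once this one falls


@dataclass(frozen=True)
class Finding:
    fid: str                  # hypothetical label, not a CVE identifier
    asset: str
    cvss: float
    public_exploit: bool      # working exploit code is publicly available
    unauthenticated: bool     # exploitable without credentials


# Constructed sample environment (hypothetical).
ASSETS = {
    "www":     Asset("www",     True,  1, ("app",)),
    "app":     Asset("app",     False, 2, ("cust-db",)),
    "cust-db": Asset("cust-db", False, 3, ()),
    "build":   Asset("build",   False, 2, ()),   # isolated CI host, no route in
}

# Constructed sample findings (hypothetical scores and labels).
FINDINGS = [
    Finding("F1", "build",   9.8, True,  True),   # "critical" on paper, unreachable
    Finding("F2", "app",     7.5, True,  True),   # second hop, leads to customer data
    Finding("F3", "www",     7.2, True,  True),   # first hop: the attacker's easy door
    Finding("F4", "cust-db", 8.1, False, False),  # no public exploit, needs credentials
]


def exploitable(f: Finding) -> bool:
    """Cheap for an attacker: public exploit and no credentials required."""
    return f.public_exploit and f.unauthenticated


def hops_from_internet(assets, findings):
    """BFS over the asset graph. A host is compromised at hop N if it has a
    cheaply exploitable finding and is internet-facing (N = 1) or pivotable
    from a hop N-1 host. Hosts without a cheap exploit stop the attacker."""
    exploitable_assets = {f.asset for f in findings if exploitable(f)}
    hops, queue = {}, deque()
    for a in assets.values():
        if a.internet_facing and a.name in exploitable_assets:
            hops[a.name] = 1
            queue.append(a.name)
    while queue:
        cur = queue.popleft()
        for nxt in assets[cur].reaches:
            if nxt in exploitable_assets and nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


def payoff(assets, name):
    """Attractiveness: the most sensitive asset reachable once this host falls."""
    best, seen, stack = 0, set(), [name]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        best = max(best, assets[cur].sensitivity)
        stack.extend(assets[cur].reaches)
    return best


def rank_by_cvss(findings):
    """The legacy ordering: highest CVSS first, context ignored."""
    return [f.fid for f in sorted(findings, key=lambda f: -f.cvss)]


def rank_by_attack_path(assets, findings):
    """Reachable findings first, fewest hops first, then highest payoff,
    with CVSS only as a tie-breaker. Unreachable findings sink to the bottom."""
    hops = hops_from_internet(assets, findings)

    def key(f):
        h = hops.get(f.asset)
        unreachable = h is None
        return (unreachable, h or 0, -payoff(assets, f.asset), -f.cvss)

    return [f.fid for f in sorted(findings, key=key)]


if __name__ == "__main__":
    print("by CVSS:       ", rank_by_cvss(FINDINGS))
    print("by attack path:", rank_by_attack_path(ASSETS, FINDINGS))
```

On this constructed data the CVSS ordering puts F1 first, a 9.8 on a host no attacker can reach, while the attack-path ordering puts F3 first: a 7.2 on the internet-facing web server that, via one pivot, leads to the customer database. The model is deliberately simple (a host with no cheap exploit is treated as a dead end, which ignores stolen credentials and misconfigurations), but it is the kind of reachability question a scanner that only scores findings in isolation never asks.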
Correspondingly, black-box penetration testing, in which white-hat hackers are paid by organizations to try and gain access to data, is indeed starting to regain popularity in security. Chief information security officers (CISOs) now speak more and more about the importance of external red teams. Bob Lord, the former CISO of Yahoo and director of security at Twitter, has been quoted as acknowledging that he learned the hard way how critical it is to understand what attackers do and how they do it. He even proposed the use of ex-cybercriminals to better understand how adversaries act.
While this type of awareness points in the right direction, executing on it poses a number of significant challenges. High-quality penetration testing is very expensive, and every change within the organization's network (new applications, servers, configurations, etc.) requires a new penetration test, practically starting from zero. It is not scalable at all.
Only a product efficiently incorporating a black-box approach in an automatic and scalable fashion can become a game changer in the inherently asymmetrical race between attackers and defenders, improving the odds in the latter’s favor.
Although an extreme case, Equifax is a classic example of how cybercrime operates and will continue to operate, unless organizations adopt a more offensive mindset. Organizations must ask themselves:
- Can they assess their attack surface from the attacker's perspective?
- What is being done to continuously identify and eliminate blind spots critically endangering the organization?
- What can be done today to ensure they don’t become the next notable breach in the news?
The answers to those questions define what organizations need to do next to defend themselves against well-armed cyber attackers.