How to assess which target assets to investigate.

As we shared in our last blog, “Prevent App Exploitation and Ransomware by Minimizing Your Attack Surface,” the rapid adoption of hybrid cloud models and the permanent support of a remote workforce has made it virtually impossible to maintain a perfect inventory of external assets that are all properly patched. The world simply moves and changes too fast.

Defenders have always operated in a reactive fashion; for example, the anti-virus was first developed due to the creation of malware. The gap between adversaries and defenders continues to widen. According to the IBM Security X-Force Threat Intelligence Index 2023, deployment of backdoors was the most common action on objective, occurring in 21% of all reported incidents. This was followed by ransomware at 17% and business email compromise (BEC) at 6%.

To drive program efficiencies, organizations are flipping their perspective by narrowing their focus to elements of their attack surface that are most tempting to an adversary. This shift in perspective dramatically improves the efficiency of your team, while reducing the highest overall risk first.

The benefits of an attack surface management solution with an attacker’s design

Security teams need an attack surface management (ASM) solution that can quickly evaluate and rank each discoverable instance of software through the use of multiple factors, including enumerability, weakness, criticality, applicability, post-exploitation potential and research potential. Unable to do it all, a leading ASM solution must also offer bi-directional integrations that can work seamlessly with your vulnerability management solution and many other important security tools.

Using an ASM solution that operates like an attacker, vulnerability managers can take the necessary steps to reduce visibility gaps, improve prioritization and increase the ROI of their programs. While assessing your attack surface from an adversarial perspective is a critical first step, it’s only half the equation and must be viewed as only one part in a broader assessment of risk.

Report on external risk, not vulnerabilities

Risk is defined most basically as likelihood multiplied by impact. A powerful ASM solution like IBM Security Randori—with its patent pending Target Temptation modeling technology—can provide an adversarial assessment of the likelihood an asset is to be attacked, but with context into what the impact would be if that asset was attacked. While many in security would like to think that every attack is a problem that needs to be addressed, like shoplifting, the reality is often somewhere in between. While someone exploiting your VPN is likely an unacceptable business risk, a crypto miner on an isolated AWS node left over from an engineering experiment last year may be acceptable:

The latest X-Force Threat Intelligence Index found that just 26% of all reported vulnerabilities tracked in 2022 had a known and viable exploit, so reporting the raw number of vulnerabilities is of little practical value. You should be far more interested in the number of assets with either vulnerabilities or misconfigurations that truly pose a risk to your business and how those numbers either increase or decrease over time. This is key in both absolute and relative terms to an organization’s attack surface as the number of external-facing assets continues to grow.

By changing the conversation, vulnerability management teams can position themselves to have more strategic conversations with business stakeholders around what is and is not acceptable and better demonstrate the value of their work. Shifting the conversation can often have the added benefit of reenergizing teams with a new sense of optimism, as they no longer feel they must react to every new vulnerability and can proactively assess and hunt down risk.

Key external risk metrics worth reporting include the following:

1. Number of high-risk external assets (top targets).
2. Percent of attack surface categorized as high risk.
3. Average time to remediation for high-risk assets.
4. Number of new unknown external assets discovered per week.

When done on an ongoing basis, tracking and reporting on external risk can become a critical KPI that vulnerability management teams can use to demonstrate both immediate and long-term value over time. By following these steps using an ASM with bi-directional integrations that can prioritize exposures based on likelihood of targeting, teams can begin to deprioritize high-severity vulnerabilities that are of little adversarial value and prioritize those that present an adversary a lower friction path to initial access.

Investigating high-priority target assets

If we look beyond common vulnerabilities and exposures, we may notice that a target seems highly tempting for attackers to access. Naturally, we want to understand what’s driving this severity.

What you’re seeing below is based on Randori Recon’s patent-pending Target Temptation model. Considering exploitability (a.k.a., weakness), applicability and enumerability, the model is designed to calculate how tempting a target will be to an adversary. This prioritization algorithm helps level up your security program:

Based on the target identified, the IBM Security Randori platform also provides categorical guidance that goes beyond vulnerabilities to enable organizations to assess their cyber resiliency and design a more secure program. This categorical guidance details the appropriate steps your organization can implement to help improve its resiliency.

Get started with the IBM Security Randori platform

As a unified offensive security platform, IBM Security Randori is designed to drive resiliency through high-fidelity discovery and actionable context in a low-friction manner.

If you would like to learn more about how your organization can benefit from the IBM Security Randori platform, please sign up for a free Attack Surface Review or visit our web page.

Read the full IBM Security X-Force Threat Intelligence Index 2023 and check out Security Intelligence’s piece, “Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023.”