How to assess which target assets to investigate.

As we shared in our last blog, “Prevent App Exploitation and Ransomware by Minimizing Your Attack Surface,” the rapid adoption of hybrid cloud models and the permanent support of a remote workforce has made it virtually impossible to maintain a perfect inventory of external assets that are all properly patched. The world simply moves and changes too fast.

Defenders have always operated in a reactive fashion; for example, the anti-virus was first developed due to the creation of malware. The gap between adversaries and defenders continues to widen. According to the IBM Security X-Force Threat Intelligence Index 2023, deployment of backdoors was the most common action on objective, occurring in 21% of all reported incidents. This was followed by ransomware at 17% and business email compromise (BEC) at 6%.

To drive program efficiencies, organizations are flipping their perspective by narrowing their focus to elements of their attack surface that are most tempting to an adversary. This shift in perspective dramatically improves the efficiency of your team, while reducing the highest overall risk first.

The benefits of an attack surface management solution with an attacker’s design

Security teams need an attack surface management (ASM) solution that can quickly evaluate and rank each discoverable instance of software through the use of multiple factors, including enumerability, weakness, criticality, applicability, post-exploitation potential and research potential. Unable to do it all, a leading ASM solution must also offer bi-directional integrations that can work seamlessly with your vulnerability management solution and many other important security tools.

Using an ASM solution that operates like an attacker, vulnerability managers can take the necessary steps to reduce visibility gaps, improve prioritization and increase the ROI of their programs. While assessing your attack surface from an adversarial perspective is a critical first step, it’s only half the equation and must be viewed as only one part in a broader assessment of risk.

Report on external risk, not vulnerabilities

Risk is defined most basically as likelihood multiplied by impact. A powerful ASM solution like IBM Security Randori—with its patent pending Target Temptation modeling technology—can provide an adversarial assessment of the likelihood an asset is to be attacked, but with context into what the impact would be if that asset was attacked. While many in security would like to think that every attack is a problem that needs to be addressed, like shoplifting, the reality is often somewhere in between. While someone exploiting your VPN is likely an unacceptable business risk, a crypto miner on an isolated AWS node left over from an engineering experiment last year may be acceptable:

The latest X-Force Threat Intelligence Index found that just 26% of all reported vulnerabilities tracked in 2022 had a known and viable exploit, so reporting the raw number of vulnerabilities is of little practical value. You should be far more interested in the number of assets with either vulnerabilities or misconfigurations that truly pose a risk to your business and how those numbers either increase or decrease over time. This is key in both absolute and relative terms to an organization’s attack surface as the number of external-facing assets continues to grow.

By changing the conversation, vulnerability management teams can position themselves to have more strategic conversations with business stakeholders around what is and is not acceptable and better demonstrate the value of their work. Shifting the conversation can often have the added benefit of reenergizing teams with a new sense of optimism, as they no longer feel they must react to every new vulnerability and can proactively assess and hunt down risk.

Key external risk metrics worth reporting include the following:

  1. Number of high-risk external assets (top targets).
  2. Percent of attack surface categorized as high risk.
  3. Average time to remediation for high-risk assets.
  4. Number of new unknown external assets discovered per week.

When done on an ongoing basis, tracking and reporting on external risk can become a critical KPI that vulnerability management teams can use to demonstrate both immediate and long-term value over time. By following these steps using an ASM with bi-directional integrations that can prioritize exposures based on likelihood of targeting, teams can begin to deprioritize high-severity vulnerabilities that are of little adversarial value and prioritize those that present an adversary a lower friction path to initial access.

Investigating high-priority target assets

If we look beyond common vulnerabilities and exposures, we may notice that a target seems highly tempting for attackers to access. Naturally, we want to understand what’s driving this severity.

What you’re seeing below is based on Randori Recon’s patent-pending Target Temptation model. Considering exploitability (a.k.a., weakness), applicability and enumerability, the model is designed to calculate how tempting a target will be to an adversary. This prioritization algorithm helps level up your security program:

Based on the target identified, the IBM Security Randori platform also provides categorical guidance that goes beyond vulnerabilities to enable organizations to assess their cyber resiliency and design a more secure program. This categorical guidance details the appropriate steps your organization can implement to help improve its resiliency.

Get started with the IBM Security Randori platform

As a unified offensive security platform, IBM Security Randori is designed to drive resiliency through high-fidelity discovery and actionable context in a low-friction manner.

If you would like to learn more about how your organization can benefit from the IBM Security Randori platform, please sign up for a free Attack Surface Review or visit our web page.

Read the full IBM Security X-Force Threat Intelligence Index 2023 and check out Security Intelligence’s piece, “Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023.”


More from Security

Closing the breach window, from data to action

6 min read - Accelerate threat detection and response (TDR) using AI-powered centralized log management and security observability It is not news to most that cyberattacks have become easier to launch and harder to stop as attackers have gotten smarter and faster. For those defending against cyberthreats, things continue to get more complicated. The list of challenges is long: cloud attack surface sprawl, complex application environments, information overload from disparate tools, noise from false positives and low-risk events, just to name a few. The…

Spear phishing vs. phishing: what’s the difference?

5 min read - The simple answer: spear phishing is a special type of phishing attack. Phishing is any cyberattack that uses malicious email messages, text messages, or voice calls to trick people into sharing sensitive data (e.g., credit card numbers or social security numbers), downloading malware, visiting malicious websites, sending money to the wrong people, or otherwise themselves, their associates or their employers. Phishing is the most common cybercrime attack vector, or method; 300,479 phishing attacks were reported to the FBI in 2022.…

IBM Tech Now: September 18, 2023

< 1 min read - ​Welcome IBM Tech Now, our video web series featuring the latest and greatest news and announcements in the world of technology. Make sure you subscribe to our YouTube channel to be notified every time a new IBM Tech Now video is published. IBM Tech Now: Episode 84 On this episode, we're covering the following topics: The IBM Security X-Force Cloud Threat Landscape Report The introduction of IBM Intelligent Remediation Stay plugged in You can check out the IBM Blog Announcements…

Data breach prevention: 5 ways attack surface management helps mitigate the risks of costly data breaches

5 min read - Organizations are wrestling with a pressing concern: the speed at which they respond to and contain data breaches falls short of the escalating security threats they face. An effective attack surface management (ASM) solution can change this. According to the Cost of a Data Breach 2023 Report by IBM, the average cost of a data breach reached a record high of USD 4.45 million this year. What’s more, it took 277 days to identify and contain a data breach. With…