How attack surface management can establish a strong first line of defense against exploitation of public-facing applications.

There have always been and always will be unknown risks with organizations’ external assets, but with today’s sizeable remote workforce and their cloud, distributed and SaaS-based environments, it is essential to have a firm understanding of the how many unknown and unmanaged assets organizations have. The IBM Security X-Force Threat Intelligence Index 2023 revealed that 26% of initial attack vectors involved the exploitation of public-facing applications (second only to phishing). Additionally, the report found that of all incidents remediated, the second highest action on objective for attackers was ransomware at 17%. 

Shadow IT—hardware or software deployed on the network without official administrative approval and/or oversight—poses a significant risk because these unmanaged, unknown assets are far more likely to contain vulnerabilities or be misconfigured, increasing the likelihood they will be targeted by an attacker. With shadow IT and web-based exploitation accounting for a growing share of ransomware attacks and one-third of all breaches, hardening and reducing an organization’s attack surface has become an essential tactic. One of the biggest challenges can be knowing where to start.

Get started with an attack surface management solution

As a critical first step, it is important to understand the size of your visibility gap. To do this, organizations need to conduct a gap analysis, comparing their list of known assets to those found by an attack surface management (ASM) solution and assessing the severity of the risk posed by shadow IT.

The focus here is not on the percentage of total assets found; no outside party will find all of your assets. Instead, organizations should focus more on the relative number of unknown assets discovered and the severity of the issues they contain. When done on an ongoing basis, this gap analysis can become a critical KPI that vulnerability management teams track and work to reduce over time. Identifying these assets will help uncover and minimize blind spots, misconfigurations and process failures with attack surface monitoring, vulnerability intelligence and risk management capabilities.

While conducting a gap analysis in the past was a time-consuming and expensive effort, a leading ASM solution like IBM Security Randori has made identifying gaps much faster and easier. Randori’s capabilities take more of an attacker’s perspective by using automated black-box discovery along with out-of-the-box integrations with leading asset management solutions, such as Axonius and Panaseer.

Conduct black-box reconnaissance

Some key steps used in black-box reconnaissance to conduct a gap analysis include the following:

  • Adversaries most often start with no internal knowledge of target systems and are usually limited to publicly available information. All assessment of vulnerabilities, configurations and setup are all done from outside the network. This approach is usually seeded with an email or domain from the organization and tasked with fleshing out the rest.
  • There are numerous resources on open-source intelligence (OSINT) collection that prescribe step-by-step instructions for conducting hostname enumeration, kicking off network scans or how to leverage certificate transparency logs.
  • Critical sources must include network registration, WHOIS lookups, hostname enumeration, certificate log investigation, direct scanning and interrogation of public threat-intelligence sources.
  • Artifacts gathered should include network and domain registration information, HTTP headers and banners, screenshots, SSL and TLS certificates, DNS records and enumerated software version and configuration (where possible).

Remember, the goal of any technical discovery is the identification of software, so any additional artifacts that will help identify, enumerate or access additional services are useful. In a future blog post, we’ll cover additional steps that are critical to prioritize and reduce attack surface exposures using an attacker’s perspective.

Learn more

To see how your organization can benefit from the IBM Security Randori platform by helping identify shadow IT, sign up for a free Attack Surface Review or visit our page.

Read the full IBM Security X-Force Threat Intelligence Index 2023 and check out the Security Intelligence article, “Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023.”


More from Security

Spear phishing vs. phishing: what’s the difference?

5 min read - The simple answer: spear phishing is a special type of phishing attack. Phishing is any cyberattack that uses malicious email messages, text messages, or voice calls to trick people into sharing sensitive data (e.g., credit card numbers or social security numbers), downloading malware, visiting malicious websites, sending money to the wrong people, or otherwise themselves, their associates or their employers. Phishing is the most common cybercrime attack vector, or method; 300,479 phishing attacks were reported to the FBI in 2022.…

IBM Tech Now: September 18, 2023

< 1 min read - ​Welcome IBM Tech Now, our video web series featuring the latest and greatest news and announcements in the world of technology. Make sure you subscribe to our YouTube channel to be notified every time a new IBM Tech Now video is published. IBM Tech Now: Episode 84 On this episode, we're covering the following topics: The IBM Security X-Force Cloud Threat Landscape Report The introduction of IBM Intelligent Remediation Stay plugged in You can check out the IBM Blog Announcements…

Data breach prevention: 5 ways attack surface management helps mitigate the risks of costly data breaches

5 min read - Organizations are wrestling with a pressing concern: the speed at which they respond to and contain data breaches falls short of the escalating security threats they face. An effective attack surface management (ASM) solution can change this. According to the Cost of a Data Breach 2023 Report by IBM, the average cost of a data breach reached a record high of USD 4.45 million this year. What’s more, it took 277 days to identify and contain a data breach. With…

What is the vulnerability management process?

5 min read - Modern enterprise networks are vast systems of remote and on-premises endpoints, locally installed software, cloud apps, and third-party services. Every one of these assets plays a vital role in business operations—and any of them could contain vulnerabilities that threat actors can use to sow chaos. Organizations rely on the vulnerability management process to head off these cyberthreats before they strike. The vulnerability management process is a continuous process for discovering, prioritizing, and resolving security vulnerabilities across an organization's IT infrastructure. Security vulnerabilities defined…