March 22, 2023 By Sanara Marsh 3 min read

How attack surface management can establish a strong first line of defense against exploitation of public-facing applications.

There have always been and always will be unknown risks with organizations’ external assets, but with today’s sizeable remote workforce and their cloud, distributed and SaaS-based environments, it is essential to have a firm understanding of how many unknown and unmanaged assets organizations have. The IBM Security X-Force Threat Intelligence Index 2023 revealed that 26% of initial attack vectors involved the exploitation of public-facing applications (second only to phishing). Additionally, the report found that of all incidents remediated, the second highest action on objective for attackers was ransomware at 17%.

Shadow IT—hardware or software deployed on the network without official administrative approval and/or oversight—poses a significant risk because these unmanaged, unknown assets are far more likely to contain vulnerabilities or be misconfigured, increasing the likelihood they will be targeted by an attacker. With shadow IT and web-based exploitation accounting for a growing share of ransomware attacks and one-third of all breaches, hardening and reducing an organization’s attack surface has become an essential tactic. One of the biggest challenges can be knowing where to start.

Get started with an attack surface management solution

As a critical first step, it is important to understand the size of your visibility gap. To do this, organizations need to conduct a gap analysis, comparing their list of known assets to those found by an attack surface management (ASM) solution and assessing the severity of the risk posed by shadow IT.

The focus here is not on the percentage of total assets found; no outside party will find all of your assets. Instead, organizations should focus more on the relative number of unknown assets discovered and the severity of the issues they contain. When done on an ongoing basis, this gap analysis can become a critical KPI that vulnerability management teams track and work to reduce over time. Identifying these assets will help uncover and minimize blind spots, misconfigurations and process failures with attack surface monitoring, vulnerability intelligence and risk management capabilities.
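The gap analysis described above, sketched as an added example (not IBM or Randori code): it compares an inventory list with externally discovered findings and reports the unknown assets, their severity breakdown and two trackable KPI values. The record fields, severity weights and example.com hostnames are assumptions constructed for illustration.

```python
from collections import Counter

# Severity weights are an assumption for this example, not a vendor scale.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1, "none": 0}


def normalize(host):
    """Canonicalize a hostname so inventory and discovery entries compare equal."""
    return host.strip().lower().rstrip(".")


def gap_analysis(known_hosts, discovered):
    """Compare inventory hostnames with discovery findings.

    discovered is a list of dicts with 'host', 'source' and 'severity' keys."""
    known = {normalize(h) for h in known_hosts}
    worst = {}  # host -> highest severity seen across all findings for it
    for finding in discovered:
        host = normalize(finding["host"])
        sev = finding.get("severity", "none")
        if host not in worst or SEVERITY_WEIGHT[sev] > SEVERITY_WEIGHT[worst[host]]:
            worst[host] = sev
    unknown = {h: s for h, s in worst.items() if h not in known}
    return {
        # Unknown assets, most severe first, so triage starts at the top.
        "unknown": sorted(unknown, key=lambda h: (-SEVERITY_WEIGHT[unknown[h]], h)),
        "by_severity": dict(Counter(unknown.values())),
        # Share of discovered assets missing from the inventory (the KPI).
        "unknown_ratio": round(len(unknown) / len(worst), 2) if worst else 0.0,
        "risk_score": sum(SEVERITY_WEIGHT[s] for s in unknown.values()),
    }


# Constructed sample data (example.com names are placeholders).
KNOWN = ["www.example.com", "mail.example.com.", "VPN.example.com"]
DISCOVERED = [
    {"host": "www.example.com", "source": "dns", "severity": "low"},
    {"host": "vpn.example.com", "source": "scan", "severity": "medium"},
    {"host": "jenkins-old.example.com", "source": "ct_log", "severity": "high"},
    {"host": "jenkins-old.example.com", "source": "scan", "severity": "critical"},
    {"host": "Staging.Example.com.", "source": "ct_log", "severity": "medium"},
    {"host": "files.example.com", "source": "dns", "severity": "none"},
]

if __name__ == "__main__":
    print(gap_analysis(KNOWN, DISCOVERED))
```

Running the same comparison after each discovery cycle and recording `unknown_ratio` and `risk_score` gives the trend line a vulnerability management team can work to reduce.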

While conducting a gap analysis in the past was a time-consuming and expensive effort, a leading ASM solution like IBM Security Randori has made identifying gaps much faster and easier. Randori’s capabilities take more of an attacker’s perspective by using automated black-box discovery along with out-of-the-box integrations with leading asset management solutions, such as Axonius and Panaseer.

Conduct black-box reconnaissance

Some key steps used in black-box reconnaissance to conduct a gap analysis include the following:

  • Adversaries most often start with no internal knowledge of target systems and are usually limited to publicly available information. All assessment of vulnerabilities, configurations and setup is done from outside the network. This approach is usually seeded with an email or domain from the organization and tasked with fleshing out the rest.
  • There are numerous resources on open-source intelligence (OSINT) collection that give step-by-step instructions for conducting hostname enumeration, kicking off network scans or leveraging certificate transparency logs.
  • Critical sources must include network registration, WHOIS lookups, hostname enumeration, certificate log investigation, direct scanning and interrogation of public threat-intelligence sources.
  • Artifacts gathered should include network and domain registration information, HTTP headers and banners, screenshots, SSL and TLS certificates, DNS records and enumerated software version and configuration (where possible).

Remember, the goal of any technical discovery is the identification of software, so any additional artifacts that will help identify, enumerate or access additional services are useful. In a future blog post, we’ll cover additional steps that are critical to prioritize and reduce attack surface exposures using an attacker’s perspective.

Learn more

To see how your organization can benefit from the IBM Security Randori platform by helping identify shadow IT, sign up for a free Attack Surface Review or visit our page.

Read the full IBM Security X-Force Threat Intelligence Index 2023 and check out the Security Intelligence article, “Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023.”
