Anyone taking a closer look at the MITRE ATT&CK framework will notice how many wide-ranging aspects cybersecurity covers – a whole list of challenges that no single organization can solve without a helping hand. Secutec offers specialized assistance that draws inspiration from the different stages of an attack as MITRE describes them.
One of these stages is ‘Reconnaissance’: the attacker looks for every possible way into an organization’s network before any leaked credentials or user data have been obtained. The defender’s counterpart to that activity is ‘Attack Surface Management’ (ASM), the topic on which Secutec SOC Manager Thomas Jannes sheds light today. He explains how Secutec works in this domain, what the benefits are for customers and how it fits into the broader picture of Secutec SecureSIGHT.
What is Attack Surface Management?
At Secutec, we specialize in external ASM. This means we look for every possible way to break into systems from the outside, just as a hacker would. We put ourselves in the shoes of a cybercriminal and try everything he would try to get into a network, focusing specifically on our client’s internet-facing systems.
In addition to SecureSIGHT we also offer internal ASM, or ‘full vulnerability scanning’. Internal scanning, however, returns a very large number of vulnerabilities, whereas SecureSIGHT keeps a clear-cut focus on concrete short-term action items that keep hackers out as effectively and efficiently as possible.
Finally, we also look at leaked credentials (logins and passwords). If a hacker has these, the game is already largely over: once inside, he can reach his goal very quickly. After all, why would a car thief smash the window if he simply has the key?
How does ASM work?
When we get to work for a client, we fire up several tools and start looking for all the organization’s systems that are reachable from the internet: (web) servers, firewalls, cloud services, and so on. Everything we detect goes into an inventory, and we then test each entry for vulnerabilities.
Simply put, the test starts with a simple ‘hello’: the first step in setting up a connection, after which we look at what comes back. Often that is more than you might think. Web servers, for example, are usually very chatty: in their response headers they immediately volunteer information that the visitor never sees in the browser, such as the server software and its version, but which is a wealth of information for a hacker. To put it as an analogy: apparently web servers find it necessary to tell visitors where to hang their coats and where the restroom is the moment someone says ‘hello’.
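To make the ‘hello’ concrete, here is an added example (not Secutec’s tooling) that parses the first reply a web server sends back to a minimal HTTP request and lists what it volunteered. The sample response, the list of disclosure headers and the list of expected security headers are constructed assumptions for illustration; the optional grab_banner() helper performs the live ‘hello’ over TCP/TLS and should only be pointed at systems you are authorised to test.

```python
"""Banner check for external ASM: what does a web server tell an anonymous visitor?

Added example, not Secutec's code. SAMPLE_RESPONSE is a constructed reply;
DISCLOSURE_HEADERS and EXPECTED_SECURITY_HEADERS are illustrative assumptions.
"""
import socket
import ssl

# Response headers that commonly disclose product, version or framework.
# Assumption: illustrative list, not exhaustive.
DISCLOSURE_HEADERS = {
    "server": "web server product/version",
    "x-powered-by": "application framework/version",
    "x-aspnet-version": "ASP.NET runtime version",
    "x-aspnetmvc-version": "ASP.NET MVC version",
    "x-generator": "CMS/site generator",
    "via": "intermediate proxy/cache",
    "x-backend-server": "backend host name",
}

# Protective headers whose absence is worth reporting. Assumption: illustrative.
EXPECTED_SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
)


def parse_http_response(raw: bytes) -> dict:
    """Split a raw HTTP response into status line, headers (lower-cased names) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:          # tolerate malformed header lines
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers, "body": body}


def analyse_headers(headers: dict) -> dict:
    """Return what the server volunteered and which protective headers are missing."""
    disclosed = {name: headers[name] for name in DISCLOSURE_HEADERS if name in headers}
    missing = [name for name in EXPECTED_SECURITY_HEADERS if name not in headers]
    return {"disclosed": disclosed, "missing_security_headers": missing}


def report(raw: bytes) -> dict:
    """Combine parsing and analysis into one finding for a single response."""
    parsed = parse_http_response(raw)
    result = analyse_headers(parsed["headers"])
    result["status"] = parsed["status"]
    return result


def grab_banner(host: str, port: int = 443, use_tls: bool = True, timeout: float = 5.0) -> bytes:
    """Send the 'hello' (a minimal HEAD request) to a live host and return the raw reply.

    Network call: only use against systems you are authorised to test.
    """
    request = (
        f"HEAD / HTTP/1.1\r\nHost: {host}\r\nUser-Agent: asm-banner-check\r\n"
        "Connection: close\r\n\r\n"
    ).encode()
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    chunks = []
    with sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed sample reply, typical of an unhardened default installation.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 10:00:00 GMT\r\n"
    b"Server: Apache/2.4.29 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.2.24\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html>...</html>"
)

if __name__ == "__main__":
    for key, value in report(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Running it against the constructed reply reports the Apache and PHP versions as disclosed and flags all four protective headers as missing; against a live host, swap SAMPLE_RESPONSE for grab_banner("www.example.com").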
How does Secutec’s ASM solution work?
ASM is a module of our in-house developed solution SecureSIGHT, a cyber intelligence service built on a combination of commercial platforms and open-source intelligence (OSINT). Think of tools such as Shodan, a service known to many because you can find unsecured home cameras on it, for example. We use multiple sources to get the broadest possible view and to inform our customers as efficiently as possible. SecureSIGHT follows two general principles: we make everything visible, and we do so continuously.
We strive for efficiency, which means automating our services as much as possible. That is why we offer ASM as a managed service that continuously looks for open doors through which a hacker could enter. A one-time snapshot only represents one very specific moment in time, and it can be completely obsolete weeks or even hours later.
What does Secutec do with the information it gathers?
First, we help customers prioritize vulnerabilities. We don’t simply deliver a report or a list of ‘things to look at when you find the time’. We clearly indicate: this you need to focus on today, this can wait until next week, and this you tackle whenever you have a spare moment. In calls with customers I sometimes jokingly say ‘tell your technical colleagues that their weekend can’t start until this vulnerability is fixed’. When critical vulnerabilities surface, we inform the customer immediately by email. If we don’t get a quick response, we call.
That is the big difference from a traditional vulnerability scanner that works from within, i.e. internal Attack Surface Management. Such solutions use your login credentials and full access to the corporate network when compiling a list of vulnerabilities. The result is usually a terribly long list that sets no priorities for the administrator, even though not every vulnerability on it can actually be exploited, let alone immediately.
That’s how our managed service works: we give you concrete, actionable data, so you and your colleagues can focus on what your job really is: supporting your business.
Why does this require a third party such as Secutec?
A first significant reason is that you don’t always have complete visibility into all your internet-facing assets. Very often we hear ‘Right, we forgot about those’. Web servers are often hosted outside the company network; think of a webshop run by an external partner. We help you map the dangers so you can pass the necessary action points to your partner with technically sound arguments.
Besides visibility, we offer ease of use. A disadvantage of best-of-breed products is that each tool has its own portal that you have to monitor separately. Combining them does give the best results, but putting all the information together is no mean feat. That is where Secutec helps: SecureSIGHT is the glue that brings the information together in one platform and makes it immediately clear where you should direct your attention first. We hand our customers the so-called ‘Single Pane of Glass’.
One of the reports we provide is a monthly executive report, in which we visualize the evolution of your organization’s security posture. This makes it immediately clear to the IT manager, their colleagues and management whether the company is on the right track.
Key Components
- Discovery: ASM begins with a thorough discovery process to identify all assets and the services they expose within an organization's infrastructure. This includes not only traditional network assets but also those outside the perimeter, such as cloud services and mobile devices.
- Assessment: Once identified, each asset or component is assessed to evaluate its security posture. This involves identifying weaknesses, misconfigurations, and potential vulnerabilities that could be exploited by attackers.
- Prioritization: Risks are prioritized based on factors such as likelihood of exploitation, potential impact, and criticality to business operations. This allows organizations to focus their resources on addressing the most significant threats first.
- Remediation: ASM involves taking proactive measures to reduce the attack surface by addressing identified vulnerabilities and weaknesses. This may include applying patches, updating software, reconfiguring systems, or implementing additional security controls.
- Continuous Monitoring: ASM is not a one-time effort; it requires continuous monitoring of the attack surface to detect new assets, vulnerabilities, or changes that could impact security. This enables organizations to adapt their security measures in response to evolving threats and changes in their environment.
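The five components above, and in particular the continuous monitoring and the three action tiers (today, next week, when you have a spare moment) described earlier in the interview, can be shown end to end in a small script. This is an added example, not SecureSIGHT code: the two discovery snapshots, the findings and the scoring thresholds are constructed assumptions, and the tiering is one possible reading of ‘likelihood, impact and business criticality’ rather than Secutec’s actual method.

```python
"""Continuous external ASM in miniature: diff two discovery runs, then tier the findings.

Added example, not SecureSIGHT's code. Snapshots, findings, weights and thresholds
are constructed assumptions for illustration.
"""
from dataclasses import dataclass

# A snapshot maps "host:port" to the service banner observed there.
# Constructed data: an earlier discovery run and the most recent one.
PREVIOUS = {
    "www.example.com:443": "nginx/1.24",
    "mail.example.com:25": "postfix",
    "vpn.example.com:443": "openvpn-as",
}
LATEST = {
    "www.example.com:443": "nginx/1.24",
    "mail.example.com:25": "postfix",
    "vpn.example.com:443": "openvpn-as 2.8",   # version is now disclosed
    "test.example.com:3389": "ms-wbt-server",  # a forgotten RDP host appeared
}


def diff_snapshots(previous: dict, current: dict) -> dict:
    """Return exposures that appeared, disappeared or changed since the previous run."""
    new = {k: current[k] for k in current.keys() - previous.keys()}
    removed = {k: previous[k] for k in previous.keys() - current.keys()}
    changed = {
        k: (previous[k], current[k])
        for k in current.keys() & previous.keys()
        if previous[k] != current[k]
    }
    return {"new": new, "removed": removed, "changed": changed}


@dataclass
class Finding:
    asset: str
    title: str
    likelihood: int          # 1..3: how likely exploitation is (exposure, exploit available)
    impact: int              # 1..3: what an attacker gains from it
    criticality: int         # 1..3: how important the asset is to the business
    exploited_in_wild: bool = False


def score(f: Finding) -> int:
    """Combined risk score, 1..27. Assumption: a simple product of the three factors."""
    return f.likelihood * f.impact * f.criticality


def tier(f: Finding) -> str:
    """Map a finding to an action tier. Thresholds are assumptions for illustration."""
    if f.exploited_in_wild or score(f) >= 18:
        return "today"
    if score(f) >= 8:
        return "next week"
    return "when convenient"


def prioritise(findings: list) -> dict:
    """Group findings per tier, highest score first within each tier."""
    out = {"today": [], "next week": [], "when convenient": []}
    for f in sorted(findings, key=score, reverse=True):
        out[tier(f)].append(f"{f.asset}: {f.title}")
    return out


# Constructed findings from assessing the latest snapshot.
FINDINGS = [
    Finding("test.example.com:3389", "RDP exposed to the internet", 3, 3, 2),
    Finding("vpn.example.com:443", "Version string disclosed", 1, 1, 3),
    Finding("www.example.com:443", "Missing HSTS header", 1, 2, 3),
    Finding("mail.example.com:25", "Outdated MTA with public exploit", 3, 3, 3,
            exploited_in_wild=True),
]

if __name__ == "__main__":
    delta = diff_snapshots(PREVIOUS, LATEST)
    print("New exposures since last run:", delta["new"])
    print("Changed exposures:", delta["changed"])
    for name, items in prioritise(FINDINGS).items():
        print(f"{name}:")
        for item in items:
            print("  -", item)
```

In a real service the diff step runs on every discovery cycle so that an asset like the forgotten RDP host is reported the first time it appears, and anything in the ‘today’ tier triggers the immediate notification described in the interview.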
Benefits of Attack Surface Management
- Comprehensive Visibility: Gain a complete view of your organization's digital footprint, including internet-facing assets, cloud services, and third-party dependencies.
- Proactive Risk Management: Identify and prioritize vulnerabilities within your attack surface to proactively mitigate security risks and prevent potential breaches.
- Reduced Attack Surface: By systematically reducing your attack surface through vulnerability management and remediation, you can minimize your organization's exposure to cyber threats.
- Regulatory Compliance: Align with industry regulations and compliance standards by maintaining a secure and well-managed attack surface.
- Continuous Improvement: Our Attack Surface Management service is continuously updated and refined to adapt to evolving threats and emerging attack techniques, so that your organization keeps pace with the latest cybersecurity risks.