Originally published on Dark Reading.
According to a Cisco CISO Benchmark survey, 17% of organizations had 100,000 or more daily security alerts in 2020, and its trajectory has only increased.
Source: Cisco 2020 CISO Benchmark Survey
2021 only followed this trend with a record year of newly-discovered CVEs – 20,137 to be exact, topping the 2020 record of 18,325. More software and an increased digital footprint equals a record number of vulnerabilities. Aside from this being an indicator of the exposure growth in an organization’s attack surface, this unmanageable number makes the defender’s job even more difficult, and also leads to burnout among cybersecurity professionals.
It’s clear that vulnerable does not equal exploitable. In fact, the common ratio between vulnerable in theory and exploitable in practice is 1:100. So how can security teams focus on the true weakness in the vulnerability hay stack? The answer lies in the context of a vulnerability, its compensating controls, and the data it leads to.
In this article, we’ll provide steps security professionals can take today in order to identify the true risk their organization faces – how to pinpoint the exploitable vulnerabilities out of the lot.
Below are 4 steps to knowing your exploitable attack surface
- Take the Adversarial Perspective
The only way to filter through the sea of vulnerabilities is by attempting to exploit them. That’s what an adversary would do. This way, security teams get a concise attack vector pointing to the organization’s weakest link. From here the remediation requests handed to IT are focused, manageable, and based on business impact. And the rest of the vulnerabilities can wait for ongoing patch management tasks. Taking the attacker’s point of view will allow the organization to lead a proactive security program rather than reacting to incidents as they (inevitably) crop up.
- Cover the Full Scope of Potential Attacks
Adversaries take the path of least resistance to the critical assets. This means using the variety of techniques at their disposal to progress an attack, leveraging any vulnerability and its relevant correlations along the way. Accordingly, the validation methods used must match – they need to go beyond the static vulnerability scan or control attack simulation to include a full penetration test scope. This would cover attack emulation frameworks for security controls, vulnerability and credential strength attacks, network equipment testing, privileged access audits, lateral movement steps, and more.
- Automate, Automate, Automate
Security validation today must be as dynamic as the attack surface it’s securing. Periodical and manual tests are no longer sufficient to challenge the changes an organization undergoes. Security teams need to have an on-demand view of their assets and exposures, and the only way to get there is by automating testing. The growth in digitalization and cloud adoption, remote work, Ransomware threats and recently Log4Shell are just a few examples of how important continuous validation is for security teams to properly defend their organization.
- Align to MITRE ATT&CK and OWASP Top Ten
By aligning to industry standards, security teams ensure that their testing covers the latest adversary techniques. As most attacks succeed by leveraging the most common TTPs, challenging the attack surface against these frameworks provides comprehensive coverage of adversary techniques in the wild. In addition, it allows security executives to clearly report to management on validation of security control efficacy and enterprise readiness against potential threats.
Enter Automated Security Validation
Automated security validation is an advanced approach to testing the integrity of all cybersecurity layers, combining continuous coverage and risk prioritization for effective mitigation of security gaps.
This approach provides a true view of current security exposures by emulating real-life attacks, enabling an impact-based remediation plan rather than chasing thousands of vulnerabilities.
Security teams can know exactly where they stand and confidently strive towards maximum security readiness.
When evaluating security validation platforms make sure to check these boxes:
- Agentless, low touch implementation – to ensure minimum to no overhead.
- Automated, zero playbook, testing, providing a consistent process for security gap discovery and remediation.
- Safely attack the production network, leveraging ethical exploits to emulate the adversary without disrupting business operations.
- Validate the entire security stack with full scope of real world techniques aligned to industry frameworks.
- Expose security gaps in cloud workloads and emulate lateral expansion weaknesses from on-prem to the cloud to the remote workforce.
- Immediate reporting that provides a prioritized list of which vulnerabilities are critical to fix based on business impact.
The question that needs answering is whether you know your organisation’s true security risk at any given time. Do you know where the organisation’s weakest links are so they can be remediated or mitigated before an attacker leverages them towards an attack.
If you’re ready to validate your organisation against the latest threats including ransomware strains and Log4Shell vulnerabilities, request your free security health check today.
Why Gartner is Calling External Attack Surface Management (EASM) a Critical Functionality
External Attack Surface Management (EASM) tools are not new, but only this year has Gartner named this category as a top trend to keep an eye on in 2022. So, why does the top research & consulting firm think its time has come? The main reason is the relentless expansion of the digital footprint of...
The Good, Bad and Compromisable Aspects of Linux eBPF
2022 discoveries of new privilege escalation techniques Reading this blog will allow you to understand the eBPF mechanism and how a fairly small bug can lead to the compromise of the entire system. Executive summary Modern hacking techniques often use legitimate operating system tools for bad purposes. Such is the potential case with the common...
CVE-2022-22948: Sensitive Information Disclosure in VMware vCenter
New zero-day vulnerability joins a chain of recently discovered vulnerabilities capable of operating an end-to-end attack on ESXi. Organizations should evaluate risk and apply vCenter client patches immediately. Executive Summary Pentera Labs’ Senior Security Researcher, Yuval Lazar, discovered an Information Disclosure vulnerability impacting more than 500,000 appliances running default vCenter Server deployments. This finding is...