Read the full article for highlights from Intruder VP of Product Andy Hornegold’s recent exposure management talk. If you’d like to hear Andy’s first-hand account, watch the Intruder webinar on demand. To learn more about reducing your attack surface, contact their team today.
Attack Surface Management vs. Impact Management
Attack surface management (ASM) is the ongoing process of discovering and identifying the assets an attacker can see on the Internet, showing where security gaps exist, where they could be exploited to launch an attack, and where defenses are strong enough to repel one. If something on the Internet can be exploited by an attacker, it usually falls within the attack surface.
Exposure management goes further to include data assets, user credentials and cloud account configuration. It can be summarized as the set of processes that enable an organization to continuously and consistently assess the visibility, availability and vulnerability of its digital assets.
A continuous threat management journey
Continuous management is key for a number of reasons. Your business, your attack surface and your threat landscape are not static; they are constantly changing and evolving. New vulnerabilities are discovered every hour, new exploits for old vulnerabilities are published publicly, and threat actors are constantly updating their methods. Additionally, new systems and services regularly come online, and if you use CI/CD processes, your applications are updated frequently, which can create exploitable security gaps.
Moving beyond CVE
Increasingly, vulnerability management is viewed through the narrow lens of vulnerabilities that have CVEs. The Intruder team disagrees with this approach and believes that if there is a weakness in your attack surface, it’s a vulnerability whether or not a CVE is associated with it.
Therefore, unlike that narrow approach to vulnerability management, exposure management looks at the whole picture, including misconfigurations and potential flaws that have no associated CVE. Take SQL injection, for example: it has no CVE, but it is still a vulnerability in your application that could have serious consequences if exploited. Likewise, a Windows Remote Desktop service exposed to the Internet has no associated CVE, but it creates a risk that an attacker could try to exploit. Ultimately, exposure management provides an umbrella term for how we perceive and manage these threats.
Vulnerability Prioritization: The Need for Context
Currently, most vulnerability scanners provide a list of vulnerabilities, each as a single data point. For example, they might report, “System X has vulnerability Y; go and fix it.” However, when working with a large number of vulnerabilities, this information alone is not enough.
Effective prioritization requires more context to ensure that your team’s limited resources are focused on the problems that really matter. For example, it is critical to understand which assets support critical business functions, which vulnerabilities could be chained together to affect those functions, and where an attacker could move further into your network if those assets are exploited.
This approach transforms vulnerability management from a series of isolated tasks into a cohesive strategy, providing the context needed to identify not only which vulnerabilities must be fixed, but also when.
Just as meditation helps filter out the daily bombardment of thoughts and distractions, Intruder’s approach to exposure management aims to sift through the noise to focus on the issues that matter most.
Why exposure management matters
Exposure management is important because not everything that can be fixed needs to be fixed immediately. Without a strategic approach, you risk wasting valuable time on low-impact issues, such as an untrusted TLS certificate on your internal network, instead of addressing vulnerabilities that could compromise a mission-critical system.
You and your team can have an outsized impact on your organization’s risk profile, freeing up more time to focus on strategically important activities that secure your organization more effectively. This is achieved by avoiding a knee-jerk reaction to every vulnerability (a game of whack-a-mole), which is exactly what exposure management aims to do.
You can reduce the workload on your team by defining your environment, understanding which assets support critical business processes, creating dedicated teams responsible for fixing those assets, and setting thresholds or triggers that determine when issues need to be addressed.
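As an added illustration of the context-based prioritization and remediation triggers described above (example code written for this page, not Intruder’s scoring model; the weights, thresholds, asset names and findings are constructed assumptions), here is a Python triage that ranks findings by asset context rather than by scanner severity alone:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Asset:
    name: str
    internet_exposed: bool   # in the Internet-facing scope
    business_critical: bool  # supports a critical business process
    owner: str               # team responsible for remediation

@dataclass
class Finding:
    asset: Asset
    title: str
    cve: Optional[str]       # None for weaknesses with no CVE (SQLi, exposed RDP)
    exploit_public: bool     # public exploit or active exploitation known
    severity: int            # scanner severity alone: 1 (low) .. 4 (critical)

def priority(f: Finding) -> int:
    """Combine scanner severity with asset context (weights are assumptions)."""
    score = f.severity
    score += 3 * f.asset.internet_exposed   # bools add as 0/1
    score += 3 * f.asset.business_critical
    score += 2 * f.exploit_public
    return score

def trigger(score: int) -> str:
    """Thresholds that decide when an issue must be acted on (assumed values)."""
    if score >= 10:
        return "fix within 24h"
    if score >= 7:
        return "fix within 7 days"
    if score >= 4:
        return "next patch cycle"
    return "accept or backlog"

def triage(findings: List[Finding]) -> List[Tuple[str, str, int, str]]:
    """Rank findings by context-aware priority; attach owner and trigger."""
    ranked = sorted(findings, key=priority, reverse=True)
    return [(f.title, f.asset.owner, priority(f), trigger(priority(f))) for f in ranked]

# Constructed sample findings mirroring the cases discussed on this page.
SAMPLE = [
    Finding(Asset("intranet-wiki", False, False, "it-ops"), "Untrusted TLS certificate", None, False, 1),
    Finding(Asset("legacy-jump-host", True, False, "it-ops"), "Remote Desktop exposed to the Internet", None, False, 2),
    Finding(Asset("customer-portal", True, True, "web-team"), "SQL injection in login form", None, False, 3),
    Finding(Asset("edge-firewall", True, True, "network-team"), "PAN-OS GlobalProtect RCE", "CVE-2024-3400", True, 4),
]
```

Note that the SQL injection, which has no CVE, outranks the exposed Remote Desktop service purely because of the asset context attached to it.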
The need for exposure management
There are many recent examples of attackers gaining complete control through seemingly innocuous entry points.
A developer at Microsoft discovered a deliberately placed backdoor in xz-utils, a widely used data compression utility for Linux and Unix-like operating systems. The backdoor, present in versions 5.6.0 and 5.6.1, allowed an unknown threat actor to execute commands on systems that ran these versions of xz-utils and had SSH exposed to the Internet. The timing of the discovery was incredibly fortunate: it was found before the compromised versions of xz-utils were able to reach many major Linux distributions such as Debian and Red Hat.
Although there were no reported cases of exploitation, the potential risk was significant. A threat actor could gain access to these systems, giving them a foothold from which to break into other systems on any connected network and extract sensitive data.
Security teams would otherwise spend time and effort finding out whether they were exposed. With exposure management, it would be easy to identify any affected versions in your environment and quickly determine that the impact was minimal, since the compromised versions of xz-utils were not that widespread.
Interestingly, the effort to embed the backdoor took four years, revealing a calculated, long-term scheme to subvert open source software. This isn’t necessarily new, but it does highlight the fact that advanced persistent threats aren’t just focused on large enterprises; if threat actors can compromise an open source package like xz-utils and get it into mainstream distributions, then everyone is at risk.
Then there’s Palo Alto Networks. It issued an urgent call for companies to fix a critical zero-day vulnerability, CVE-2024-3400, in its widely used PAN-OS software that runs on GlobalProtect firewall products. This flaw, found in newer versions of the software, allows attackers to gain complete control over a vulnerable firewall remotely without authentication, posing a significant threat to the thousands of businesses that rely on these firewalls for security. Given its potential for simple remote exploitation, Palo Alto assigned this vulnerability the highest severity rating. Using the attack surface management tools available to you, detection of vulnerable assets should be almost instantaneous, and with an exposure management process in place, the remediation threshold should prompt those responsible for remediation or mitigation to act quickly.
These examples demonstrate how threats can be stopped effectively if organizations move from a reactive, rush-to-fix approach to proactive exposure management, where they continuously manage the attack surface.
Start your journey to effective exposure management
Getting started with exposure management begins with practical, manageable steps:
- Use what you already have: First, remember that you can build on services you already use. For example, if you use a tool like Intruder, you already have a vulnerability management and attack surface provider that can kick-start your exposure management approach. Alternatively, a consultancy can conduct attack path mapping exercises and threat profiling workshops.
- Define the scope: When determining the scope of what your exposure management process will cover, focus primarily on assets exposed to the Internet, as they are often the most vulnerable to attack. Intruder can help by providing an overview of your Internet-facing systems that you can use as a starting point for your exposure management process. You can also use Intruder’s targeting to segment systems into the areas you define. During scoping, you also want to identify the individuals responsible for remediating the risk when a vulnerability is discovered; you can add these users to Intruder and give them the ability to fix issues and confirm that they have been resolved. Where data is available, also remember to track the SaaS applications you use, as they may hold sensitive data and credentials.
- Discover and prioritize your assets: Use the tool to identify known and unknown assets and determine which are business critical and fall within the scope you identified earlier. Intruder automatically discovers new cloud assets by integrating with your cloud accounts and runs automatic subdomain checks. You can also add context to your assets by using tags to record how systems contribute to your business processes and the risk they would pose to those processes if compromised.
- Identify and prioritize weaknesses: The focus then shifts to assessing which of these assets are most at risk of being compromised and which would be the most attractive targets for attackers. With Intruder, you can find vulnerabilities in your infrastructure, applications and APIs, and get a prioritized list of issues so you know what to act on first. Intruder also provides a continuous approach to vulnerability detection and prioritization, monitoring your network, showing you what is detected, and triggering a scan if anything changes.
- Take action: Then it’s time to act, whether through remediation, mitigation or risk acceptance. Intruder makes it easy to manage and audit your remediation efforts: run patch scans, export issues to your ticketing systems, set up alerts in Slack and Teams, and more.
Bringing it all back home
After all, we all have limited time.
By minimizing distractions and allowing your team to focus on what really matters, exposure management lets you achieve the greatest impact with the least amount of time.
When your team focuses on the 25% of vulnerabilities that really matter, they have 75% more time to spend on the activities that are critical to keeping your business secure.
Intruder aims to empower organizations to focus on what is meaningful and impactful, and ultimately to secure their digital landscape in today’s dynamic world.
And if that means a more relaxed weekend and walking away from our desks with confidence knowing our assets are protected, then I think we’re on the right track. Perhaps it’s not so much about managing vulnerabilities or exposure as it is about managing our focus in the never-ending stream of cybersecurity threats.