URL: https://www.recordedfuture.com/art-defending-your-attack-surface
THE ART OF DEFENDING YOUR ATTACK SURFACE

Posted: 15th November 2023
By: Sam Langrock


Digital transformation initiatives across all verticals and organizations have
increased the complexity and volume of internet-facing assets. This change
raises the question: how can security teams build processes around assets that
they can't see, or don't even know exist?

We sat down with Matt Bittick, the head of the Attack Surface Risk Management
program at Cummins, to discuss strategies and methodologies for protecting your
expanding digital attack surface, and how utilizing Recorded Future can help
with prioritization and risk reduction.

(Recorded Future) Before using Recorded Future, how were you attempting to
secure your attack surface?

(Matt) Painstakingly. Using open source tooling is kind of the easiest way. We
try to get from the business what they know in our inventory management systems.
Spoiler alert: it's not much, and then we work from there. A lot of Nmap, Kali
Linux, built-in tools as well. Reconning, and just trying to build out what that
inventory could even be and find everything. It was very labor intensive.

For many organizations, it takes over 80 hours to perform their attack surface
discovery. Is that something you were finding as well?

Yeah, that's exactly right; we found on average we're spending about 80 hours.
The old adage in the intelligence community is that when intelligence is neither
timely nor actionable, it's just news, and it's old news at that. So spending
that long to find something in a space that's dynamic, like your attack surface,
is not ideal.

After implementing Recorded Future Attack Surface Intelligence, how has that
helped improve your visibility and efficiency?

Immensely. We talked about the efficiency piece and about all the labor that
would go in just for inventory and mapping. It's significant, right? So cutting
that out, and now it's all ready for me in the morning. I can come in, I know
what the attack surface is, because it's already been done. I don't have to
spend all day plugging away in a command line interface just to find some
assets.

One big difference we found compared to when I started, when we were doing this
manually: I'm now pretty confident in my ability to conduct reconnaissance on an
organization, but we still found that there was a delta of about 20% of the
attack surface that I wasn't finding on any given day.

There are multiple reasons for it, but I'm also confident that any person whose
career is malicious exploitation of somebody's organization for cybercrime is
probably better at it than me. So we want to have the best image that can be
produced, and I find that incredibly valuable from the product.

What do you need to have a successful Attack Surface Risk Management program?

You know, it's a really great question, and I think visibility, asset inventory,
and the mapping are the start of your journey. We believe that you need
workflows, you need processes, and you need ways of handling that. So to be
successful, you need to not only know what your problems are, but also how to
deal with them.

We have two main problem statements when we're looking at this attack surface
problem:

 * What is our attack surface?
 * And then how do we secure it?

There are also a couple of different actions you can take, whether it's
remediation or reduction. We love reduction. If it can't be on the Internet,
great. Let's get it off there.

How would you describe the importance of protecting your digital attack surface,
and the role that Recorded Future plays in that protection?

I think there's kind of a three-pronged approach when you're showing the
importance of an attack surface program to your CISO. First, I always try to
paint a picture for the CISO. The organization is their castle, right? And
they're sitting there defending it. I think the best way to even pitch the idea
of attack surface to a CISO is to show what it is and come prepared with the
measurement of this is how much of your castle is just open. Is there a big old
hole in the wall? If 50% of the castle's penetrable or just has an open door,
there's not much point to the castle.

The second piece is then showing how you're going to take action on that, and
the processes you’re building and the way it’s going to be done. I think that's
where Recorded Future comes in, both in showing the original attack surface, but
also in the value it brings. For me, what I think is really key is the fact that
Recorded Future Attack Surface Intelligence is more than integrated, it’s a part
of our cyber threat intelligence platform so we can take that risk assessment to
the next level.

When you're looking at two different vulnerabilities that are possibly both
critical per the CVSS score, which one's more important? Well, probably the one
that the APT who's interested in your type of organization or industry has as
part of their TTPs, or the one that's being actively used in your threat
landscape. We really want to go after that first. When you can show that in a
resource constrained environment where you need to rack and stack your
priorities, I think that's key. I'm sure there's nobody in the audience who
feels like they have enough resources.

The third piece is to show the value that it brings to your organization. As you
bring these processes online, map that attack surface, then measure it,
understand how big it is and measure the problems that exist within it. And then
you can present the value in the reduction of your overall attack surface.
That's why we refer to my role as a risk reduction role, because we're showing
how maybe our attack surface is expanding, but our risk profile is constricting.
And that's really where you start to show the value of an attack surface tool
and an attack surface program.

I'll also say this: I don't think you have to do all three of those things in
one presentation. That evolves over time; it certainly did for us. When I first came
we had the problem of “Hey, we have an attack surface. We don't know what it is.
We don't know what to do about it.” So it took a whole lot of build up to reach
those points. And I think that as long as you're keeping those touch points with
your CISO and helping them understand what the risk is and what could happen if
we don’t do anything about it.

Why do exposed admin panels present a big risk along your attack surface?

With exposed admin panels, it's kind of an interesting conversation, but it's a
direct interface into that software platform. You may see varying types of
Apache, Drupal, sometimes even admin panels for firewalls. The reason that's a
problem is that there's always the potential for out-of-the-box configurations
not being changed. So if you have default credentials, what was the point of
deploying a firewall? That's always a key risk, but assuming you have slightly
more mature processes and somebody didn't mess up, things happen. Sometimes even
the most expert person can make a mistake; maybe they didn't have enough coffee
that day.

Additionally, there's brute forcing potential. Why open something up that really
doesn't have a need to be external to begin with? We have VPNs, we have remote
administration. You can come into your internal environment from your own home
nowadays and navigate your admin panel that way, instead of just having these
logins available for brute forcing. That's a huge issue that you could just
mitigate by saying "Hey, let's just take this off. Let's just move this inside."

When we look at successfully protecting the attack surface, what does that look
like? Is there an end state?

That's almost the first question I got asked by my CISO when we started looking
at this problem. And the answer is that the attack surface is way too dynamic
for it to ever be an end-state objective. I personally believe that there are
goals for management to get to an acceptable level. In the risk space, you'll
never have zero risk. There's always going to be residual risk. And even if you
do hit zero, it's not going to stay there.

Unfortunately, well, fortunately for the world, the cloud exists. Cloud is a
fantastic business tool. But cloud is on and off, you know. It's incredibly
dynamic, things shift so often, and the ability for the company to be so
elastic in expanding its attack surface at such a rapid rate is critical. So to
reach an end state, that goalpost is never going to be sitting still. You're
always going to be chasing the next thing and driving that wave of risk down,
but we do believe that you can keep it within a certain margin that's acceptable
for both the cybersecurity organization and the business to operate with.
