How external attack surface management lets you see your org through an attacker’s eyes

Did you miss a session from MetaBeat 2022? Head over to the on-demand library for all of our featured sessions here.

>>Don’t miss our special issue: How Data Privacy Is Transforming Marketing.<<

It’s not an overstatement: The Log4j vulnerability shook the cybersecurity world. 

One of the most significant cyber incidents in recent memory, it was revealed in December 2021 when researchers identified a remote code execution exploit in the Apache Log4j library. 

Billions of devices were put at risk and millions of attacks have been attempted (and successful) — one oft-cited early finding was that there had been attempted exploits on more than 44% of corporate networks worldwide. 


Low-Code/No-Code Summit

Join today’s leading executives at the Low-Code/No-Code Summit virtually on November 9. Register for your free pass today.

Register Here

Experts say those numbers are undoubtedly far higher, and that we’ll never truly know the full extent of the impacts. 

But the shockwaves continue, and an emerging method to deflect them is external attack surface management (EASM), which is essentially looking at and approaching your organization the way an attacker would. 

EASM tools enable organizations to see, understand and manage all the ways an attacker might get into your organization.

To bolster this process, EASM company CyCognito today announced the next generation of its Exploit Intelligence (EI) tool. This new iteration of its platform is equipped with Sandbox Virtual Lab, which the company calls an industry-first integrated external attack surface sandbox testing environment. 

“EASM is no longer a ‘nice to have,’ it is now a ‘must have,’” said Phillip Wylie, hacker-in-residence at CyCognito. “We must be vigilant and be constantly monitoring and testing our environments. It can’t be an annual or biannual perfunctory vulnerability scan or pen test.”

Simulating an attack

An external attack surface is all of an organization’s IT assets — data, apps and networks (on-prem or in cloud), and subsidiary, third-party or partner environments and those closely related to the organization — as seen by attackers looking in from the outside. Managing that is the best way to ensure you stay secure, said Wylie. 

CyCognito’s updated EI tool provides information on how to validate a vulnerability and learn how an adversary would exploit it. This introduces some of the benefits of penetration (pen) testing into its EASM platform. 

“Pen testing is important because it assesses the security from a threat actor perspective,” said Wylie. “We use the same methods malicious hackers do to gain access to sensitive information. This out-of-the-box thinking is used by threat actors and takes into account scenarios that typical cybersecurity best practices often overlook.”

He pointed out that CyCognito does not perform a pen test; it’s more of a vulnerability assessment. This entails all the steps of a pen test, minus the exploitation (that is, hacking). EI provides steps to find vulnerable assets and learn if and how an adversary might compromise them, as well as what the potential impacts could be. 

Then, it allows security teams to simulate post-exploitation activities such as privileged escalation or data exfiltration. It also enables repeat asset testing to ensure proper patching.

“It allows security teams to take that theoretical attack data and gauge its impact on their own external attack surface and even simulate an attack,” said Wylie. “It does this without requiring the skills of a pen tester.”

Log4j: Still pervasive

The initial release of Sandbox Virtual Lab focuses on Log4j, but in coming months will support additional simulations around Log4Shell, ProxyShell, ProxyLogon and ZeroLogon threats. 

As Wylie explained, when Log4j hit, the CyCognito team was heads-down in helping customers patch. Subsequently, they realized that tools solving for future threats like Log4j required a testing environment to simulate how an adversary would exploit a specific asset. 

Log4j remains so significant and pervasive because so many applications use it in their tech stack, said Wylie.

Some software requires patches to be installed to resolve Log4j vulnerabilities, and sometimes that gets overlooked. Also, patches and upgrades can sometimes reintroduce vulnerabilities, he explained.  

Image source: CyCognito.

Recent CyCognito research found that 70% of organizations that had previously addressed Log4j in their attack surface are still struggling to patch Log4j vulnerable assets and prevent new instances of Log4j from resurfacing within their IT stack. 

Some organizations are even seeing their Log4j exposure increase: 21% with vulnerable assets experienced a triple-digital percentage growth in the number of exposed Log4j vulnerable assets in July compared to January. 

“So, it is not only important to continually update software, but to also be assessing applications to make sure they are not vulnerable,” said Wylie. 

EI leverages Cybersecurity and Infrastructure Security Agency (CISA), FBI and other threat intelligence sources (including adversary activity). 

The pairing of CyCognito’s discovery and mapping engine and EI provides knowledge that is actionable — as opposed to just data feeds — so that security teams can build, test and deploy fixes and prioritize mitigating highest-risk assets, said Wylie. EI integrates with SIEM/SOAR, ticketing tools and remediation workflows to provide evidence and mitigation guidance. 

Key features include: 

  • Remediation acceleration: Highest-risk exploitable assets in an external attack surface are quickly identified. This can reduce response and remediation timelines from months to days. 
  • Quick-impact assessment: A focused map paints a picture of all assets potentially at risk, including those already protected and those still vulnerable.
  • Identity ownership: The discovery engine determines asset ownership to quickly identify who is responsible for fixing vulnerable assets.

“CyCognito’s Exploit Intelligence fills a gap between threat intel and vulnerability management,” said CEO Rob Gurzeev. “The addition of Exploit Intelligence doesn’t just link vulnerabilities to specific assets, but answers the important question of why it is important to prioritize fixing specific assets immediately because of their attractiveness to active attackers.” 

Originally appeared on: TheSpuzz