“You can’t protect what you don’t know exists”
As an industry, we’ve heard it all before – the attacker breached the organisation via an asset that was supposed to have been turned off, or worse yet, an asset that nobody knew existed.
But, what does this actually mean? How can an organisation have assets and systems that they don’t know about?
Well, maintaining attack surface visibility has become incredibly hard, but it remains foundational to any real cybersecurity programme. However, things have changed, and the days of relying on a centralised spreadsheet to track assets within your external attack surface are long gone.
In this post, we’ll explore how maintaining attack surface visibility has drastically changed, why it is so hard, and how this impacts your cybersecurity posture.
The old way of tracking external attack surfaces is gone
Knowing what an organisation had exposed to the internet, and therefore had to protect, has historically been the job of an aspirational, monolithic CMDB that in practice became a colour-coded spreadsheet tracking IP addresses, IP ranges, domains and subdomains.
Back in 2010, when a team commissioned a new system, they would fire an email to the inventory owner to update the spreadsheet.
But, we are not in 2010. We are in 2023. The world has changed considerably, and the IT systems that organisations leverage have changed massively.
No longer does each office keep a 16U rack under their stairs – they leverage centralised services, cloud environments, SaaS platforms and more to maintain typical business operations. They have centralised IT functions and support that maintain this infrastructure, with individual teams perhaps maintaining the systems that only they need – and all the IT process that goes with them.
This is where things go horribly wrong.
But why is it so hard to now do correctly?
Well, the modern attack surface has exploded in size and complexity
As organisations have expanded, gone through M&A activity, and ballooned their usage of external and internal technology, so too have their attack surfaces grown. With the adoption of cloud services, third-party vendors, and the proliferation of shadow IT, the modern attack surface has exploded in size and complexity.
To put this plainly, we used to think about attack surfaces being limited to the following:
- IP addresses
- IP Ranges
- Domains
- Subdomains
But now, attackers know that you’re more likely to expose data in a plethora of other places, and organisations outsource significantly more technology:
- Source code repositories
- SaaS platforms
- Cloud storage buckets (Amazon S3, Azure Blob, Alibaba Object Storage, etc)
- Mobile applications (Android Play Store, Apple App Store)
- Container repositories (Docker Hub, JFrog)
- Cloud environments
- CDN platforms
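The practical consequence of the widened list above is that a declared inventory has to be reconciled against what is actually discovered on the Internet, across every one of those asset classes, not just IP ranges and domains. The following is an added illustration, not code from the post or from the watchTowr Platform: a small reconciliation routine that takes a declared inventory (ranges, root domains, code organisations, buckets, container namespaces, plus a list of assets recorded as decommissioned) and sorts discovered assets into known, "should be off", and unknown. Every range, domain, repository and bucket name in it is constructed for the example; the inventory and discovery feeds of a real organisation would replace them.

```python
"""Reconcile discovered external assets against a declared inventory.

Added example (hypothetical): the Inventory is the post's 'spreadsheet'
widened to the newer asset classes. Anything discovered that the inventory
cannot explain is reported as unknown; anything recorded as switched off
but still discovered is reported separately. All values are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Inventory:
    """What the organisation believes it owns."""
    ip_ranges: list = field(default_factory=list)            # CIDR strings
    domains: list = field(default_factory=list)              # root domains; subdomains implied
    code_orgs: list = field(default_factory=list)            # owning accounts on code hosts
    buckets: list = field(default_factory=list)              # exact storage bucket names
    container_namespaces: list = field(default_factory=list) # registry namespaces
    decommissioned: list = field(default_factory=list)       # assets recorded as turned off


@dataclass(frozen=True)
class Asset:
    kind: str    # "ip" | "hostname" | "repo" | "bucket" | "image"
    value: str


def explained_by(asset: Asset, inv: Inventory) -> bool:
    """True if the declared inventory accounts for this discovered asset."""
    if asset.kind == "ip":
        ip = ipaddress.ip_address(asset.value)
        return any(ip in ipaddress.ip_network(r, strict=False) for r in inv.ip_ranges)
    if asset.kind == "hostname":
        # Case-insensitive, tolerate a trailing dot, and only accept real
        # subdomains of a declared root (not look-alikes such as example.com.evil.test).
        host = asset.value.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in inv.domains)
    if asset.kind == "repo":
        owner = asset.value.split("/", 1)[0]      # "org/repo" -> "org"
        return owner in inv.code_orgs
    if asset.kind == "bucket":
        return asset.value in inv.buckets          # bucket names are global, match exactly
    if asset.kind == "image":
        namespace = asset.value.split("/", 1)[0]   # "namespace/image" -> "namespace"
        return namespace in inv.container_namespaces
    return False


def reconcile(discovered, inv: Inventory) -> dict:
    """Sort discovered assets into known / should_be_off / unknown."""
    report = {"known": [], "should_be_off": [], "unknown": []}
    for asset in discovered:
        if asset.value in inv.decommissioned:       # checked first: a retired host is still 'ours'
            report["should_be_off"].append(asset)
        elif explained_by(asset, inv):
            report["known"].append(asset)
        else:
            report["unknown"].append(asset)
    return report


# Constructed inventory: TEST-NET-3 range and example.com, both reserved for documentation.
INVENTORY = Inventory(
    ip_ranges=["203.0.113.0/24"],
    domains=["example.com"],
    code_orgs=["example-corp"],
    buckets=["example-corp-assets"],
    container_namespaces=["examplecorp"],
    decommissioned=["legacy-vpn.example.com"],
)

# Constructed discovery feed, mixing assets the inventory explains with ones it does not.
DISCOVERED = [
    Asset("ip", "203.0.113.17"),
    Asset("ip", "198.51.100.9"),                      # outside every declared range
    Asset("hostname", "www.example.com"),
    Asset("hostname", "legacy-vpn.example.com"),      # recorded as turned off, still answering
    Asset("repo", "example-corp/website"),
    Asset("repo", "jenny-personal/billing-service"),  # code under a personal account
    Asset("bucket", "example-corp-assets"),
    Asset("bucket", "example-corp-backups-old"),      # bucket nobody declared
    Asset("image", "examplecorp/api"),
    Asset("image", "gary-warehouse/router-config"),   # image under an unknown namespace
]

if __name__ == "__main__":
    for category, assets in reconcile(DISCOVERED, INVENTORY).items():
        print(f"{category}: {[a.value for a in assets]}")
```

The ordering in `reconcile` matters: a decommissioned host still matches a declared root domain, so it has to be recognised as "should be off" before the generic domain check would quietly file it as known. That is exactly the case the opening of the post describes.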
Shadow IT makes maintaining attack surface visibility even more challenging
At the same time, we see organisations struggling with internal security processes, forcing businesses down a path of shadow IT in an attempt to deliver on their own objectives.
Shadow IT – the deployment of unauthorised systems within an organisation – ranges from the seemingly trivial, such as Gary in the warehouse plugging in a new WAN router, to the obviously terrifying, such as Jenny from Engineering committing code to a public source code repository in her own GitHub account.
Terrifyingly, weaknesses in these assets or inadvertently exposed data can unravel years of work securing an organisation – and as the majority of breaches in 2022 and 2023 have shown, attackers are well aware.
Build visibility like an attacker
This is where watchTowr’s Adversary Sight engine, which powers visibility in the watchTowr Platform, kicks in. We’ve spent years being the attacker, and our Adversary Sight engine embodies real-world attacker tactics and techniques to continuously discover systems, assets and technology that your organisation has exposed to the Internet to ensure that a comprehensive picture is maintained.
Without this visibility, attackers are looking for vulnerabilities in systems an organisation may not even know exist, and are exploiting the latest VPN appliance vulnerability in an appliance you don't even know you have exposed.
As an industry, we know that maintaining attack surface visibility is crucial for effective cybersecurity in the modern era. The days of relying on a simple inventory spreadsheet are long gone. However, until now, it has never been trivial for organisations to maintain comprehensive visibility.
We love talking about how our technology – the watchTowr Platform – empowers organisations with live visibility of their external attack surface, to power continuous security testing.