How Organizations Can Eliminate Security Blind Spots Before It’s Too Late
The Equifax breach, which exposed the financial and personal data of 143 million people, has been called the worst corporate data leak in history. Criminals exploited a vulnerability in one of its web applications and siphoned sensitive customer data for more than two months without detection. It remains to be seen just how severe the impact of the breach will be.
Given the gravity of the situation, it is easy to place the blame on Equifax for bungling its response and failing to protect its customers. Certainly, there were ways the credit score company could have handled the situation better. However, in today’s asymmetrical warfare between cybercriminals and organizations, the cards were stacked against Equifax from the start. While the attackers have to find only one weak spot, the security teams have to monitor and protect everything at all times, which in many instances dictates only one, virtually predestined, outcome of the battle.
From Yahoo, to LinkedIn, to Verifone, it is increasingly clear that these types of crippling cyber attacks have become the new normal. Although this “era of insecurity” began more than 10 years ago, it has become more and more extreme in recent years, and there are three main factors that exacerbate the current situation:
First, organizations have digitized a significant portion of their processes and services, expanding and diversifying their attack surface both on-premises and in the cloud. As organizations have to manage thousands of servers, applications, and data centers, it becomes exponentially more difficult to continuously monitor and debug everything in a timely fashion.
Second, current solutions rely on users’ input and commonly require complex integrations. As organizations are often unaware of various assets on their networks — such as related third-party assets, DevOps components, and old environments — blind spots are created frequently, and they become attractive targets waiting to be exploited by attackers.
Third, offensive scanning and exploitation have become cheaper, more automated, and widely available to hackers. Cybercrime has an extremely high ROI: criminals rarely get caught, and current legal systems do not pose a significant deterrent to these crimes. Moreover, given that the median monthly income in some countries is under $500, it comes as no surprise that cybercrime is on the rise.
To change this trend, I believe one must first realize how attackers actually operate. Working for intelligence organizations and assisting them in establishing new infrastructure for offensive security, I’ve learned that, for attackers, the road to glory is the path of least resistance. Unlike penetration testers and security researchers, attackers do not seek medals or bonuses for solving complex challenges. This is true for both state-level actors and individual cybercriminals. Their sole objective is to act in a cost-effective, stealthy manner in their pursuit of information or money.
Organizations should always strive to eliminate the potential threat as early as possible in the cyber kill chain, ideally even before the reconnaissance and probing phases. Organizations must thus invest significant resources in trying to understand how attackers see their attack surface and what they can actually exploit, as opposed to scanning the assets they already know for security issues that, even if found, are often of minimal or no interest to attackers. This, I believe, could be seen as a mindset shift from a discussion focused on CVEs and vulnerability scores to one focusing on attack vector discoverability, attractiveness, and exploitability. And this can be executed only by an external actor or system that receives no prior input regarding the target network and no cooperation from the organization.
Correspondingly, black box penetration testing, in which white hat hackers are paid by organizations to try to gain access to data, is indeed starting to regain popularity in security. CISOs now speak more and more about the importance of external red teams, and Bob Lord of Yahoo! even recently spoke about the use of ex-cybercriminals to better understand how adversaries act.
While this trend and way of thinking point in the right direction, the service itself still involves several significant issues. High quality penetration testing is very expensive, and every change within the organization’s network (new applications, servers, configurations, etc.) requires a new penetration testing process, practically starting from zero. It is also not scalable at all.
It follows, then, that only a product that efficiently incorporates a black box approach in an automatic and scalable fashion could become a game changer in the inherently asymmetrical race between attackers and defenders, tipping it in the latter’s favor.
Although an extreme case, Equifax is a classic example of how cybercrime operates and will continue to operate unless organizations adopt a more offensive mindset. Organizations must ask themselves whether they can assess their attack surface from the attacker’s perspective, what is being done to continuously identify and eliminate the blind spots critically endangering them, and, accordingly, what could be done today to ensure they don’t become the next Equifax.