Imagine you were responsible for the protection of a building. You’d probably start by analyzing its entire interior and exterior, mapping every square foot to determine what defenses you need to put in place and where.
Along with your locks and alarms, you’d want to install a network of surveillance cameras positioned to give you real-time visibility of the entire structure, i.e., anywhere a burglar could possibly show up. It’s a pretty clear-cut formula that, once implemented, ensures you’re ready to defend against intruders.
Securing a building is a metaphor used often in corporate cybersecurity, and for good reason — it’s a straightforward way of characterizing network security controls. Your firewalls and proxies are your locks, and your scanners are your security cameras, letting you know everything that’s going on within your network. Traditionally, these things would leave you in good shape cybersecurity-wise. However, the world is rapidly changing, and so is the threat landscape targeting businesses.
Due to cloud server migration, hosting, and other digital media initiatives, a business’s digital presence no longer fits neatly behind its tightly secured perimeter. Its attack surface sprawls out across the open internet, outside the scope of firewalls and endpoint protection, as a collection of millions of digital assets laid bare for all to see, including hackers as they research their next threat campaigns.
This new reality for security teams means that the building metaphor must take a turn for the absurd to still represent what they need to protect. Now, imagine that building you’re guarding is not only growing larger every day, but also its rooms are changing, rotating, and re-orientating in real-time. The map you made of your building yesterday is no longer relevant today, and the map you make today will no longer be relevant tomorrow.
I know for a fact that this is a topic keeping many Fortune 500 CISOs awake at night. I met with many over the last year, and all of them raised this as a top concern and a frequent source of unexpected attacks. Some data reveals why this concern cannot be eliminated through a manual or “traditional” perimeter-based approach.
This metaphorical building is growing because the internet is growing, and not just the number of users; its actual size is continuously increasing. Over only two weeks, my company’s crawling network at RiskIQ observed 3,495,267 new domains (249,662 per day!) and 77,252,098 new hosts (5,518,007 per day) across the internet. For attackers, each of these represents a possible target or a piece of infrastructure they can use to take down a business.
The building is changing because the internet is changing every second. Domain ownerships change, DNS resolutions shift, certificates expire, and frameworks require patching, to name just a few examples.
For businesses, most of the attack surface consists of assets in three categories. First are the legitimate assets, which belong to the company and fall under the purview of its IT and security teams. Second are those spun up by partners or employees without the knowledge of the IT and security teams, known as Shadow IT. Third is a rapidly growing category known as ‘rogue assets,’ which attackers create to mimic legitimate businesses and target their customers in the wild. These phishing sites, fake mobile apps, and command and control servers are nearly impossible to detect at scale with traditional tools.
Digital assets in any of these categories can lead to a compromise of the business, and organizations that don’t understand how they appear to attackers beyond their firewalls are at risk. Known assets require patching, Shadow IT can be forgotten by everyone but hackers, and rogue assets are created in the internet’s ever-growing abyss and can hide there indefinitely.
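As an added illustration (not code from this post or from RiskIQ), the three-category view above turned into a small triage routine over constructed crawl observations, which also flags the DNS and certificate drift mentioned earlier; the brand name, owned domains, inventory and lookalike rules are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory and brand data (hypothetical, not RiskIQ's).
BRAND = "examplecorp"
OWNED_DOMAINS = {"examplecorp.com"}
INVENTORY = {  # hosts the IT/security team knows about, with last-known facts
    "www.examplecorp.com": {"ip": "203.0.113.10"},
}
# Undo common character swaps so a lookalike such as 'examp1ecorp-login' still matches.
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": ""})

@dataclass
class Observation:
    """One host as an internet crawl would see it today (constructed)."""
    host: str
    ip: str
    cert_expires: date

def registrable_domain(host: str) -> str:
    # Naive: last two labels. Real code would consult the public-suffix list.
    return ".".join(host.lower().split(".")[-2:])

def looks_like_brand(host: str) -> bool:
    return BRAND in host.lower().translate(LOOKALIKE_MAP)

def categorize(obs: Observation, today: date):
    """Return (category, findings) for one crawled host.

    category: 'known' (in inventory), 'shadow-it' (on an owned domain but not
    inventoried), 'rogue' (mimics the brand on a domain we don't own), or
    'unrelated'. findings lists the drift the post calls out: a DNS resolution
    that no longer matches the inventory, and an expired certificate.
    """
    findings = []
    if obs.host in INVENTORY:
        category = "known"
        if INVENTORY[obs.host]["ip"] != obs.ip:
            findings.append("dns-resolution-changed")
    elif registrable_domain(obs.host) in OWNED_DOMAINS:
        category = "shadow-it"
    elif looks_like_brand(obs.host):
        category = "rogue"
    else:
        category = "unrelated"
    if obs.cert_expires < today:
        findings.append("certificate-expired")
    return category, findings

def triage(observations, today: date):
    """Group a crawl's observations by category for the security team."""
    buckets = {"known": [], "shadow-it": [], "rogue": [], "unrelated": []}
    for obs in observations:
        category, findings = categorize(obs, today)
        buckets[category].append((obs.host, findings))
    return buckets
```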
Internet visitors that use or interact with these assets are in the crosshairs like never before, targeted by attackers who view their clicks, traffic, credentials, and computers as commodities to be harvested and traded. Unfortunately, unlike the security cameras watching over our tightly secured metaphorical building, most security teams have no visibility into the open internet to see where their organization’s brand is being abused.
For security teams, the sheer depth and breadth of what they need to defend may seem daunting. However, putting the massive scope of their organization’s attack surface into perspective isn’t impossible; it just requires them to look at their attack surface in a new way. Your organization isn’t a building; it’s a living, breathing digital entity that is going to change continuously. Embrace that.
This new attack surface can no longer be likened to a building, but mapping its area and having visibility across it is still crucial. Along with traditional firewalls and scanners to protect their network, security teams need the ability to scan the internet, visibility into internet data “outside the firewall,” and user-style interaction so they can engage with the entire internet as a user would.
Fortunately, despite this drastic increase in what security teams are now tasked with protecting, basic tenets of cybersecurity haven’t changed. With the right tools, security teams can apply the same rules that keep their internal networks safe to their entire attack surface.