April 19, 2020

Assessing the External Attack Surface

Published by: TAG CYBER, Katie Teitler, April 17, 2020

One of the biggest challenges in all of cybersecurity is dealing with the reality that defenders need to protect the entirety of their technology ecosystems while attackers need just one entry point to effect a breach. When one small vulnerability can compromise the whole, security leaders must assess their cybersecurity programs at both a strategic level:

How do I design systems so that I can reduce as much risk as possible without building a fortress that is unusable by employees, partners, customers, etc.?

and a technical level:

What assets do I have? How are they accessed? How can they be accessed? What tools do I have implemented to protect my most critical assets? Do those tools provide full visibility to my ecosystem or just a slice of it? How can I use data from those tools to prioritize and remediate vulnerabilities?

Unfortunately, it’s hard for security teams to build a holistic security strategy informed by technical capabilities because the security tools ecosystem is built on piecemeal products: email security, application security, identity and access management, network access controls, data security, and so on. Fortunately, though, we’ve reached a point in our evolution as an industry where many technologies easily integrate via an API. There are still many narrowly focused tools for security teams to manage, however, with each capability looking at only part of the system.

The broad view
Three years ago, Rob Gurzeev and Dima Potekhin, both with backgrounds in offensive security, decided they wanted to build a technology from an attacker’s point of view—something that looked more broadly at a company’s vulnerabilities and exposures. Now the CEO and CTO of CyCognito respectively, Gurzeev and Potekhin have, with the help of 60+ employees, developed a SaaS platform that enterprises can use to identify and assess external exposures in their IT ecosystems.

With nothing to install and nothing for companies to configure, the CyCognito platform maps customers’ internet-facing attack surfaces and potential attack vectors. Using a botnet to discover all internet-connected assets, the technology scans for a company’s assets, fingerprints them, then maps relationships between them. Specifically, CyCognito looks at attributes like IP ranges, web applications, code fragments, TLS configurations, and deployed software that has a direct connection to the internet. The goal is an assessment of an organization’s attack surface from an attacker’s point of view—before s/he reaches the internal network—to find the most likely paths to exploitation, a.k.a. the path of least resistance.

After the assessment phase, the CyCognito platform prioritizes vulnerabilities based on the criticality of the asset and the extent of damage it would cause the organization were it to be exploited. Here, business context matters; the platform not only identifies the asset in question, but also the departmental owner (for instance, “sales” owns the CRM database). The platform dashboard can also classify assets by functionality (e.g., development tools, disaster recovery-related assets), the number of assets in a category, the number of issues associated with each asset, and the severity of the issue. According to Raphael Reich, VP of Product Marketing at CyCognito, the severity rating goes beyond CVE or CVSS scores. “Using CVE and CVSS without the business context of an asset and an attacker viewpoint can lead to missing the attack vectors that are most critical to your business.”

Continuous coverage
Thus, the technology is designed to “focus on attack vector discoverability, attractiveness, and exploitability” from an external perspective. The CyCognito platform is automated and can perform ongoing assessments, or admins can choose to run an ad hoc validation assessment whenever new technology is deployed or a change is made.
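To make the prioritization idea concrete, here is an added illustration (not CyCognito's code or scoring model) of ranking external exposures by discoverability, attractiveness (business criticality and owner) and exploitability rather than by CVSS alone; the weights, the asset records and the hostnames are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical business-criticality weights; a real program would set its own.
CRITICALITY = {"low": 0.25, "medium": 0.5, "high": 0.75, "critical": 1.0}
DEPRECATED_TLS = {"TLSv1.0", "TLSv1.1"}


@dataclass
class Exposure:
    asset: str               # internet-facing host or service
    owner: str               # departmental owner, e.g. "sales"
    criticality: str         # business impact if this asset is compromised
    cvss: float              # CVSS base score of the worst known issue (0-10)
    discoverable: bool       # can an outsider find it via DNS, certs, scanning?
    exploit_available: bool  # public exploit or trivially abusable misconfig
    tls_min: Optional[str]   # lowest TLS version offered, None if no TLS


def priority(e: Exposure) -> float:
    """0-10 score: CVSS scaled by attractiveness, discoverability and
    exploitability, so a modest-CVSS flaw on a critical, easily found asset
    can outrank a high-CVSS flaw on an obscure, low-value host."""
    score = e.cvss * CRITICALITY[e.criticality]
    score *= 1.0 if e.discoverable else 0.4
    score *= 1.0 if e.exploit_available else 0.5
    return round(score, 2)


def weak_tls(e: Exposure) -> bool:
    """Flag a TLS configuration issue an external scan would pick up."""
    return e.tls_min in DEPRECATED_TLS


def rank(exposures: List[Exposure]) -> List[Tuple[str, str, float]]:
    """Highest-priority first, as (asset, owner, score) for the dashboard."""
    rows = [(e.asset, e.owner, priority(e)) for e in exposures]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample inventory; these are not real hosts.
INVENTORY = [
    Exposure("crm.example.com", "sales", "critical", 6.5, True, True, "TLSv1.2"),
    Exposure("legacy-dev.example.com", "engineering", "low", 9.8, False, False, "TLSv1.0"),
    Exposure("dr-backup.example.com", "it", "high", 7.2, True, False, "TLSv1.1"),
]

if __name__ == "__main__":
    for asset, owner, score in rank(INVENTORY):
        print(f"{score:5.2f}  {asset:26s} owner={owner}")
    print("weak TLS:", [e.asset for e in INVENTORY if weak_tls(e)])
```

Note that the CVSS 9.8 host lands last: it is low-value, not externally discoverable and has no known exploit, which is the "attacker viewpoint plus business context" argument in practice.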

Based on an initial conversation, CyCognito appears to be a good choice for organizations that want to assess external exposures to learn how an attacker might take a first step toward compromise. The platform discovers assets in on-premises, cloud, and hybrid environments and allows companies to continuously monitor for externally exposed risks as a complement to internal network testing.