Security professionals have some of the most difficult jobs in the world. Every day, headlines and reports detail another company added to the list of external cyberattack victims. As a result of this trend, the Securities and Exchange Commission (SEC) has proposed new cybersecurity rules around public organizations’ reporting and auditing requirements. Said differently, security imperfection is about to be on further public display.
In our current state of cyber activity, no single vendor or company can fight this battle alone. We've witnessed a staggering 164% surge in cyber threats targeting brands. Adversaries are now penetrating specific services or applications within these assets, exposing operational details and dependencies that were previously hidden. For instance, an outdated third-party application could provide covert access to core systems, significantly complicating the task of securing each interaction. As companies adopt emerging technologies to streamline their operations, threat actors are quick to exploit these advancements for more sophisticated attacks. This means that the risk is not just increasing but accelerating exponentially.
It's time to acknowledge that no single entity, be it a company or a government, can ensure perfect security in the cyber realm. It will take all of the brilliant minds and technology at our disposal to continually reduce risk. As outlined in the National Cybersecurity Implementation Plan, to successfully disrupt threat actors, security vendors must have the support of a larger partner network like the federal government to share critical intelligence to help prevent or minimize cyberattacks. When government and industry work together, not only are companies better safeguarded, but so is the economy and our way of life. This recursive approach by attackers, systematically moving from one vendor to the next, escalates the security risks by mapping multiple layers of vendors and nth party providers.
Changing Threat Actor Tactics Pose New Risks
While we know cyber attackers are relentless, there has been a recent change in adversary characteristics. The bad guys are changing their blueprints. Recent cyberattacks have targeted security products, including attacks against Palo Alto Networks, Citrix and Ivanti.
It may not seem like a noticeable difference to those further distanced from the industry. However, it indicates that even the most security-conscious organizations that have invested significantly in security solutions can also be exploited. These aren’t anomalies. This is a signal that sophisticated attackers are using any and every opportunity to steal data, get rich, and cripple companies – including targeting the tools we trust the most to keep us safe. Attackers employ tools to exploit any weak link in the chain to access protected data or systems.
This puts companies in quite a conundrum. Does having security measures in place put companies at increased risk? Not inherently. But we must address the elephant in the room: security products are a part of your ‘attackable’ surface, a target for attackers, and having a vendor who claims they are “secure” isn't enough. Just as no company is immune from cybercrime, no single tool is a Vibranium shield. If trust is the heart of security, proof is the brain. Strong security is non-negotiable for modern organizations, but simply checking the box by purchasing a security solution can create a blind spot.
This can be especially risky when nation-state actors come into play, as we believe with the recent attacks on Citrix and Ivanti. The threat actors’ persistence in exploiting vulnerabilities in such robust tools requires significant resources and patience, and these actors quietly maintained their presence in compromised systems for months. Other companies using those tools believed they were secure, possibly because they had a security tool in place. Recognizing and securing the extended network, including nth party providers, becomes critical in avoiding another catastrophic event like SolarWinds.
Understanding Your Full External Attack Surface Can Help
Tools like OWASP Amass are crucial for uncovering a company’s digital exposure, including relationships with nth party providers. This tool performs asset enumeration to identify external assets and their connections, map a network's infrastructure, and identify vulnerable external services managed by third parties. Such exploration often reveals operational details and dependencies that are not immediately apparent.
Adversaries use a recursive approach, moving systematically from one vendor to the next, thus constructing a detailed picture of a company's attackable surface. This method exposes hidden and vulnerable network segments, escalating security risks. Recognizing and securing extended networks, including nth party providers, is crucial as attackers can exploit weaknesses. This underscores the need for a comprehensive cybersecurity strategy that diligently monitors all network touchpoints.
The stealthy nature of these threats often aims for undetected operations, anticipating significant future attacks potentially backed by nation-state actors. Modern cyberattacks require a collective defense approach, not just reliance on individual tools. Acknowledging the limitations of our own cybersecurity measures and uniting forces across organizations are essential steps toward building a more resilient solution.