Threat actors are scanning your environment, even if you’re not
In a world where organizations’ digital footprint is constantly changing and attackers regularly capitalize on security failings in exposed IT assets, making the effort to minimize your external attack surface is a no-brainer.
The goal is simple: Make your organization a hard nut to crack and thus force attackers to look for easier targets.
To do that, you must be able to see the entirety of your organization’s external attack surface as threat actors see it, and close as many attack paths as possible.
Discovering the unknowns and reducing cyber risk
An organization’s attack surface encompasses all exposure points that an attacker could leverage to infiltrate systems or extract sensitive data.
The external attack surface encompasses every IT asset and technology that an organization owns or uses and that is reachable from the internet (by IP address, domain name or open port):
- Company websites and domains
- Web and mobile applications
- APIs
- Cloud and email infrastructure
- Remote access points and portals
- Network devices and services
- Hosts
- SSL/TLS certificates
- DNS records
- File shares
- Code repositories
- Legacy systems and forgotten subdomains
- Test environments left online
- Orphaned accounts
But also: the company’s brand (exploited by phishers) and stolen corporate credentials or leaked data.
Figure 1: Outpost24 EASM discovers how assets are interconnected, distributed and hosted
It wasn’t always like this, but the ever-increasing digitization of companies; the advent of BYOD, remote work, the cloud and SaaS; and endless corporate mergers have led to the proliferation of shadow IT, made the attack surface more extensive and complex, and made patch management difficult.
As a result, external attack surface management (EASM) has become practically mandatory for all modern organizations: you need to know which assets are exposed to external attacks and keep on top of vulnerabilities and cyber risks that might both hurt your organization’s bottom line as well as reputation.
Tackling every vulnerability as it springs up is close to impossible, but knowing which exposed asset might be attacked next and minimizing the possibility of that happening is achievable with the right tool – a tool that’s easy to deploy, never stops scanning and reports risks in real time: three things Outpost24’s EASM solution is known (and loved) for.
Perpetual situational awareness
Outpost24 – a European company with global headquarters in Sweden and an international clientele – seeks to help organizations manage their ever-growing attack surfaces.
Its external attack surface management (EASM) solution – also known as Sweepatic – is cloud-based, making the onboarding process next to effortless: a customer only needs to enter their organization’s name, primary domains or external IP addresses, and the scanning can begin.
The platform searches for things like software vulnerabilities; weak, expiring or non-existent encryption; server and cloud environment misconfigurations; unsecured DNS implementations; open ports and needlessly exposed services; shadow IT resources; leaked credentials; phishing websites; dark web chatter; and more. Because its scanning methods are non-intrusive (largely passive data collection), it can scan continuously without impacting asset performance or day-to-day activities.
Figure 2: View to quickly sort, tag and filter for the most important vulnerabilities
Martin Jartelius, CISO and Product Owner at Outpost24, says that the most common blind spots that the solution uncovers are exposed management interfaces of devices, exposed databases in the cloud, misconfigured S3 storage, or just a range of older infrastructure no longer in use but still connected to the organization’s domain. All of these can provide an entry point into internal networks, and some can be used to impersonate organizations in targeted phishing attacks.
But these blind spots are not indicative of poor leadership or IT security performance: “Most who see a comprehensive report of their attack surface for the first time are surprised that it is often substantially larger than they understood. Some react with discomfort and perceive their prior lack of insight as a failure, but that is not the case. Accepting the situation, assessing its impact and taking educated decisions is important, rather than avoiding or postponing the problem. Ignorance may be bliss, but it is not something to aspire to,” he told Help Net Security.
“The Outpost24 EASM solution allows insight into clients, servers, infrastructure and applications; it merges the information with threat intelligence, as well as threat-intelligence-backed recommendations. It also reduces complexity by AI-assisted prioritization, summaries and other elements to increase efficiency as well as level of insight.”
Sweepatic uses threat intelligence compiled by the company’s Kraken Labs team for its Compromised Credentials and Dark Web modules, as well as for risk scoring. The platform is also bundled into other Outpost24 offerings like CyberFlex, which combines attack surface management and penetration testing-as-a-service.
From vulnerability to proactive risk management
Attack surface management is still a maturing technology field, but having a solution that brings the information together in one platform gives more refined and in-depth insight over time.
External attack surface management starts with a continuous detection of exposed assets – in Sweepatic’s case, that also includes advanced port scanning to detect all (and not just the most common) ports at risk of exploitation – then moves on to automated security analysis and then risk-based reporting.
Sweepatic uses contextual risk scoring to prioritize risks: it looks at exposed assets, but also at the context of the exposure.
“The scoring system is similar to school grades: A to F, from least risk to most risk. If we see, for example, two vulnerabilities with the same CVSS score, but our threat intelligence tells us that one is under active exploitation and the other is not, the former will get a lower grade than the one not currently leveraged by attackers. But we are, of course, also providing the CVSS score and if anyone wants to filter the findings based on it, they can do that,” Jartelius explained.
They are also aggregating findings into seven categories and scoring those, so companies can go into the dashboard and see quite quickly that, for example, they have an “E” in the “Encryption” category and that they should work on improving that.
“We are also benchmarking industries. Based on the results of all our other customers, we can highlight when an organization has a lower score than their industry’s average, so they know they must work on raising it. And if threat actors are actively targeting specific sectors (as indicated by our threat intelligence), they might want to do it sooner rather than later to avoid being the lowest-hanging fruit.”
Figure 3: The grading system and the development of the attack surface over time
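To make the prioritization logic described above concrete, here is an added, illustrative Python example; it is not Outpost24’s code and the real platform’s weights and thresholds are proprietary. It assumes a KEV-style “actively exploited” flag as input, lifts exploited findings above non-exploited ones with the same CVSS score, maps the result onto A–F grades, rolls findings up into per-category grades, compares category scores against a constructed peer average (the industry benchmark idea), and filters the inventory by affected component the way the zero-day response described later in the article does. All findings, weights, thresholds and peer averages are constructed for the example.

```python
"""Illustrative contextual risk grading (added example, not Outpost24's scoring).

Assumptions (all constructed for this example):
  - each finding carries a CVSS base score and a boolean from a KEV-style feed
  - active exploitation adds a fixed bump (EXPLOIT_BUMP); real weights are unknown
  - grades A..F run from least to most risk, like the article's school grades
"""
from dataclasses import dataclass
from statistics import mean

GRADES = "ABCDEF"                      # A = least risk, F = most risk
GRADE_BOUNDS = (2.0, 4.0, 6.0, 7.5, 9.0)  # assumed upper bounds for A..E
EXPLOIT_BUMP = 2.0                     # assumed weight for in-the-wild exploitation


@dataclass
class Finding:
    asset: str
    category: str             # e.g. "Vulnerabilities", "Encryption", "Configuration"
    title: str
    cvss: float
    actively_exploited: bool = False   # from a KEV-style threat-intel feed (assumed)
    component: str = ""                # affected software/firmware, used for filtering


def risk_score(f: Finding) -> float:
    """0..10 contextual score: CVSS, pushed toward 10 when exploited in the wild."""
    if f.actively_exploited:
        return min(10.0, f.cvss + EXPLOIT_BUMP)
    return f.cvss


def grade(score: float) -> str:
    """Map a 0..10 score onto A..F (least to most risk)."""
    for letter, bound in zip(GRADES, GRADE_BOUNDS):
        if score < bound:
            return letter
    return "F"


def category_scores(findings):
    """Per-category score: worst finding dominates, the average pulls it down/up."""
    by_cat = {}
    for f in findings:
        by_cat.setdefault(f.category, []).append(risk_score(f))
    return {cat: 0.6 * max(s) + 0.4 * mean(s) for cat, s in by_cat.items()}


def category_grades(findings):
    return {cat: grade(score) for cat, score in category_scores(findings).items()}


def below_benchmark(findings, peer_average):
    """Categories where this organization carries more risk than its peers."""
    return [cat for cat, score in category_scores(findings).items()
            if score > peer_average.get(cat, 10.0)]


def prioritized(findings):
    """Work queue: most risk first; ties broken by asset name for stable output."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.asset))


def affected(findings, component_prefix):
    """Every asset running a given component, e.g. when a zero-day is announced."""
    return [f for f in findings if f.component.startswith(component_prefix)]


# Constructed sample inventory; hostnames and products are placeholders.
FINDINGS = [
    Finding("vpn.example.com", "Vulnerabilities", "Outdated VPN firmware", 7.5, True, "ExampleVPN 7.1"),
    Finding("vpn2.example.com", "Vulnerabilities", "Outdated VPN firmware", 7.2, True, "ExampleVPN 7.0"),
    Finding("legacy.example.com", "Vulnerabilities", "Old CMS version", 7.5, False, "ExampleCMS 2.4"),
    Finding("www.example.com", "Encryption", "TLS 1.0 enabled", 5.3),
    Finding("mail.example.com", "Encryption", "Weak cipher suite offered", 3.7),
    Finding("backups-bucket.example.com", "Configuration", "Public bucket listing", 7.5),
]

# Constructed peer averages per category (the "industry benchmark").
PEER_AVERAGE = {"Vulnerabilities": 6.0, "Encryption": 5.5, "Configuration": 5.0}


if __name__ == "__main__":
    for f in prioritized(FINDINGS):
        print(f"{grade(risk_score(f))}  {risk_score(f):4.1f}  {f.asset:28} {f.title}")
    print("category grades:", category_grades(FINDINGS))
    print("worse than peers:", below_benchmark(FINDINGS, PEER_AVERAGE))
    print("assets running ExampleVPN:", [f.asset for f in affected(FINDINGS, "ExampleVPN")])
```

The two CVSS 7.5 findings end up with different grades (F for the exploited VPN, E for the unexploited CMS), which is the behaviour the quote describes; the category roll-up is what turns a pile of findings into a single “E in Encryption” style signal on a dashboard, and the component filter is the zero-day workflow: one query, every affected asset.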
Customers that use the standalone SaaS version rely on their in-house security experts to go through the findings, weed out the false positives, and figure out which issues should be tackled first based on their risk tolerance level. Managed service customers can get help with that and can get advice on how to improve their external attack surface security hygiene.
The platform can be integrated seamlessly via different connectors with the existing cybersecurity tech stack – ticketing systems, SOAR and SIEM solutions, vulnerability management tools, etc. – and provides action plans for the mitigation of prioritized threats.
A practical tool
While it can come in handy to various departments, Outpost24 EASM is generally used by the IT security department.
“A system administrator might not use our tools regularly, but a cybersecurity architect or a CISO might use it to see whether the strategies and measures that they are recommending – and the organization is implementing – are having an impact. Due to the continuous scanning, they can see whether measures are working or not,” Jartelius noted.
“By setting up solutions to continuously find, assess, prioritize and assign responsibility for resolution through the chain via integrating the powerful discovery of our EASM technology with the accuracy of our vulnerability management solutions, organizations can remain in control of their exposure, assess it for flaws, isolate solutions to those problems and assign the resolution work to stakeholders within the organizations. This is not a single step of automation, but integral automation steps within the different solutions, allowing a more granular control.”
Figure 4: Overview over all the websites that are (or might be) connected to your organization
Key benefits of implementing Outpost24 EASM
The sectors that currently make the most out of EASM are those either heavily exposed to cybercriminals or in the midst of digital transitions.
“According to Outpost24’s regional benchmarks, healthcare organizations are currently focused on discovering exposed assets (especially compromised credentials) and fixing critical vulnerabilities, and financial organizations – who mostly already have things locked down due to regulation – are using our EASM platform to ensure that everything is correctly configured and no information that could be used by attackers gets leaked,” says Patrick Lehnis, Marketing Manager for Outpost24.
While the key benefit of using Outpost24 EASM is increased visibility of and reduction of the risks lurking in the external attack surface, the platform is also driving organizations to implement a proactive cybersecurity strategy.
“Something that we see quite often is that EASM helps customers pinpoint specific problems – e.g., lackluster patch management – in their internal IT processes, and they implement measures to improve them,” Lehnis noted.
“Yet another measurable benefit is the decrease in the time it takes for them to react to time-sensitive cyber risks like zero-day attacks. In the past, organizations might not have known all the afflicted assets and had to waste precious time finding them and deciding when to patch them and how. Now they go into our EASM platform, they set a filter that identifies every vulnerable firmware/software/component, and are ready to start patching in minutes, all the while being confident that they are not missing anything.”
Why does it matter?
While exposed assets and vulnerabilities don’t necessarily put critical information at risk, they show that an organization is neglecting the security basics. They are signs indicating that an organization might be worth attacking and contribute to a poorer online experience for customers.
A company’s external attack surface can expand pretty quickly if nobody is paying attention, so there’s value in having an EASM tool like Sweepatic from Outpost24 to automatically find and track these issues.