Jake Reynolds, Author at NetSPI

How to Use Attack Surface Management for Continuous Pentesting
https://www.netspi.com/blog/executive-blog/attack-surface-management/how-to-use-attack-surface-management-for-continuous-pentesting/
Sat, 27 Apr 2024 20:17:19 +0000

Uncover attack surfaces and exposures with NetSPI’s offensive security including Attack Surface Management (ASM) to enable continuous pentesting.

The post How to Use Attack Surface Management for Continuous Pentesting appeared first on NetSPI.

Table of Contents

  1. What is Attack Surface Management?
  2. How Attack Vectors and Attack Surfaces are Related
  3. Drilling Down on External Attack Surface Management
  4. The Rising Need for Attack Surface Monitoring
  5. Using an Attack Surface Assessment as a Starting Point
  6. The Adoption of Continuous Pentesting
  7. 3 Tips to Improve Your Attack Surface Management Strategy
  8. 3 Must-Have Features in Attack Surface Management Tools
  9. Quick Guide to Researching Attack Surface Management Vendors
  10. Streamline Risk Remediation with NetSPI’s Attack Surface Management

Attack surface expansion is a byproduct of doing business today, especially for enterprises that rely on the cloud. As businesses adapt and scale, the assets and platforms they use inevitably grow and change. This can result in attack surface exposures, both known and unknown, giving malicious actors many pathways to gain entry to networks.  

One key to adding offensive security to your strategy is to avoid the unmanaged sprawling of attack surfaces. Pentesting is a widely accepted method to discover vulnerabilities and prioritize remediation, but the value of a pentest can be amplified further with continuous pentesting. This is where Attack Surface Management (ASM) comes in.  

ASM complements pentesting because it brings an always-on approach to discovering attack surface exposures, validating the impact, and prioritizing updates. ASM shines a light on assets that were previously unknown and incorporates them into pentests as well. Companies are increasingly using Attack Surface Management to bridge the gap between vulnerability management tools and manual penetration testing.  

Whether your organization is starting to explore ASM, or you’ve established an offensive security strategy with a custom mix of tactics and technology, this guide to moving toward continuous pentesting with Attack Surface Management will equip security teams with an understanding of how to take vulnerability risk management practices to the next level.

What is Attack Surface Management?

Attack surface management (ASM) provides continuous discovery, inventory, testing, and prioritization of known and unknown assets and exposures on global external attack surfaces. In the last three years the industry has agreed on the term “attack surface management” as an all-encompassing description for tools used to discover an organization’s digital footprint.  

The best ASM tools today go beyond delivering a high volume of alerts to sort through, and instead reduce the workload of internal security teams by prioritizing risk response decisions. This not only maximizes the value of resources, but it also brings greater alignment between IT and security teams for a comprehensive offensive security strategy. 

Forrester defines ASM as, “the process of continuously discovering, identifying, inventorying, and assessing the exposures of an entity’s IT asset estate.”

Let’s clarify exposures and assets through examples:  

  • Exposures include internet-facing ports, SSL certificates, and applications. Exposures may pose cybersecurity risk to your organization.  
  • IT assets include IP addresses, domain names, subdomain names, software, cloud-based workloads, user accounts, and IoT devices.  

Tip: Core to the success of any cybersecurity program is first to understand the external attack surface of the organization, so you can manage it. 

Attack surface management is a complex area that spans several cybersecurity domains, including:   

  • Digital asset discovery and identification 
  • Attack surface monitoring 
  • Data leakage detection 
  • Digital footprint management 
  • Digital risk monitoring 
  • External attack surface management

In Contrast, What ASM is Not

To better understand what attack surface management is, let’s exclude what external attack surface management is not:

What ASM is not, and what ASM is in contrast:

  • Not a stand-alone, siloed service or technology. ASM integrates into security processes, DevSecOps, pentesting services, messaging systems, and ticketing systems to enrich other security services.
  • Not a voluminous list of unverified vulnerabilities produced by scanner technology. ASM drives action with verified, prioritized alerts.
  • Not a configuration management database. ASM pushes enriched data to improve IT security practices overall.
  • Not a replacement for vulnerability management tools and manual penetration testing. ASM fills the security gap between vulnerability management tools and manual pentesting for continuous pentesting.

How are Attack Vectors and Attack Surfaces Related?

Attack vectors are entry points into an organization’s network. All the attack vectors combined make up an attack surface. Two major types of attack surfaces are digital and physical. An enterprise attack surface typically includes a mix of both. Many other types of attack surfaces exist, but we’ll focus on managing external attack surfaces because they are the most lucrative area for threat actors to focus on.

Sixty-nine percent of organizations admit they had experienced at least one cyberattack that started through the exploit of an unknown or unmanaged internet-facing asset, including software, cloud-based workloads, user accounts, and IoT devices.

SC Magazine, 2021

Definition of External Attack Surface

An external attack surface comprises all public-facing digital assets and exposures across an enterprise, such as cloud accounts, websites, IP addresses, domain names, servers, networks, applications, Internet of Things (IoT) and operational technology (OT) devices, credentials, and third-party services. The size of an organization’s external attack surface varies depending on the size of the business and its technology stack.

Companies that experience mergers and acquisitions are specifically susceptible to unmanaged external attack surfaces that may pose security gaps. The security of an organization is largely unknown until integration begins. Combining divergent systems without having a full understanding of the acquired company’s security posture results in an opportunity for attackers to gain entry to larger systems.  

ASM is gaining adoption as part of a larger offensive security strategy because breaches can be traced back to a baseline vulnerability in an unmanaged attack surface, as opposed to a sophisticated threat actor. External attack surface management equips teams with continuous monitoring of known and unknown assets for potential exposures.

Drilling Down on External Attack Surface Management

External attack surface management (EASM) provides an outside-in view across an organization’s attack surface to reveal assets and exposures. Focusing on external attack surfaces brings the greatest security value to organizations quickly because of the sprawling growth of external attack surfaces.  

In theory, anyone can access your attack surface anywhere, anytime, making the external attack surface the best area of focus. EASM officially became a market category in 2021 with its ability to shine a light on unknown attack surfaces. ASM vendors such as NetSPI added the capability to feed scan results into already established security workflows to prioritize assets and remediate vulnerable exposures.

EASM is one aspect of defense in depth that feeds into a larger vulnerability management program. As the lines blur between EASM, cyber asset attack surface management (CAASM), and security risk rating services, the question is less ‘Which strategy do we need?’ and more ‘Which mix of security strategies is right for our business?’.

“EASM is an emerging product set that supports organizations in identifying risks coming from internet-facing assets and systems that they may be unaware of.”

– Gartner®, Emerging Technologies: Critical Insights for External Attack Surface Management
Forrester Report: The Attack Surface Management Solutions Landscape, Q2 2024

The Rising Need for Attack Surface Monitoring

Staying on top of a changing external attack surface requires vigilance. Market drivers that led to the rise of attack surface management include rapid business expansion into the cloud, the pace at which applications are developed and deployed, continued mergers and acquisitions resulting in unknown, unmanaged attack surfaces, and increasing remote work models. 

These trends result in a high volume of new exposures on external networks. The IT team is responsible for managing all IT assets, regardless of whether they are known or unknown, while security must understand and communicate the business risk of every exposure. Attack surface monitoring helps IT and security teams inform risk response decisions and prioritize their workloads for vulnerability remediation.

“On average, attack surface management tools initially discover 30% more cloud assets than security and IT teams even know they have. Simply put, you can’t secure what you can’t see.”

– Forrester, Find and Cover Your Assets With Attack Surface Management

Key Functions of Attack Surface Management

  1. Prioritize vulnerabilities based on business risk  
  2. Identify gaps in external attack surface visibility 
  3. Discover known and unknown assets, systems, and shadow IT 
  4. Assess merger and acquisition (M&A) and subsidiary risk globally 
  5. Continuous observability and risk management 
  6. Identification of external gaps in visibility 
  7. Risk-based vulnerability prioritization

Using an Attack Surface Assessment as a Starting Point

Every ASM engagement starts with a baseline attack surface analysis to map the scope of an organization’s attack surface. This is done by providing an ASM vendor with known domains and IP addresses.  

Attack surface visualization is just the start. The next step is to understand the business risk of your exposures. Data analysis of an attack surface assesses whether an exposure is risky and whether an asset is vulnerable or behaving abnormally. Automated asset detection tools that are part of modern offensive security strategies today enable organizations to:  

  • Track and trend data over time to measure the impact of the attack surface management program.  
  • Identify a broad spectrum of information, such as domains, DNS records, IP addresses, ports, products, and certificates for every IT asset. 
  • Group related assets together to create a risk view of the attack surface that enables prioritization. 
  • Investigate the global attack surface for outliers and all ports exposed to the internet.

ASM platforms including NetSPI’s may have the ability to check other parts of the internet for related entities to identify unknown assets as well. When this analysis is paired with human evaluation, vulnerabilities are accurately prioritized to only deliver relevant alerts about what to address/fix on an organization’s attack surface.

Tip: Choose an ASM vendor that pairs human analysis with innovative attack surface management tools. This allows for strategic prioritization of results for the best ROI on cybersecurity investments.

The Adoption of Continuous Pentesting

ASM platforms are inherently continuous in their discovery of assets. When security teams pair ASM with external network penetration testing, they can narrow the focus of pentesting engagements to the highest priority exposures. Conducting regular pentesting is a valuable part of offensive security, but attack surfaces are expanding rapidly, making continuous pentesting a more advanced approach. With the always-on nature of ASM, businesses can keep pace with today’s rate of change.

Here’s how it works:  

  • ASM continuously monitors exposures.  
  • Manual analysis of these exposures by an attack surface operations team determines the level of risk they pose.  
  • This information is relayed to a security team for remediation, and then passed along to a pentester to validate the remediated exposure.

The right mix of cybersecurity strategies depends on every organization’s unique needs, but pairing ASM with external network penetration testing for continuous pentesting is a modern method of bringing greater security to an environment.

Unknown Attack Surfaces: What You Don’t Know Can Hurt You

Do you really need to monitor unknown attack surfaces? In short, yes, because unknown attack surfaces have a greater potential for gaps. At NetSPI, our ASM discoveries often shed light on external attack surfaces that were previously unknown to an organization. Attack surface sprawl is a reality most security teams face today. Pairing a continuous attack surface monitoring platform with human analysis is a strong defense to stay protected. 

Unknown assets are a problem because:

  • Shadow IT: Individuals can, and will, use software or hardware without IT awareness.
  • Misconfigurations: Cloud security misconfigurations result in breaches.
  • Limited Coverage: You can’t prioritize security testing or build defenses for unknown assets.

If Your Goal is Attack Surface Reduction… 

Attack surface management inherently results in attack surface reduction. It helps organizations identify unknown or problematic parts of their attack surface and shut them off to the outside world.  

Take this analogy for example: If your house only has one entrance, you can put 100 locks on it to enhance security. But if you have 100 doors to your house, each door can only get one lock. In this case, reducing the number of doors on a house, or the assets for attackers to gain entry, creates a more secure environment.

“One Fortune 100 prospect felt confident that their company was using nine different cloud providers, but the ASM vendor’s initial scan of the internet revealed that they had applications and data in 23.”

– Forrester, Find and Cover Your Assets With Attack Surface Management 

Tip: Organizations experience greater security benefits quicker by partnering with an attack surface management vendor for strategy and guidance.

3 Tips to Improve Your Attack Surface Management Strategy

Human intuition, creativity, and expertise are vital to secure your attack surface. The following three best practices will improve any organization’s attack surface management strategy, getting the most out of internal workloads and cybersecurity spending. 

Assess your attack surface consistently

Avoid giving adversaries time to find risky exposures before you do. Assess your attack surface, including new cloud assets, on a consistent basis.

Incorporate human expertise

Dig into scan results, find more attack vectors, add business context, and eliminate noise with expert triage.

Prioritize exposures based on risk

Stay focused on what matters most: real threats to your business, not a flood of unverified scanner data.

Tip: Effective asset management and change control processes are challenging, and even the most well-intentioned organizations see attack surface management as an opportunity for improvement.

The Role of Attack Surface Management in a Vulnerability Management Strategy

Gartner® recommends making attack surface management part of a vulnerability management strategy through a unified offensive security approach with integrated controls and processes.  

Attack surface management is not a replacement for vulnerability management tools nor manual penetration testing services, but rather it fills an existing gap between the two cybersecurity strategies and helps focus effort for manual pentesting.

Analysts recommend attack surface management implementation “as part of a broader, enterprise-wide vulnerability and threat management effort, where known and unknown risks, vulnerabilities and assets are handled as part of a concerted and integrated strategy,” according to the Gartner® report Emerging Technologies: Critical Insights for External Attack Surface Management.

3 Must-Have Features in Attack Surface Management Tools

Anyone who uses ASM tools wants a clean UX, cloud integrations, and the ability to export a full list of vulnerabilities — and most ASM tools do all of these to some degree. However, the quality of scan reports varies based on technology capabilities, leading us to identify three key features to look for when researching ASM tools: unknown asset discovery, human analysis, and prioritized notifications.

1. The ability to discover the unknown.

You can’t protect what you don’t know, making the ability to find unknown assets essential for effective cybersecurity. For example, NetSPI’s ASM engagements start with a list of known domains and IPs; then we expand our search to related entities to uncover all assets tied to a company. This takes human intellect to provide a higher quality of results, leading us to the second feature to look for in ASM tools…

2. The inclusion of human analysis.

Powerful vulnerability scanners are a good starting point to identify weaknesses in assets, but the inclusion of human analysis delivers the strongest cybersecurity results. The best ASM tools will have manual pentesters review every exposure to contextualize it and determine if it’s exploitable. This work takes effort, but without the human element, ASM tools result in a cluttered list of vulnerabilities, bringing us to our final feature…

3. The prioritization of alerts.

ASM tools that rely on human analysis can vet vulnerabilities before they are added as alerts. While the full listing of all vulnerabilities is always available, a prioritized list of notifications that has been manually reviewed helps eliminate alert fatigue and center IT resources around the most relevant next steps. Say goodbye to notification overload and false positives.

The differences between tools for attack surface management are nuanced. Conducting research into ASM tools in light of your business objectives is the best way to evaluate which solution will meet your needs. Read our full criteria for selecting an Attack Surface Management platform here.

Quick Guide to Researching Attack Surface Management Vendors

The cybersecurity industry has no shortage of attack surface management vendors, but they aren’t all created equal. The qualities needed in an ASM vendor are specific to your overarching security goals. These three factors for evaluating attack surface management companies will help security leaders differentiate providers and expedite decisions around vendor selection.  

1. Tenured Reputation

Is this vendor a new player in the ASM field, or do they have a proven history in offensive security? Choosing a legacy vendor means streamlined processes, fast access to support teams, and tried-and-true methods to enhance security.

2. Convincing Proof of Value

Proof of Value (POV) is a standard practice that dives deep into a specific use case for technology or services to prove the efficacy of a proposed strategy. Comparing POVs between potential vendors helps security teams evaluate who meets their needs.

3. ASM Software Demos at the Ready

The ability to take an ASM tool for a test drive through a guided demo or webinar is a must-have before committing to an ASM vendor. This lets your team experience the user interface, ask pointed questions about capabilities, and compare features between tools.

4. Third-Party Validation

Gaining recognition from third parties such as Gartner® or Forrester is a surefire way to confirm the validity of attack surface management platforms. Analysts at these organizations perform a factual review of information from technology providers to recognize solutions that demonstrate innovation. Forrester included NetSPI in the External Attack Surface Management Landscape Report highlighting 36 notable EASM vendors.

These three qualities are just a starting point in your search. One of the best ways to conduct research into attack surface management vendors is to look internally. Gather anyone who would be impacted by security decisions and ask them to weigh in with what would make a cybersecurity partnership successful. Use the broader team’s input to guide questions and criteria when evaluating attack surface management companies.  

Or you can always turn to the Twitterverse to ask the masses like @AlyssaM_InfoSec.

Types of Attack Surface Management Vendors

Human-based ASM services 

Penetration testing services and vulnerability assessment services that use humans to manually test the external network, usually on a quarterly basis 

Pure-technology ASM solutions 

Attack surface management tools or scanners that look at what you have on the internet and use scores to prioritize impactful findings 

Hybrid ASM services 

Attack surface management vendors like NetSPI that merge human intuition with automated technology to find more vulnerabilities and filter prioritized alerts 

Tip: Use a hybrid approach to attack surface management to combine the best of human-driven triage and context with ASM tools.

Questions to Ask Attack Surface Management Vendors

To better understand the specific capabilities and differences between attack surface management companies and software, NetSPI recommends asking the following questions:  

  1. How often are you running tests? 
  2. How broad and fresh is the data?  
  3. How quickly will a new asset appear in the ASM tool? 
  4. How do you approach continuous pentesting?  
  5. Do you support exposure remediation efforts? How? 
  6. How do you manage the number of alerts? 
  7. How will you help me understand what’s most important on my attack surface? 
  8. Can I access all of my scan data if needed?  
  9. What are the critical risk factors that will affect the business?
  10. Who are the potential threat actors?  
  11. Which vulnerabilities should I remediate first?  
  12. Which exposures are attackers most likely to exploit?

Streamline Risk Remediation with NetSPI’s Attack Surface Management

NetSPI’s attack surface management service combines an automated attack surface management technology platform with a global follow-the-sun expert penetration testing team in a proven, scalable method. We help IT and security teams manage attack surface sprawl, identify unknown assets, uncover exposures, and prioritize remediation efforts. Attack surface management paired with manual external penetration testing is an advanced method for continuous pentesting.

NetSPI helps organizations through:  

  • Simple setup and onboarding 
  • Comprehensive asset discovery 
  • Always-on continuous pentesting  
  • Manual triaging of exposures 
  • Prioritized alerts 

Take our free ASM tool for a test drive here: https://asm.netspi.com/  

Protect Your Growing Attack Surface in a Modern Environment
https://www.netspi.com/blog/executive-blog/attack-surface-management/protect-growing-attack-surface/
Tue, 02 May 2023 14:00:00 +0000

Attack surface management is critical to protecting an organization’s growing digital footprint in today’s connected environment. Learn how.
Unmanaged attack surfaces are increasingly becoming a pathway for threat actors to gain access to systems, making effective attack surface management (ASM) more critical than ever before.  

According to research from Enterprise Strategy Group (ESG), more than half of businesses surveyed (52 percent) say that security operations are more difficult today than they were two years ago. The top reasons respondents indicated for increased challenges include an evolving threat landscape and a changing attack surface.  

Given the sophistication of threats today, a comprehensive attack surface management strategy can help proactively identify gaps and vulnerabilities while strengthening security controls.  

Let’s start by breaking down what an attack surface is. 

What is an Attack Surface? 

An attack surface is an accumulation of all the different points of entry on the internet that a threat actor could exploit to access your external-facing assets, such as hardware, software, and cloud assets. 

An enterprise attack surface may include digital attack surfaces, such as:  

  1. Application attack surface 
  2. Internet of Things (IoT) attack surface 
  3. Kubernetes attack surface 
  4. Network attack surface 
  5. Software attack surface 
  6. Cloud attack surface 

Other types of enterprise attack surfaces include human attack surfaces and physical attack surfaces. 
 
In our connected environment, a company’s total number of attack surfaces and overall digital footprint continues to expand, which puts external-facing assets at risk for exposures and vulnerabilities. 
 
Cloud storage adoption and hybrid work environments that rely on cloud solutions are some of the top reasons for expanded attack surfaces. Another factor is that an uptick in mergers and acquisitions can lead to acquiring assets that may be unknown, resulting in unmanaged attack surfaces. 

How Are Attack Vectors and Attack Surfaces Related?  

Attack vectors and attack surfaces are related because attack surfaces comprise all of the attack vectors, which include any method a threat actor can use to gain unauthorized access to an environment. Examples of attack vectors include ransomware, malware, phishing, internal threats, misconfiguration, and compromised credentials, among many others – vectors can also exist as a combination of these examples listed.  

As attack vectors become more complex, security teams need to identify and implement new, more effective solutions to secure attack surfaces and stay ahead of sophisticated threat actors.  

Monitoring and protecting against evolving attack vectors becomes more critical as an attack surface grows. For the purpose of this article, we’re focusing on how to effectively manage external attack surfaces since this is a common challenge many businesses face. The external attack surface remains a priority for remediation because it presents a higher risk due to its exposure to the internet. 

What is Attack Surface Management? 

Many businesses struggle to keep up with their ever-evolving attack surface. The good news is that ASM vendors equip internal teams with data-driven decisions to methodically tackle remediation efforts. 
 
Attack surface management provides continuous observability and risk assessment of your organization’s entire attack surface. When coupled effectively with continuous penetration testing, attack surface management helps companies improve their attack surface visibility, asset inventory, and understanding of their critical exposures. 

More specifically, external attack surface management (EASM) is the process of identifying and managing your organization’s attack surface, specifically from the outside-in view. The goal is to identify external assets that attackers could potentially leverage and discover exposures before malicious actors do.

Attack Surface Management Use-Cases 

Through the attack surface, adversaries can exploit exposures to identify vulnerabilities that will give them access to your organization. If threat actors are successful, then outcomes will vary depending on the attack surface and other factors—but they will undoubtedly be negative.  

Common outcomes include: 

  1. Deployment of malware on your network for the purposes of ransomware, or worse, killware. 
  2. Extraction of employee data such as social security numbers, healthcare data, and personal contact information. 

Effective asset management and change control processes are challenging, and even the most well-intentioned companies often see this as an area for improvement. The right attack surface management solution should include a combination of three core pillars: human expertise, continuous penetration testing, and prioritized exposures based on risk. 
 
Common reasons to invest in attack surface management include: 

  1. Continuous observability and risk management 
  2. Identification of external gaps in visibility 
  3. Discovery of known and unknown assets and Shadow IT 
  4. Risk-based vulnerability prioritization 
  5. Assessment of M&A and subsidiary risk 

Manage Growing Attack Surfaces with NetSPI 

NetSPI’s Attack Surface Management (ASM) platform helps security teams quickly discover and address vulnerabilities across growing attack surfaces before adversaries do.   
 
Four of the top five leading global cloud providers trust NetSPI for continuous threat and exposure management, leveraging our team, technology, and comprehensive methodology to detect known, unknown, and potentially vulnerable public-facing assets. 

Learn more about NetSPI’s attack surface management solutions or request a demo. Also check out our free Attack Surface Management Tool to search more than 800 million public records for potential attack surface exposures. 

NetSPI Attack Surface Management Updates: Portfolio Dashboard & Perceptual Hashing
https://www.netspi.com/blog/executive-blog/netspi-updates/asm-portfolio-dashboard-perceptual-hashing/
Tue, 25 Oct 2022 14:00:00 +0000

Learn how NetSPI’s new ASM features, Portfolio Dashboard and Perceptual Hashing, can help your organization better manage and secure your evolving attack surface.
Hackers are highly motivated and incentivized to find new ways to gain access to your systems, expose your information, or even target your customers. To deliver the highest level of security and maintain a leadership position in the global offensive security space, NetSPI continues to invest in new technology, updated service capabilities, and the highest-quality teams. 

“On average, attack surface management tools initially discover 30% more cloud assets than security and IT teams even know they have,” according to Forrester’s Find And Cover Your Assets With Attack Surface Management report. Some tools discovered several hundred percent more assets than the organization originally knew about.

Top use cases for attack surface management technologies are asset discovery and inventory, supply chain and third-party risk management, M&A due diligence, and compliance management. NetSPI’s Attack Surface Management (ASM) development team recognized these common use cases and saw the need to categorize and sort information faster, easier, and in a more intelligent way.  

The IT and SOC teams we work with are not simply looking for more data – they are looking for more meaningful and actionable data, and our recent developments have been targeted towards that.  

As a result, we are proud to introduce two new features into NetSPI’s ASM solution: the Portfolio Dashboard and Perceptual Hashing.

The Portfolio Dashboard

The ASM Portfolio Dashboard allows your company a global risk view of your attack surface, specifically showing your corporate network along with all portfolio or client networks.

The Portfolio Dashboard is, simply put, a dashboard. This dashboard allows your company a global risk view of your attack surface, specifically showing your corporate network along with all portfolio or client networks. We’ve seen the most benefit from this feature in companies going through M&A processes, private equity firms, cyber insurance companies, parent companies, and conglomerates, along with many others. 

Organizations using ASM can now search and filter for a specific threat or technology within their entire portfolio. This enables them to clearly display the specific assets that have potential vulnerabilities and provide actionable information in seconds. 

A well-known example where NetSPI’s ASM Portfolio Dashboard would have proven valuable is Log4Shell. Log4Shell is a remote code execution vulnerability in Apache Log4j that allowed attackers to place malware on a targeted system, leading to the potential of a completely compromised network, theft of sensitive information, and more. 

Not good! 

In this example, non-portfolio companies were struggling to identify all affected assets within their network. Portfolio companies and cyber-insurance companies needed to not only identify assets within their own network, but they also needed to identify affected assets in their clients’ networks – searching every known potentially vulnerable asset to better understand their risk, while still missing every unknown asset. 

Again, not good! 

If the Log4j crisis happened today, however, companies could leverage NetSPI’s ASM Portfolio Dashboard to quickly and easily search for any affected device across their global attack surface. The potentially vulnerable assets would be displayed in a simple dashboard (as seen in the screenshot above), allowing IT and security teams to react accordingly and efficiently target the most vulnerable areas, potentially saving the company and its customers from catastrophic damage.  

This is just one example of how the portfolio dashboard can benefit companies today. Although many organizations have remediated Log4Shell today, this feature can help in much the same way with other threats or technologies that may arise tomorrow, next week, or in the future. 

Perceptual Hashing

Perceptual Hashing analyzes these screenshots and categorizes them based on similar looks, styles, layouts, and images.

NetSPI’s current ASM offering routinely takes screenshots of all websites on your global attack surface. And we’re excited to share that the platform now includes Perceptual Hashing.  

Perceptual Hashing, sometimes referred to as Perceptual Image Hashing or Perceptual Sorting, analyzes these screenshots and categorizes them based on similar looks, styles, layouts, and images. These groups of screenshots are then reviewed by NetSPI’s ASM Operations Team to identify trends in your network or find outliers of websites running on your perimeter, and then notify your team. 

There are other types of hashing, such as average hashing, cryptographic hashing, geometric hashing, etc.; however, perceptual hashing is the most effective in cybersecurity because it is designed to recognize and group similar items even when minor modifications have been made to the images, such as compression or brightness changes. As a result, similar images are grouped together, while outliers are detected and grouped separately.  

The intention is that if a vulnerability is found on one of your public-facing websites, Perceptual Hashing will allow you to search for similar webpages so you can review them and take action. With NetSPI’s ASM continuous penetration testing capabilities and real-time reporting, teams will know almost instantly if there are any publicly exposed management interfaces and can respond accordingly. 

One of NetSPI’s ASM clients, a Fortune 500 technology company, recently used Perceptual Hashing to efficiently identify a vulnerability across various servers. The ASM Operations Team discovered a publicly exposed management interface in a proprietary web application during a routine scan, which left them vulnerable to external unauthenticated users accessing administrative functionality. The ASM team was able to take this finding and search the entirety of their other websites with the equivalent perceptual hash, identifying multiple other vulnerable servers. Once all were searched and the vulnerabilities were discovered, the team was able to report back to the company and guide them to remediate accordingly. 
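As an added illustration that is not NetSPI’s code (the post does not describe the ASM platform’s actual hashing method), the following Python implements a small difference hash (dHash) over constructed 64x64 grayscale "screenshots" and groups them by Hamming distance, mirroring the case above: a second host serving the same interface, rendered brighter and with pixel noise, hashes identically, while an unrelated page falls into its own group. The page layouts, host names and the 10-bit similarity threshold are assumptions.

```python
# Added example, not NetSPI's code: a minimal perceptual hash (dHash) plus
# Hamming-distance grouping over constructed grayscale "screenshots".
# Page layouts, host names and the similarity threshold are assumptions.

HASH_W, HASH_H = 9, 8  # 8 rows x 8 left/right comparisons = 64 hash bits

def resize_gray(img, w=HASH_W, h=HASH_H):
    """Shrink a 2-D list of 0-255 values to w x h by averaging blocks of source
    pixels (assumes the source is at least w wide and h tall)."""
    src_h, src_w = len(img), len(img[0])
    small = []
    for y in range(h):
        y0, y1 = y * src_h // h, (y + 1) * src_h // h
        row = []
        for x in range(w):
            x0, x1 = x * src_w // w, (x + 1) * src_w // w
            block = [img[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)]
            row.append(sum(block) / len(block))
        small.append(row)
    return small

def dhash(img):
    """64-bit perceptual hash: one bit per neighbouring pair in the shrunken image,
    set when the left block is brighter. Uniform brightness changes leave it unchanged."""
    small = resize_gray(img)
    bits = 0
    for y in range(HASH_H):
        for x in range(HASH_W - 1):
            bits = (bits << 1) | (1 if small[y][x] > small[y][x + 1] else 0)
    return bits

def hamming(a, b):
    """Differing bits between two hashes; 0 means perceptually identical."""
    return bin(a ^ b).count("1")

def group_by_hash(hashes, threshold=10):
    """Greedy clustering: a screenshot joins the first group whose representative
    hash is within `threshold` bits, otherwise it starts a new group (an outlier)."""
    groups = []
    for name, h in hashes.items():
        for g in groups:
            if hamming(g["hash"], h) <= threshold:
                g["members"].append(name)
                break
        else:
            groups.append({"hash": h, "members": [name]})
    return [g["members"] for g in groups]

def find_similar(hashes, reference, threshold=10):
    """Search for other screenshots within `threshold` bits of a known finding."""
    ref = hashes[reference]
    return sorted(n for n, h in hashes.items()
                  if n != reference and hamming(ref, h) <= threshold)

def make_screenshot(kind):
    """Constructed 64x64 grayscale page as a list of rows (no image library needed)."""
    img = []
    for y in range(64):
        row = []
        for x in range(64):
            if kind == "admin_panel":
                if y < 16:                             # dark header bar
                    v = 30 + x // 2
                elif 28 <= y <= 43 and 21 <= x <= 48:  # centred login panel
                    v = 220 - 2 * x
                else:                                  # light body with a gradient
                    v = 100 + x
            else:                                      # unrelated page: flat banner, reversed gradient
                v = 230 if y < 16 else 163 - x
            row.append(v)
        img.append(row)
    return img

def brighten(img, delta):
    return [[min(255, max(0, v + delta)) for v in row] for row in img]

def add_noise(img, seed, amplitude=1):
    """Deterministic per-pixel jitter standing in for compression noise. Amplitude 1
    stays below the smallest block contrast in these pages, so the hash is unchanged;
    heavier noise flips a few bits, which the Hamming threshold absorbs."""
    state, out = seed, []
    for row in img:
        new = []
        for v in row:
            state = (state * 1103515245 + 12345) & 0x7FFFFFFF
            new.append(min(255, max(0, v + state % (2 * amplitude + 1) - amplitude)))
        out.append(new)
    return out

def screenshot_hashes():
    """Hash the found interface, the same interface on another host (brighter,
    noisier) and an unrelated page."""
    panel = make_screenshot("admin_panel")
    shots = {
        "host-a/admin": panel,
        "host-b/admin": add_noise(brighten(panel, 30), seed=7),
        "host-c/index": make_screenshot("other_page"),
    }
    return {name: dhash(img) for name, img in shots.items()}
```

Calling `group_by_hash(screenshot_hashes())` yields `[['host-a/admin', 'host-b/admin'], ['host-c/index']]`, and `find_similar(hashes, "host-a/admin")` returns only `host-b/admin`.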

Other cases where NetSPI’s Perceptual Hashing feature can be used are: 

  • Servers using specific landing pages or technologies 
  • Publicly exposed management interfaces 
  • Digital rights management 
  • Data deduplication 
  • Image searching 

These are just two examples of recent innovations added to NetSPI’s Attack Surface Management solution. Although Perceptual Hashing is my current favorite feature, there are many innovations in the works right now to continue delivering the highest quality security for customers with our technology-driven, human-delivered methodology. 

Other noteworthy updates to our ASM solution include: 

  • New intelligent search help – when users click on the search inputs, they are presented with helpful suggestions to deliver the best results. 
  • Users in the Domain, IP Address, and Port table views can now copy selected assets and port URLs to the clipboard. 
  • Users can add an attribution statement when adding assets. 
  • Domain and IP address exports have been updated to include ports and associated assets. 
  • Domains, Ports, and IP Addresses now have all associated screenshots available to view. 
  • When viewing the full details page for a Domain, you can now use the “Generate Report” button to get a summary report specifically for that domain. 
  • The main dashboard now shows you trends of all vulnerabilities on your attack surface over time, separated by severity. 
  • On the ASNs page, the ‘Scan for ASNs’ button now validates and updates existing ASN associations in addition to inserting newly identified ASNs. 
  • The Port Gallery has been converted to an Explore page with left-hand facet searches. 
  • SAML SSO now supports users from multiple domains. 
  • Ability to automatically transform invalid CIDR ranges when adding assets. 
  • New port intelligence, including status code, content type, content length, site title, JARM, and HTTP reachability. 

Additional updates can be found on the Attack Surface Management changelog: https://asm.netspi.com/guide/changelog/. 

To learn more about NetSPI’s Attack Surface Management, contact your rep or connect with us here.

This blog post is a part of our offensive security product update series. Stay tuned for additional innovations within Resolve (PTaaS), ASM (Attack Surface Management), and AttackSim (Breach and Attack Simulation).


]]>
The Secret to a Successful Risk-Based Vulnerability Management Program: Risk Scoring https://www.netspi.com/blog/executive-blog/netspi-updates/secret-to-risk-based-vulnerability-management-program-risk-scoring/ Tue, 10 Aug 2021 12:00:00 +0000 https://www.netspi.com/secret-to-risk-based-vulnerability-management-program-risk-scoring/ Learn why risk scoring can help organizations achieve a risk-based vulnerability management program and, in turn, experience 80% fewer breaches.


]]>
Gartner anticipates that, by 2022, organizations that use a risk-based vulnerability management process will experience 80% fewer breaches. So, how can an organization make this shift and achieve a risk-based vulnerability management program? Two words: Risk scoring.

Leveraging risk scores for remediation prioritization and quantifying risk allows companies to prioritize budgets and resource allocation and focus on the security activities that could have the greatest impact to their business. And the idea of incorporating risk scoring intelligence to make the shift to a risk-based vulnerability management program is evolving. 

Through the collaboration of NetSPI’s development, engineering, and product teams, we’ve uncovered an accurate, data-driven methodology to calculate both aggregate and vulnerability risk scores using the data available from our penetration testing and vulnerability management platform, Resolve™. Let’s dig deeper.

What is risk scoring? 

In its most abstract form, risk is “the effect of uncertainty on objects involving exposure to danger.” At its foundation, cyber security risk is ultimately a function of (threat x vulnerability). While the definitions are helpful, it is important to look at your security program with a new lens and assess how your organization quantifies its risk – and is it even important to do so? Simply, the answer is yes. Quantifying and measuring cybersecurity risk is one of the most important components to a successful risk-based vulnerability management program.

The evolution of risk-based vulnerability management

Vulnerability incident resolution used to be reactive. Companies would wait for something to be exploited, then fix it. As IT systems became more integral to business operations, the need to be proactive in cyber defense became evident. Many tools were developed that could quickly produce a list of vulnerabilities, but companies were soon overwhelmed by the number of identified vulnerabilities, with no direction or priority assigned for remediation. 

The introduction of Governance, Risk, and Compliance (GRC) software that could correlate all vulnerabilities with business controls and identify the “true risks” to the company allowed some prioritization of risk. This management activity was done purely through technology, without human touch, and so lacked real-world controls and exceptions. As a result, these technologies were complicated, difficult to implement, and required extensive customization. The latest vulnerability management market entrants are touting their ability to use AI to predict an exploit before it ever happens. But organizations are spending a lot of money on this technology, and exploitation is hard to predict. AI and other automated tools calculate the likelihood of a vulnerability exploit opaquely and offer limited customization to the companies using them. 

Today, the gold standard is a risk-based vulnerability management program: one that prioritizes vulnerability remediation efforts based on the true risk each vulnerability presents to your specific organization. This contrasts with a program that focuses purely on compliance “check the box” activities, or one that is so overwhelmed it remediates vulnerabilities ad hoc as they show up instead of prioritizing them appropriately.

For more insights, watch our webinar: The Evolution of Risk-Based Vulnerability Management.

How to use your risk score metrics to help find, prioritize, and fix vulnerabilities

Risk scoring allows companies to manage their evolving attack surface in ways they could not before. The first step is to develop a customized risk lifecycle that will be the foundation on which risk data is generated. This includes identifying both the external and internal threats and vulnerabilities, as well as the assets that could be attacked. The decision then must be made on the best course of treatment, with options including mitigating, transferring, or accepting the risk. 

Here are the seven factors that impact how risk scores are determined in our Resolve™ platform:

  • Impact – If this vulnerability were to be exploited, how severe would its impact be? 
  • Likelihood – How likely is it that an attacker can and will attack this space? 
  • Environmental Modifiers – Think broadly about the asset and the environment in which the vulnerability is located.
  • Temporal Modifiers – Focuses on exploit code maturity, confidence, and remediation requirements. Temporal modifiers bring your risk score to life.
  • Industry Comparisons – How does your risk compare to other organizations or peers in your sector? 
  • Threat Actors – Are threat actors actively exploiting vulnerabilities present in your environment? 
  • Remediation Risk – Using the remediation SLAs available through PTaaS, all vulnerabilities are automatically assigned customizable due dates. Use remediation risk to determine your aggregates that require attention from a compliance perspective.

Vulnerability risk scoring is particularly beneficial in terms of remediation prioritization as it is calculated when you look at (vulnerability risk x the cost of resolution). If the vulnerability is deemed high severity, but the impact on your business is low (if exploited), the risk score would be on the lower side, and it may not be worth spending the money to fix it. And vice versa.

When it comes time to put your risk score to use, here are a few remediation considerations to keep in mind:

  • Prioritize – Prioritization is the most difficult part. Companies today can effectively identify vulnerabilities through penetration testing services, but how do they figure out which ones to fix first? What are the true risks to the business? This will vary depending on your business. 
  • Evaluate – Organizations must understand the efficacy of their risk mitigating controls. Manual pentesting and vulnerability scans still need to be done to validate your efforts are working as intended. 
  • Utilize the Data – Once you have a risk score, use it to validate and drive decisions around resource allocation, remediation prioritization, spend validation, track risk over time, industry benchmarking, and more.
  • Effectiveness – Are you on track to remediate your vulnerabilities before any threat materializes? Are your vulnerability and aggregate risk scores improving over time?

We see it every day. Companies are facing an immense number of vulnerabilities that humans have to manually sift through to assess and prioritize. Having a risk-based vulnerability management program in place allows organizations to identify, prioritize and remediate risks within their organization, saving time, headaches, and – perhaps most importantly – dollars in the end. 


]]>
Introducing PTaaS Pro: The Smart Solution to Penetrating Testing and Vulnerability Management https://www.netspi.com/blog/executive-blog/netspi-updates/introducing-ptaas-pro-the-smart-solution-to-penetrating-testing-and-vulnerability-management/ Tue, 08 Dec 2020 07:00:36 +0000 https://www.netspi.com/introducing-ptaas-pro-the-smart-solution-to-penetrating-testing-and-vulnerability-management/ During our penetration testing engagements, we frequently hear from clients that it is difficult to manage the large volume of vulnerabilities we discover


]]>
PTaas Pro is now offered as part of AppSec as a Service. Learn more about AppSec as a Service.

During our penetration testing engagements, we frequently hear from clients that it is difficult to manage the large volume of vulnerabilities we discover. On the one hand, this is what we are hired to do; on the other, it poses some challenges for our clients. Now, with Penetration Testing as a Service (PTaaS), we’ve made it easier than ever to consume, understand, and manage the large number of results we deliver to our clients with our penetration tests. And with PTaaS+, we’ve extended those benefits by directly integrating with your ticketing systems and allowing you to perform the full remediation lifecycle inside of Resolve™, our threat and vulnerability management platform.

What are you supposed to do when NetSPI isn’t the only source of vulnerability discovery for your organization? It’s extremely important to correlate and deduplicate vulnerabilities from all your data sources, not only to reduce noise but also to spare your engineering teams frustration by reducing duplicates and false positives and providing consistent, up-to-date guidance.

PTaaS Pro solves this problem by providing Resolve’s full suite of Threat and Vulnerability Management capabilities to our penetration testing clients. PTaaS Pro is an extremely valuable tool for security programs of all sizes, and provides many benefits, including:

Manage Internal and Third-Party Vulnerabilities

PTaaS Pro gives you the ability to manage all your organization’s vulnerabilities, not just those that NetSPI discovers. Yes, that even means vulnerabilities discovered by our competition. Resolve can integrate with over 30 vulnerability scanners, your CMDBs, and all your internal ticketing systems to have a consolidated warehouse for all vulnerabilities.

Reduce In-house Penetration Testing Times by up to 30 Percent

Resolve is a powerful tool for internal penetration testing teams, allowing them to coordinate project management for tests, standardize and enforce processes through checklists, correlate and deduplicate their automated and manual findings, and generate reports with the click of a button. One of the reasons NetSPI performs the highest quality penetration testing in the industry is because Resolve removes the hassle from testing, allowing your team to focus on finding vulnerabilities.

We’re More Than a Vendor – We’re Your Partner

When launching PTaaS Pro with your organization, NetSPI connects you with our team of industry experts, including former CISOs, vulnerability managers, and security experts. Together we work to integrate Resolve and NetSPI into your security processes. Every step of the way you’ll have access to first-hand experience and guidance on how to optimize and improve your security program.

PTaas Pro is now offered as part of AppSec as a Service. Learn more about AppSec as a Service.


]]>
Introducing PTaaS+: Decreasing Your Organization’s Time to Remediation https://www.netspi.com/blog/executive-blog/netspi-updates/introducing-ptaas-plus-decreasing-your-organizations-time-to-remediation/ Thu, 22 Oct 2020 07:00:13 +0000 https://www.netspi.com/introducing-ptaas-plus-decreasing-your-organizations-time-to-remediation/ NetSPI is focused on creating the next generation of security testing. This month we’re expanding your options with our PTaaS+ plan.


]]>
The PTaaS+ features listed within this blog post are now offered with any NetSPI service that leverages PTaaS. This excludes ticketing integrations, which are available for an additional cost. Contact us to learn more.

NetSPI is focused on creating the next generation of security testing. Our Penetration Testing as a Service (PTaaS) delivers higher-quality vulnerabilities in less time than any other provider, and we are now expanding these benefits into your remediation lifecycle.

This month we’re expanding your options with our PTaaS+ plan, which focuses on vulnerability management and remediation. With our base PTaaS plan, we deliver vulnerabilities the same day they are found; now, with PTaaS+, you and your team are empowered to act upon them and begin remediating immediately, decreasing your time-to-remediation by up to 1 month for high severity issues. A couple of key features contribute to this new functionality:

Ticketing Integrations

On average, we report over 50 vulnerabilities on a regular web application test, and that number jumps above 700 when we perform external network testing. When receiving so many vulnerabilities, making sense of it all can be a full-time job before you even get to remediating them. With PTaaS+, we offer free integration with Jira or ServiceNow to easily get the vulnerabilities into your tools and into the remediator’s hands on day zero.

Remediation Assignments & SLAs

After receiving a large number of vulnerabilities, the first step is assigning a due date for remediation based on vulnerability severity. PTaaS+ allows each severity to be assigned a timeframe in which it must be remediated from the delivery date. NetSPI’s standard recommendation is:

  • Critical – 30 days
  • High – 60 days
  • Medium – 90 days
  • Low – 365 days

However, these can be customized to fit your organization’s policies. Additionally, with PTaaS+, you can assign vulnerabilities to specific users, letting you track and delegate vulnerabilities throughout the remediation lifecycle.

Vulnerability Customization

After delivering vulnerabilities, one common point of discussion is NetSPI’s severity rating vs. an organization’s internal vulnerability rating. Every organization rates vulnerabilities differently and to help with that, PTaaS+ allows you to provide an assigned severity to all vulnerabilities, from which your remediation due dates can be calculated. Both NetSPI’s and your severities will be maintained for auditing and future reporting.

Data Analytics

After you have a handle on your remediation processes, you can start looking for trends to ensure fewer vulnerabilities next year. PTaaS+ grants you access to NetSPI’s Data Lab which allows you to analyze and trend vulnerabilities across all your assessments with NetSPI. Popular data lab queries include:

  • Riskiest asset in your environment
  • Most common vulnerabilities across your company
  • Top OWASP categories

The PTaaS+ features listed within this blog post are now offered with any NetSPI service that leverages PTaaS. This excludes ticketing integrations, which are available for an additional cost. Contact us to learn more.


]]>
Penetration Testing as a Service – Scaling to 50 Million Vulnerabilities https://www.netspi.com/blog/executive-blog/netspi-updates/penetration-testing-as-a-service-scaling-to-50-million-vulnerabilities/ Tue, 21 Apr 2020 07:00:16 +0000 https://www.netspi.com/penetration-testing-as-a-service-scaling-to-50-million-vulnerabilities/ The process of assessing third-party penetration testing vendors is the start of a long-term relationship that is core to your security testing program.


]]>
The process of assessing third-party penetration testing vendors is the start of a long-term relationship that is core to your security testing program. It’s critical to find a vendor that can both conduct and operationalize these testing programs to scale across the smallest and largest of security organizations. This can only happen when a testing service provider is technology-enabled and can plug into any environment.

At RSA in February, NetSPI launched Penetration Testing as a Service (PTaaS). PTaaS is our unique delivery model that provides our Threat and Vulnerability Management (TVM) platform, Resolve™, to our customers on every engagement. PTaaS is designed to provide best-in-class TVM solutions, by default, for every test. Starting with the first engagement, all vulnerabilities are correlated, deduplicated, and delivered directly through Resolve™. As the testing grows, the entire suite of product functionality can be added so that all of an organization’s internal and third-party testing programs are viewable in Resolve™.

In this two-part blog, we will first review existing features that come standard with a penetration test through PTaaS. Then, in the second blog in May, we’ll discuss additional and upcoming functionality that exists to scale Resolve™ across even the largest organizations.

Program Management

The entry point into Resolve™ is the Program Management Dashboard, which helps orchestrate all testing activities that are ongoing and have been completed in the platform. At the top, you will see new vulnerabilities trending over time and by hovering over them, you can see the efficacy of each testing method. This helps identify what was found through manual penetration testing versus our proprietary multi-scanner orchestration and correlation tool, Scan Monster™, versus a traditional single network scanner.

On this same Program Management Dashboard screen, you can see the Services Overview, which aggregates all projects in Resolve™ into a matrix via Project Type and timeframe. For example, the top left card in this overview represents all Web Application Penetration Tests performed in Q1 2020. Additional detail such as scoping and vulnerability information can also be found on this card.

Projects

By clicking into one of these cards in the Services Overview, you will be taken to the Projects grid, where each project’s details can be viewed. Selecting a project will bring up all information related to that project at a glance, including recent activity and comments, users assigned to the project, and project scope and definition. All communication for the project flows through this page. The project entities are also available here, along with important information like the findings discovered during the engagement and the assets that were included in the test. An asset typically relates to a unique IP address or URL.

Findings

The Findings tab will display all vulnerabilities discovered during the engagement. These findings can be searched, sorted, and filtered directly in this grid, as well as globally. Selecting a row will bring up a wealth of information about that finding.

The finding details present everything a developer would need to know to understand this type of vulnerability, including the overall severity, description, business impact, and remediation instructions for that issue, as well as what CVEs and OWASP categories are associated with that vulnerability.

Selecting the instances tab will bring up all the unique locations this vulnerability was discovered on this asset.

Instances

Inside an instance will be all the information needed to identify the specific vulnerability, including the affected URL and port and what parameters were used in the attack, along with step-by-step verification instructions. These instructions detail how to reproduce the vulnerability so developers can quickly understand and remediate it.

Concluding Thoughts

All these features are available at both the project and global levels. Users can filter, search, and globally prioritize all vulnerabilities and assets that exist in Resolve™. NetSPI has performed its penetration testing services in Resolve™ for over a decade and currently hosts 50+ million vulnerabilities for its clients – a number which is rapidly increasing.

Be sure to check back in late May for our part two in this series where we’ll discuss additional and new functionality that exists to scale Resolve™ across even the largest organizations.

To learn more about PTaaS, see the below resources:


]]>
Keep Pace with Evolving Attack Surfaces: Penetration Testing as a Service https://www.netspi.com/blog/executive-blog/netspi-updates/keep-pace-with-your-evolving-attack-surface-penetration-testing-as-a-service/ Tue, 04 Feb 2020 07:00:21 +0000 https://www.netspi.com/keep-pace-with-your-evolving-attack-surface-penetration-testing-as-a-service/ Study after study shows that business leaders across the country place cybersecurity in their top concerns for 2020.


]]>
Study after study shows that business leaders across the country place cybersecurity in their top concerns for 2020. PwC’s 23rd annual CEO Survey shows that 53% of U.S. CEOs are “extremely concerned” about the effect cyber threats will have on growth prospects.

And the findings of the Conference Board are similar. According to the survey, cybersecurity was the top concern for CEOs in 2019. What’s more, according to the study, cybersecurity budgets are increasing, with more than 70% of responding CEOs globally planning to increase their cybersecurity budgets this year. Interestingly, cybersecurity strategy remains elusive: almost 40% of responding CEOs globally say their organizations lack a clear strategy to deal with the financial and reputational impact of a cyberattack or data breach.

Often, we see that an inadequate security test can leave a company with a false sense of security. Couple that with the fact that in 2019 the average cost of a data breach to a company was $3.9 million, and a greater business challenge emerges. The bottom line is that organizations are always-on, so their security should be too. It’s more critical than ever that organizations implement a more proactive strategy to better understand their security weaknesses and vulnerabilities.

Penetration testing, delivered in a consumable fashion, and executed monthly or quarterly, rather than annually, can help. At NetSPI we call it Penetration Testing as a Service or PTaaS. Here’s all you need to know before investing in PTaaS, to achieve a successful vulnerability testing and management program.

An Introduction to PTaaS

PTaaS is the delivery model of combined manual and automated pentesting producing real-time, actionable results, allowing security teams to remediate vulnerabilities faster, better understand their security posture, and perform more comprehensive testing throughout the year.

A successful PTaaS program delivers security testing comprised of an expert manual pentesting team enhanced by automation. It puts customers in control of their pentests and their data, enabling them to simplify the scoping of new engagements, view their testing results in real time, orchestrate quicker remediation, and have the ability to perform always-on continuous testing.

The Case for PTaaS

According to PwC, cyber threats are a drag on growth, and tolerances for breaches and trust in technology are plummeting. To combat these trends, organizations need to shore up resilience. “Step one is to use technology to get real-time views into your most critical processes and assets, and then set up for continuous resilience,” it states.

Organizations with a mature security program understand that point-in-time testing is not the best option for continuously securing their applications and networks. New code and configurations are released every day; a continuous security program delivers results to customers around the clock, enabling them to manage their vulnerabilities more easily and efficiently.

PTaaS should be viewed as an essential IT department activity for identifying exploitable security vulnerabilities present across all networks and computing devices, such as desktop operating systems, web applications, mobile apps, and more. It proactively hardens an environment by identifying security weaknesses and software vulnerabilities, and then prioritizing them by the severity of the outcome should they be exploited, weighed against the likelihood of the attack. [Want to read more about penetration testing, a commonly misunderstood security discipline? Grab a cup of coffee and enjoy.]

Learn more about PTaaS in TechTarget’s WhatIs.com article Word of the Day: Penetration Testing as a Service.

Choosing the Best PTaaS Partner for Your Business

When evaluating PTaaS options, security professionals would be well advised to:

  • Insist on real-time, accessible reporting, and don’t settle for reams of static PDF reports that give no access to the data as vulnerabilities are found.
  • Look for a platform, dashboard, or other technology efficiencies that increase speed to remediation and give direct communication with the pentesting experts. For example, NetSPI’s platform houses all vulnerability data and provides remediation guidance for real-time access and assessment.
  • Prioritize non-negotiables such as a team of expert, deep-dive manual pentesters enhanced by automation; automated pentesting and scanners will only ever find a portion of an organization’s vulnerabilities. Automation creates efficiencies, but the human touch is still necessary to identify the high and critical severity issues that can only be discovered by manual testing.

As attack surfaces constantly grow and evolve, it’s important to recognize that point-in-time penetration testing, while important, is no longer an effective means of year-round security and that there are options available that can increase the value that you get from traditional testing. As an industry, our ultimate goal is to prevent breaches from happening – but, how can we make that happen without having an “always-on” mentality?

Learn more about NetSPI PTaaS here.

The post Keep Pace with Evolving Attack Surfaces: Penetration Testing as a Service appeared first on NetSPI.

Please Stop Giving Me Your Passwords
https://www.netspi.com/blog/technical-blog/vulnerability-management/please-stop-giving-me-your-passwords/
Tue, 27 Mar 2018 07:00:38 +0000

Securely distributing passwords and secrets to web servers is a challenging topic. It requires a distribution method that balances security and agility.

The post Please Stop Giving Me Your Passwords appeared first on NetSPI.

I found myself in the office on Saturday night, mainly because the frozen pizza selection is more expansive than mine at home, and I wanted to get a head start on my project for this week. It was a normal Static Application Security Test (SAST), which follows a mostly pre-defined process, with embellishments depending on the languages and frameworks at play.

The first step in that process is to search for hardcoded passwords. I dug out the simple and ugly password regex I’ve created for this and did a search for /pa?ssw?o?r?d?|pwd/gi across the entire codebase. This regex covers all of the standard ways I’ve seen “password” used as a variable name in code. Without fail I got back:

[Screenshot: search results for the password regex]
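As an added example (not the tooling used on this engagement), here is a small Python scanner built around the regex above. The loose name pattern is only the first cut; a hit is reported when that name is assigned a quoted string literal, or when a credential sits inside a connection URL (scheme://user:password@host), and obvious placeholders such as ${VAR} or <your-password> are dropped. This is what makes the false-positive triage described below tractable. The sample file tree, its file names and its contents are all constructed for the demo.

```python
"""Hardcoded-secret scanner (added example; not the tooling used in the post)."""
import os
import re
from typing import Dict, List, NamedTuple

# Stage 1: the post's loose name pattern (pass, passwd, password, pwd, ...).
NAME_PATTERN = r"pa?ssw?o?r?d?|pwd"

# Stage 2: that name must be assigned a quoted literal, e.g. password = "...",
# 'PASSWORD': '...', or pwd: "...". A reference such as os.environ["DB_PASSWORD"]
# or process.env.DB_PASSWORD has no literal and is not reported.
ASSIGN_RE = re.compile(
    r"(?P<name>\w*(?:" + NAME_PATTERN + r")\w*)[\"']?\s*[:=]\s*"
    r"(?P<q>[\"'])(?P<value>[^\"']*)(?P=q)",
    re.IGNORECASE,
)

# Credentials embedded in a connection URL: scheme://user:password@host
CRED_URL_RE = re.compile(
    r"\b(?P<scheme>[a-z][a-z0-9+.-]*)://[^:/\s\"'@]+:(?P<value>[^@/\s\"']+)@",
    re.IGNORECASE,
)

# Values that are placeholders or indirections rather than secrets.
PLACEHOLDER_RE = re.compile(
    r"^(?:\$\{?\w+\}?|%\w+%|<[^>]*>|\*{3,}|x{3,}|changeme|your[-_ ]?password)?$",
    re.IGNORECASE,
)


class Finding(NamedTuple):
    path: str
    line: int
    name: str    # variable/key name, or "scheme://" for URL-embedded credentials
    value: str


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents and return the hardcoded-secret candidates in it."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ASSIGN_RE.finditer(line):
            if not PLACEHOLDER_RE.match(m.group("value")):
                findings.append(Finding(path, lineno, m.group("name"), m.group("value")))
        for m in CRED_URL_RE.finditer(line):
            if not PLACEHOLDER_RE.match(m.group("value")):
                findings.append(Finding(path, lineno, m.group("scheme") + "://", m.group("value")))
    return findings


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} tree (used by the demo below)."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def scan_dir(root: str, skip=(".git", "node_modules", "venv", "__pycache__")) -> List[Finding]:
    """Walk a real checkout; undecodable bytes in binary files are ignored."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(os.path.relpath(full, root), fh.read()))
            except OSError:
                continue
    return findings


# Constructed sample tree: file names and contents are assumptions for the demo.
SAMPLE_TREE: Dict[str, str] = {
    "app/settings.py": (
        "DATABASES = {\n"
        "    'default': {\n"
        "        'ENGINE': 'django.db.backends.mysql',\n"
        "        'USER': 'admin',\n"
        "        'PASSWORD': 'password',\n"
        "        'HOST': 'prod-db.example.com',\n"
        "    }\n"
        "}\n"
        "SECRET_KEY = os.environ['DJANGO_SECRET_KEY']\n"
    ),
    "worker/config.js": "const dbPwd = process.env.DB_PASSWORD;\nconst legacyPassword = \"Hunter2!\";\n",
    "README.md": "DB_PASSWORD: \"<your-password>\"\n",
    "deploy/jobs.yml": "url: postgres://report_ro:R3p0rt@reports-db:5432/warehouse\n",
    "docs/install.txt": "DB_PASSWORD=\"${DB_PASSWORD}\"\n",
}


def mask(value: str) -> str:
    """Report a finding without copying the secret into the report."""
    return value[:2] + "*" * max(len(value) - 2, 0)


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f.path}:{f.line}: {f.name} = {mask(f.value)}")
```

Run against a checkout with scan_dir("."). Of the five constructed files, only the Django settings literal, the leftover legacyPassword literal, and the connection URL are reported; the process.env reference, the README placeholder, and the ${DB_PASSWORD} indirection are dropped.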

After digging through all the results and weeding out the false positives I ended up with a total of 30 hardcoded passwords. All of them were database connection strings, covering 20 distinct database users, several of them with admin access to the database. Our recommendation for this is simple:

Passwords should never be hardcoded in the source code.

Why?

The reasoning is that there are many attack paths that result in source code or arbitrary file disclosure: verbose error messages, public GitHub repositories, arbitrary file read vulnerabilities, “oopsies” email attachments, and shoulder surfing, to name a few.

A typical escalation path that exploits hardcoded passwords could start with an XML External Entity (XXE) injection. An application vulnerable to XXE lets us read (almost) any file the application’s user can read on the server. An attacker uses this to fingerprint the technology in play and then target the important source code files. For example, a web application using the Python Django framework will have a settings.py file, which often contains the hardcoded credentials for the database connection. With some luck, or by brute-forcing likely paths, an attacker can find the source code directory and read settings.py via XXE.

HTTP Request:

POST /xxe HTTP/1.1
Host: netspi.com
Connection: close

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY settings SYSTEM "file:///django-app/settings.py" >]>
<foo>&settings;</foo>

HTTP Response:

HTTP/1.1 200 OK
Content-Length: 178
Connection: close

DATABASES = {
 'default': {
 'ENGINE': 'django.db.backends.mysql',
 'NAME': 'admin',
 'USER': 'admin',
 'PASSWORD': 'password',
 'HOST': 'prod-db.netspi.com',
 'PORT': '3306',
 }
}

An attacker can now take this information and connect directly to the database, which is public-facing because someone assumed authentication was enough. Once an attacker has this amount of access, any number of paths can be followed to further infiltrate the network. This attack extends to anything that requires a password: admin pages, config pages, mail servers, etc…

Remediation

We need various forms of secrets (passwords, API keys, etc.) on the box somehow, and the goal is to find the method that reduces the organization’s risk the most. Our suggested remediation is usually to supply them through environment variables on the server. Environment variables are the recommended method because an attacker is relatively unlikely to gain access to them. I’ve only seen them exploited in two common scenarios: overly verbose debug pages left running in prod, or OS command execution used to list all of the environment variables*. Both are straightforward to guard against, even in large codebases. Environment variables also scale better: rotating a secret requires only one configuration change rather than a code change and redeploy.

Resources

Like most things in security, 0days excepted, all the information is out there; a lot of people just aren’t aware of the vulnerability or of the proper way to fix it. Because of that I won’t rehash how every platform implements environment variables, but I will point out what I think are the best resources for doing so.

The handling of sensitive data for an app should always be done at the deployment/orchestration level. This ensures that secrets are stored and managed away from the web servers and databases. Here are some of the popular deployment and orchestration frameworks, with their related resources:

  • Kubernetes
  • Jenkins
  • TravisCI
  • Drone
  • TeamCity
  • CircleCI
  • GitlabCI
  • AWS: uses IAM roles, which are not discussed in this post but are a stronger substitute for environment variables in AWS applications.
  • Docker Swarm: uses Docker secrets. They are exposed to the container as files (mounted on an in-memory tmpfs under /run/secrets) rather than as environment variables, but they are the recommended method inside the Docker ecosystem.
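As an added example of the environment-variable remediation (not code from the post or from any of the frameworks above), here is the DATABASES block from the XXE response rewritten so that the password is resolved when the process starts: first from the environment, then from a file named by a *_FILE variable (the convention many official Docker images follow), then from a Docker-style /run/secrets/<NAME> file, and failing closed if none of those exist. The variable names DB_PASSWORD, DB_HOST and so on are assumptions, and the temporary secrets directory is constructed for the demo. Rotating the password then means changing the environment or the mounted secret and restarting; nothing in the repository changes.

```python
"""Secret loading for a Django-style settings module (added example; not the post's code)."""
import os
import tempfile
from typing import Mapping, Tuple

# Docker Swarm/Compose mount secrets as files on an in-memory tmpfs here.
DEFAULT_SECRETS_DIR = "/run/secrets"


class MissingSecret(RuntimeError):
    """Raised when a required secret is not configured; start-up should fail, not fall back."""


def read_secret(name: str, env: Mapping[str, str] = os.environ,
                secrets_dir: str = DEFAULT_SECRETS_DIR) -> str:
    """Resolve a secret, in order: NAME in the environment, the file named by
    NAME_FILE, then <secrets_dir>/NAME. There is no default value on purpose:
    a missing secret is an error, never an empty password."""
    value = env.get(name, "")
    if value:
        return value
    path = env.get(f"{name}_FILE") or os.path.join(secrets_dir, name)
    try:
        with open(path, "r", encoding="utf-8") as fh:
            return fh.read().rstrip("\r\n")
    except OSError:
        raise MissingSecret(
            f"{name} is not set in the environment and {path} is not readable"
        ) from None


def database_settings(env: Mapping[str, str] = os.environ,
                      secrets_dir: str = DEFAULT_SECRETS_DIR) -> dict:
    """The DATABASES block from the post, with the password resolved at start-up
    instead of written into settings.py. Host, port, name and user are ordinary
    configuration and may have defaults; the password may not."""
    return {
        "default": {
            "ENGINE": "django.db.backends.mysql",
            "NAME": env.get("DB_NAME", "app"),
            "USER": env.get("DB_USER", "app"),
            "PASSWORD": read_secret("DB_PASSWORD", env, secrets_dir),
            "HOST": env.get("DB_HOST", "127.0.0.1"),
            "PORT": env.get("DB_PORT", "3306"),
        }
    }


def make_demo_secrets_dir(password: str = "s3cret-from-file") -> Tuple[str, str]:
    """Constructed for the demo: a temporary directory that mimics /run/secrets.
    Returns (directory, path of the DB_PASSWORD file)."""
    secrets_dir = tempfile.mkdtemp(prefix="secrets-")
    path = os.path.join(secrets_dir, "DB_PASSWORD")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(password + "\n")
    os.chmod(path, 0o400)  # readable by the service account only
    return secrets_dir, path


if __name__ == "__main__":
    demo_dir, _ = make_demo_secrets_dir()
    settings = database_settings({"DB_HOST": "prod-db.example.com"}, demo_dir)
    print("connecting to", settings["default"]["HOST"], "as", settings["default"]["USER"])
    try:
        read_secret("DB_PASSWORD", {}, "/nonexistent")
    except MissingSecret as exc:
        print("refused to start:", exc)
```

Import database_settings from settings.py and assign DATABASES = database_settings(); the application then refuses to start without a password instead of silently connecting with a value someone committed years ago.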

In the end, secrets don’t belong in the code. Proper distribution will decrease the reach an attacker has through other methods of attack and protect an organization by allowing them to rotate secrets easily and often.

Coming Up

This post is an attempt at describing a holistic approach to secret handling that will work in every environment. Using environment variables is still not the most secure method: the values sit in plaintext in the process’s environment, readable by anything running as the application’s user (and by root). To do better, a platform-specific method is usually required, which both Windows and Linux offer.

We’re curious to hear how other organizations handle secrets in their code and what improvements could be made to further advance the topic. Let us know @NetSPI or by leaving a comment below!

* Edit 10:13 AM: Unfortunately environment variables on Linux are still exposed to arbitrary file disclosure, since a file-read bug can be pointed at /proc/self/environ, as shown here: https://blog.netspi.com/directory-traversal-file-inclusion-proc-file-system/.

NetSPI SQL Injection Wiki
https://www.netspi.com/blog/technical-blog/web-application-pentesting/netspi-sql-injection-wiki/
Tue, 19 Dec 2017 07:00:05 +0000

We are proud to be open sourcing our SQL Injection Wiki. A teaching and reference tool designed to reduce exploitation time of SQL injection.

The post NetSPI SQL Injection Wiki appeared first on NetSPI.

]]>
As penetration testers, the tools, information, and knowledge available to us directly correlate with the number of entry points we can identify and exploit in any environment. The longer we spend researching and developing individual escalation paths, the less time we have for digging into other parts of the network or application. Below we discuss some of the problems we’ve had with SQL injection and its related online resources, and introduce our solution to them.

Another SQL Injection Wiki?

SQL injection is one of those vulnerabilities that, without a proper knowledge base, can take a surprising amount of time to exploit with meaningful results. When you have to exploit it in multiple Database Management Systems (DBMSs) every week, it becomes tedious to look up all the queries and table names again and again. There are many resources on the internet for various injection types and DBMSs, but they tend to give only a cursory overview of the injections and say little about what to do after you successfully exploit one.

One of our Senior Consultants, Alexander Leary, brought up this issue and proposed an idea to Ben Tindell and me earlier this year. Ben, who loves a good wiki, and I, who was terrible at advanced SQL injection, really enjoyed the idea of a comprehensive centralized knowledge base for SQL injection. Through that exchange the NetSPI SQL Injection Wiki was born. Like other sites, aggregating the basics of injections was important. But we also wanted to aggregate what data was most valuable and where it resided within the various DBMSs, while adding injection techniques to extract that data, obfuscate queries, pivot further into the internal network, and more. Most importantly, we wanted it all in one easy-to-understand place.

Presenting

Today we are open-sourcing our wiki to address the problems listed above. You can view the wiki at https://sqlwiki.netspi.com and you can help contribute to its development on GitHub. We are striving to make this a teaching tool as much as a lookup tool. Beginners will benefit from starting at Step 1: Injection Detection, while experienced testers may want to skip straight to the thick of it at Step 5: Attack Queries. If you think any information is inaccurate, or think there is more we should add, please feel free to create an issue or submit a pull request.

A huge thanks to all those who have already contributed!

We’re excited to be releasing this and we will continue to work on making it as informative and intuitive as possible. For the time being, what other vulnerabilities do you waste the most time on Googling for exploits? Let us know on Twitter @NetSPI, or by leaving a comment below!
