Last Updated on January 10, 2022
Every organization has an attack surface, consisting of all the hardware, software, SaaS resource and cloud-based assets that connect to the internet. Everything from web servers and web applications to network assets, IoT devices, social media content, your shadow IT—even your critical vendors’ environments—it’s all part of your attack surface.
How do you approach proactively monitoring and managing something so vast, complex and ephemeral?
To talk about the security value of attack surface management tools and services, a recent episode of The Virtual CISO Podcast features Steve Ginty, Director of Threat Intelligence at RiskIQ. Hosting the podcast is John Verry, Pivot Point Security CISO and Managing Partner.
Managing vulnerabilities and threats with attack surface management
In RiskIQ’s model, attack surface management starts with big data analytics. From there, RiskIQ offers different ways to view and process the data to support security goals like threat intelligence, incident response or overall security operations, as part of its PassiveTotal investigative platform.
“What PassiveTotal allows organizations to do is come in with a suspicious or malicious IP domain, and basically ask us to provide everything we know about that instance across PDNS [protective DNS], malware, WHOIS, our crawling infrastructure, et cetera. We basically allow organizations to make an assessment about whether something is good or bad and, if it’s bad, are there other associations to it? Like, does this IP have other domains on it that may be malicious? Did the actor use the same WHOIS email address to register multiple domains? That analyst-tailored view into our indexed data allows them to start to answer questions about an attack.”
A primary value of this capability is to make available threat intelligence from an aggregate view of the internet, which can help RiskIQ customers assess and triage events more quickly.
Bigger data equals sharper insight
Sorting the signal from the noise remains a major ongoing challenge. But there’s power in tracking consistent, repeated observations on a massive scale.
“Since we are doing this crawling and active scanning on a daily basis, we can observe something as being malicious,” Steve asserts. “This is more towards domains and hosts, but we add things with high fidelity to any of our block lists. So, if we’ve observed this specific host and URL in a phishing campaign, the URL is bad. If we see that host associated with multiple URLs, once it hits a certain threshold, we will promote the host to being on the block list. Once we’ve seen multiple hosts associated with the domain, we move up the chain of fidelity so that we’re reducing some of the noise that an organization would see.”
Because the whole internet is so cloudified and dynamic, malicious resources are often repurposed with lightning speed. “I was looking at something that was Cobalt Strike two months ago, and today it is part of Slack’s CDN because it’s an AWS IP address,” Steve relates. “That’s something we grapple with and talk about a lot.”
Again, the benefit of RiskIQ’s visibility and analytics is to reduce the noise and accelerate the time to insight. Ingesting their block list within your environment is a great example of how attack surface management can yield proactive results to reduce exposure.
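The fidelity chain Steve describes (URL, then host, then domain) and the repurposing problem he raises with the Cobalt Strike host that became a CDN address both come down to bookkeeping that a consuming organization can reason about. The following is an added example, not RiskIQ's or PassiveTotal's code: a small block-list model in Python in which URL sightings are the only raw input, hosts and registrable domains are promoted when constructed thresholds are crossed, and an aging window demotes infrastructure that has not been seen as malicious recently. The thresholds, the 30-day window, the `.test` hostnames and the "last two labels" domain rule are all assumptions made for illustration.

```python
"""Hierarchical block-list promotion with aging (added example, not vendor code).

Modelled on the chain described in the post: a URL seen in a phishing
campaign is blocked outright; a host is promoted once enough distinct
malicious URLs have been seen on it; a registrable domain is promoted once
enough of its hosts have been promoted. Thresholds, sample URLs and the
aging window are constructed for this example.
"""
from collections import defaultdict
from datetime import date, timedelta
from urllib.parse import urlsplit

# Constructed reference date used by the demo and its expiry step.
DEMO_DATE = date(2022, 1, 10)


def registrable_domain(host):
    """Naive 'last two labels' rule. Assumption: a production system would
    use the Public Suffix List so that e.g. example.co.uk is handled."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class BlockList:
    def __init__(self, host_threshold=3, domain_threshold=2, max_age_days=30):
        self.host_threshold = host_threshold
        self.domain_threshold = domain_threshold
        self.max_age = timedelta(days=max_age_days)
        self.url_seen = {}                       # url -> date of last sighting
        self.host_urls = defaultdict(set)        # host -> malicious urls on it
        self.domain_hosts = defaultdict(set)     # domain -> promoted hosts
        self.hosts = set()                       # host-tier block entries
        self.domains = set()                     # domain-tier block entries

    @staticmethod
    def _host(url):
        host = urlsplit(url).hostname             # already lower-cased
        if not host:
            raise ValueError(f"no host in {url!r}")
        return host

    def observe(self, url, seen_on):
        """Record one high-fidelity sighting (e.g. a URL in a phishing kit)."""
        self.url_seen[url] = seen_on
        self._promote(self._host(url), url)

    def _promote(self, host, url):
        """Walk up the chain: URL -> host -> registrable domain."""
        self.host_urls[host].add(url)
        if len(self.host_urls[host]) >= self.host_threshold:
            self.hosts.add(host)
            dom = registrable_domain(host)
            self.domain_hosts[dom].add(host)
            if len(self.domain_hosts[dom]) >= self.domain_threshold:
                self.domains.add(dom)

    def expire(self, today):
        """Drop sightings older than the window and recompute every tier, so
        infrastructure that has been repurposed stops being blocked. Returns
        the number of URL sightings removed."""
        cutoff = today - self.max_age
        stale = [u for u, d in self.url_seen.items() if d < cutoff]
        for u in stale:
            del self.url_seen[u]
        for bucket in (self.host_urls, self.domain_hosts, self.hosts, self.domains):
            bucket.clear()
        for u in self.url_seen:                   # order-independent rebuild
            self._promote(self._host(u), u)
        return len(stale)

    def verdict(self, url):
        """Return the highest-fidelity tier that blocks the URL, or None."""
        host = self._host(url)
        if registrable_domain(host) in self.domains:
            return "domain"
        if host in self.hosts:
            return "host"
        if url in self.url_seen:
            return "url"
        return None


def build_demo():
    """Constructed sightings: two phishing hosts under one domain, plus a
    single stale bad path on a shared host that should stay at URL tier."""
    bl = BlockList()
    for path in ("a", "b", "c"):
        bl.observe(f"http://login.bad-example.test/{path}", DEMO_DATE)
    for path in ("x", "y", "z"):
        bl.observe(f"http://mail.bad-example.test/{path}", DEMO_DATE)
    bl.observe("http://cdn.shared-example.test/kit.php",
               DEMO_DATE - timedelta(days=45))   # older than the 30-day window
    return bl


if __name__ == "__main__":
    bl = build_demo()
    for u in ("http://login.bad-example.test/never-seen",
              "http://cdn.shared-example.test/kit.php",
              "http://cdn.shared-example.test/other"):
        print(u, "->", bl.verdict(u))
    print("expired:", bl.expire(DEMO_DATE))
    print("after expiry:", bl.verdict("http://cdn.shared-example.test/kit.php"))
```

Two design points matter for a consumer of a feed like this. A never-seen path on a promoted domain is still blocked, which is the noise reduction Steve is after, but it also means a shared host (the CDN case) must never be allowed to climb past the URL tier on a single sighting, so thresholds and the aging window are the controls that decide how aggressive the list is. Rebuilding the tiers from the surviving sightings on expiry, rather than decrementing counters, keeps the promotion logic order-independent and avoids a host staying promoted after the URLs that justified it have aged out.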
To find out more about how attack surface management could help your company, you’ll find the full episode with Steve Ginty here: EP#69 – Steve Ginty – Can You Benefit From Attack Surface Management? – Pivot Point Security
Looking for more insight on managing security in the cloud? Take a peek at this show with John Grange, CTO at OpsCompass: https://pivotpointsecurity.com/podcasts/ep64-john-grange-head-in-the-clouds-multi-cloud-security-governance/