Last Updated on February 8, 2022
Modern attack surface management techniques are increasingly seen as critical to identify and mitigate emerging attacks and risks across a company’s internet-facing assets, from web servers to IoT devices to network gear to SaaS tools to social media accounts—even your vendors.
There’s no question that attack surface management can help you identify unknown or “rogue” assets, boost the scope and pace of monitoring, and prioritize vulnerabilities and risks. But can it help with incident response?
Steve Ginty, Director of Threat Intelligence at RiskIQ, spoke in-depth about the value of attack surface management for incident response on a recent episode of The Virtual CISO Podcast. Hosting the podcast as always is John Verry, Pivot Point Security CISO and Managing Partner.
Ingesting relevant data
RiskIQ customers can ingest relevant data in their dashboards or systems of choice, such as JIRA or a SOC or SIEM solution, by leveraging APIs. RiskIQ also provides a centralized dashboard where users can go to stay informed about changing assets, new events and other data.
Further, on a trial basis, organizations can try out a “templatized” version of the offering at community.riskiq.com.
“It’s a combination of this attack surface management capability with our investigative tool, PassiveTotal,” says Steve. “It has a portal of open-source intelligence articles and vulnerabilities that have been coming out, where we extract the pertinent information and extract indicators of compromise (IOCs) for any of this public reporting so that it’s nicely packaged up and you can start pivoting and click and get all that context right away. And then if you want to dig into our data, you can go from there.”
Gleaning data for incident response
Not only incident response teams internal to companies, but also security vendors that provide incident response services rely on RiskIQ to provide additional insights when incidents occur.
The platform can be used programmatically via APIs to gather data pertinent to an incident. Further, it can serve as a “hunting tool” to understand the attacker. Steve illustrates: “These are the IPs and domains and we’ve seen from the infrastructure where their malware is communicating to. What else do we know? Can we find additional infrastructure that that actor may own? And can we proactively block that or maybe put it into a SIEM to alert, to find other hosts inside the environment that may be compromised?”
That incident response is taking advantage of the threat intelligence that you have from my org and all the other orgs,” John observes. “You know about my vulnerabilities, so you can tell me whether or not I was vulnerable to the attack that I might be investigating. And then I would imagine that you could also tell me at the same time, whether or not any of my third parties might be subject to the same risk so that I can reduce my supply chain risk at the same time I’m reducing my [internal] risk.”
“They all seem disparate at times,” Steve replies. “Vuln management and threat intelligence don’t always come together. But I think you’re seeing that shift a little bit more in the market right now.”
John encapsulates: “If I give you the right information, you can give me some level of visibility into all that. I mean, there’s no 100%, there’s no fail-proof, but I’m going to be in a lot better shape if I’m looking at all that information than if I’m not.”
More confident decision-making
The RiskIQ platform gets you answers faster, plus it gives you more confidence in the picture you’re seeing.
When someone in your C-suite says, ‘Do we have to be concerned about this?’, with some confidence, I can show you where those assets are and help you manage that infrastructure and possibly help you get ahead of it—or at least have that visibility to have some confidence in the decisions you’re making,” Steve notes.
Firms trialing RiskIQ can request a snapshot of their attack service, to be presented in the platform for you to investigate. Based mainly off your email domain, the snapshot won’t include all your assets. But many people are surprised how much can be discovered from so little information.
“We’ll show you the new assets over the last 30 days,” reports Steve. “We’ll show you anything that we think is potentially vulnerable or that should be investigated. And then we’ll give you the tools to go dig through our data to respond to an incident or to enrich any investigations you’re doing or any kind of incidents or alerts that may be happening.”
“It’s a lot of information to hand over, because we want people to understand the value proposition, get their hands dirty and really see the value we’re bringing,” Steve highlights.
To hear the complete episode with Steve Ginty from RiskIQ, click here
Want more ideas on how new tools and services can strengthen your security posture? We recommend this podcast episode with Chris Nyhuis, CEO of Vigilant: https://www.pivotpointsecurity.com/podcasts/ep50-chris-neyhuis-how-edr-ndr-help-you-make-better-security-decisions/