Last Updated on January 4, 2022
Every organization with internet-facing assets has the same basic concerns when it comes to cybersecurity risk. Where are we exposed and vulnerable? What attacks and risks are we most likely to face in the current threat environment? And, if we’re being targeted, what hackers specifically are behind it?
Answering these questions is the province of attack surface management. One of the leading experts on this emergent hot topic is Steve Ginty, Director of Threat Intelligence at RiskIQ. Steve was our special guest on a recent episode of The Virtual CISO Podcast, hosted as always by John Verry, Pivot Point Security’s CISO and Managing Partner.
Your web-facing assets are a moving target
The idea behind attack surface management is that there’s a lot of information exposed on the internet that bad actors can leverage to identify and exploit vulnerabilities. Identifying what and where these assets are, and what they’re running, is the critical first step in proactively managing the risk associated with them—no easy feat in today’s world of multi-cloud, container clusters and infrastructure as code.
“Everybody’s had internal IT capabilities and spreadsheets of things and databases of assets and where they live,” says Steve. “But the IT environment of organizations is changing so dramatically now, and even more so with the shift to the cloud. We try to help organizations understand what their exposure is. And we help answer questions that they may have about their attack surface.”
Tools of the trade
Attack surface management is by nature an ongoing effort. The starting point is what Steve calls “seeds” that RiskIQ’s customers provide. These could be domains, IP blocks, Autonomous System Numbers (ASNs), etc. that an organization owns. RiskIQ’s offerings use these seeds as inputs to algorithms that venture into its vast data stores and discover what the data holds about the organization.
“RiskIQ has collected and indexed WHOIS data,” Steve explains. “On a large scale, we have a full instance of passive DNS collection that helps us understand domain-to-IP and historical connection points. We also have a crawling and scanning infrastructure that goes out and interrogates specific web properties and webpages to understand interactions on them. There’s also a scanning environment that focuses on fingerprinting [but not fully interrogating] ports and services open on IP addresses.”
Steve cites an example of how that latter service works: “For the Cisco vManage vulnerability that came out last week, I can go into our system and say, ‘Show me everywhere we’ve observed those systems over the past 30 days.’ I can’t tell you if an asset is 100% vulnerable to that remote code execution vulnerability, but I can tell you where they are in your environment or if it’s something you should be worried about.”
RiskIQ is a big data company
RiskIQ’s scanning technology looks at all asset types, including webpages. “It’s not specifically IP and services,” Steve notes. “We’ll look at hosts and domains and everything as a part of our scanning. And we have a crawling environment that will go on a virtual walk through your webpage and click down through connected links to see how the page interacts.”
“We’re doing a whole host of information collection,” Steve continues. “And then we’re layering filters on top of that information collection for a given customer. So, if you want to know what domains are expiring in the next 30 days, you can come in and see that filter inside of our platform, because for our customers, we do more active monitoring.”
If you tell RiskIQ what web-connected assets are most important to your business, they can do extensive monitoring (e.g., on a daily or weekly cadence) based on your unique scenario, so that you can get the exact information you need: WHOIS look-ups, expiration dates, SSL certificates that are about to expire, and more.
“I like to say that RiskIQ is a big data company,” Steve summarizes. We do large-scale internet data collection. Our products are just filters on top of that data that let you answer questions.”
Ready for a flyover of your company’s attack surface? Click here to hear the full episode with Steve Ginty: EP#69 – Steve Ginty – Can You Benefit From Attack Surface Management? – Pivot Point Security
Looking for more ways to reduce your attack surface? We recommend this podcast episode with Dr. Eric Cole on assessing cybersecurity risk: https://pivotpointsecurity.com/podcasts/ep53-dr-eric-cole-you-are-a-target-assessing-cybersecurity-risk/