
Op-Ed: Getting an attacker’s view of your security

It is often said in security circles that defenders have to be right all the time, while attackers only need to get things right once. For IT security teams, the emphasis is on asset management, vulnerability scanning, patching, and the prevention/remediation of attacks.

Simon Ractliffe
Wed, 01 Feb 2023

However, this approach will only cover the assets that you know about. In an ideal world, you would have a complete and accurate list of all assets, and any new devices or additions to the network would be fully managed right from the start.

Sadly, life is not ideal. Networks are more porous than we would like to admit. Individuals may bring in their own devices and plug them into the network, with little to no thought on the security impact. Operational technology assets might live on separate networks, unseen by IT until someone asks for that network to be connected to the internet to make data available for analysis. These “unknown unknowns” have to be found in other ways.

Mimicking an attacker’s view of your network complements the traditional inside-out view of security and helps you close those potential gaps. Here are three approaches that you may like to consider:


#1 - External penetration testing

This approach has existed for many years and involves hiring a team to probe your network for potential vulnerabilities. They will employ the same tools, techniques, and processes as a bad actor looking to gain access. The biggest bonus from this is that they are not your team — they won’t think the same way as you and they will approach security with a different mindset.

Employing pen testing is a great approach, but it is not enough on its own. It provides a great snapshot of your current security level, but that snapshot only covers the period of the exercise and does not offer continuous oversight. Individuals can bring in new devices at any time, and departments can implement whole new digital infrastructures in the cloud, so a point-in-time test will miss whatever appears afterwards.

#2 - Open source intelligence

In recent years, more and more IT assets have been connected to company networks, and then onto the internet. These assets may then — if they are not properly secured — be visible on the internet. This data can then be scooped up and searched.

These sources of data can be available to everyone as open source intelligence, or OSINT. Using OSINT sources, you can look out for potential problem assets, or for issues in IT, operational technology, and IoT devices. The challenge around OSINT data is how to correlate any public data to your internal asset lists in order to make it useful to your team.

For instance, you may want to get more information on your domains and subdomains. Maybe you own xyz.com and there may be a mail server associated with that domain. However, can you see how that relates to another web server that has been spun up on a different subdomain? Without this visibility into all the subdomains and connections between internal and external assets, it can be harder to get a fully accurate picture.
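The correlation step described above can be sketched as follows. This is an added example, not code from the author or from any product: it reconciles hostnames seen in public sources against an internal asset list for the article's xyz.com example, and every hostname, owner name and function name in it is constructed for illustration.

```python
# Added example: reconcile externally observed hostnames (OSINT) with the
# internal asset list. All hostnames, owners and names here are constructed.

OWNED_DOMAINS = {"xyz.com"}  # domains the organisation owns (assumption)

# Internal asset inventory: hostname -> owning team (constructed sample)
INVENTORY = {
    "mail.xyz.com": "IT messaging",
    "www.xyz.com": "Web team",
}

# Hostnames collected from public sources such as DNS or certificate data
# (constructed sample, including messy formatting and look-alikes)
OBSERVED = [
    "MAIL.xyz.com.",
    "www.xyz.com",
    "promo.shop.xyz.com",
    "*.dev.xyz.com",
    "xyz.com.example.net",  # contains "xyz.com" but is not under it
    "notxyz.com",           # shares a suffix but is a different domain
]

def normalize(host):
    """Lower-case, strip a trailing dot and a leading wildcard label."""
    host = host.strip().lower().rstrip(".")
    return host[2:] if host.startswith("*.") else host

def owned_parent(host, owned=OWNED_DOMAINS):
    """Return the owned domain this host sits under, or None.
    Matching on a label boundary keeps 'notxyz.com' out of 'xyz.com'."""
    for domain in owned:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def reconcile(observed, inventory=INVENTORY, owned=OWNED_DOMAINS):
    """Bucket observed hosts: known, unknown (owned, not inventoried), out_of_scope."""
    result = {"known": [], "unknown": [], "out_of_scope": []}
    known_hosts = {normalize(h) for h in inventory}
    for host in sorted({normalize(h) for h in observed}):
        if owned_parent(host, owned) is None:
            result["out_of_scope"].append(host)
        elif host in known_hosts:
            result["known"].append(host)
        else:
            result["unknown"].append(host)
    return result

if __name__ == "__main__":
    for bucket, hosts in reconcile(OBSERVED).items():
        print(f"{bucket}: {hosts}")
```

The "unknown" bucket is the list to hand to asset owners: hosts under a domain you own that nobody has claimed in the inventory.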

#3 - External attack surface management

External attack surface management, or EASM, is an approach that looks at the whole organisation’s IT portfolio in order to detect any potential issues or threats over time. This includes all the different platforms that companies can use internally, and in the cloud, and looks to find any potential vulnerabilities due to poor configurations or insecure assets.

This approach aims to flag any assets that were not previously known about. This should look for potential problems such as unauthorised devices, unapproved or end-of-support software, open ports, or unsanctioned apps and domains. Like penetration testing, it provides an outside-in view of your network; however, EASM should provide insight both over time and automatically.

Getting insight into misconfigurations or vulnerabilities as early as possible is essential in order to be able to fix them before any attacker can exploit them. Ideally, you can combine approaches to improve your visibility, ensuring continuous security. This can help you benefit from the human insight and expertise that testing can provide, but also automate processes to help your team respond more effectively and efficiently.

Simon Ractliffe is Qualys' regional vice-president for Australia and New Zealand.
