After a very tumultuous year in cybersecurity, including the SolarWinds hack and numerous ransomware and supply chain attacks, Randori set out to understand the ongoing prevalence of internet-facing assets that contribute to these attacks. The result is our 2021 Attack Surface Report.
Because we’re attackers—and do reconnaissance like attackers do—we have a deep understanding of what attack surfaces look like at scale. We’ve invested heavily in building technology that helps us understand what technologies are exposed on the internet, and which are tempting to an attacker to exploit. We apply our patent-pending Target Temptation model to our massive dataset of exposed internet assets, assigning each IT asset an attacker “Temptation Score”—identifying the technologies an attacker is most likely to target for exploitation.
Today, for the first time ever, we’re releasing insights from that data, consolidating Randori’s insights about attack surfaces into actionable data and advice. Download the full 2021 Attack Surface Report: Internet’s Most Tempting Targets, or read on for a summary of the data and takeaways for security leaders.
Key Attack Surface Revelations
- One in 15 organizations currently runs a version of SolarWinds that is known to be actively exploited or highly tempting.
- 15% of organizations are running an outdated version of IIS 6, which hasn’t been supported by Microsoft for six years.
- 38% of organizations use Cisco’s Adaptive Security Appliance (ASA) firewall, which has a history of public vulnerabilities.
- 46% of organizations are running Citrix NetScaler, which has a history of public exploits, and if hacked would give an adversary high privileges.
- 3% of organizations still run older versions of Microsoft Outlook Web Access (OWA) — versions 15.2.659 or older — despite the recent Exchange hacks and several known exploits.
- More than 25% of organizations have RDP exposed to the internet, which increases the risk of attacks, including ransomware.
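As an added example (not code from the report or from Randori's Target Temptation model), the script below triages a constructed asset inventory against the exposure findings listed above: SolarWinds in use, IIS 6, Outlook Web Access at version 15.2.659 or older, and RDP reachable from the internet. The inventory, host names and field names are assumptions. The one detail worth noting is the version comparison: comparing dotted version strings as text would rank 15.2.1000 below 15.2.659, so the versions are split into numeric tuples first.

```python
"""Added example: flag inventory entries matching the exposure findings
cited in the report summary above. Illustrative code for this page only;
the inventory, hosts and field names are constructed assumptions."""
from dataclasses import dataclass


@dataclass
class Asset:
    host: str
    product: str          # e.g. "OWA", "IIS", "SolarWinds Orion" (assumed field)
    version: str = ""     # dotted version string, may be empty
    ports: tuple = ()     # TCP ports the inventory says are internet-exposed


def parse_version(v: str) -> tuple:
    """Turn '15.2.659' into (15, 2, 659) so comparisons are numeric.
    Non-digit suffixes such as '659a' are stripped; missing parts count as 0."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_most(v: str, limit: str) -> bool:
    """True when v is the same as or older than limit (numeric, padded compare)."""
    a, b = parse_version(v), parse_version(limit)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a <= b


OWA_OLD_LIMIT = "15.2.659"   # cutoff cited in the report for Outlook Web Access
RDP_PORT = 3389              # standard RDP port; exposure is what the report counts


def flag_asset(asset: Asset) -> list:
    """Return the report findings this asset matches (empty list if none)."""
    findings = []
    product = asset.product.lower()
    if "solarwinds" in product:
        # The report's finding is version-specific; here any exposed SolarWinds
        # install is surfaced for review rather than judged by version.
        findings.append("SolarWinds exposed to the internet")
    if product == "iis" and parse_version(asset.version)[:1] == (6,):
        findings.append("IIS 6 (unsupported by Microsoft)")
    if product == "owa" and asset.version and version_at_most(asset.version, OWA_OLD_LIMIT):
        findings.append(f"OWA {asset.version} (<= {OWA_OLD_LIMIT})")
    if RDP_PORT in asset.ports:
        findings.append("RDP exposed to the internet")
    return findings


def triage(inventory) -> dict:
    """Map host -> findings for every asset that matches at least one finding."""
    return {a.host: f for a in inventory if (f := flag_asset(a))}


# Constructed sample inventory (not real hosts or real data).
SAMPLE_INVENTORY = [
    Asset("mail.example.test", "OWA", "15.2.659", (443,)),
    Asset("mail2.example.test", "OWA", "15.2.1000", (443,)),
    Asset("web.example.test", "IIS", "6.0", (80, 443)),
    Asset("jump.example.test", "Windows Server", "", (3389,)),
    Asset("noc.example.test", "SolarWinds Orion", "2020.2", (443,)),
    Asset("www.example.test", "nginx", "1.18", (80, 443)),
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_INVENTORY).items():
        print(host, "->", "; ".join(findings))
```

Running the block prints one line per flagged host; www.example.test and mail2.example.test (OWA 15.2.1000, newer than the cutoff) produce no findings. The same structure extends to any other exposure rule a team wants to track: add a branch in flag_asset and the inventory triage picks it up.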
Prioritizing by vulnerability severity is no longer an effective security strategy.
Security leaders are seeking out solutions to better secure their attack surfaces. With cloud migration and the work-from-home boom dramatically increasing the number of exposed assets, existing security strategies, like vulnerability management (VM), can no longer keep up. In fact, more than half of security leaders acknowledge that vulnerability management isn’t as effective as it once was. With so many assets now exposed to the internet, it’s no wonder CISOs (like yourself) are struggling to know what their teams should prioritize first. The fact is that complexity is the attacker’s friend and the defender’s foe. For every 1,000 assets on an attack surface, there is often only one that’s truly interesting to an attacker.
Enter the emerging market of attack surface management (ASM). Over the past two to three years, ASM emerged as a new way to assess risk and identify assets on an attack surface. Done right, an ASM tool should help you prioritize what to secure first based on the attackability of an asset, expose shadow IT, identify misconfigurations, and deeply integrate with your other security solutions.
We are always looking to provide the security community with more insight into the attacker’s perspective. Attackers search for the path of least resistance that will get them to their goal. They must operate within limited budgets, and their technical capabilities have an upper bound — they are not magicians. Their objective is to find the most attackable assets as quickly as possible. There’s a bit of an equation that goes into deciding what an attacker will go after on your attack surface. It’s not as simple as asking: “How critical is this CVE?” Security teams are constantly focused on building a bigger castle to keep out intruders, but hackers don’t see walls. All attackers see is a personal cost of time and effort. CISOs who start to think through what’s possible for an attacker will get closer to reducing their attack surfaces.
No system will ever be fully secure, but limiting the information attackers can get their hands on out of the gate goes a long way toward taking the wind out of their sails. We find that an organization dedicated to the security fundamentals is significantly harder to breach than one with lots of security technologies sloppily deployed.
Prioritize securing the most valuable resources by keeping them behind layered defenses — so that it takes multiple individual failures to really do damage. Good old-fashioned network segmentation and defense in depth will get better results than what you’re getting today.
The Defender’s Steps to Take
- Find an attack surface management partner who can help you get a handle on what your perimeter looks like and give you the likelihood of attack. Randori offers an ASM solution that includes Temptation Scores, helping you determine what’s most critical to fix first.
- Reduce your attack surface. Take things offline that don’t need to be there, or disable functionality that you don’t use—minimize its features.
- Make the assets on your perimeter as opaque as possible. Much of this is configurable and lowering outside visibility is an easy way organizations can increase the cost or risk to an attacker. A good ASM product can also help with this. Its black box discovery can continuously find and identify what’s on your perimeter.
- Stress test your overall security posture with a red team — see if they can uncover an easy-to-exploit asset.
- Triple secure your important assets. This is where creating a strong DMZ around critical assets is crucial. Add logging/monitoring, WAFs, a secondary firewall, or segmentation to any critical asset on an attack surface.
- Treat appliances like you might treat any other asset you know is a risk. Appliances and IoT are endpoints — not just your desktop systems. Do not settle for the configuration the manufacturer sets as default. Deploy firewalls, WAFs, logging, and segmentation on assets your program deems high risk — and that should include embedded devices, security appliances, VoIP phones, etc.