Through the Eyes of the Adversary: Moving Beyond the External Attack Surface

It is a well-known fact that the pandemic was a catalyst for our society’s digital transformation. In the last few years, we have come to rely on an ever-expanding pool of technologies and services that include more digital channels and increasingly complex security management.

As a result, organisations’ attack surface continues to grow exponentially. Be it through misconfigurations, risky corporate user behaviour, third-party suppliers, or the ever-increasing number of software vulnerabilities, the expansion and evolution of business networks introduce greater cybersecurity risk. In response, organisations need to move from a purely reactionary security strategy to being more proactive. The attack surface must be seen and understood from the perspective of an adversary.

The cybercriminal underworld has become increasingly sophisticated, building an economy of its own, with a web of vendors, investors, suppliers and buyers. One of the core service providers within this economy is the Access Broker. These are the middlemen whose job it is to search for entry points to organisations and sell them on, making it easier than ever for cybercriminals to buy their way into an organisation’s network. Once an initial foothold is obtained, adversary’s can immediately begin to perform reconnaissance of the organisation’s internal attack surface.

Assuming the worst, that a breach of the internal network is inevitable permits organisations to make a subtle shift in mindset that transitions them from a purely defensive and passive strategy to an active and preemptive framework for risk reduction. This enables them to view the risk to their internal and critical assets from the perspective of the adversary.

Traditionally, security assurance activities such as red teaming and penetration testing have been used to provide an adversary’s view of the organisations network and system weaknesses. While such activities will always be valuable, they do suffer from some obvious limitations. Both activities are point-in-time and therefore only provide a snapshot of the organisations security posture. Additionally, the outcomes of both activities are directly related to the competence of the individuals performing them. This is particularly important where organisations use multiple vendors to perform such activities across large estates, leading to inconsistent results.

To overcome these limitations a new strategy needs to be employed; one that monitors, identifies, measures and reduces the risks of a growing attack surface continuously and consistently.

Automated attack path analysis can be used to identify all the attack vectors that could be leveraged by an adversary to create paths to the organisation’s critical assets. Such analysis is performed continuously and consistently by deploying sensors to endpoints across the organisation’s internal workstation and server estate. By keeping an open mind as opposed to having a specific goal of getting from A to B, we can better understand the numerous routes and techniques an adversary might adopt.

Once the attack paths have been discovered and prioritised in terms of the risk they pose, the most efficient way of disrupting them can be provided – fixing weaknesses at the crossroads of multiple attack paths can disrupt multiple attack paths with a single fix.

This approach allows us to enhance the red team’s capabilities while making them more efficient. Instead of sending them on a wild goose chase, we can offer a map of all the attack paths as well as the security controls already in place. Then, leverage the skills of the red team to test those specific controls by seeing if they can manually bypass any of them. This creates the perfect opportunity for synergy between humans and technology: the machines do the work of assimilating data at scale to provide visibility, and the humans step in to do what they do best, which is to think laterally.