Seasoned security professionals know that while zero-days get the headlines, the real problems always come from the dozens of small decisions made every day inside an organization. Just one accidental misconfiguration can create a crack in defenses. So the Cortex® Xpanse™ research team looked at 2021 data (from the beginning of March to the end of September) from 100+ organizations spanning multiple industries, mapping their unmanaged attack surfaces to develop the 2022 ASM Threat Report.
Opportunistic attackers have begun to rely on these accidents and misconfigurations, because it has become easy and inexpensive to find vulnerabilities, exposures and other unknown open doors. Even lower-skilled attackers can put together scanning infrastructure to perform a rough scan of the internet and uncover assets ripe for compromise.
Some may even take a shot at breaching that exposure, but far more enterprising attackers sell this scan data on the dark web to bidders who can then launch more sophisticated attacks. Defenders can gain a great advantage from having an attacker’s view of their attack surface.
To perform a deeper analysis, the researchers considered a sample of Common Vulnerabilities and Exposures (CVE) data from January to February 2022 covering vulnerabilities that had known active exploits in the wild and were highlighted in key federal cybersecurity advisories.
These are some of the key findings from the 2022 ASM Threat Report, based on observable data from 100+ organizations and not self-reported surveys:
If you don’t know where exposures live, it’s impossible to ensure issues are remediated. For many organizations, the cloud and RDP are going to remain persistent issues for attackers to target, but the constellation of exposures and vulnerabilities on your attack surface will only continue to grow as attack surfaces become more complex.
Attackers thrive on the complexity and ever-changing nature of attack surfaces because they can scan the entire internet looking for those weak points. With an attacker’s point of view, organizations can identify and prioritize issues for remediation. This also means that focusing on metrics like mean time to detect (MTTD) and mean time to respond (MTTR) is inherently flawed.
In the case of a breach, MTTD and MTTR are acceptable measures, but security teams should focus on doing all they can to prevent breaches before they happen. That means placing more weight on mean time to inventory (MTTI), because it is impossible to secure unknown assets and unknown exposures.
Modern attack surfaces are dynamic. Without clear visibility that is constantly updated, it is all too easy to have persistent exposures and unmanaged assets. Security practitioners can only be as good as the data they have, so having a strong foundation of continuous discovery and monitoring ensures you can keep up with modern, dynamic attack surfaces in order to find, prioritize and mitigate exposures as they arise.
To learn more about other critical findings on the unmanaged attack surface, based on observable data from 100+ companies, read the 2022 Cortex Xpanse Attack Surface Threat Report.