Organisational Attack Surface - The Attacker's Perspective

Michael Ness
CEO, Founder
October 4, 2022


Recently there has been a lot of hype around Attack Surface Management (ASM). This concept has been around for years, but the importance of it has come to light only lately. An organisation's attack surface includes anything that belongs to the organisation that an attacker can target and leverage. Due to the sensitive nature of this, it could be assumed that companies:

• Readily monitor this.
• Know exactly what their risk appetite is.
• Know how it changes over time.
• Make an effort to control this very tightly.

In reality, for the majority of organisations, the opposite is true. They often have yearly penetration tests, work towards cyber security compliance certifications, spend money on vulnerability scanners and infrastructure management tooling - and yes, these are all things that should be invested in - but assuming that these alone are going to protect you from attackers over time is a naive viewpoint.

If you ask these organisations if they can readily produce a list of their assets from an attacker's perspective, the answer is often no - and even if they can, it is often a huge effort to maintain, as it is ever-changing. What is often overlooked is that understanding your organisation's risk as an employee is one thing, but being able to view this through the eyes of an attacker is another.

Bug bounty is the prime example of this - where large organisations with huge, well-funded security teams, using a plethora of tooling, are consistently hacked by talented communities of ethical hackers. A big shout out to Bugcrowd, HackerOne and Intigriti, who provide great examples of just how powerful an attacker's perspective can be through their bug bounty communities. The constant research by ethical hackers on these ever-evolving organisations frequently drums up new vulnerabilities and security pitfalls that may have gone unnoticed internally. The ethical hacker's perspective helps to identify these threats, and allows organisations to prevent cyber attacks that may have occurred if malicious attackers had uncovered the vulnerabilities first.

I personally believe that the ideal solution to ASM is achieved through a mix of Bug Bounty and a managed SaaS solution that continuously indexes your attacker-exposed assets.

• Bug Bounty: For a wider community to test company assets, looking for more specific deep-rooted vulnerabilities.

• SaaS: To perform many different analyses on the data it collects about organisational assets, and provide risk-based insights across many different formats.

These insights can range from easy-to-identify misconfigurations or vulnerabilities within the assets, to identifying outdated technologies, and even mapping your assets to the associated cloud infrastructure. It should do this on a continuous basis, identifying any changes over time and keeping you in the loop so you can take action and secure your organisation as it grows.

Introducing Overcast ASM

Overcast Security is an attempt to bridge this gap by allowing companies to look at their organisation through an attacker's lens, and was formed as a result of my experience as a bug bounty hunter on Bugcrowd, HackerOne and Intigriti. The core product was originally built to identify misconfigurations and vulnerabilities at scale across both web and network assets. It also provided valuable insights into how a company's infrastructure is set up, the tech stacks they use, and many other factors often considered when conducting recon on an organisation. Below, you can see an example asset inventory that was discussed in the introduction and the data associated with these assets.

The core Overcast product has encountered success within the bug bounty space by identifying bounty-eligible vulnerabilities, but I believe that there is a better, more flexible use case than just identifying these vulnerabilities/misconfigurations in companies running bug bounty programs. Through storing, displaying and analysing this data, we give organisations the opportunity to see the same insights as attackers, on-demand. The metrics below are just some useful examples of the attacker-based insights the platform generates, and these can be analysed to see how they change over time.

Cloud Infrastructure View of Organisation Attack Surface

Understanding a company's cloud infrastructure is important, as it allows you to look for common misconfigurations of these assets, and also potentially allows for the escalation of bugs in this infrastructure.

Vulnerability View of Organisational Attack Surface

Understanding active vulnerabilities in your assets, rapidly identifying any new ones, and observing how - and in what manner - these are remediated, is essential for attack surface management. The image above shows how the Overcast platform allows you to view the vulnerabilities that exist in your organisation, and how quickly these are identified and remediated over time.

These are just some of the features provided within Overcast, but they best showcase how things can change over time, and highlight the power of being able to visualise this in a flexible manner. It is very easy to identify changes and abnormalities through these data visualisations within Overcast, and as discussed earlier, being alerted to these changes before attackers discover them is paramount in limiting your attack surface.


Overall, by switching lenses and looking at your organisation from an attacker's perspective, you will learn a lot - and it may often be scary to understand just how much detail they can observe about your organisation, if they approach it in a targeted manner. Monitoring your organisation's attack surface constantly with solutions like Overcast ASM to get these insights before attackers is key for managing your risk and organisational security. This combined approach of continuous ASM, as well as leveraging the powerful communities over at platforms like Bugcrowd, HackerOne & Intigriti, will help you identify any security issues before malicious attackers can.