Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Finally Finding the 'Unknown Unknowns' Across Your Entire Attack Surface

Finally Finding the 'Unknown Unknowns' Across Your Entire Attack Surface

CISOs dread the “unknown unknowns” – the assets, vulnerabilities, misconfigurations and system weaknesses that the security team hasn’t detected and thus hasn’t secured. These blind spots represent a golden opportunity for attackers – and a major security risk for organizations.

“Unknown unknowns.” It’s the answer I’ve heard most consistently from CISOs and other security leaders throughout my career when they’re asked: “What keeps you awake at night?” Most security programs are built to create broad visibility into the environment and identify where the organization is most at risk. With that insight, decisions can be made on how and where to best mitigate risk to reduce potential impact of loss to the business. In many ways, being a driving force within a risk management program is the core mission of any security effort. And while there are a number of tools and techniques that contribute to providing visibility, there is still a great deal of challenge around discovering and understanding the “unknown unknowns” and shifting them into the realm of what’s known. Once they’re visible and accounted for, security teams can leverage their risk decision-making engine and mitigate those risks like all the other known ones.

In recent years, we’ve seen two techniques in particular that are helping security teams close the gap on those “unknown unknowns”: External Attack Surface Management (EASM) and Attack Path Analysis (APA). Let’s discuss what these techniques are, why they’re becoming a critical part of a mature security program and how they help security organizations get their arms around their environment’s attack surface.

Attack surface management

One area that often hides “unknown unknowns” and that is particularly difficult to understand and manage is the externally-facing part of an organization’s infrastructure. Assets which are publicly and continuously accessible from the Internet are going to be the first things that an attacker will see and attempt to compromise, as they are expected to be connected to and even probed. Where this becomes a problem for defenders, though, is when there are assets out in the public space that they don’t know about. For example, there could be a leftover DNS entry, which could be hijacked by an attacker who intends to commit fraud with it, or a poorly secured server or web application that a well-intentioned developer has spun up as a test, but with the organization’s domain information. Typically, organizations have dozens of assets and services out there that security teams are not aware of – but attackers very likely are.

EASM technology specifically addresses this problem by continuously scanning and monitoring public-facing assets. These tools provide easy-to-digest searchability into whatever is found that is associated with an organization’s public assets (i.e., domain name, IP address space, etc.). Done right, EASM provides consistent, constant visibility into those public-facing assets, wherever and whatever they are. Anecdotally, when I have worked with organizations in my previous life as a consultant, EASM tools identify an order of magnitude more public-facing assets than most security teams believe they have. And with the rise of cloud infrastructure and environments, it’s easier than ever for developers, IT staff and yes, even the security team, to spin up new assets that may not be recorded or identified consistently. Leveraging EASM, though, means those potential attack vectors become known and steps can be taken to either bring them within the purview of the risk mitigation efforts or remove them outright from existence so they can no longer be maliciously utilized. It’s a powerful tool to shine a light into an area that’s very difficult to address without an automated toolset that can find, identify and organize Internet-exposed assets.

Attack path analysis

Now, if EASM can help identify the potential entry points for an attacker, then APA can identify which vulnerabilities, misconfigurations and other system weaknesses will likely be used to reach critical datasets and assets. At the most basic level, APA creates relationships between disparate types of security findings to pinpoint places that, unbeknownst to the security team, could be compromised, or areas where security controls can be circumvented to reach critical targets. Some SIEM tools and breach attack simulation (BAS) products attempt to identify these relationships between vulnerabilities , but their capabilities are either limited in scope or only replicate known attacks in static ways against a single vulnerability. However, APA technology approaches this from the bottom up, leveraging vulnerability assessment and exposure management efforts, which provide a more complete understanding of the configuration, vulnerability state and risk context for each asset. That way, APA tools can create a far better picture of the security posture of each asset and thus offer a more comprehensive view of the relationships between all of the data.

Think of it like this. If a nail puncture can cause a flat tire, then we know that there is a threat (nails) and a vulnerability (rubber is not impervious to punctures). We could use this information to test the other tires and confirm that there is a potential they’re also at risk from a nail puncture. But, if we tried to apply that same threat to other parts of the car, the analysis falls apart. The body of the car won’t suffer the same impact if a nail punctures the metal. The engine block might not even be damaged at all. Using a single threat and vulnerability type over and over again to assess the risk to the whole of the car doesn’t really provide meaningful information about what’s at risk and what could go wrong. 

But, what if we related different types of threats that related to each other? A nail puncture could cause a flat tire, and if the tire blows out completely, the car may ride on the rim long enough to cause structural damage to the suspension or braking system. If the car is old or hasn’t been properly maintained, the domino effect could continue unfolding, causing damage to the engine or cooling systems. In this case, we’re seeing different types of threats and weaknesses, but we’re able to relate them to each other to see how there could be a broader, systemic failure that stems from a single, initial threat.

This holds true in exactly the same way for the modern attack surface within our organizations. A public-facing asset might be compromised because of a misconfigured port, which then allows the attacker to launch a SQL Injection attack from that host against a corporate web application. The breached application in turn exposes data that allows the attackers to obtain a username and password that provides access to another host. From there, they can launch a broader attack against a known exploitable Windows vulnerability that gives them elevated administrative access, which can then be used to traverse the internal network to reach whatever critical assets the attackers might want. This is a truer picture of how attacks unfold. , To successfully defend against attacks, we must be able to understand the entire path and where one vulnerability type can lead to exploiting another, often completely different type of vulnerability. This is the key for deciding where to implement security controls that are quick to deploy and cost effective, so that we can close the holes in our defenses we didn’t previously know about. 

Defense-in-depth strategies have always been about layering security controls in a way that protects the assets and pathways we know about. APA surfaces the “unknown unknowns” of where an attacker is likely to strike and traverse through the environment, making those particular attack vectors “known knowns” and allowing teams to extend their controls to close those gaps. 

No more “unknown unknowns”

As environments get more and more complex, the potential for attack vectors that are “unknown unknowns” goes up exponentially. Leveraging our existing best practices for vulnerability assessment, configuration assessment and risk management to serve as the foundation for an analysis of the relationships between all of those findings arms security teams with an invaluable tool to protect their infrastructure, reduce the number of “unknown unknowns” and, hopefully, sleep a bit better at night.

Want more guidance about your security strategy? Check out Tenable’s 2021 Threat Landscape Retrospective, which provides a comprehensive analysis of last year's threat landscape that security professionals can use to improve their security right now, and view the webinar "Exposure Management for the Modern Attack Surface: Identify & Communicate What's Most at Risk in Your Environment and Vital to Fix First."

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web Application Scanning trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.cs Cloud Security.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable.io Container Security

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Try Tenable Lumin

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable.io Vulnerability Management, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable.cs

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now.

Your Tenable.cs Cloud Security trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.io Web Application Scanning.

Contact a Sales Rep to Buy Tenable.cs

Contact a Sales Representative to learn more about Tenable.cs Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

Try Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Promotional pricing extended until December 31st.
Buy a multi-year license and save more.

Add Support and Training