The cost of computing has become so inexpensive that a would-be attacker need only spend HK$100 (US$13) to rent enough cloud computing power to do an imprecise scan of the entire Internet for vulnerable systems.
From the surge in successful attacks, it has become apparent that adversaries are regularly winning the race and finding at-risk IT assets before defenders can patch new vulnerabilities.
In Hong Kong, it is hard to ignore the increasingly common first-hand experiences with breaches disrupting our digital lives, as well as the continuous flow of news reports from overseas chronicling the surge in cyber extortion.
The vulnerability management system most enterprises follow is not designed to cope with the modern reality of what is dubbed an “attack surface”.
V.S. Subrahmanian, director of the Institute for Security, Technology, and Society at Dartmouth College in the U.S. recently warned in a Wall Street Journal op-ed that “Cybersecurity Needs a New Alert System” and outlined flaws in the communication process for patches from vendors to customers. This, however, is only half the story.
In the past five years, attackers have perfected techniques that scale at speed. To identify new targets, scanners just need a target—usually a list of IPs or a specific vulnerability.
For attackers not using online tools, many scanners are open source. With a simple trip to GitHub, attackers need merely download a scanner, deploy it onto infrastructure, and off they go.
Remote Desktop Protocol is the main weakness
A Cortex Xpanse survey, conducted from 1 January to 31 March this year, identified the most common vulnerability as being related to Remote Desktop Protocol (RDP), use of which has surged since the beginning of 2020 as enterprises speed-up efforts to move to the cloud to support remote workers under COVID-19.
RDP’s top spot is particularly worrisome because it’s a key gateway for ransomware. The survey found constant RDP scanning for port 3389—reserved for RDP. Such scanning is often followed by brute-forcing credentials or basic credential cracking tools.
Worse, in the remote work environment, connecting from a personal device means it’s out of the security team’s control. This gap means most companies don’t have the right controls, and without visibility, attackers have the luxury of time to find and exploit RDP.
Organizations are moving to the cloud, and it is too easy for employees to spin up a cloud service outside of normal IT processes. Across cloud infrastructure providers like Amazon
Web Services (AWS), Microsoft Azure, Google Cloud, Oracle, Rackspace, and more, the survey findings show that organizations experience nearly four times the total number of critical issues for cloud infrastructure than they do for on-premises environments. Several factors contribute to the cloud’s significant risk.
- The cloud is harder to manage because it’s easy to deploy. Employees can set up in any cloud provider, oblivious to corporate policies that state otherwise.
The COVID-19 pandemic accelerated the growth of the cloud, which, most likely, won’t revert to old-school IT anytime soon – even in Hong Kong.
Cloud spending globally rose 37% to US$29 billion during the first quarter of 2020. According to Gartner, cloud spending rose to 19% in 2020, even as IT spending fell 8%.
- The cloud is constantly changing. Prior Cortex Xpanse research shows that, on average, companies add 3.5 new publicly accessible cloud services per day—nearly 1,300 per year.
Poorly provisioned cloud and on-premises might both be exposed on the internet, and enterprises are at risk in either case.
- CSP security may not suffice. Relying on only what the baked-in security cloud service providers (CSPs) include can be insufficient.
CSP tooling can provide basic vulnerability scanning and cloud security posture management capabilities, but it’s just the basics. For enterprises, it doesn’t provide the visibility or full-stack security that you would need to be cloud-native.
The attack surface and some recommendations
With intrusions becoming more sophisticated, enterprises must think harder about the attack surface. Digital transformation has turned enterprises inside out, creating numerous and frequently insecure backdoors into their network in the form of abandoned, rogue, or misconfigured assets.
Advancements in scanning technology made these backdoors easier to find and fundamentally changed how we think about the Internet and gathering information on it -- especially for hackers, who, by definition, are innovators and early adopters.
To counter these attacks organizations should focus on the basics.
- Gain better global Internet visibility: Implement a system of record to track every asset, system, and service owned that is on the public Internet, including across all major CSPs and dynamically leased (commercial and residential) ISP space using comprehensive indexing, spanning common and often misconfigured port/protocols (i.e., not limited to the old perspective of only tracking HTTP and HTTPS websites).
- In-depth attribution: Detect systems and services belonging to your organization using a full protocol handshake to verify details about a specific service running at a given IP address.
By fusing this information with several public and proprietary datasets, match the full and correct set of Internet-facing systems and services back to a specific organization.
With these in hand, then countering surface attacks becomes more manageable.