Recorded Future: Top five attack surface risks of 2023 

The brutal rise in cyberattacks is hitting small and mid-sized enterprises hard, with attacks on small companies rising 150% between 2020 and 2021. As organisations strive to strengthen their security, this article by cybersecurity veteran Esteban Borges and cybersecurity professional and threat researcher Gianni Perez lists the top five attack surface risks to watch out for in 2023.

In a bid to contend with this year’s most prominent cyberthreats, security teams everywhere have been forced to advance their understanding of what constitutes an attack surface.

The community’s typical response lies somewhere between a glaring redefinition of the traditional perimeter, one that accounts for the erosion or blurring of former demarcation lines, and the incidental yet insidious role of social engineering techniques that threaten to run aground any meaningful defensive posture.

Cyberdefence programs can be reactive and disappointing at times. The idea of an immersive, lessons-learned approach to security, in which we count it as success to assume we detect attackers faster than they can inflict damage, has gone ‘up in smoke’ in more ways than we care to admit.

And what better example than a recap of 2022’s top five cyberthreats, seen through the lens of Attack Surface Intelligence, to emphasise the importance of a unified solution that engages cyberthreats proactively and systematically before they become cyber incidents.

Here are the top five attack surface risks to watch out for in 2023: 

  1. Poor cyber hygiene 

Cyber hygiene is a broad topic with an equally large set of risk-assessment implications. Borrowing from the concept of personal hygiene in public health, it is foremost a foundational representation of years’ worth of empirical data and best practices around the suitable protection of digital systems and personal information. Unfortunately, for too many in the field, it is also a complex abstraction laced with implementation deficiencies and hidden strategic costs – which makes asset prioritisation a perennial subject of debate.

Some of the most striking examples of poor cyber hygiene include the failure to encrypt data when required, the mishandling and exposure of Tier 0 assets, or the incorrect implementation of access management policies. Adding to the complexity is the exposure of databases, vendor-supplied default settings and ports – which cyber actors can quickly sift out and turn into exploitation opportunities.

Poor or weak institutional cyber hygiene amounts to (essentially) self-inflicted damage, which speaks volumes about the reality that, without a properly functioning cyber hygiene program, these organisations expose themselves to a far greater number of threats than most.

  2. Incomplete asset visibility

Inaccurate or incomplete asset inventories can be considered the pinnacle of poor cyber-risk management. A recent CISA Binding Operational Directive makes plain why: a precise representation of assets is an essential precondition for any modern cyberdefence strategy.

Moreover, with the now-normal and growing presence of cloud-based services being rolled out and decommissioned at staggering rates, it becomes imperative to avoid the pitfalls that can quickly send your attack surface down an unmanageable path. After all, what is more dangerous than looming vulnerabilities, whether inherent or imposed, hiding in remote corners of your public-facing inventory without the slightest hint of visibility?

The overarching success of Attack Surface Intelligence lies precisely in its ability to put this kind of ‘shadow’ risk to rest once and for all, by taking into account cloud asymmetries beyond the simple collection of IP addresses and ports. With such emphasis on context and prioritisation, organisations can finally fill in the gaps on the road to successful remediation and prevention.

  3. Cloud misconfigurations

As the term implies, misconfigured cloud resources refer to the undisciplined administration of storage buckets, networking components or credential material, which ends up exposing highly sensitive information to attackers. In the Verizon DBIR’s parlance, this is where cybercriminals (opportunistic or not) continue to derive substantial profit; in fact, according to the latest report, up to 13% of all system breaches can be attributed to overly permissive entitlements across different cloud-based assets.

There are a handful of reasons why this happens. On the one hand, there is sheer misinterpretation of the shared responsibility model, leaving ample room for ambiguity in how security controls are implemented amongst all stakeholders. And lax security controls can only mean one thing: leaked credentials that allow unauthorised access to an even larger number of systems, leaving entire organisations utterly unaware of the extended risks. Add to this mix the pace at which we’re building, backed by poor engineering decisions, and the potential for misuse increases exponentially.

Additional concerns span the domain of containerised apps and their supporting runtime architectures, whose entire lifecycle can include security risks such as improper access rights at both the OS and application levels, ‘container escape’ scenarios due to network misconfigurations, or the subversion of software orchestrators leading to system-wide compromise.

Similarly, with the growing influence of DevOps and the emphasis placed on CI/CD processes, there is a sense of urgency in protecting these pipelines from security risks and neglect, namely the accidental exposure of sensitive credentials and secrets (often hard-coded and plainly visible) or the misconfiguration of code repositories leading to unauthorised access. Further analysis points to developer errors such as unsanitised code and other quality mistakes – increasing the likelihood of exploitation considerably.

  4. Exploited vulnerabilities

Almost no successful attack exists without some sort of intervening vulnerability, and 2022 is no exception when it comes to the active exploitation of an untold number of cross-cutting CVEs: from the now infamous Log4J (Log4Shell) and ProxyShell, a spillover duo from 2021, to the likes of Follina (CVE-2022-30190), as well as a handful of zero-days responsible for remote code execution and privilege escalation scenarios across organisations.

Customer-managed hardware and traffic-shaping appliances have also been at the forefront of the challenge. Recently, federal authorities released an advisory detailing three distinct Citrix Gateway and Citrix ADC vulnerabilities affecting specific network preconditions (e.g. SSL VPN), including an authentication bypass rated critical with a score of 9.8. Earlier this year, a similar CVE affecting publicly exposed F5 BIG-IP management interfaces had already shown signs of abuse by Chinese threat actors by the time the first patches were released.

In 2022, security researchers were notoriously busy discovering and disclosing a steady progression of high-impact vulnerabilities throughout the open-source ecosystem. For example, cases like CVE-2022-3786 and CVE-2022-3602 led to significant upheaval, given OpenSSL’s considerable reach within the cryptographic community. Proprietary technologies also had their fair share of high-severity CVEs. As we noted in a previous post, two distinct Microsoft Exchange vulnerabilities resembling the ProxyShell conditions caught organisations by surprise, spawning a frenzy of possible mitigations and threat-hunting exercises for contingency purposes.

Finally, we’d do well to heed CISA’s call to action by using its Known Exploited Vulnerabilities (KEV) catalogue, an extensive collection of today’s top exploited vulnerabilities (whether the exploitation was successful or merely attempted), available to every organisation for immediate download and consumption in a variety of formats. Some of these can take many hours to find through other technical means – so the KEV is an invaluable resource to have at hand.
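The asset-visibility and KEV points above meet in practice when an inventory is cross-referenced against the catalogue. The following is an added example, not code from the article or from Recorded Future: it parses a constructed KEV-style JSON excerpt (field names follow the published KEV schema, but the records, dates and the inventory are made up here) and ranks exposed assets by ransomware linkage and how far past the CISA due date they are; the vendor/product pairing on inventory records is an assumption.

```python
import json
from datetime import date

# Constructed KEV excerpt (not a real download); field names follow the
# published KEV JSON schema. CVE-2022-30190 (Follina) is a genuine KEV entry,
# but the dates here are illustrative. CVE-1900-0001 is a placeholder.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-30190", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2022-06-14", "dueDate": "2022-07-05",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor",
     "product": "ExampleGateway", "dateAdded": "2022-12-01",
     "dueDate": "2022-12-22", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory: one record per internet-facing asset.
# Assumes each record carries the vendor/product pair that KEV keys on.
INVENTORY = [
    {"host": "vpn-gw-01", "vendor": "examplevendor", "product": "ExampleGateway"},
    {"host": "fileshare-02", "vendor": "Microsoft", "product": "Windows"},
    {"host": "db-03", "vendor": "PostgreSQL", "product": "PostgreSQL"},
]

def load_kev(raw):
    """Index KEV records by (vendor, product), matched case-insensitively."""
    index = {}
    for v in json.loads(raw)["vulnerabilities"]:
        index.setdefault((v["vendorProject"].lower(), v["product"].lower()), []).append(v)
    return index

def match_inventory(inventory, kev_index, today):
    """Return (host, cveID, days_past_due, ransomware_linked), most urgent first."""
    hits = []
    for asset in inventory:
        for v in kev_index.get((asset["vendor"].lower(), asset["product"].lower()), []):
            overdue = (today - date.fromisoformat(v["dueDate"])).days
            hits.append((asset["host"], v["cveID"], overdue,
                         v["knownRansomwareCampaignUse"] == "Known"))
    # Ransomware-linked entries first, then the most overdue
    return sorted(hits, key=lambda h: (not h[3], -h[2]))

def report(today_iso="2023-01-15"):
    """Convenience wrapper: inventory hits as of the given date."""
    return match_inventory(INVENTORY, load_kev(KEV_JSON), date.fromisoformat(today_iso))

if __name__ == "__main__":
    for hit in report():
        print(hit)
```

A negative days_past_due value means the CISA remediation deadline has not yet passed; the asset with no KEV match (db-03) is simply absent from the output.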

  5. Remote workers

Recognisably, the year 2020 marked the definitive transition to a new work paradigm bustling with hybrid and fully remote alternatives, with the safety net that the office once provided effectively fading under the new banner of flexibility.

In the past, we’ve alluded to the technical and organisational challenges facing businesses when an important part of the workforce goes mobile. For example, we’ve explored the dangers to privacy and confidentiality posed by public Wi-Fi and similar unprotected networks, the risks presented by exposed RDP endpoints, and the role of financially motivated APT groups in targeting small office/home office (SOHO) routers for botnet-like purposes.

Lastly, with the welcome addition of ‘bring your own device’ (BYOD) alternatives and the use of personal accounts in support of this model, cybercriminals are well placed to use known techniques to subvert corporate security protections. In a recent case, a Cisco employee whose Google account had been compromised granted unfettered VPN access to a cadre of ransomware groups in a series of attacks that let these cyber gangs establish a strong foothold on the internal Cisco network.

Final words 

Undoubtedly, corporate information and technology services across the globe are currently under a wave of cybercrime. Compounding the problem is the ever-increasing availability of a veritable arsenal of exploit and attack tools at the disposal of practically everyone, forcing organisations to redouble their efforts to minimise repercussions on a broader scale.

But whether the threat comes from the human side or the computing side, the reality is that, as the attack surface widens in both scope and complexity, cybercriminals remain disproportionately ahead of the game in terms of organisation and resources, a technical slant now famously accounting for the bulk of advanced threats worldwide.

Intelligent CISO