Organizations spend a lot of time and money on penetration tests and “red team” exercises to identify which vulnerabilities attackers will use to get into the network and to figure out what the attackers will do afterward. Gaining insights into what attackers are most likely to do helps defenders adapt their security decisions appropriately, said Brian Hazzard, CEO and cofounder of security startup Randori.
Randori provides red teaming-as-a-service via its Randori Attack Platform so enterprises can test their defenses with real exploits and attack techniques in a safe environment. The company’s Recon product helps organizations find vulnerabilities in their environments, while Attack tests real exploits against production systems to see how they would fare in a real attack. Randori’s Target Temptation engine, which launched last week, helps identify the assets attackers are most likely to target.
The Target Temptation engine tells an organization how the attacker sees their infrastructure, which encompasses internet-accessible systems, as well as other services — including third-party services and tools. The assets are ranked by “attackability,” or the likelihood an attacker would want to try to compromise them. This is different from asset inventory, which provides the organization with an internal view of what it has, and vulnerability management, which identifies what is vulnerable.
“For every 1,000 exposed assets, there is often only one that’s truly interesting to an attacker,” Hazzard told VentureBeat.
Thinking like an attacker
It’s important to realize that asset management and attack surface management look at the infrastructure from different directions.
“Customers have one view of their infrastructure, but the reality is that the attackers are seeing a totally different view,” Hazzard said.
Attackers also care about their return on investment (ROI). They don’t want to waste time targeting systems that are well-defended or won’t lead to something worth stealing. They look for published proofs-of-concept and exploits because that is cheaper than developing their own attack tools. They will also put more effort into targeting platforms that are widely used. Attackers typically don’t go where the organization is defending, Hazard said.
“First thing you want to do when you get your hands on a security program is to know what you have,” Lionbridge chief trust officer Doug Graham told VentureBeat. “It’s important to know, ‘What does the world see when they look at Lionbridge?’”
What is “attackability”?
There are certain properties attackers look for in a potential target: what useful information the attacker would be able to see about the target (enumerability), how valuable the asset is (criticality), whether there are any known vulnerabilities or published proofs of concept (weakness), how well-defended the asset is (post-exploitation), how long it would take to develop an exploit (research), and the ROI for doing so (applicability).
“Things that make a software interesting are not always related to vulnerabilities,” Randori cofounder and CTO David Wolpoff told VentureBeat.
This is what makes Target Temptation useful. Instead of defenders using severity scores to decide which vulnerability to fix or trying to figure out the firewall rules to protect all their internet-facing systems, organizations can focus on assets that are most likely to be compromised.
“The combination helps [the organization] figure out what to do next,” Wolpoff said.
Some targets are juicier than others because of where they lead. “I am always going to be interested in a VPN,” Wolpoff said, noting that he also pays attention to remote access technology, credential stores, and authentication systems. Compromising these types of components potentially opens up paths to go deeper into the network.
“There is a thing in your perimeter that draws my interest. All things equal, you better have defenses around it,” Wolpoff said.
Graham can see everything Randori found in Lionbridge’s environment, and any asset the security team doesn’t recognize is treated as a “risk event” to investigate. The unknown asset may be the result of an incomplete asset inventory, a case of shadow IT, or an unknown system set up by an attacker. Lionbridge found vulnerable assets shortly after signing on with Randori and was able to promptly address the issue, Graham said.
The value of a platform like Randori should not be measured in terms of time saved or breaches prevented, but rather reducing attack surface, Graham said. “We measure our attack surface. What’s the vulnerability? What’s the target temptation? What is the priority?” he said. “Can I find a way to shrink that target?”
Graham said he has three questions when hearing about a new vulnerability or an attack: “Do I have it [the affected system]? Is it vulnerable? And is it accessible to the internet?” The answers to those questions shape how he would respond to the executive team when they inevitably ask what is being done.
“When [the CEO] sends me an email and he says, ‘What are we doing about this?’ I can say, ‘We know about it, and we’re not vulnerable’ or ‘We’re going to jump on it, and we’re going to solve it immediately,’” Graham said.
For example, if a vulnerability becomes public, Randori would notify Lionbridge of the fact that it’s present in the company’s environment. But because Randori uses real exploits to test the environment to find weaknesses in the network and provides mitigation controls to fix those issues, the company may already have the controls in place and not actually be vulnerable. Or Randori may provide information about additional controls needed to address the issue.
“The difference for me is between a ruined day chasing the latest brand-name vulnerability and just another routine day,” Graham said.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact. Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:
- up-to-date information on the subjects of interest to you
- our newsletters
- gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
- networking features, and more