Managing and Mitigating Risk From Unknown Unknowns



Modern IT environments are purposefully designed to be dynamic, evolving organically via factors such as cloud computing, Internet of Things (IoT) devices, and, for many organizations, via mergers and acquisitions and supply chain business relationships. While enabling greater business efficiency and effectiveness, infrastructure and data are often added ad hoc without looping in the IT team or adhering to organizational security policies. The result is unmanaged or unknown infrastructure within the technology ecosystem, which introduces hidden risk.

Most security teams will acknowledge a lack of visibility in this dynamic environment. Whether it is credentialed access or missing agents, it is common to have a gap in visibility. However, unknown unknowns present an even more significant visibility challenge in most organizations.

What Is an Unknown-Unknown Asset?

Let's start by defining what we mean by unknown unknowns: assets of which the security and IT teams have no awareness. Unknown unknowns can be introduced in a multitude of ways. For example, well-meaning developers with the ability to provision cloud resources on a personal credit card can spin up new database instances.

Consider capable contractors who can spin up their own infrastructure but neglect to restrict access to the code on GitHub. Or the business partners (third- and Nth-party suppliers) that aren't accounted for in the extended enterprise ecosystem. Mergers are another common way that "unknown unknowns" are introduced, when the often outdated list of IT infrastructure does not match the current reality of the infrastructure state.

With supply chain compromise on the rise and increasing organizational sprawl, how can organizations manage and mitigate risk from unknown unknowns?

Closing Attack Surface Visibility Gaps

To solve for unknown unknowns, security teams need to establish mechanisms and processes to maintain an up-to-date inventory of all known assets associated with their organization and of the vulnerabilities that threat actors can use as entry points into the network. The more that is known about the organization, the more information there is to perform an active and continuous search for unknowns, and the fewer unknown unknowns remain.

Below are five practical steps to closing visibility gaps:

  1. Enumerate and continuously monitor the asset inventory: Create a process and workflow for continuous asset discovery that delivers a complete inventory. Assets include internal and external resources, cloud resources, employees, and the supply chain. Externally accessible assets are often targeted by threat actors for initial access (MITRE T1190) by exploiting known vulnerabilities. In situations where a zero-day is disclosed, the security team can leverage the inventory to answer these questions: "Do we have that technology in our ecosystem and, if so, where?" and "Are we running the vulnerable version of the technology?"
  2. Determine ownership of assets: Attribution plays a huge role in providing relevant information to the security team. Receiving a list of assets that may or may not be owned by your organization will slow down the team as they triage false positives (out-of-scope assets). At the onset of asset discovery efforts, the inventory should be audited to determine what is directly managed vs. under a shared security model (where management of the asset is outsourced to a provider, such as a cloud service or SaaS provider). Management becomes easier over time as a security team establishes a baseline understanding of asset ownership.
  3. Enrich assets with intelligence to identify and prioritize critical and high-severity issues: The faster vulnerabilities are identified, the faster the security team can respond. Indicators of compromise (IoCs) and Dark Web monitoring can inform a security team of malicious activity involving the brand or an asset. Analysis based on incident response and adversary research can help defenders respond and prioritize appropriately based on how a vulnerability is being leveraged and the impact of exploitation. Recommended sources include the NIST National Vulnerability Database (NVD), CISA's Known Exploited Vulnerabilities catalog, and intelligence feeds from the private sector.
  4. Remediate and harden at scale: Prioritizing remediation and hardening efforts on the entry points that present the most risk to the organization is key to mitigation strategies. Critical and high-severity security findings should be investigated and remediated immediately. Over the medium and long term, the security team needs to be aware of and monitor for lower-severity vulnerabilities that are often ignored but can be used in tandem with easier-to-exploit vulnerabilities. Assign responsibility for the lower-priority items and set expectations for quarterly reporting on progress.
  5. Regularly review assets for unknown unknowns, and integrate your findings into steps 1–4: Information is only valuable if it is used. As more data is collected about an organization's attack surface, the information needs to be distributed to the appropriate teams within the organization and incorporated into the operational workflows across the security operations center (SOC) or intelligence group. For example, the SOC team can leverage the latest information about potentially compromised devices to take specific threat-hunting actions and then implement mitigation strategies.
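The following is an added example illustrating steps 1 through 4 in working code; it is not code from the article or from Mandiant. It takes a small asset inventory (step 1), flags assets whose ownership has not yet been attributed (step 2), enriches matches with a constructed stand-in for NVD-style severities and a known-exploited catalog such as CISA's KEV (step 3), and orders remediation so that known exploitation and external exposure outrank raw CVSS (step 4). It also answers the two zero-day questions from step 1. All hosts, technology names, versions and the `CVE-EXAMPLE-*` identifiers are constructed placeholders, not real data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Asset:
    host: str
    technology: str
    version: str
    owner: Optional[str]   # None: ownership not yet attributed (step 2)
    external: bool         # reachable from the internet (initial-access target, T1190)

# Constructed sample inventory (output of step 1); all names and versions are made up.
INVENTORY = [
    Asset("www.example.test", "webfw", "2.1", "platform-team", True),
    Asset("api.example.test", "webfw", "2.3", "platform-team", True),
    Asset("db-01.internal.test", "dbms", "11.0", "data-team", False),
    Asset("shadow-db.cloud.test", "dbms", "10.4", None, True),   # unknown unknown found by discovery
    Asset("vpn.example.test", "vpngw", "7.2", "netops", True),
]

# Constructed vulnerability intelligence (step 3): placeholder identifiers, not real CVEs.
VULNS = {
    "CVE-EXAMPLE-0001": {"technology": "webfw", "affected": {"2.1", "2.2"}, "cvss": 9.8},
    "CVE-EXAMPLE-0002": {"technology": "dbms", "affected": {"10.4"}, "cvss": 7.5},
    "CVE-EXAMPLE-0003": {"technology": "vpngw", "affected": {"7.2"}, "cvss": 4.3},
}
# Constructed stand-in for a known-exploited catalog such as CISA KEV.
KEV = {"CVE-EXAMPLE-0002"}

def match_vulns(inventory, vulns):
    """Pair each asset with every vulnerability whose affected versions it runs."""
    hits = []
    for asset in inventory:
        for cve, v in vulns.items():
            if v["technology"] == asset.technology and asset.version in v["affected"]:
                hits.append((asset, cve))
    return hits

def severity_band(cvss):
    """Map a CVSS base score to the usual qualitative band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"

def priority(asset, cve, vulns, kev):
    """Higher score means remediate first. Known exploitation and external
    exposure are weighted above raw CVSS (step 4). Weights are assumptions."""
    score = vulns[cve]["cvss"]
    if cve in kev:
        score += 10
    if asset.external:
        score += 5
    return score

def triage(inventory, vulns, kev):
    """Enriched, prioritized findings; unattributed owners are surfaced so the
    team knows which assets still need the ownership audit from step 2."""
    rows = []
    for asset, cve in match_vulns(inventory, vulns):
        rows.append({
            "host": asset.host,
            "cve": cve,
            "severity": severity_band(vulns[cve]["cvss"]),
            "known_exploited": cve in kev,
            "external": asset.external,
            "owner": asset.owner or "UNATTRIBUTED",
            "score": priority(asset, cve, vulns, kev),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)

def zero_day_check(inventory, technology, affected_versions):
    """Answer the two questions from step 1 when a new disclosure lands:
    do we run this technology at all, and where is the affected version?"""
    running = [a for a in inventory if a.technology == technology]
    return {
        "in_ecosystem": bool(running),
        "hosts": [a.host for a in running],
        "vulnerable": [a.host for a in running if a.version in affected_versions],
    }

if __name__ == "__main__":
    for row in triage(INVENTORY, VULNS, KEV):
        print(row)
    print(zero_day_check(INVENTORY, "webfw", {"2.3"}))
```

Run as-is, the top finding is the unattributed, internet-facing database instance running a version listed in the known-exploited set, which is exactly the kind of unknown unknown the article describes; the medium-severity VPN finding lands at the bottom but remains on the list so it can be assigned an owner and tracked, as step 4 recommends for lower-severity items.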

Managing and mitigating risk from known threats is challenging enough for already over-stretched security teams. By following the steps above, organizations can uplevel their attack surface management programs and gain greater visibility into potential risk within their extended ecosystem as well.

About the Author


Jonathan Cran

Jonathan Cran is head of engineering, Mandiant Advantage Attack Surface Management, at Mandiant and was the founder and CEO of Intrigue prior to its acquisition by Mandiant in 2021. An experienced entrepreneur and builder, he is passionate about delivering high-quality results and data-driven solutions, particularly when they require significant technical leadership. He is constantly striving to understand customers' challenges and deliver elegant solutions. His background includes hands-on experience as a security practitioner and leadership roles at companies such as Kenna Security, Bugcrowd, and Rapid7.
