Palo Alto Networks has released the 2021 Cortex Xpanse Attack Surface Threat Report, which highlights lessons in attack surface management from leading global enterprises.
The Palo Alto Networks Cortex Xpanse research team studied the public-facing internet attack surface of some of the world’s largest businesses to help enterprises. From January to March, they monitored scans of 50 million IP addresses associated with 50 global enterprises to understand how quickly adversaries can identify vulnerable systems for fast exploitation.
- Adversaries are constantly scanning for weaknesses in the public-facing internet attack surface of enterprises, in the cloud and traditional data centers. Attackers scan for vulnerable systems once an hour on a typical day, but this activity picks up dramatically when new vulnerabilities are disclosed.
- Scans started within 5 minutes after disclosure of the high-profile zero-day vulnerabilities in Microsoft’s widely used Exchange Server.
- Scans started within 15 minutes after most vulnerabilities were announced.
- Global enterprises are far behind the attackers. It takes weeks for such scans to begin.
- Vulnerabilities in the public-facing internet of global enterprises are widespread. One serious vulnerability turned up twice a day, or every 12 hours, in the global enterprises we studied.
- As global enterprises transformed their operations to support remote work, that created security gaps:
- 79% of observed exposures were in the cloud, compared to 21% for on-premises data centers.
- Nearly one in three vulnerabilities uncovered were due to issues with Remote Desktop Protocol (RDP), whose usage has soared to enable remote work. It can provide direct admin access to a server, which makes it one of the most common gateways for ransomware.
Concerns about digital transformation introducing security gaps not only proved grounded but also understated the impact.
In reality, digital transformation has realigned the risk equilibrium in the attacker’s favor. Most tools in IT and security’s arsenal—namely asset and vulnerability management—focus on evaluation but not discovery. In other words, these tools manage known assets while remaining blind to unknown ones. Worse yet, the common methods of discovering unknown assets—such as pen-testing—take place on a quarterly basis.
These programs should start with the basics:
- Global internet visibility: Implement a system of record to track every asset, system, and service you own that is on the public internet, including across all major CSPs and dynamically leased (commercial and residential) ISP space using comprehensive indexing, spanning common and often misconfigured port/protocols (i.e., not limited to the old perspective of only tracking HTTP and HTTPS websites).
- In-depth attribution: Detect systems and services belonging to your organization using a full protocol handshake to verify details about a specific service running at a given IP address. By fusing this information with a number of public and proprietary datasets, match the full and correct set of internet-facing systems and services back to a specific organization.