About a month ago, I wrote a blog about how COVID-19 was driving rapid and dynamic changes for CISOs. I followed this up with a second blog, detailing a number of subsequent cybersecurity phases CISOs are now pursuing to assess and mitigate COVID-19-based cyber risks.
Both blogs describe some fundamental problems. Corporate cybersecurity now extends to home networks filled with insecure IP devices with little or no security protection whatsoever. Meanwhile, hackers are exploiting societal malaise with online scams, rogue websites, and phishing campaigns preying upon COVID-19 paranoia. A recent article in the Washington Post described research from Palo Alto Networks identifying more than 2,000 malicious COVID-19 web domains and another 40,000 it classifies as “high risk.”
So, work from home (WFH) initiatives have greatly expanded the attack surface AND pivoted traffic away from corporate networks instrumented with tried-and-true security controls. CISOs are struggling to figure out what’s out there and whether they are vulnerable to a growing barrage of COVID-19 cyber-attacks.
What can be done? Just like COVID-19 itself, one way to address this situation is through testing, testing, testing. Rather than novel coronaviruses and antibodies, however, WFH security vulnerabilities can be assessed through new types of continuous automated penetration and attack testing (CAPAT) tools.
These tools are provided as a SaaS offering so there’s no onsite hardware/software to install and operate. While CAPAT tools weren’t designed for WFH explicitly, I believe that CISOs may find them to be helpful for addressing current COVID-19 challenges by:
- Mapping the attack surface. Cybersecurity teams aren’t sure exactly what’s on the extended network right now. Old insecure PCs? Chatty gaming systems? Mirai botnet infected video cameras? Discovering what’s out there is an important step as experienced red teamers often find lots of assets that cybersecurity teams don’t know about but are still responsible for. Some CAPAT tools address this visibility gap by discovering and mapping the attack surface – a good starting point for risk assessment and mitigation.
- Testing security controls. Organizations spend millions of dollars on endpoint security software, firewalls, and a potpourri of security controls sitting between the two. Do these things work? This basic question is worth pursuing – according to research from ESG and the Information Systems Security Association (ISSA), 38% of cybersecurity pros say that one of the main implications of the global cybersecurity skills shortage is that their organization cannot fully learn or utilize their security technologies to their full potential. Thus, an overworked cybersecurity staff can lead to human error and misconfigured security controls languishing on the network. CAPAT tools can help CISOs assess whether their defenses work and whether they would know about it if they failed.
- Pinpointing cyber risks. Armed with an attack surface map and CAPAT reports, CISOs can identify and address specific weaknesses with the right training, processes, and countermeasures. Yes, they do this already with penetration testing and red teaming exercises, but these tend to be expensive third-party services conducted once or twice per year. CAPAT tools replace costly service engagement with automation, providing a continual closed-loop cycle for risk assessment and mitigation.
- Supplementing existing security programs and technologies. CAPAT tools tend to emulate cyber-adversaries by breaking attacks into kill chains over time. Each CAPAT automated tactics, techniques, and procedures (TTPs) can then be mapped into the MITRE ATT&CK framework – a popular taxonomy that aligns security programs and tools to an ‘outside-in’ hacker perspective and timeline. I’ve also witnessed CAPAT tools used in conjunction with security information and event management (SIEM) and security orchestration automation and response (SOAR) tools to fine-tune correlation rules and incident response runbooks. Finally, as CAPAT tools expose system configurations issues, these vulnerabilities can be programmed into deception technologies used to fool enemies and capture valuable threat intelligence.
To be clear, CAPAT tools aren’t a panacea but they can help expose WFH blind spots by increasing attack surface visibility – as the old management principle states, "you can’t manage (or in this case, secure) what you can’t measure." Additionally, CAPAT tools can help security professionals "think like the enemy," another fundamental tenet of cybersecurity. Finally, CAPAT tools have the potential to democratize penetration testing and red teaming. While most organizations can’t hire and retain experienced FTEs in these areas, CISOs should be able to find affordable SaaS options.
There are a host of innovative CAPAT vendors out there including AttackIQ, CyCognito, Cymulate, Randori, SafeBreach, Verodin (FireEye), and XM Cyber, amongst others. Some focus on attack surface discovery, some test controls, and some automate red teaming. I believe CAPAT tools will ultimately become a key technology in the SOC arsenal.