Back

The Ins and Outs of External Attack Surface Management: What You Need to Know

Organizations need to proactively embrace the latest security strategies to protect against emerging risks. New, more advanced cybersecurity solutions are constantly developed to address core challenges in the industry. One of these new solutions, external attack surface management (EASM), entered the market in 2021 and is now starting to see increased adoption because of its ability to continuously discover, inventory, test, and prioritize known and unknown assets and exposures on a global external attack surface.

We recently had the pleasure of interviewing our guest Erik Nost, Senior Analyst at Forrester, during a webinar that explored external attack surface management in detail. Learn the key takeaways from the webinar and what to look for if you’re in the process of evaluating EASM vendors.   

How EASM complements external penetration testing 

Penetration testing is a mature cybersecurity solution and is more widely known than EASM today. However, many organizations still largely use penetration tests for compliance, essentially checking boxes because they have to. 

Threat actors thrive on this mentality.  

When penetration testing is approached with a compliance-first mindset for regulatory bodies and organization standards, tests are only completed a few times per year or less. Often no action is taken on the findings for months because of building the context and prioritizing which vulnerabilities need to be fixed first. 

On the other hand, organizations that are strategic about looking at penetration tests, red teams, and other control validation exercises to formally piece together a remediation puzzle achieve a stronger end state of security. EASM solutions help security teams keep pace with the rate of change in organizations today by offering continuous coverage of attack surfaces to find vulnerabilities as they arise. 

Pentesting is a priority that’s complemented by EASM with continuous discovery and prioritization of known and unknown assets and exposures. 

Watch Now: Breaking Down External Attack Surface Management (EASM) Featuring Forrester Analyst Erik Nost

Evaluating EASM vendors to make continuous pentesting a reality 

The responsibility of EASM often falls under security operations groups and vulnerability management teams rather than having team members solely responsible for EASM, such as an attack surface management analyst.   

These teams often have years of experience inventorying assets and identifying vulnerabilities, so they have a strong use case and the right experience to bring in an attack surface management solution. Vulnerability risk management (VRM) analysts, managers, and directors are the people who use ASM the most.  

Red teams and penetration testing teams are other groups involved in selecting and partnering with ASM vendors and can help develop plans to more rapidly discover assets to test and validate for any weaknesses or controls. If an organization has a threat intelligence team, an ASM vendor can also help build different types of threat modeling that they might want to look at to determine where the most risky exposures could be.

When evaluating and selecting an external attack surface management provider, organizations need to understand what the vendor brings to the table, including how they’re prioritizing risk and whether the approach matches their specific prioritization and remediation strategy. It’s also important to talk to potential ASM providers about how they can help supportcompliance and best practice frameworks. 

Looking ahead in EASM security 

The external attack surface management market has experienced a lot of mergers and acquisitions in recent years, with larger platforms that don’t have their own solutions buying up EASM providers. EASM may follow a similar path to vulnerability risk management (VRM), which has become a feature or solution as part of a larger platform offerings.  

Some standalone external attack surface management vendors may remain, but they will likely also include complementary features and capabilities to improve how organizations identify and protect against cyber threats. For the most part, as we see increased convergence of ASM, VRM, cloud security posture management (CSPM), continuous threat exposure management (CTEM), and other security solutions, EASM is likely to be one component in broader platform offerings in coming years.  

NetSPI’s approach to EASM 

Taking the time to evaluate and select an external attack surface management vendor is critical to finding a solution provider that aligns with your goals and brings proven experience. External attack surface management is gaining adoption because of its complementary role to pentesting. Think of EASM as continuous, always-on penetration testing with the ability to discover assets and monitor them at scale for real-time exposure alerts. All of this information is presented in prioritized order within a centralized EASM platform.  

Global organizations trust NetSPI’s Attack Surface Management (ASM) solution to monitor their external attack surfaces. Through a combination of our powerful ASM platform, global penetration testing experts, 20+ years of pentesting expertise, and comprehensive methodology, we can help your organization discover and address vulnerabilities before adversaries do.  

Learn more about NetSPI’s attack surface management solutions or request a demo.  

For more insights on external attack surface management, watch the full on-demand external attack surface management webinar with featured guest Forrester analyst Erik Nost.

ASM Freemium Scan Tool
Back

Dark Reading: As Social Engineering Attacks Skyrocket, Evaluate Your Security Education Plan

On February 27, NetSPI Director Patrick Sayler was featured in the Dark Reading article called As Social Engineering Attacks Skyrocket, Evaluate Your Security Education Plan. Read the preview below or view it online.

+++

Social engineering-based attacks are a popular form of security manipulation, with cybercriminals using this technique for 98% of attacks in 2022.

Social engineering can take many forms, including vishing (phone), phishing (email), and smishing (text). All have proven effective in infiltrating corporate networks. Social engineering attacks are so effective they’re even outsmarting some of the best cybersecurity experts. Just last month, threat actors targeted security enthusiasts by creating fake Twitter accounts and stores for the Flipper Zero, a penetration testing tool rising in popularity. One Twitter account even responded to users — making it appear legitimate.

One social engineering tactic that’s continued to hamper organizations over time is vishing, a phone-based attack that remains a successful, lucrative avenue for cybercriminals. This method is typically used to gain a foothold in an environment through a less-senior or new employee, often by the attacker posing as a help desk representative or another helpful internal resource.

Defensive Security Options

While many organizations understand the rise in social engineering attacks and the importance of education and awareness to prevent them, recent trends indicate a need for a more strategic approach. To kickstart a new defensive security plan designed specifically for social engineering attacks, give these practices a try.

  • Educate from the top down. Too often, we see organizations focused on educating newer employees. To have a real effect, organizations’ security training programs must start at the top and trickle down to the bottom.

This means including the C-suite, regardless of their tenure, in regular education training and curriculum. It’s not on one individual to stop social engineering attacks from happening. Rather, it requires leadership to recognize there’s an ongoing challenge and put precautions in place to remediate the issue. With senior leaders regularly making security a priority across the entire business, this will help all employees adopt a security-first mindset over time.

Read the full article at Dark Reading!

Back

Pentesting: The Forgotten HIPAA Requirement

Since the inception of the Health Insurance Portability and Accountability Act (HIPAA) in 1996, covered entities have had to navigate its murky waters. Those who fail to do so are penalized with hefty fines and requirements to adopt a corrective action plan. 

Last year, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) filed 22 HIPAA resolution agreements totaling over $1.12 million in settlement fines. In just the past two months, financial penalties have already surpassed that number, with two settlements totaling $1.27 million. This trend points to HHS becoming more stringent with its enforcement of HIPAA, a trend that could be driven by the increase in healthcare ransomware attacks and opportunistic nation state adversaries eyeing the industry as a key target. 

In my 25+ years working in cybersecurity, the majority of my time was spent in the healthcare industry, where I held roles such as HIPAA security officer, information security manager, health information technology director, and security auditor for several large health systems. 

In these roles, and still today, the HIPAA Security Rule has left me wanting more.  

The vague nature of the Rule leaves much of the compliance requirements up for interpretation. The Rule was written to ensure that healthcare organizations are doing what is necessary to protect ePHI – yet there is no explicit mention of penetration testing

HIPAA is notorious for telling security leaders what needs to be done to achieve compliance, without explaining best practices to get there. Let’s eliminate the gray area and examine penetration testing’s critical role in HIPAA compliance. 

What is HIPAA Penetration Testing? 

I will start this section off with a harsh truth: There is no such thing as a “HIPAA Penetration Test”. Though we often see the term used in marketing, pentesting has long been an unwritten component within the Security Rule. You can review the full Rule online here.  

The following items within the administrative safeguards section touch on security testing criteria: 

  • Standard 45 CFR 164.308(a)(1)(i): Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. 
    • Implementation specifications 45 CFR 164.308(a)(1)(ii)(A): Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. 
  • Standard 45 CFR 164.308(a)(8): Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity’s or business associate’s security policies and procedures meet the requirements of this subpart. 

Within this section, you will also find standards and implementation specifications around workforce security, information access management, security awareness training, and contingency planning. All of which can be evaluated and validated through a variety of offensive security engagements, such as pentesting, red teams, breach and attack simulation, or social engineering engagements

HIPAA does a great job highlighting the requirements clearly, without providing actionable steps to achieve compliance. To help, we put together a checklist to ensure your security testing program meets the needs of Security Rule. 

HIPAA Pentesting Checklist

  Continuous Penetration Testing

HIPAA requires “periodic” evaluations, particularly in response to environmental or operational changes. The rate of change in healthcare environments has increased exponentially over the years. Continuous pentesting can take form of more frequent tests enabled by a penetration testing as a service (PTaaS) delivery model, or through an attack surface management platform. As a rule of thumb, key moments of change could include version upgrades of software that houses ePHI or architecture changes. At the very least, perform penetration tests on a quarterly basis. 

  Risk Prioritization, With an Emphasis on Application Security

Are you targeting the applications that pose the greatest risk to your sensitive health information? A pentest that meets HIPAA standards should not stop at vulnerability discovery. Whether you are pentesting internally or working with a third-party partner, work together to identify which application pentests should be prioritized – and, more importantly, align on vulnerability severity definitions and remediation timelines based on your organization’s risk profile.  

  Validation of Security Controls

It is important to note that pentests can and should also be used to validate your security controls. Are your pentests alerting you to flaws and policy gaps within your identity and access management, threat detection, and other security controls implemented? Additionally, consider breach and attack simulation (BAS) platforms to help evaluate and improve the effectiveness of your detective controls. Learn about the top use case for BAS technology in this Gartner report.  

  Comprehensive Reporting and Historical Data

Standard 45 CFR 164.316(a) in the HIPAA Security Rule highlights the policies and procedures and documentation requirements. According to the standard, healthcare organizations must maintain a written record of each action, activity, or assessment. They also must retain documentation for six years from the date of its creation. Bonus points to pentesting partners who track and trend historical pentesting reports in a single platform. 

The Complete Guide to Healthcare Ransomware Attacks – Get Your Copy Today

The Relationship Between Pentesting and Privacy 

HIPAA and other privacy regulations (GDPR, FERPA, CPRA) are in place to protect data from being exposed to unintended recipients. To accomplish this, these regulations all require that an organization’s IT Infrastructure must be secure. 

As privacy regulations and standards have evolved, I’ve found that if you are compliant with PCI DSS and are HITRUST certified, it is likely you will be HIPAA compliant as well. Both are significantly more prescriptive and actionable than the HIPAA rules and can help you proactively secure ePHI. 

Securing an IT infrastructure involves many steps that we will not get into here, but instead will concentrate on how to ensure that an environment remains in a constant state of security. Regular and sometimes continuous penetration testing is the most effective way to provide continued assurance. 

Penetration Testing is used to identify how a hacker can gain access to an environment and provide an organization with a roadmap of how to address those vulnerabilities and findings. Pentesting does not inherently make you secure; it makes you aware of your security flaws. 

By conducting regular penetration testing, an organization can check that they have successfully remedied known issues and identify any new concerns due to new equipment, configuration changes, or even missed patches on software or hardware. 

A Proactive Approach to HIPAA Compliance 

Healthcare security and IT teams should approach HIPAA with a foundational mindset. The requirements outline what you should already be doing and thinking about on an ongoing basis.  

Mature healthcare organizations have comprehensive vulnerability management and pentesting programs in place. Pentesting is a powerful first step towards compliance – when done right. 

Be proactive, not reactive. Be a leader, not a pawn. 

NetSPI’s penetration testing solutions can help you chart a clear path to HIPAA compliance. Contact us today.

Back

NetSPI Appoints Scott Lundgren and John Spiliotis to its Board of Directors

Veteran security industry executives appointed to support offensive security leader’s next stage of growth.

Minneapolis, MN NetSPI, the leader in enterprise penetration testing and offensive security, today announced the appointment of Scott Lundgren and  John Spiliotis to its Board of Directors. The two veteran security industry executives will help support the company’s next stage of growth following a year of record momentum

“We’re honored to have Scott and John join our Board during such an exciting, pivotal time for NetSPI,” said Aaron Shilts, CEO of NetSPI. “Their proven track records of building and advising high-growth cybersecurity companies, combined with their passion for empowering the next generation of business leaders, will be invaluable as we continue to innovate and scale.” 

With over two decades of technology and security industry experience, Lundgren currently serves as the Chief Technology Officer at VMware Carbon Black. Having taken the journey with Carbon Black as a founding member, through IPO in 2018, and the VMware acquisition in 2019, he brings a long history of balancing technology requirements under the pressure of rapid business growth. Lundgren has a foundational understanding of offensive security, beginning his cybersecurity career penetration testing for the U.S. Air Force. 

“Penetration testing is an area of security that benefits from the underlying expertise of the team and the rigor in which the work is performed and communicated,” said Lundgren. “NetSPI has built an incredible team of offensive security experts, with a hands-on, customer-first approach that stands out in the industry. I look forward to being part of NetSPI’s growth story.” 

Spiliotis currently serves as a sales and go-to-market (GTM) advisor with NetSPI investor KKR. Prior to his advisory engagement with the global investment firm, he held several executive sales positions with high-growth technology companies, most recently serving as the Senior Vice President of Sales at Palo Alto Networks. Spiliotis also serves on the Board of Directors for ReliaQuest and is a GTM advisor for various other cybersecurity companies. 

“Two years ago, I was introduced to NetSPI through KKR’s Next-Generation Technology growth portfolio. Immediately, they impressed me with their momentum, energy, and value proposition,” said Spiliotis. “NetSPI has the right ingredients to continue achieving massive success. I’m honored to join the Board, where I’ll continue to help NetSPI maximize its opportunity and support employee development in the sales organization alongside the leadership team and my partners at KKR.” 

The Board appointments follow a string of notable company updates, with NetSPI recently announcing the acquisition of nVisium and the introduction of NetSPI Labs. For more information about NetSPI, visit www.netspi.com.

About NetSPI  

NetSPI is the leader in enterprise penetration testing and attack surface management. Today, NetSPI offers the most comprehensive suite of offensive security solutions – penetration testing as a service, attack surface management, and breach and attack simulation. Through a combination of technology innovation and human ingenuity NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. For over 20 years, its global cybersecurity experts have been committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, four of the top five leading global cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers and e-commerce companies, and 50 percent of the Fortune® 50. NetSPI is headquartered in Minneapolis, MN, with global offices across the U.S., Canada, the UK, and India. Follow NetSPI on Twitter and LinkedIn. 

Media Contacts: 
Tori Norris, NetSPI 
victoria.norris@netspi.com
(630) 258-0277  

Jessica Bettencourt, Inkhouse for NetSPI
netspi@inkhouse.com
(774) 451-5142 

Back

Pivoting with Azure Automation Account Connections

Intro 

Azure Automation Accounts are a frequent topic on the NetSPI technical blog. To the point that we compiled our research into a presentation for the DEFCON 30 cloud village and the Azure Cloud Security Meetup Group. We’re always trying to find new ways to leverage Automation Accounts during cloud penetration testing. To automate enumerating our privilege escalation options, we looked at how Automation Accounts handle authenticating as other accounts within a runbook, and how we can abuse those authentication connections to pivot to other Azure resources.

Passing the Identity in Azure Active Directory 

As a primer, an Azure Active Directory (AAD) identity (User, App Registration, or Managed Identity) can have a role (Contributor) on an Automation Account that allows them to modify the account. The Automation Account can have attached identities that allow the account to authenticate to Azure AD as those identities. Once authenticated as the identity, the Automation Account runbook code will then run any Azure commands in the context of the identity. If that Identity has additional (or different) permissions from those of the AAD user that is writing the runbook, the AAD user can abuse those permissions to escalate or move laterally.

Simply put, Contributor on the Automation Account allows an attacker to be any identity attached to the Automation Account. These attached identities can have additional privileges, leading to a privilege escalation for the original Contributor account. 

Available Identities for Azure Automation Accounts 

There are two types of identities available for Automation Accounts: Run As Accounts and Managed Identities. The Run As Accounts will be deprecated on September 30, 2023, but they have been a source of several issues since they were introduced. When initially created, a Run As Account will be granted the Contributor role on the subscription it is created in.  

These accounts are also App Registrations in Azure Active Directory that use certificates for authentication. These certificates can be extracted from Automation Accounts with a runbook and used for gaining access to the Run As Account. This is also helpful for persistence, as App Registrations typically don’t have conditional access restrictions applied. 

For more on Azure Privilege Escalation using Managed Identities, check out this blog.

Screenshot of the Run As account type, one of two identities available for Azure Automation Accounts.

Managed Identities are the currently recommended option for using an execution identity in Automation Account runbooks. Managed Identities can either be system-assigned or user-assigned. System-assigned identities are tied to the resource that they are created for and cannot be shared between resources. User-assigned Managed Identities are a subscription level resource that can be shared across resources, which is handy for situations where resources, like multiple App Services applications, require shared access to a specific resource (Storage Account, Key Vault, etc.). Managed Identities are a more secure option for Automation Account Identities, as their access is temporary and must be generated from the attached resource.

A description of a system-assigned identity in Azure Automation Account.

Since Automation Accounts are frequently used to automate actions in multiple subscriptions, they are often granted roles in other subscriptions, or on higher level management groups. As attackers, we like to look for resources in Azure that can allow for pivoting to other parts of an Azure tenant. To help in automating this enumeration of the identity privileges, we put together a PowerShell script. 

Automating Privilege Enumeration 

The Get-AzAutomationConnectionScope function in MicroBurst is a relatively simple PowerShell script that uses the following logic:

  • Get a list of available subscriptions 
    • For each selected subscription 
      • Get a list of available connections (Run As or Managed Identity) 
      • Build the Automation Account runbook to authenticate as the connection, and list available subscriptions and available Key Vaults 
      • Upload and run the runbook 
      • Retrieve the output and return it
      • Delete the runbook 

In general, we are going to create a “malicious” automation runbook that goes through all the available identities in the Automation Account to tell us the available subscriptions and Key Vaults. Since the Key Vaults utilize a secondary access control mechanism (Access Policies), the script will also review the policies for each available Key Vault and report back any that have entries for our current identity. While a Contributor on a Key Vault can change these Access Policies, it is helpful to know which identities already have Key Vault access. 

The usage of the script is simple. Just authenticate to the Az PowerShell module (Connect-AzAccount) as a Contributor on an Automation Account and run “Get-AzAutomationConnectionScope”. The verbose flag is very helpful here, as runbooks can take a while to run, and the verbose status update is nice.

PowerShell script for automating the enumeration of identity privileges.

Note that this will also work for cross-tenant Run As connections. As a proof of concept, we created a Run As account in another tenant (see “Automation Account Connection – dso” above), uploaded the certificate and authentication information (Application ID and Tenant) to our Automation Account, and the connection was usable with this script. This can be a convenient way to pivot to other tenants that your Automation Account is responsible for. That said, it’s rare for us to see a cross-tenant connection like that.

As a final note on the script, the “Classic Run As” connections in an older Automation Account will not work with this script. They may show up in your output, but they require additional authentication logic in the runbook, and given the low likelihood of their usage, we’ve opted to avoid adding the logic in for those connections. 

Indicators of Compromise 

To help out the Azure defenders, here is a rough outline on how this script would look in a subscription/tenant from an incident response perspective: 

  1. Initial Account Authentication 
    a.   User/App Registration authenticates via the Az PowerShell cmdlets 
  1. Subscriptions / Automation Accounts Enumerated 
    a.   The script has you select an available subscription to test, then lists the available Automation Accounts to select from 
  1. Malicious Runbook draft is created in the Automation Account
    a.   Microsoft.Automation/automationAccounts/runbooks/write
    b.   Microsoft.Automation/automationAccounts/runbooks/draft/write 
  1. Malicious Runbook is published to the Automation Account
    a.   Microsoft.Automation/automationAccounts/runbooks/publish/action 
  1. Malicious Runbook is executed as a job
    a.   Microsoft.Automation/automationAccounts/jobs/write 
  1. Run As connections and/or Managed Identities should show up as authentication events 
  1. Malicious Runbook is deleted from the Automation Account
    a.   Microsoft.Automation/automationAccounts/runbooks/delete 

Providing the full rundown is a little beyond the scope of this blog, but Lina Lau (@inversecos) has a great blog on detections for Automation Accounts that covers a persistence technique I previously outlined in a previous article titled, Maintaining Azure Persistence via Automation Accounts. Lina’s blog should also cover most of the steps that we have outlined above. 

For additional detail on Automation Account attack paths, take a look at Andy Robbins’ blog, Managed Identity Attack Paths, Part 1: Automation Accounts

Conclusion 

While Automation Account identities are often a necessity for automating actions in an Azure tenant, they can allow a user (with the correct role) to abuse the identity permissions to escalate and/or pivot to other subscriptions.

The function outlined in this blog should be helpful for enumerating potential pivot points from an existing Automation Account where you have Contributor access. From here, you could create custom runbooks to extract credentials, or pivot to Virtual Machines that your identity has access to. Alternatively, defenders can use this script to see the potential blast radius of a compromised Automation Account in their subscriptions. 

Ready to improve your Azure security? Explore NetSPI’s Azure Cloud Penetration Testing solutions. Or checkout these blog posts for more in-depth research on Azure Automation Accounts:  

Back

NetSPI Recognized in the External Attack Surface Management Landscape Report

In this overview of 36 notable vendors, Forrester explores the benefits of External Attack Surface Management (EASM) and key functionalities to consider when selecting a partner.

Minneapolis, MN NetSPI, the leader in enterprise penetration testing and attack surface management is recognized in The External Attack Surface Management Landscape, Q1 2023, authored by global research and advisory firm Forrester. The Landscape report aims to help organizations understand the value of EASM solutions and provides security professionals with an overview of notable vendors so they can select a solution based on their needs.

“The attack surface management market has seen incredible innovation and evolution. This report examines the benefits EASM brings to global enterprises – increased asset visibility, continuous pentesting, and better risk prioritization, to name a few,” said Jake Reynolds, Head of Emerging Technology at NetSPI. “We believe we play an important role in this market and are honored to be recognized by Forrester.”

In the report, Forrester defines EASM as “tools or functionalities that continually scan for, discover, and enumerate internet-facing assets, establish the unique fingerprints of discovered assets, and identify exposures on both known and unknown assets.” EASM vendors recognized alongside NetSPI all have varying features and use cases.

As mentioned in the research, NetSPI reports that its Attack Surface Management (ASM) solution is selected by clients for most or all of the use cases identified by Forrester. Forrester’s complete list of included use cases is:

  • Asset discovery 
  • Asset inventory management 
  • Vulnerability risk management 
  • Cloud security posture management 
  • Mergers and acquisitions (M&A) due diligence assistance 
  • Supply chain/third-party risk management 
  • Penetration testing 
  • Governance, risk, and compliance (GRC) 
  • Incident response and investigations 
  • Breach and attack simulations (BAS) 
  • Certificate management 

NetSPI is listed as a managed service offering, with an industry focus in financial services, high-tech, and media. Visit www.netspi.com to schedule a demo of NetSPI’s ASM platform.

The report is co-authored by Forrester Senior Analysts Erik Nost and Jess Burn. Erik discusses the findings and explores the attack surface management market in depth during his guest appearance on NetSPI’s on-demand webinar, Breaking Down External Attack Surface Management (EASM) Featuring Forrester Analyst Erik Nost.

About NetSPI  

NetSPI is the leader in enterprise penetration testing and attack surface management. Today, NetSPI offers the most comprehensive suite of offensive security solutions – penetration testing as a service, attack surface management, and breach and attack simulation. Through a combination of technology innovation and human ingenuity NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. For over 20 years, its global cybersecurity experts have been committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, four of the top five leading global cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers and e-commerce companies, and 50 percent of the Fortune® 50. NetSPI is headquartered in Minneapolis, MN, with global offices across the U.S., Canada, the UK, and India. Follow NetSPI on Facebook, Twitter, and LinkedIn. 

Media Contacts: 
Tori Norris, NetSPI 
victoria.norris@netspi.com
(630) 258-0277  

Jessica Bettencourt, Inkhouse for NetSPI
netspi@inkhouse.com
(774) 451-5142 

Back

Digital Journal: What Cybersecurity Risk do AI Chatbots Pose?

On February 9, NetSPI’s Nick Landers and Nabil Hannan were featured in the Digital Journal article called What Cybersecurity Risk to AI Chatbots Pose?. Read the preview below or view it online.

+++

ChatGPT is a tool from OpenAI that enables a person to type natural-language prompts. To this, ChatGPT offers conversational, if somewhat stilted, responses. The potential of this form of ‘artificial intelligence’ is, nonetheless, considerable.

Google is launching Bard A.I. in response to ChatGPT and Microsoft is following closely with an application called Redmond.

What do these tools mean for the expanding threat landscape? To find out, Digital Journal sought the opinions of two NetSPI representatives.

First is Nabil Hannan, Managing Director at NetSPI. According to Hannan businesses seeking to adopted the technology need to stand back and consider the implications: “With the likes of ChatGPT, organizations have gotten extremely excited about what’s possible when leveraging AI for identifying and understanding security issues—but there are still limitations. Even though AI can help identify and triage common security bugs faster – which will benefit security teams immensely – the need for human/manual testing will be more critical than ever as AI-based penetration testing can give organizations a false sense of security.”

Hannan adds that things can still go wrong, and that AI is not perfect. This could, if unplanned, impact on a firm’s reputation. Hannan adds: “In many cases, it may not produce the desired response or action because it is only as good as its training model, or the data used to train it. As more AI-based tools emerge, such as Google’s Bard, attackers will also start leveraging AI (more than they already do) to target organizations. Organizations need to build systems with this in mind and have an AI-based “immune system” (or something similar) in place sooner rather than later, that will take AI-based attacks and automatically learn how to protect against them through AI in real-time.”

The second commentator is Nick Landers, VP of Research at NetSPI.

Landers looks at wider developments, noting: “The news from Google and Microsoft is strong evidence of the larger shift toward commercialized AI. Machine learning (ML) and AI have been heavily used across technical disciplines for the better part of 10 years, and I don’t predict that the adoption of advanced language models will significantly change the AI/ML threat landscape in the short term – any more than it already is. Rather, the popularization of AI/ML as both a casual conversation topic and an accessible tool will prompt some threat actors to ask, “how can I use this for malicious purposes?” – if they haven’t already.”

What does this mean for cybersecurity? Landers’ view is: “The larger security concern has less to do with people using AI/ML for malicious reasons and more to do with people implementing this technology without knowing how to secure it properly.”

He adds: “In many instances, the engineers deploying these models are disregarding years of security best practices in their race to the top. Every adoption of new technology comes with a fresh attack surface and risk. In the vein of leveraging models for malicious content, we’re already starting to see tools to detect generated content – and I‘m sure similar features will be implemented by security vendors throughout the year.”

Landers concludes, offering: “In short, AI/ML will become a tool leveraged by both offensive and defensive actors, but defenders have a huge head start at present. A fresh cat-and-mouse game has already begun with models detecting other models, and I’m sure this will continue. I would urge people to focus on defense-in-depth with ML as opposed to the “malicious actors with ChatGPT AI” narrative.”

Read the article at Digital Journal!

Back

The CyberWire: Water armies across the Taiwan Strait. Pakistan blocks access to Wikipedia. Normalizing an illegal occupation. AI chatbots.

On February 9, NetSPI’s Nick Landers, Nabil Hannan, and Cody Chamberlain were featured in The CyberWire: Water armies across the Taiwan Strait. Pakistan blocks access to Wikipedia. Normalizing an illegal occupation. AI chatbots. Read the preview below or view it online.

+++

Chatbots.

Artificially intelligent chatbots and allied technologies have attracted enthusiasm, competition, and concern reminiscent, on a smaller scale, of the dot-com mania at the turn of this century. Right now the two big competitors are Microsoft’s ChatGPT, ahead by a neck, and Google’s more recently released Bard. They’re both pretty plausible, but both of them have stumbled a bit, too. ChatGPT seems, the Wall Street Journal reports, to need some help with math problems (maybe get it a calculator). And Bard embarrassed Google in its own ad. According to Reuters, some questions about the James Webb Space Telescope intended to display the AI chatbot as a knowing savant showed that Bard wasn’t up to the task either (maybe Bard could’ve Googled those questions). But the potential for deception remains a concern. BlackBerry speculates that nation-state services are already working on attacks based on the new AI capabilities.

Nabil Hannan, Managing Director at NetSPI, commented on the use and abuse of AI:

“With the likes of ChatGPT, organizations have gotten extremely excited about what’s possible when leveraging AI for identifying and understanding security issues—but there are still limitations. Even though AI can help identify and triage common security bugs faster – which will benefit security teams immensely – the need for human/manual testing will be more critical than ever as AI-based penetration testing can give organizations a false sense of security.

We received some comment from NetSPI on the implications and potential of this kind of artificial intelligence. Nick Landers, NetSPI’s VP of Research, addressed the commercial potential of AI:

“The news from Google and Microsoft is strong evidence of the larger shift toward commercialized AI. Machine learning (ML) and AI have been heavily used across technical disciplines for the better part of 10 years, and I don’t predict that the adoption of advanced language models will significantly change the AI/ML threat landscape in the short term – any more than it already is. Rather, the popularization of AI/ML as both a casual conversation topic and an accessible tool will prompt some threat actors to ask, ‘how can I use this for malicious purposes?’ – if they haven’t already. 

Cody Chamberlain, NetSPI’s Head of Product, distinguishes adversarial from offensive AI:

“When considering the security gaps these new tools from Google and Microsoft present to the threat landscape, it’s best to consider security approaches based on two implications of AI in cyber: Adversarial AI and Offensive AI. When looking at Adversarial AI, the data is only as good as its training model, which opens up attack scenarios for poisoning models, introducing bias, etc. Organizations must perform extensive threat models against their implementations to combat these gaps – thinking like the hacker. When performing extensive testing of the data supply chain, organizations can better determine who can access it and how they can validate its integrity.

Read the full commentary on The CyberWire!

Back

NetSPI Offensive Security Solutions Updates: Q1 2023

NetSPI prides itself on maintaining a leadership position in the global offensive security space by listening to client feedback, analyzing industry trends, and investing in breakthrough technology developments.

Over the last few months, our development teams have been busy, and are excited to introduce a variety of new features and capabilities across our Breach and Attack Simulation, Attack Surface Management, and Penetration Testing as a Service (PTaaS) solutions to help organizations improve security posture, streamline remediation, and protect themselves from adversaries.

Of the releases across our solutions portfolio, Breach and Attack Simulation (BAS) received the most significant updates, so let’s start there.

Breach and Attack Simulation (BAS) 

NetSPI BAS data shows that only 20% of common attack behaviors are detected by traditional EDR, SIEM, and MSSP solutions. Although most companies spend thousands, even millions, of dollars on detective controls, very few test to validate if they work and provide the value they claim to.

NetSPI’s Breach and Attack Simulation is designed to evaluate detective control effectiveness and educate security operations teams around common TTPs across the cyber kill chain. After many invaluable feedback sessions with NetSPI clients and hours of market research, we are excited to unveil major updates to our Breach and Attack Simulation platform, dialing in on three core dashboards: the Workspace, Timeline, and Heat Map dashboards.

Workspace 

The Workspace is where red teams, purple teams, security engineers, and analysts will spend a majority of their time. Here, they can build, configure and run customized procedures to test their detective controls. Key features within the Workspace include:

  • Utilize preconfigured procedures – or customize your own – to put detective controls to the test 
  • Visualize security posture and identify gaps using detailed summary charts that update in real time. These can be saved and downloaded to easily share with SOC teams and executive leadership to highlight gaps and justify budget for new staff and technology. 
  • While in the Workspace, users can also learn about each detection phase (logged, detected, alerted, responded, and prevented) for common TTPs within the Mitre ATT&CK framework – down to the individual procedure level.  
  • The Activity Log feature allows security teams to ditch the spreadsheets, wiki pages, and notepads they currently use to track information around their detective control capabilities and centralize this information from a summary viewpoint down to the findings level, allowing streamlined communication and remediation. It will also automatically log play execution and visibility state changes. 
  • Tags allow security teams to see the number of malware and threat actors that use the specific technique, helping prioritize resources and remediation efforts. Tags can also be leveraged to generate custom playbooks that include procedures used by unique threat actors, allowing security teams to measure their resiliency to specific threats quickly and easily. 
  • Export test results in JSON or CSV, allowing the SOC team to plug information into existing business processes and products, or develop customized metrics. 

In summary, the Workspace is designed to educate and enable security teams to understand common attack procedures, how to detect them, and provide resources where they can learn more. 

Timeline 

While the Workspace shows a lot of great information, it focuses on a single point in time. The Timeline dashboard, however, allows you to measure detective controls over time.

This allows security teams to prove the value of investments in people, processes or technology. The Timeline Dashboard will also show where things have improved, stayed the same, or gotten worse at any stage of the Mitre ATT&CK kill chain.

While many competitive BAS offerings will show what is being Alerted on, a unique differentiator for NetSPI is the ability to filter results and show changes in what is logged, detected, alerted, responded, and prevented. These changes can be shown as a percentage (i.e. Logging improved 5 percent) or a count (i.e. Logging improved within two different procedures). Similarly to the Workspace, these charts can be downloaded and easily inserted into presentations, emails, or other reports as needed.

For additional information on how NetSPI defines logging, detection, alerting, response, and prevention, read How to Paint a Comprehensive Threat Detection Landscape

Heat Map

Security teams often refer to the Mitre ATT&CK framework, which shows the phases, tactics, or techniques of common TTPs and procedures seen in the wild. We know that many teams prefer seeing results in this framework, and as such, have built it into our Breach and Attack Simulation platform. BAS delivers a familiar way to interact with the data, while still connecting to the workspace created for detection engineers and other security team members.

As mentioned in the Timeline dashboard, a key differentiator is that we show the different visibility levels (logged, detected, alerted, responded, and prevented) within the Mitre ATT&CK framework coverage within each phase of the cyber kill chain and even down to each specific technique.

Here, we also have the ability to dig in and show all of the procedures that are supported within each technique category. These are then cross-linked back to the Workspace, to streamline remediation and re-testing of specific coverage gaps.

This is a quick summary of a few new features and benefits included in our updated Breach and Attack Simulation solution. If you would like to learn more, we encourage you to read our release notes, or contact us for a demo.

Attack Surface Management (ASM) 

Attack Surface Management continues to be a major focus and growing technology within the cybersecurity industry. NetSPI’s most recent ASM updates focus on organizing, filtering, and expanding on information that was previously included, but will now be even easier to locate and pull actionable information from.  

Three key new feature highlights from last quarter include Vulnerability Triggers, Certificate Transparency Logs, and the Subdomain Facet within our domain explore page.

Vulnerability Triggers

First off, what is a vulnerability? Vulnerabilities consist of any exploits of significant risk identified on your attack surface, which are found by combining both assets and exposures. Although a specific asset or exposure might not be very impactful, when combined into a series of steps it can result in a much greater risk.

With the recent introduction of Vulnerability Triggers, admins can now query assets and exposures for specific criteria based on preconfigured or customized search results, and alert on the ones that are the most concerning to you or your company. These Vulnerability Triggers can now be customized to search for criteria related to Domains, IPs, or Ports.

Long story short, Vulnerability triggers allow your company to not only search for common assets, exploits and vulnerabilities, but also key areas of concern for your executive team, industry, organization, or project.

Certificate Transparency Logs & Subdomain Facet

The next two new features are focused on root domain and subdomain discovery.

NetSPI’s ASM has searched root domains and subdomains since its creation, however we are proud to officially introduce Certificate Transparency Logs! We now ingest certificate transparency logs from public data sources, allowing us to significantly increase domain discovery.

We are also excited to announce the release of our Subdomain Facet within our domain explore page. It is common for companies to have tens, or even hundreds, of subdomains on their attack surface, however with the Subdomain Facet within our domains explore page, you will now be able to filter the common subdomains on your attack surface.

A great use case example of this is to discover development subdomains (dev.netspi.com, stage.netspi.com, or prod.netspi.com, etc.) where sensitive projects or intellectual property might be located, and unintentionally exposed externally.

Another common use case for these types of features could be to detect sub domains that have been hijacked by malicious adversaries in an attempt to steal sensitive customer or employee information.

This is a quick summary of a few new features and benefits included in our Attack Surface Management offering, however if you would like to learn more, we encourage you to read our release notes, or contact us for a demo.

Penetration Testing as a Service (Resolve™) 

NetSPI’s Resolve, our penetration testing as a service (PTaaS) platform, has been an industry leader for years, allowing users to visualize their test results and streamline remediation by up to 40%. This product would not be able to remain a leader without continued updates from our product development teams.

Recently, we have been focused on delivering updates to enhance the user experience and make data within the platform to be more accessible and easily leveraged within other security team processes and platforms.

AND/OR Logic

Previously, when users created filters in the grid, AND Logic, as well as OR Logic could be used on filtered search results. We are excited to introduce AND/OR Logic to filters, allowing users to combine both AND Logic and OR Logic to deliver more detailed results to their security teams or business leaders.

Automated Instance State Workflow

Finally, we have introduced automated instance state workflows to include bulk edits. Previously, this was only applicable while updating individual instance states. This change improves efficiencies within the Resolve platform for entire vulnerability management teams.

This is a quick summary of a few new features and benefits included in our PTaaS solution, however if you would like to learn more, we encourage you to read our release notes, or contact us for a demo.

This blog post is a part of our offensive security solutions update series. Stay tuned for additional innovations within Resolve (PTaaS), ASM (Attack Surface Management), and BAS (Breach and Attack Simulation).


Read past solutions update blogs: 

Back

SecurityWeek: Cyber Insights 2023 | The Coming of Web3

On February 6, NetSPI Director of Research Nick Landers was featured in the SecurityWeek article called Cyber Insights 2023 | The Coming of Web3. Read the preview below or view it online.

+++

SecurityWeek Cyber Insights 2023 | The Coming of Web3 – Web3 is a term that has been hijacked for marketing purposes. Since web3 obviously represents the future internet, claiming to be web3 now is a claim to be the future today. Such claims should be viewed with caution – we don’t yet know what web3 will be.

Two of the biggest culprits are the cryptocurrency and NFT investment industries, which both use blockchains. They have claimed to be web3 so vociferously that some pundits believe that web3 is blockchain. This is way too simplistic – these are just applications running on one technology that may become one of the web3 building blocks. 

Before we discuss the evolution of, and issues with, web3 in 2023 and beyond, we’ll first define one specific view of its basics. 

Financial institutions 

Since the blockchain was originally developed for use in the finance sector, it should be no surprise that the finance industry is one of the more interested sectors. “There is a major trend of blockchain adoption in large financial institutions,” says Nick Landers, director of research at NetSPI, specifically citing Broadridge, Citi and BNY Mellon. 

“The primary focus,” he continued, “is custodial offerings of digital assets, and private chains to maintain and execute trading contracts. Despite what popular culture would indicate, the business use cases for blockchain technology will likely deviate starkly from popularized tokens and NFTs.” Instead, he believes, industries will prioritize private chains to accelerate business logic, digital asset ownership on behalf of customers, and institutional investment in proof-of-stake chains.

By the end of next year, he expects that every major financial institution will have announced adoption of blockchain technology, if it hasn’t already. “While Ethereum, EVM, and Solidity-based smart contracts have received a huge portion of the security research, nuanced technologies like Hyperledger Fabric have received much less. In addition, the supported features in these business-focused private chain technologies differ significantly from their public counterparts.” 

It is worth noting that private blockchains are not decentralized blockchains – which begs the question, are they really web3?

Either way, this ultimately means more attack surface, more potential configuration mistakes, and more required training for development teams. “If you thought that blockchain is ‘secure by default’,” added Landers, “think again. Just like cloud platform adoption, we’ll see the promises of ‘secure by default’ fall away as unique attack paths and vulnerabilities are discovered in the nuances of this technology.”

Read the full article at SecurityWeek!

Discover how NetSPI ASM solution helps organizations identify, inventory, and reduce risk to both known and unknown assets.

X