Attackers have the information advantage

From SOC analysts to threat actors, everyone benefits from understanding the exposures existing in an organization’s external risks. While the SOC analysts’ benefits are more … wholesome, it is often found that adversaries have a more comprehensive understanding of an organization’s vulnerabilities. Leaked credentials, exposed documents, vulnerable hosts and hard-coded secrets frequently go unnoticed by organizations for months or years. Cyber adversaries consistently demonstrate their information advantage when it comes to discovering these exposures.

Why do attackers often have the information advantage?

Cybercriminals have developed effective strategies to maintain their information advantage. 

Knowing where to look

Cyber adversaries are adept at finding data leaks and exposed credentials because they know exactly where to search. They have an intimate understanding of where sensitive information might be exposed, whether in SaaS platforms, internet scanners, cloud storage solutions or public code repositories. A misplaced sense of passion and curiosity can be found in cybercrime communities, whether fueled by ideological causes or an insatiable lust for ill gotten gains, and it often manifests itself in developing and sharing creative new techniques for finding the information they are looking for. Given the sheer volume of third-party leaks that impact a variety of corporations (either directly or indirectly) and appear on cybercrime forums, we can see that cyber adversaries understand the modern attack surface better than many organizations themselves. They seem to appreciate the fact that the modern attack surface spreads far beyond any traditional notion of a perimeter and extends to the many disparate SaaS tools, data storage solutions, consultants, contractors and subcontractors that an organization uses in addition to the traditional hosts and on-premise web applications that make up the well understood organizational attack surface.

Dedicated time and resources

Adversaries dedicate significant time to reconnaissance. Generally, threat actors benefit from front-loading their campaigns with reconnaissance, allowing them to understand and probe at possible attack paths in detail. In recent years, more complex attack paths have been left in the past, favoring finding data accidentally exposed in a public place, an increasingly common phenomenon in the era of SaaSification — where an attacker can find exposed data on a third party SaaS tool that doesn’t have the ability to centrally log. And what better way for a criminal to find their crown jewel than by walking in through the front door? Unlike their corporate targets, who may be preoccupied with a new EDR deployment or writing log parsers for obscure cloud microservices, attackers can focus on studying their target’s attack surface and automating their collection strategies.

Automation

Automation plays a crucial role in maintaining the information advantage. Attackers use automated tools to continuously monitor their sources for new exposures, such as leaked credentials, exposed API keys, vulnerable subdomains, misconfigured services, etc. This allows them to react quickly in a variety of situations — like automatically attempting a new RCE exploit on public hosts with a specific software version running on them, or monitoring an organization’s public github for accidental commits that contain hard coded secrets using a scanner, and attempting access using the API keys before they can be rotated.

Collaborative ecosystem

Cybercriminals benefit from a robust ecosystem that facilitates the sharing of new techniques, exposed files, discovered credentials and other sensitive information. Platforms like Telegram and dark web forums are used to disseminate stolen data rapidly, giving typically hundreds to thousands of cybercriminals access to the same information. For example, Telegram hosts a variety of stealer log channels. The owner of the channel will host a stealer malware campaign that posts its infected devices stored browser credentials, cookies and other sensitive data to the channel, making them available to the groups members shortly after infection.

How can you gain the information advantage?

To level the playing field, organizations need to adopt a proactive approach to understanding their external attack surface and minimizing exposures.

Automated reconnaissance

Just as attackers use automation to exploit vulnerabilities at scale, organizations should employ automated tools to scan for exposures. The same tools professionals should employ here are those leveraged regularly by red teams for penetration tests. This includes monitoring for leaked credentials or leaked secrets in the public code locations organizations know their development teams use, scanning web applications for undocumented or misconfigured API endpoints or vulnerabilities, etc. The philosophy to follow here is that security professionals want to be running the reconnaissance phase of a penetration test on a regular cadence, as opposed to learning of exposures during a bi-annual penetration test. Once professionals understand the locations they are searching for exposures within, they can begin to automate the more manual steps. For example, if security professionals are manually Google dorking for exposed files which contain the organization’s internal file footer, e.g. “Property of Acme Corp. Company Confidential,” they can leverage the Google JSON Search API to quickly notify them when new files emerge, so they can determine if the files are indeed confidential or contain any revealing metadata. This may save security teams the hassle, and potential time delay, of manually dorking periodically for leaked files. Automations like these will enable organizations to exceed (or at worst, keep up with) the speed with which adversaries discover exposures, allowing companies to mitigate before damage can be inflicted.

Adversarial techniques

Organizations should use the same techniques that adversaries use. This includes leveraging offensive security tools for enumeration and reconnaissance that can reveal potential exposures. By adopting an adversarial mindset, defenders can anticipate where attackers typically look. Or, by monitoring their channels, defenders can anticipate where attackers are starting to look and secure those areas first. A great way to adopt the attacker’s mindset is to monitor dark web news sources like Daily Dark Web or Dark Web Informer to understand how threat actors communicate, what they are talking about lately and their jargon.

Collaboration and intelligence sharing

Participate in threat intelligence sharing with other organizations and security communities. By staying informed about the latest threats and exposures discovered by others, organizations can quickly apply that knowledge to your own security posture. Many industries have ISACs, which are member-driven threat sharing programs for companies in like-industries. These groups openly share threat intelligence indicators and evolving adversarial techniques (like new reconnaissance techniques) relevant to the group.

Regain and maintain the information advantage

Attackers don’t have to have the information advantage. By understanding the attack surface better than the adversaries, leveraging automation, adopting adversarial techniques and collaborating on threat intelligence, security professionals can regain and maintain the information advantage.