Cyber Threats and the Hidden 20%: A Deep Dive into the Attack Surface with Matt Kraning
Matt Kraning: 20% of the cloud changes every month. That means that 20% of the exposures an organization has in a given month were not present the previous month in the cloud. Unless you're actually doing something pretty much daily and continuously, you're actually missing almost all of your risks.
David Moulton: Welcome to "Threat Vector," a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, director of Thought Leadership for Unit 42. [ Music ] In today's episode, I'm going to be talking with Matt Kraning. Matt is the CTO on the Cortex Expanse Team, and we'll be unpacking the findings from the latest Attack Surface Management report. Matt and his team are able to scan the entire Internet and find weaknesses and vulnerabilities that plague organizations with the Expanse technology they've invented. This report shines a light on the most worrisome problems the team has uncovered. Matt, your team just put out a new Attack Surface Management report. Can you describe what this report is and who it's for?
Matt Kraning: The report that we just put out is a survey of over 250 large organizations, and it analyzes the risks and configurations present on the IT that they deploy across the Internet. So this report is for senior security leaders, CISOs, CIOs, to understand the risks that are present in large organizations.
David Moulton: So, Matt, the report says that RDP (Remote Desktop Protocol) exposures are prevalent. What are these and why is that such a bad thing?
Matt Kraning: Remote Desktop Protocol (or RDP) is a service that is very frequently run by organizations across many, in some cases all, of their laptops. This allows legitimate IT administrators of an organization to remotely troubleshoot and diagnose problems. This is a great tool that lots of teams should use. Unfortunately, it also tends to contain a number of security issues associated with the protocol. And if this protocol is actually present on the public Internet, then anyone in the world can go in and do one of two things. One, you can just start guessing passwords. And if you don't have a great password policy, it's like leaving a laptop open in Central Park. In addition, if you're running older versions of this protocol -- which unfortunately are present on the Internet frequently -- there are also a number of remote code execution exploits where, even if you don't know a username-password combination, you can immediately gain access to the client machine and any sensitive data and credentials on that machine.
David Moulton: Matt, one of the things that stood out in the report was that 85% of the industries studied had RDP exposed for at least a quarter of the month. If you're a security practitioner or you're a CISO that's listening right now, do you see that as one of those things where they're surprised that it's that prevalent?
Matt Kraning: I think a number of people are not surprised that it happens frequently to other people, but are sometimes surprised that it's happening to them. And there's two different ways that I explain this. One, our own reporting with Unit 42 has found that in the case of ransomware attacks -- which can generate substantial business interruption, costing millions or multiple millions of dollars -- over 60% of the time there's ransomware that we have to respond to, the actual origin of the ransomware is not phishing; it is actually a Remote Desktop Protocol system on the public Internet that was exploited. So there's substantial risk when these exist. I think what a lot of people are surprised by is just how often and for how many organizations this occurs. And this occurred in over 250 organizations with over 10,000 people each. These are large organizations, typically with well-funded, substantial IT and IT security teams. And even then, we see these exposures happening regularly. And when we look at the cause of why this happens, ultimately, it's that IT security teams typically do not have total visibility over all of the assets that the organization owns and manages. So while they may be very secure for the assets they know about and track regularly, and there might not be RDP exposed on the Internet there, there's another class of assets that usually is 30, 40, sometimes even 50% of the total assets of the organization that security's effectively blind to. And that's where a substantially higher fraction of their risk lies: in the systems that they don't even know about.
David Moulton: The report shows that there are several paths of least resistance for attackers to exploit. And if they're so prevalent, why aren't we seeing more attacks against those exposures?
Matt Kraning: I think we see a number of attacks against this. So over the last 20 years, I think it's been a kind of unchallenged belief in security that employees are always the weakest link. And this goes back more than two decades. And I think for a large fraction of that time, it was true. And you saw both a very high investment by attackers in attacking employees, and then also in defenders inventing a variety of different technologies to protect employees. I think what we're now seeing is no longer the early days but now kind of the middle of attackers realizing that the weakest link and the easiest way into organizations in a lot of cases is actually through unknown, unmanaged IT assets of the organization, rather than trying to get around a number of different phishing and other endpoint protection mechanisms. And when we look at some of the largest, worst breaches of the last decade, many of them were not phishing; they were actually exactly this: an asset getting exploited on the public Internet that was not known, or at least not centrally known in a standardized way, to the security team. I think some of the best examples of this are things like the WannaCry attacks. Then you also look at things like TJ Maxx going through HVAC systems. The Equifax hack as well. All these are examples of where the company in question lost hundreds of millions, or in some cases billions, of dollars, and it wasn't somebody being phished; it was actually an IT asset that was on the public Internet that was usually unmanaged and had not been updated in a very long time. And the companies unfortunately had a very bad day in all of those cases. [ Music ]
David Moulton: Matt, thanks for joining me today on Threat Vector. It's amazing what you and your team have been able to discover and publish. For those listening, the latest Attack Surface Management report is available on the Expanse website. A link will be in our show notes. We'll be back on the CyberWire Daily in two weeks. But in the meantime, stay secure, stay vigilant, goodbye for now. [ Music ]