CybelAngel’s State of External Attack report, 2023.

This week CybelAngel released its 2023 State of the External Attack Surface report, which details the company’s analysis of vulnerabilities across various business sectors. CybelAngel utilized its proprietary scanners for this report which allowed them to achieve a broad scope analysis. As they report “In 2022, CybelAngel’s scanning capabilities detected over 439 million assets. Of those, over 39 million had an associated vulnerability.” CybelAngel provides in-depth analysis of various vectors of attack like unsecured files, unknown assets, and cloud storage. It also broke down at-risk industries based on trends analyzed in 2022 such as leaked credentials and vulnerable database applications. 

Unsecured files offer low hanging fruit. 

One of the biggest takeaways is the sheer number of unsecured files in internet facing databases. As CybelAngel puts it “70 billion files were found within 498,976 unique open servers in a 31-day period in 2022. We could give you the yearly data but we'd be talking in the incomprehensible quadrillions.” They outline 2022s vulnerabilities broken down by industry and it is clear from their findings that databases make up a significant amount of liabilities that they could detect. CybelAngel names MongoDB as the most common database protocol found as it made up 71.8% of the just under 740,000 databases that were unsecured and open to the internet.

Unknown assets are costly.

Unknown assets are of concern, as they “often carry an inherent cost to keep and/or maintain—a cost that the organization could be putting to better use.” The report adds, “However, the real issue is that 8% of every internet-facing device detected by CybelAngel had an associated vulnerability.” 

Cloud storage can be a target.

CybelAngel also looked into cloud vulnerabilities, broken into two categories: personal cloud storage and enterprise storage. In personal cloud storage, one technology stands out: personal Google Drive accounts. Personal Google Drive storage accounted for almost 50% of the 1.4 million vulnerable cloud devices. CybelAngel attributes this to people not understanding how to configure their security settings properly. About the enterprise services, CybelAngle wrote, “AWS - S3 devices or buckets are by far the most detected as being open and accessible to attackers… The raw detection numbers could be a direct correlation to their respective market shares, i.e., cloud services that are more popular are detected more frequently simply because they are more abundant, not necessarily that they are less secure.” 

Codeshare sites are great places to gather target information.

Another trend CybelAngel notes was an increase in overshared information on code sharing sites such as GitHub. It explained users can “overshare, cut & paste and place critical code, API keys and credentials by mistake, leaving the door open to an easier attack via more access at a deeper level.”

Telecommunication is constantly on top, and not in a good way. 

Telecommunications seems to be a sector that is particularly vulnerable as it shows up in the top three industries in seven of the eight risk areas by industry graphs in the report. CybelAngel attributes this to a myriad of factors but mostly to the fact that telecommunications is a massive industry that is constantly evolving and using ever developing technologies. Additionally, they explain that telecommunications has a large supply chain, and so it has a very complex and intricate group of dependencies that could be used as attack vectors.

In the “average number of leaked credentials” graph we can see that telecommunications, aviation, and oil & gas are the top three industries listed. As CybelAngel puts it, “What is especially concerning about seeing these particular industries top the chart for leaked credentials is that they are all critical infrastructure sectors that are vital to the functioning of the global economy. If the right credentials end up in the wrong hands, nation-state actors could gain unauthorized access to sabotage these critical choke points, causing wide-ranging and debilitating effects on international economic security.”

CybelAngel’s recommendation.

CybelAngel suggests that companies “adopt a preemptive strategy”:

“The days of passive or reactive security are gone. Today’s threats cannot be found by waiting for detections from endpoints or alerts from inside your security perimeter. Security teams need to be on the constant lookout for early indicators and address them before they even become problems. 

“To do this effectively, you need full visibility of your extended external attack surface, which not only includes your known assets, but also shadow assets of your employees and assets belonging to your partners, vendors, suppliers or other third parties. Taking an outside-in view, like an attacker would, allows you to spot any weaknesses in your security and remediate them before they can be exploited.”