Friday, November 11, 2022

Managing and Mitigating Threat From Unknown Unknowns


Modern IT environments are purposefully designed to be dynamic, evolving organically through things such as cloud computing, Internet of Things (IoT) devices, and, for many organizations, through mergers and acquisitions and supply chain business relationships. While enabling greater business efficiency and effectiveness, infrastructure and data are often added ad hoc without looping in the IT team or adhering to organizational security policies. The result is unmanaged or unknown infrastructure across the technology ecosystem, which introduces hidden risk.

Most security teams will acknowledge a lack of visibility in this dynamic environment. Whether it is credentialed access or missing agents, it's common to have a gap in visibility. However, unknown unknowns present an even more significant visibility challenge in most organizations.

What Is an Unknown-Unknown Asset?

Let's start by defining what we mean by unknown unknowns: assets of which the security and IT teams have no awareness. Unknown unknowns can be introduced in a multitude of ways. For example, well-meaning developers with the ability to provision cloud resources on a personal credit card can spin up new database instances.

Consider capable contractors who can spin up their own infrastructure but forget to restrict access to the code on GitHub. Or the business partners (third- and Nth-party suppliers) that aren't accounted for in the extended enterprise ecosystem. Mergers are another common way that "unknown unknowns" are introduced: the often outdated list of IT infrastructure doesn't match the current reality of the infrastructure state.

With supply chain compromise on the rise and increasing organizational sprawl, how can organizations manage and mitigate risk from unknown unknowns?

Closing Attack Surface Visibility Gaps

To solve for unknown unknowns, security teams need to establish mechanisms and processes to maintain an up-to-date inventory of all known assets associated with their organization and of the vulnerabilities that threat actors can use as entry points into the network. The more that is known about the organization, the more information there is to drive an active and continuous search for unknowns, and the fewer unknown unknowns remain.

Below are five practical steps to closing visibility gaps:

  1. Enumerate and continuously monitor the asset inventory: Create a process and workflow for continuous asset discovery that delivers a comprehensive inventory. Assets include internal and external resources, cloud resources, employees, and the supply chain. Externally accessible assets are often targeted by threat actors for initial access (MITRE T1190) by exploiting known vulnerabilities. In situations where a zero-day is disclosed, the security team can leverage the inventory to answer these questions: "Do we have that technology in our ecosystem and, if so, where?" and "Are we running the vulnerable version of the technology?"
  2. Determine ownership of assets: Attribution plays a big role in providing relevant information to the security team. Receiving a list of assets that may or may not be owned by your organization will slow down the team as they triage false positives (out-of-scope assets). At the onset of asset discovery efforts, the inventory should be audited to determine what is directly managed versus what falls under a shared security model (where management of the asset is outsourced to a provider, such as a cloud service or SaaS provider). Management becomes easier over time as the security team establishes a baseline understanding of asset ownership.
  3. Enrich assets with intelligence to identify and prioritize critical and high-severity issues: The sooner vulnerabilities are identified, the sooner the security team can respond. Indicators of compromise (IoCs) and Dark Web monitoring can inform a security team of malicious activity involving the brand or an asset. Analysis based on incident response and adversary research can help defenders respond and prioritize appropriately, based on how a vulnerability is being leveraged and the impact of exploitation. Recommended sources include the NIST National Vulnerability Database (NVD), CISA's Known Exploited Vulnerabilities catalog, and intelligence feeds from the private sector.
  4. Remediate and harden at scale: Prioritizing remediation and hardening efforts on the entry points that present the most risk to the organization is key to any mitigation strategy. Critical and high-severity security findings should be investigated and remediated immediately. Over the medium and long term, the security team needs to be aware of and monitor for lower-severity vulnerabilities that are often overlooked but can be used in tandem with easier-to-exploit vulnerabilities. Assign responsibility for the lower-priority items and set expectations for quarterly reporting on progress.
  5. Regularly review assets for unknown unknowns, and integrate your findings into steps 1–4: Information is only useful if it is used. As more data is collected about an organization's attack surface, the information should be distributed to the appropriate teams across the organization and incorporated into the operational workflows within the security operations center (SOC) or intelligence organization. For example, the SOC team can leverage the latest information about potentially compromised devices to take specific threat-hunting actions and then implement mitigation strategies.
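As an added illustration of steps 1 through 4 (example code written for this page, not the author's or Mandiant's), the Python below keeps a constructed inventory carrying exposure, ownership and management-model attributes, answers the zero-day question from step 1, and routes each finding by severity, exploitation status, ownership and shared-responsibility model. The hosts, versions and `EX-####` identifiers are constructed placeholders, and the scoring weights are an assumption, not a published scheme.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Asset:
    host: str
    technology: str
    version: str
    external: bool              # internet-reachable: a candidate initial-access point
    owner: "str | None"         # None = attribution (step 2) not done yet
    shared_model: bool = False  # provider-managed (SaaS/cloud): the provider patches it
@dataclass(frozen=True)
class Vuln:
    vid: str                    # constructed identifier, not a real CVE
    technology: str
    fixed_in: str               # first non-vulnerable version
    cvss: float
    exploited: bool             # listed in an exploited-vulnerabilities catalog
def _ver(v):
    return tuple(int(p) for p in v.split("."))
def is_vulnerable(asset, vuln):
    return asset.technology == vuln.technology and _ver(asset.version) < _ver(vuln.fixed_in)
def zero_day_query(inventory, technology, fixed_in=None):
    # Step 1's question: do we run this technology, where, and (if fixed_in is given) a vulnerable version?
    hits = [a for a in inventory if a.technology == technology]
    if fixed_in is not None:
        hits = [a for a in hits if _ver(a.version) < _ver(fixed_in)]
    return sorted(a.host for a in hits)
def prioritize(inventory, vulns):
    # Steps 2-4: score each finding and route it; unowned assets go to attribution, not the bin.
    findings = []
    for a in inventory:
        for v in vulns:
            if is_vulnerable(a, v):
                score = v.cvss + (4 if v.exploited else 0) + (2 if a.external else 0)  # assumed weights
                if a.owner is None:
                    action = "attribute"   # confirm ownership before spending remediation effort
                elif a.shared_model:
                    action = "provider"    # shared model: verify the provider's fix, not our patch queue
                elif score >= 10:
                    action = "immediate"   # critical/high, exposed or exploited: fix now
                else:
                    action = "tracked"     # lower severity: assign an owner, report quarterly
                findings.append((a.host, v.vid, round(score, 1), action))
    return sorted(findings, key=lambda f: (-f[2], f[0]))

INVENTORY = [Asset("web-01", "webserver", "2.4.1", True, "platform"),        # constructed sample data
             Asset("db-dev", "dbengine", "13.2", False, None),               # developer's ad hoc database
             Asset("crm-saas", "crmapp", "5.0", True, "sales", True),
             Asset("build-03", "webserver", "2.4.5", False, "ci")]
VULNS = [Vuln("EX-0001", "webserver", "2.4.3", 9.8, True), Vuln("EX-0002", "dbengine", "13.4", 7.5, False),
         Vuln("EX-0003", "webserver", "2.4.6", 5.3, False), Vuln("EX-0004", "crmapp", "5.1", 8.1, True)]
```

Note that the unowned `db-dev` host is routed to attribution rather than dropped as a false positive, which is the step 2 point: an asset nobody claims is exactly the kind of unknown unknown the process exists to surface.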

Managing and mitigating risk from known threats is hard enough for already over-stretched security teams. By following the steps above, organizations can uplevel their attack surface management programs and gain greater visibility into potential risk within their extended ecosystem as well.

About the Author

Jonathan Cran

Jonathan Cran is head of engineering, Mandiant Advantage Attack Surface Management, at Mandiant and was the founder and CEO of Intrigue prior to its acquisition by Mandiant in 2021. An experienced entrepreneur and builder, he is passionate about delivering high-quality results and data-driven solutions, particularly when they require significant technical leadership. He is constantly striving to understand customers' challenges and deliver elegant solutions. His background includes hands-on experience as a security practitioner and leadership roles at companies such as Kenna Security, Bugcrowd, and Rapid7.
