Palo Alto Networks (NYSE: PANW) today released the 2021 Cortex Xpanse Attack Surface Threat Report, which highlights lessons in attack surface management from leading global enterprises.
The Palo Alto Networks Cortex® Xpanse™ research team studied the public-facing internet attack surface of some of the world’s largest businesses to help enterprises understand their own exposure. From January to March, they monitored scans of 50 million IP addresses associated with 50 global enterprises to understand how quickly adversaries can identify vulnerable systems for fast exploitation.
Adversaries are constantly scanning for weaknesses in the public-facing internet attack surface of enterprises, in the cloud and traditional data centers. Attackers scan for vulnerable systems once an hour on a typical day, but this activity picks up dramatically when new vulnerabilities are disclosed.
Scans started within 5 minutes after disclosure of the high-profile zero-day vulnerabilities in Microsoft’s widely used Exchange Server.
Scans started within 15 minutes after most vulnerabilities were announced.
Global enterprises are far behind the attackers: it takes them weeks to begin scanning their own attack surface for the same vulnerabilities.
Vulnerabilities in the public-facing internet of global enterprises are widespread. In the global enterprises we studied, a serious vulnerability turned up roughly every 12 hours, or twice a day.
As global enterprises transformed their operations to support remote work, that created security gaps:
79% of observed exposures were in the cloud, compared to 21% for on-premises data centers.
Nearly one in three vulnerabilities uncovered was due to issues with Remote Desktop Protocol (RDP), whose usage has soared to enable remote work. RDP can provide direct admin access to a server, which makes it one of the most common gateways for ransomware.
Concerns that digital transformation would introduce security gaps not only proved well founded but also understated the impact.
In reality, digital transformation has realigned the risk equilibrium in the attacker’s favor. Most tools in IT and security’s arsenal—namely asset and vulnerability management—focus on evaluation but not discovery. In other words, these tools manage known assets while remaining blind to unknown ones. Worse yet, the common methods of discovering unknown assets—such as pen-testing—take place on a quarterly basis (see figure 1).
Attack surface management programs should start with the basics:
Global internet visibility: Implement a system of record to track every asset, system, and service you own that is on the public internet, including across all major CSPs and dynamically leased (commercial and residential) ISP space. Use comprehensive indexing that spans common and often misconfigured ports and protocols (i.e., not limited to the old perspective of only tracking HTTP and HTTPS websites).
In-depth attribution: Detect systems and services belonging to your organization using a full protocol handshake to verify details about a specific service running at a given IP address. By fusing this information with a number of public and proprietary datasets, match the full and correct set of internet-facing systems and services back to a specific organization.
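As an added illustration of the two basics above (not code from the report or from Cortex Xpanse), the following script compares a system of record against externally observed services, surfaces assets the organization did not know it exposed, flags internet-facing RDP for urgent review, and measures how long an unknown exposure sat unrecorded. All addresses, services and dates are constructed sample data.

```python
"""Continuous external-exposure check: diff a system of record (what you believe
you expose) against the latest external observations. Constructed sample data;
IPs are from documentation ranges and do not belong to any real organization."""
from dataclasses import dataclass
from datetime import datetime

RDP_PORT = 3389  # directly exposed RDP is the report's most common gateway for ransomware


@dataclass(frozen=True)
class Service:
    ip: str
    port: int
    protocol: str     # label from the verifying protocol handshake
    environment: str  # "cloud" or "on-prem"
    first_seen: datetime


# Constructed system of record: (ip, port) pairs the enterprise knows about.
SYSTEM_OF_RECORD = {("203.0.113.10", 443), ("203.0.113.10", 80), ("198.51.100.5", 22)}

# Constructed external observations of the same address space.
OBSERVED = [
    Service("203.0.113.10", 443, "https", "cloud", datetime(2021, 2, 1)),
    Service("203.0.113.10", 80, "http", "cloud", datetime(2021, 2, 1)),
    Service("198.51.100.5", 22, "ssh", "on-prem", datetime(2021, 1, 15)),
    Service("203.0.113.77", 3389, "rdp", "cloud", datetime(2021, 3, 2)),   # unrecorded RDP host
    Service("198.51.100.9", 445, "smb", "on-prem", datetime(2021, 3, 3)),  # unrecorded SMB host
]


def diff_exposures(system_of_record, observed, now):
    """Return (unknown services, urgent subset, cloud share of unknowns, oldest unknown age in hours)."""
    unknown = [s for s in observed if (s.ip, s.port) not in system_of_record]
    # RDP reachable from the internet gets reviewed first, whatever port it was found on.
    urgent = [s for s in unknown if s.port == RDP_PORT or s.protocol == "rdp"]
    cloud_share = (sum(1 for s in unknown if s.environment == "cloud") / len(unknown)) if unknown else 0.0
    # How long the oldest unknown exposure has been visible to anyone scanning, in hours.
    oldest_age_hours = max(((now - s.first_seen).total_seconds() / 3600 for s in unknown), default=0.0)
    return unknown, urgent, cloud_share, oldest_age_hours


if __name__ == "__main__":
    unknown, urgent, share, age = diff_exposures(SYSTEM_OF_RECORD, OBSERVED, datetime(2021, 3, 4))
    for s in unknown:
        print(f"UNKNOWN {s.ip}:{s.port} {s.protocol} ({s.environment})")
    print(f"urgent={len(urgent)} cloud_share={share:.0%} oldest_unknown_hours={age:.0f}")
```

Run the check on every scan cycle rather than quarterly; the age figure is what a scanner that starts within 15 minutes of a disclosure has had to work with.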
Using the externally visible attack surface data from global enterprises, Cortex Xpanse researchers examined and interpreted the data to help defenders understand their attack surface in order to:
Quantify and remediate externally facing vulnerabilities.
Provide security teams with attack surface benchmark metrics.
Optimize threat modeling.
Convey the threat landscape to technical and nontechnical audiences.
Deploy proactive security measures.
Cortex Xpanse operates a proprietary platform that continuously collects more than one petabyte per day of information related to all systems on the public internet to ascertain how attackers view potential targets. We fuse this information to discover cybersecurity risks present on the networks of the world’s largest and most complex organizations, which no one else can find. Our technology helps our customers see the world through the eyes of highly sophisticated attackers.
For this report, the researchers looked at the attack surface and threat data from 50 global enterprises, including a subset of the Fortune 500, covering around 50 million IP addresses from Q1 2021 (January 2021 – March 2021) and representing 1% of the global IPv4 address space.