In many recent conversations with family, friends, colleagues and even people in the socially distanced line at the grocery store, I keep talking about external attack surfaces as an emerging (and vast) vulnerability. A family member felt somewhat lucky that he was spared doing it in person over a long holiday meal. However, the topic is fascinating and I am truly enthusiastic about the newly found attack surface. So are many hacking groups that IONIX is tracking closely. Who wouldn’t want to hear about it?
Roaming in the global digital attack surface
Tracking hacking campaigns is an intriguing job. In the cybersecurity equation, there are at least two sides of super smart people. Crafty, creative, thinking out of many boxes types of personalities. A lot of brain power goes into this cat-and-mouse game they are playing. Our team of analysts are always in the attack surface playfield looking around and exploring moves and changes.
While I am unable to keep pace with them, based on the quantitative output and number of meaningful findings our online security platform discovers and records, they must be doing something right. Our clients, big and small, are satisfied with their investment.
Spreading the word through ethical disclosures
On a daily basis, we uncover vulnerabilities and abuse in the wake of attack campaigns. Without diving into technical depths, I will say that many of the attacks, like poker players, have a tell that we can identify. Once identified, we start noticing those tells show up in the external attack surface of other organizations. I continue to feel that these incidental findings should be of great interest to the affected entities.
When we started our journey, we committed ourselves to approach and disclose these critical findings in good faith. Casting our bread upon the water is our way to help vulnerable and compromised entities strengthen their security posture. In some cases, it turned out to be the beginning of a dialogue. In others, it did not go beyond a one-way disclosure. To date, we have hundreds of both under our belt.
Ethical disclosure, really?
Ethical disclosures should be a grace to security teams. While skeptical and suspicious by nature, or reality, the value of disclosures is literally priceless. There are many security professionals who believe and act as if disclosures are a waste of time. Disclosures can also be malicious, leveraged as a distraction, misinformation, or a form of denial-of-service attack on the security team. However, ethical disclosure can also be what they are called: ethical (or responsible) disclosures. With IONIX disclosures, you do not have to create a bounty program and pay for valuable data. IONIX disclosures are always ethical in nature. Always.
The disclosure outliers
We are a little surprised by the fact that some of our disclosures are never responded to after they are fixed by the entity we disclosed them to. We are very surprised when disclosures are completely ignored and the vulnerability remains untouched. It is usually a matter of minutes to attend to the type of things we share. Those two response are unpleasant and potentially risky, but within the realm of what we can understand.
The shocking outliers are those where we provided a disclosure, connected with the team, provided context and details to one, or more, vulnerabilities and shared the path to remediation. And then nothing happens. The issues are not addressed, our follow-up emails (usually trying to offer additional help or guidance) are not answered, and the enterprise knowingly remains vulnerable or compromised. We learned that scratching one’s head for a long time is painful, so we stopped.
Incoming disclosure responsibility
The experience of how disclosures are handled across Global 5000 companies raises the question of responsibility and accountability.
What should the expectation be of response time and remediation of disclosed vulnerabilities?