Respond from the outside-in

by Mark Rowe

As attack surfaces expand, security teams must respond from the outside-in, says Bharat Mistry, Director of Product Management at the cyber firm Trend Micro.

On Monday, June 3, red lights started flashing for NHS IT teams in south east London. The culprit: a ransomware breach that caused critical operational disruption at a little-known pathology services provider. Soon, several local trusts and countless primary care services were in meltdown. A desperate call went out for new blood donors.

It’s an extreme example of the kind of real-world impact that cyber-attacks can now have on organisations. The frequency of such breaches is increasing, in part down to the evolving threat landscape and the growing use of AI tools and pre-packaged services. However, it’s also due to the expansion of the typical corporate attack surface. Mitigating these urgent risks will require a potentially new approach, eschewing internal controls and perimeter defences in favour of managing risk across the external attack surface.

A chain reaction

The ransomware attack described above was targeted at Synnovis, a small but critically important supplier to local NHS organisations. It resulted in the cancellation of 10,152 acute outpatient appointments and 1,710 elective procedures in the two worst-affected London trusts, and the exposure of 400GB of sensitive internal data including patient names, dates of birth and HIV blood test results. Yet the incident was by no means an isolated one. In October 2023, the British Library suffered a massive double extortion ransomware attack which knocked over its server estate and led to the theft of 600GB of internal data. The government-backed public body has already spent £1.6m recovering from the breach. As with Synnovis, it’s unclear exactly how the threat actors made landfall, but the compromise of a privileged account credential is suspected. That is made more likely by the fact that the library has an extensive number of partners and suppliers who require network access. Subsequently, its adversaries accessed an on-premises terminal server which did not have multi-factor authentication (MFA) enabled.

The landscape is changing

These breaches are symptomatic of a concerning trend among modern organisations. The more they invest digitally to streamline operations and improve the employee and customer experience, the more they expose themselves to potential threats. The idea of a cyber-attack surface is a useful metaphor for what’s happening. It has been expanded by remote working endpoints that are often employee-owned and lacking in adequate protection, or even software updates. And by the surge in SaaS application usage, which can leave corporate data at the mercy of threat actors capable of guessing, phishing or brute forcing employee log-ins.

But that’s not all. The corporate cyber-attack surface has also grown in recent years with the popularity of cloud-native apps and services, which can add complexity and lead to misconfiguration. And the increasing reliance on third-party software vendors and open-source components, which can introduce further risk. Just consider the tens of millions of individuals impacted by the MOVEit breach. Or the number of organisations exposed by the Log4Shell vulnerability, some of which are still being targeted. That’s not to mention the threat posed by suppliers like Synnovis, operational technology (OT) and IoT, and fast-evolving AI systems.

Two years ago we warned that over two-thirds of global organisations felt their attack surface was “spiralling out of control”. It would be interesting to see the figures today because things are certainly not improving.

Taking back control

This leaves cybersecurity professionals with a dilemma. Against a backdrop of persistently low UK productivity, they must support digital transformation initiatives where possible. But in a way that enables IT and OT solutions to be deployed and used safely, without slowing down innovation and growth. To do so, they will need some fresh thinking.

Traditional security approaches are no longer fit for purpose. They focus more on internal threats and perimeter defences, with firewalls, intrusion detection/prevention (IDS/IPS) and other network-based security measures such as data loss prevention and secure web/email gateways. Instead, CISOs must approach security from a more holistic, “outside-in” perspective to protect their highly distributed digital assets more effectively. This means shifting the focus from internal controls to continually mapping and responding to threats and vulnerabilities across the entire external attack surface.

A key pillar of this approach is risk and exposure management. This demands that teams perform continuous risk assessments to identify vulnerabilities, misconfigurations and other risks. Then they quantify the potential impact of each risk in financial, reputational and operational terms. And finally, they remediate the highest impact, most likely risks first. Vulnerability management is therefore another key discipline here.

Other related elements to this approach include supply chain security, to assess and manage risks associated with third-party vendors and partners. Threat intelligence and detection response proactively discover and contain threats to the organisation before they can cause major damage. Incident response planning accelerates recovery from breaches, and zero trust architectures continuously verify access, monitor for unusual activity, and contain the blast radius of attacks, denying adversaries an advantage at every stage.

Our IT environments are more complex than they’ve ever been. That’s the price many organisations must pay for overlapping layers of digital investment in recent years. Tackling the new risks that this creates will take a new approach focused on the external attack surface. The best way to do this without adding to the complexity is to consolidate onto a single platform.
