By Byron V. Acohido
When it comes to defending their networks, most companies have had it drilled into them, by now, that it’s essential to erect layered defenses.
Related:Promise vs. pitfalls of IoT
For small- and mid-sized businesses, firewalls, antivirus suites and access management systems represent the entry stakes for participating in today’s digital economy. Security-mature SMBs go the next step and embrace incidence response and disaster recovery planning, as well
Meanwhile, large enterprises pour tens of billions of dollars annually into next-gen firewalls, EDR, DLP and IDStechnologies, each system generating a fire-hose of threat feeds, with all of this threat intel flooding, hour-by-hour, into SIEMs, UEBAs and other analytics platforms.
And yet, after a couple of decades of piling up layer upon layer of defenses, catastrophic breaches persist — they’re occurring as often as ever, and causing more harm than ever. Threat actors simply seek out the endless fresh attack vectors arising as an unintended consequence of digital transformation. In short, layered defenses have turned out to be cheesecloth.
Acknowledging this, a few cybersecurity innovators are taking a different tack. Instead of offering up more layers of defense, they’ve slipped on the shoes of the attackers and taken an offensive approach to defending IT assets. One of the most single-minded of these security vendors is startup CyCognito.
The company was launched in Tel Aviv in 2017 by a couple of former Israeli military cyber ops attack specialists, Rob Gurzeev and Dima Potekhin. Gurzeev and Potekhin set out to mirror the perspective of threat actors — and then help companies tactically leverage this attackers’ view to shore up their porous networks.
“The attackers need only to find a single blind spot to gain entry – it’s like singling out the weakest zebra in the herd,” says Gurzeev, CyCognito’s CEO. “Defenders, meanwhile, have to guard everything all of the time, and most organizations have many more Internet pathways than they even know about, much less are taking steps to defend.”
CyCognito’s employment of a bot network is what struck me most after I sat down with the team and learned in more detail what they’re up to. They’re not just borrowing a few pages from the attackers’ handbook; they’re actually utilizing the bad guys’ core tool – botnets They’ve set out to boldly redirect botnet-power towards helping, instead of exploiting, the good guys.
I first wrote about criminal botnets at USA TODAY in 2004. Botnets at the time were just emerging; they’ve since become entrenched as the engine that drives all of cybercrime. A bot is a computing nodule that strictly obeys instructions from a command and control server. A criminal botnet is a network of bots under control of an individual attacker.
Botnets are the nimble infrastructure that enables criminals to blast out massive ransomware and denial of service attacks and also to execute intricate advanced persistent threat (APT) hacks that play out over months and go very deep. Bots traditionally have arisen from compromised, or “pwned,” computing devices. Today bots are more often spun up as virtual instances of computing devices. Bad actors are spinning up these virtual bots by the million, utilizing computing resources sold, no questions asked, by the major cloud service providers, Amazon Web Services, Microsoft Azure and Google Cloud .
By contrast, CyCognito’s 60,000 nodule-strong bot network is comprised of computing instances distributed globally with the expressed intent to help enterprises protect themselves. Bots do what they’re told. CyCognito’s bot network actively crawls the Internet identifying and mapping all exposed IP assets, fingerprinting each asset. This is essentially identical to the ground-level crawling and probing reconnaissance tasks that criminal botnets perform every day.
Upon finding an exposed IT asset, say a web server or a gateway router, CyCognito can pinpoint the IP address, confirm what type of asset it is and check whether the asset has any open ports; it can even ferret out snippets of coding or text, such as a copyright, that indicates more granularly what specific functions the asset performs, who the asset belongs to and what other assets it communicates with.
CyCognito’s bots feed this ground-level intelligence back to an analytics platform, which makes correlations and may ask for more information. This results in an assessment of the business context surrounding each asset. “We’re building a live picture of what’s out there, not specifically looking for problems, at that stage,” explains Raphael Reich, CyCognito’s vice president of product marketing. “We’re collecting information to build associations between assets that other solutions miss: assets in the cloud, in subsidiaries, in third-party networks.”
Another thing about bots, they do what they’re told — for as long as they’re told to do it. Over the past couple of years, CyCognito’s botnet has surveilled and fingerprinted some 3.5 billion Internet-exposed IT assets, resulting in rich data sets that are fed into the company’s analytics. CyCognito has been able to map details of specific assets to thousands of organizations in much the way a criminal ring would do, which allows it to understand attackers’ easiest pathways i
Last November, the company released findings from an analysis it conducted to identify what it calls “shadow risk” – exposures that, for whatever reasons, enterprise IT and security teams are often blind to. Shadow risk creates attack vectors that are externally exposed to anyone with the skill and desire to go find them. The data reveals that a stunning percentage of organizations have a significant number of security blind spots, most often stemming from third-party and cloud interconnectivity. For instance, CyCognito’s research found:
•Organizations are unaware of as much as 75% of their attack surface.
•Some 82% of these hidden assets impact the organization’s cybersecurity posture and are managed by their cloud providers, partners or subsidiaries.
•Some 87% of organizations have critical exposures that are visible to attackers at a given point in time.
These findings are not at all surprising. Quite the opposite, they ring very true. Companies never found a way to stop intruders from breaching and plundering with impunity, even when all they had to defend were on-premises IT systems. Today we’re in the throes of digital transformation. Agility, speed, and modular transactions happen on the fly and in the cloud. This sets up a much more complex security challenge than setting up trip-wire alarms around an on-prem data center.
“Most organizations have expanded and broadly diversified their IT resources on-premises and in the cloud, making continuous monitoring and timely mitigation extremely challenging,” observes Potekhin, CyCognito’s CTO. “The inspiration for the CyCognito platform was the realization that the explosive growth in the numbers of threat actors and the sophistication of their tools has leapfrogged the capabilities of legacy security solutions and most of today’s enterprises, even those who are highly security-aware.”
What CyCognito has set out to do is outflank attackers and one of the results is a high-definition snapshot of the threat landscape, on any given day. That’s a major step forward. I hope they are able to trigger a new era of advances in the overall field of attack surface monitoring.
Meanwhile, as you might expect, the company has also designed its botnet and analytics platform to be available for hire — to drill down on individual companies’ IT assets. This can help companies identify and address open attack vectors — before the bad guys can get to them. “We looked to create a new class of solution to beat the attackers at their own game,” Gurzeev says. “It’s heartening that from Day One on our platform, customers are finding, assessing and closing open pathways.”
I expect layered defenses will continue to have a place, moving forward. But it’s going to be fascinating to see how adding a bit of offensive punch to defending networks catches on, and how much of a difference offensive security solutions will make, overall. I’ll keep watching.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)