Executive Blog - NetSPI (https://www.netspi.com/blog/executive/), feed last updated Tue, 02 Apr 2024 14:10:10 +0000

Mainframe Mania: Highlights from SHARE Orlando 2024
https://www.netspi.com/blog/executive/personnel-development/highlights-from-share-orlando-2024/
Tue, 26 Mar 2024 13:00:00 +0000

NetSPI Security Consultant Michelle Eggers attended SHARE Orlando 2024 for a hands-on educational conference focused on mainframe security.

SHARE Orlando 2024

Mainframe is happening now!

While most people may imagine mainframe computers to be an antiquated world of massive machinery, tape spools, and limited possibilities, they actually receive widespread use today in 2024 as the backbone infrastructure that allows billions of financial transactions to occur daily on a global scale.

Government entities can store and retrieve sensitive data with extremely high reliability and almost nonexistent downtime, and other sectors like healthcare, insurance, and utilities can meet the speed of demand by processing multiple terabytes of data with incredible ease and consistency.

Mainframe computers have a wonderfully rich history that spans decades, and as such there have been many groups over the years that bring practitioners, vendors, and resource owners together for collaboration. SHARE, with an inauguration year of 1955, is the oldest and most well-known of these organizations — if you work in mainframe, you know about SHARE! It began as the first IT Enterprise group ever to form within the United States and has been operating continuously since, through industry publications, annual conferences, trainings, and ongoing opportunities to connect.

I had the pleasure of attending this year’s SHARE Orlando 2024 where I learned about the state of mainframe security today and the in-demand skills needed to protect these critical systems. Here’s what I thought of my time at the event.

Mainframe Penetration Testing is a Scarce Skillset 

SHARE Orlando 2024 was the first time I had the opportunity to experience a mainframe event, and it was an excellent introduction to the mainframe community at large, with representation from organizations worldwide occupying the mainframe space. NetSPI was the only US-based proactive security consulting firm present, and I found myself engaged in multiple conversations on mainframe security as it relates to new integrations with data lakes, analytics platforms, blockchain, and AI.

Also under frequent discussion were developments in hosted cloud computing, quantum cryptography, web applications on mainframe, and mainframe ethical hacking in general. I realized during my time at SHARE that there are currently very few dedicated ethical hackers working in mainframe; the arena is in great need of this skillset, and I was deeply encouraged to continue building my individual mainframe knowledge while contributing to the development of our expanding Mainframe Penetration Testing service line here at NetSPI.

Mainframe Penetration Testing 

IBM z/OS is by far the most common operating system you will find in use on mainframe today, and I was intrigued by a product IBM recently released called WatsonX AI. It makes use of foundational models and generative AI to assist with code translation from COBOL to Java for increased interoperability, and also makes it possible for businesses to train and deploy custom AI capabilities across the enterprise environment while maintaining full control of the data they own.

I also learned so much at both talks given by Philip Young, NetSPI’s Mainframe Director. At his first talk, entitled “Hacking CICS Applications: New Attacks on Old Screens”, the collaborative nature of SHARE was seen in full force as he was met with a great deal of feedback from the audience throughout the duration of the presentation. The talk covered an introduction to hack3270, a tool used to assist in CICS application pentesting, and certainly made an impression on the crowd… especially vendors and developers who had some new things to consider regarding the security of their CICS environments.

Philip’s second talk, “No Longer a Myth: A Guide to Mainframe Buffer Overflows”, was also well-received by the audience. A specific attack that for years many believed to be impossible was brought to light with a clear demo on how exactly this vulnerability can take place and some tips on ways to safeguard against buffer overflows on mainframe.

Finally, Mark Wilson gave a talk on the threat of ransomware within the mainframe environment. It was eye-opening for me, as I personally was not aware of the native capability mainframe has for encrypting massive amounts of stored data within mere seconds. The fact that terabytes of mission-critical data could be encrypted in less than 12 minutes was a strong call to action for mainframe practitioners and owners alike to be aggressive with MFA requirements and tracking user behavior analytics.

Mainframe Security Is Mission-Critical 

I have a soft spot for mission-critical operations, legacy systems, and critical infrastructure. More specifically, I have a deep and abiding passion for the security of systems like mainframe that are heavily relied upon but do not frequently gain mainstream attention in the cybersecurity space. If we are relying on these computers, we must continuously work to protect them! Though they have been around for many years, new integrations and developments mean we will be faced with new potential vulnerabilities. All an attacker needs is one weakness to prevail, and these are the situations I am here to identify and report for eradication.

Check Out These Free Resources to Expand Your Mainframe Security Education 

There are some great talks available online, Philip has a fantastic list up (here and here are a few) covering many topics from the hacker perspective. IBM also hosts a free training program called IBM Z Xplore with hands-on interactive modules for learning to navigate and maximize z/OS use, as well as a networking platform called New to Z for burgeoning talent within any organization utilizing mainframe technology.

Overall, SHARE is a must-attend for those involved with or even just deeply fascinated by the world of mainframe. There is no other gathering of people with such passion and drive dedicated to this field. I was very pleased with the new information I was able to acquire and am so thankful for the connections I made among professionals and peers within the mainframe community.

See NetSPI’s technical research on Mainframe Penetration Testing by reading Philip’s article on Enumerating Users on z/OS with LISTUSER.

From Scanners to Strategies: How Attack Surface Management Enhances Vulnerability Scanning
https://www.netspi.com/blog/executive/attack-surface-management/from-scanners-to-strategies-how-attack-surface-management-enhances-vulnerability-scanning/
Tue, 19 Mar 2024 15:09:07 +0000

Vulnerability scanners and attack surface management work better together. See how the combination works toward a proactive security strategy.

Vulnerability scanners help scan known assets, but what about the assets you don’t know exist?  

Attack surface sprawl is a growing challenge with 76% of organizations experiencing some type of cyberattack that started through the exploit of an unknown, unmanaged, or poorly managed internet-facing asset.1 The constant expansion of attack surfaces has made the need for visibility into potentially unknown attack surfaces more important than ever.  

Pairing vulnerability scanners with attack surface management (ASM) gives security teams high-fidelity analysis and prioritization of assets and exposures, while limiting noise and false positives commonly associated with technology-only platforms.

Why vulnerability scanners aren’t enough 

The issue lies in the fact that vulnerability scanners can only scan entities you tell them to. Vulnerability assessments operate on a tactical level, often treated as commodities where you acquire a scanner and direct it toward known targets.  

Vulnerability scanners rely on a policy that defines the scope and dictates where the scanner should focus its efforts, whether that’s on targets, networks, or assets. Without this essential step, the scanner lacks the intelligence to identify assets, as its sole purpose is to scan what it’s told to. Vulnerability scanning on its own is an output of potential issues; the tool can’t go out and find assets you haven’t explicitly told it to find. That’s where NetSPI ASM comes in. 

How NetSPI Attack Surface Management covers gaps

The beauty of ASM is its ability to uncover what’s unknown. This aspect is crucial as it offers a more strategic approach compared to traditional vulnerability assessments. When transitioning to ASM, security experts conduct specific operations to identify elements such as subsidiaries and various IPs associated with the organization. Through these efforts, previously undiscovered assets come to light that had been omitted from scanning and thus excluded entirely from a vulnerability assessment program. 

Vulnerability scanners paired with NetSPI ASM enrich the assets, ensuring the scope of your scan is comprehensive.  


Leveraging technology, intelligence, and expertise for Proactive Security 

The advanced technology behind NetSPI ASM combines with our security experts to deliver the most comprehensive view of external attack surfaces. Our deep visibility helps you understand specific risks to your business so your team can spend less time sifting through alerts or responding to false positives. With the full force of NetSPI in your corner, you can navigate rapid innovation with confidence, while protecting the trust you’ve worked so hard to build. 

How do we go about enriching asset discovery?  

We research multiple data sources to identify external-facing assets, utilizing a combination of human intelligence and third-party services in our research, a task that a vulnerability scanner could never accomplish on its own. 

For example, we use a blend of OSINT, proprietary and commercial sources, and techniques to continuously search the internet to identify your entire attack surface. This process collects items including, but not limited to, business and legal structures, domains, and IP addresses.

Our team performs exposure identification by:  

  • Port scanning  
  • Certificate scanning  
  • DNS scanning / querying  
  • Sub-domain brute forcing  
  • Web application scanning  
  • SNMP queries  
  • UDP scanning  
  • TCP scanning  
  • Taking screenshots, grabbing banners  
  • API queries of configured cloud environments

We utilize active and passive techniques to continuously identify the existence of exposures on assets. Active discovery is performed on all identified assets for ports, technologies, certificates, vulnerabilities, DNS records, etc., while passive discovery is performed through integrations with data feeds that allow us to enrich data found through active discovery.  
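The scope gap the post describes (a scanner only ever touches the targets its policy names, while discovery keeps finding hosts outside that policy) can be made concrete with a small reconciliation step. The following is an added example and not NetSPI's code: it takes a constructed scanner scope and a constructed set of discovery results from several techniques, deduplicates hits seen by more than one source, and reports every discovered host whose address falls outside the scanner's scope. The hostnames and addresses are constructed sample values in reserved documentation ranges.

```python
"""Reconcile a vulnerability scanner's configured scope against assets found by
attack surface discovery, surfacing hosts the scanner was never told to scan.

Added example; not NetSPI's code. All inputs below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DiscoveredAsset:
    host: str    # hostname as discovered (constructed)
    ip: str      # address the host resolved to (constructed)
    source: str  # discovery technique label (constructed)


# Constructed scanner policy: the only targets the scanner will ever touch.
SCAN_SCOPE = ["203.0.113.0/26", "198.51.100.10", "198.51.100.20"]

# Constructed discovery results from active and passive techniques.
# The same host/IP pair may be reported by more than one technique.
DISCOVERED = [
    DiscoveredAsset("www.example.com", "203.0.113.5", "dns"),
    DiscoveredAsset("www.example.com", "203.0.113.5", "certificate"),        # duplicate
    DiscoveredAsset("mail.example.com", "198.51.100.10", "dns"),
    DiscoveredAsset("old-vpn.example.com", "198.51.100.77", "certificate"),  # not in scope
    DiscoveredAsset("dev.example-subsidiary.com", "203.0.113.200", "subdomain-bruteforce"),  # outside /26
]


def parse_scope(entries):
    """Turn scope strings (single IPs or CIDR blocks) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_scope(ip, nets):
    """True if the address falls inside any configured scope entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def dedupe(assets):
    """Collapse duplicate (host, ip) pairs, keeping the set of sources that saw each."""
    merged = {}
    for a in assets:
        merged.setdefault((a.host, a.ip), set()).add(a.source)
    return merged


def scope_gap(scope_entries, assets):
    """Return {(host, ip): [sources]} for discovered assets the scanner would never reach."""
    nets = parse_scope(scope_entries)
    return {
        key: sorted(sources)
        for key, sources in dedupe(assets).items()
        if not in_scope(key[1], nets)
    }


if __name__ == "__main__":
    for (host, ip), sources in scope_gap(SCAN_SCOPE, DISCOVERED).items():
        print(f"NOT IN SCANNER SCOPE: {host} ({ip}) seen via {', '.join(sources)}")
```

In practice the scope list would be exported from the scanner's policy and the discovery results would come from the techniques listed above; the point of the reconciliation is that the unscanned set is exactly the part of the attack surface the scanner reports nothing about, so it is the first thing to add to scope or to explain.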

This detailed information gathering leads to high-quality findings, allowing us to report only on true positives, with highly documented verification steps and remediation instructions. We provide detailed validation and evidence verification, so you only receive the true positives that matter the most to accelerate remediation and eliminate constant alerts and manual correlation from multiple sources. This is the “secret sauce” behind The NetSPI Advantage. Machine intelligence plus human intelligence is compound intelligence that benefits our customers. To put it simply, we go beyond for our customers so they can go beyond for theirs.

Vulnerability scanning vs penetration testing 

Both vulnerability scanners and penetration testing have their time and place to enhance the overall security of systems. The biggest difference is the depth of results from each measure. Vulnerability scanning is an automated process that identifies and reports potential vulnerabilities in a system, focusing on known weaknesses.  

Penetration testing, on the other hand, involves simulating real-world attacks by skilled professionals, a la The NetSPI Agents, to actively exploit vulnerabilities and assess the system’s security posture. While vulnerability scanning provides a broad overview of potential issues, penetration testing goes deeper, uncovering weaknesses that may not be apparent through automated scans. See if you’re getting the most value from your penetration testing reports. 

Empower your security posture with NetSPI 

The most helpful lesson we can share with anyone working to advance your security posture is don’t go it alone. The shared learning from experts who have worked through the same challenges you face is invaluable to bring clarity, speed, and scale to your security programs.  

Reach out to connect with our security experts or keep learning about NetSPI ASM by watching our demo.  

NetSPI’s View on the 2023 Gartner® Competitive Landscape: External Attack Surface Management Report
https://www.netspi.com/blog/executive/attack-surface-management/netspi-view-on-2023-gartner-competitive-landscape-external-attack-surface-management-report/
Tue, 05 Mar 2024 15:00:00 +0000

External Attack Surface Management is a growing category in proactive security. Here’s NetSPI’s take on how Gartner® summarized its research.


External Attack Surface Management (EASM) accelerated to the frontline of proactive security, and for good reason. The technology creates a comprehensive view of a company’s external assets by mapping the internet-facing attack surface to provide better insight into changes and where to focus the attention of security teams. Gartner wrote a report that explains EASM in depth, including why asset discovery is only the tip of the EASM iceberg and how EASM supports Continuous Threat Exposure Management.1

What is External Attack Surface Management? 

External Attack Surface Management provides an outside-in view across a company’s attack surface to reveal assets and potential exposures. Focusing on external attack surfaces brings the greatest security value to organizations because of the sprawling growth of external attack surfaces. In fact, 67% of organizations have seen their attack surfaces expand in the last two years.2 

EASM is useful in identifying unknown assets and providing information about the organization’s systems, cloud services and applications that are available and visible in the public domain and therefore could be exploited by an adversary. 

According to Gartner, “Common EASM capabilities include:  

  • Performing external asset discovery of a variety of environments (on-premises and cloud).  
  • Continuously discovering public-facing assets as soon as they surface on the internet and attribute those assets to the organization (commonly using proprietary algorithms) for a real-time inventory of assets. Examples of public-facing assets are IP, domains, certificates and services.  
  • Evaluating if the assets discovered are risky and/or behaving anomalously to prioritize mitigation/remediation actions.” 

Beyond Asset Discovery: How External Attack Surface Management Prioritizes Vulnerability Remediation 

Given the inevitable sprawl of attack surfaces, many companies are embracing External Attack Surface Management solutions to discover their full scope of assets and prioritize critical remediations. 

Asset discovery is an important capability to have, and one that’s helping to drive the adoption of external attack surface management. That said, asset discovery is only one aspect of effective EASM.  

Why Asset Discovery Isn’t Enough 

While asset discovery is an important and complex step, by itself, it’s not a comprehensive measure to advance security posture. 

According to the Gartner report: 

“In order to be more actionable, EASM needs to support data integration and deduplication of findings across systems, automation of assigning the asset/issues to the owner of the remediation process and tighter integration with third party systems. These include ticketing systems, security information and event management (SIEM), security orchestration, automation and response (SOAR), configuration management database (CMDB), and vulnerability assessment tools. Some EASM provides remediation steps and guidance on prioritized issues, a dashboard to track the remediation progress, or the creation of playbooks.” 

For attack surface management to effectively improve an organization’s offensive security program, it must incorporate vulnerability prioritization and remediation tracking as well, such as with NetSPI ASM.

See what NetSPI ASM can do for your security by watching an on-demand demo of NetSPI’s solution.

Using an EASM Platform for Prioritized Vulnerability Remediation 

Taking a penetration testing engagement from start to finish requires many phases, including steps for remediation. Tests often result in a lengthy list of vulnerabilities that are ranked by severity. At NetSPI, our differentiator is the people behind our platform. Our human team of proactive security agents has deep cross-domain experience with manual analysis of vulnerability findings to validate their potential risk to a business. This context limits false positives, reducing noise and helping security teams respond more effectively. 

Automation is a vital capability, both for asset discovery and vulnerability remediation. But when human-driven noise reduction is involved, it creates the strongest attack surface possible. 

The Role of EASM in Continuous Threat Exposure Management (CTEM)

Gartner states:  

“CTEM is defined as a set of processes and capabilities that allows enterprises to continually and consistently evaluate the accessibility, exposure and exploitability of an enterprise’s digital and physical assets. It is composed of phases — scoping, discovery, prioritization, validation and mobilization — and underpinned by a set of technologies and capabilities, of which EASM is one. CTEM is different from risk-based vulnerability management (RBVM) in that the latter is an evolution of traditional vulnerability management, while CTEM is the wider process around operating and governing overall exposure. It includes solving the identified vulnerabilities as well as optimizing processes in the future so that the vulnerabilities do not resurface. 

EASM is foundational to CTEM for two reasons. First, it provides continuous and improved visibility into assets that organizations have less control over, such as SaaS applications and data held by supply chain partners and suppliers. Second, it assesses and prioritizes resources in mitigating/remediating issues that attackers are most likely to exploit and therefore benefits organizations during the first three phases of CTEM: scoping, discovery and prioritization.”

According to Gartner, there are 5 Phases of Continuous Threat Exposure Management: 

  1. Scoping 
  2. Discovery 
  3. Prioritization 
  4. Validation 
  5. Mobilization 

External Attack Surface Management Supports Scoping, Discovery, and Prioritization 

External Attack Surface Management assists in the first three phases of CTEM: scoping, discovery, and prioritization by supporting businesses through the inventory of known digital assets, continuous discovery of unknown assets, and human intelligence to prioritize severe exposures for timely remediation.  

Let’s look deeper at the first three phases in CTEM: 

  • Scoping: Identifies known and unknown exposures by mapping an organization’s attack surface. 
  • Discovery: Uncovers misconfigurations or vulnerabilities within the attack surface. 
  • Prioritization: Evaluates the likelihood of an exposure being exploited. NetSPI ASM combines technology innovation with human ingenuity to verify alerts and add the necessary context to prioritize remediation efforts. 

In some cases, such as with NetSPI, proactive security companies take this a step further by also performing penetration testing on the identified vulnerabilities to validate they are vulnerable and to prove exploitation.

How External Attack Surface Management Relates to Penetration Testing

The Gartner report explains: 

“EASM can complement penetration testing during the information gathering phase about the target (finding exploitable points of entry). The convergence between penetration testing and EASM will become more prominent as automated penetration testing solutions continue to emerge. 

Most penetration testing performed today is human-driven, outsourced and conducted annually (making it a point-in-time view), which is why the automated penetration testing market has emerged. Although automated penetration testing is an emerging market on its own, some vendors have already added EASM and vice versa. This is because vendors that started in the automated penetration testing market were initially only doing automated network penetration testing and not external testing. Technologies such as EASM, DRPS, BAS and automated penetration testing can collectively provide organizations with a realistic view of the full attack surface within their environment. This lets organizations test what they can or cannot prevent and detect, as well as determine how they would respond in the event of an attack. Therefore, the convergence of these technologies can better support organizations in their CTEM program.”

Manage Your Growing Attack Surface with NetSPI ASM 

NetSPI is recognized as a Sample Vendor in the Security Testing category offering EASM. We believe the NetSPI Attack Surface Management solution combines cutting-edge technology with extensive proactive security expertise to provide the richest insight into the attack surface. Our team and tools empower security staff to protect an ever-expanding number of assets and address vulnerabilities with prioritized remediation actions. By making the external attack surface as difficult to penetrate as possible, companies prevent more attacks before they even start, further improving the effectiveness of security teams.

Ready to bring proactive insights to your attack surface? Learn more about advancing your security program by talking with our team.

Gartner Objectivity Disclaimer

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

Ask These 5 AI Cybersecurity Questions for a More Secure Approach to Adversarial Machine Learning
https://www.netspi.com/blog/executive/adversarial-machine-learning/5-ai-cybersecurity-questions-for-more-secure-approach-to-adversarial-machine-learning/
Wed, 21 Feb 2024 19:55:00 +0000

These questions will kickstart your journey into Adversarial Machine Learning and AI security with key considerations from the start.

Artificial Intelligence (AI) and Machine Learning (ML) present limitless possibilities for enhancing business processes, but they also expand the potential for malicious actors to exploit security risks. Like many technologies that came before it, AI is advancing faster than security standards can keep up with. That’s why we guide security leaders to go a step further by taking an adversarial lens to their company’s AI and ML implementations. 

These five questions will kickstart any AI journey with security in mind from the start. For a comprehensive view of security in ML models, access our white paper, “The CISO’s Guide to Securing AI/ML Models.”

5 Questions to Ask for Better AI Security

  1. What is the business use-case of the model?
    Clearly defining the model’s intended purpose helps in identifying potential threat vectors. Will it be deployed in sensitive environments, such as healthcare or finance? Understanding the use-case allows for tailored defensive strategies against adversarial attacks. 
  2. What is the target function or objective of the model?
    Understanding what the model aims to achieve, whether it’s classification, regression, or another task, can help in identifying possible adversarial manipulations. For instance, will the model be vulnerable to attacks that attempt to shift its predictions just slightly or those that aim for more drastic misclassifications? 
  3. What is the nature of the training data, and are there potential blind spots?
    Consider potential biases or imbalances in the training data that adversaries might exploit. Do you have a comprehensive dataset, or are there underrepresented classes or features that could be manipulated by attackers?
  4. How transparent is the model architecture?
    Will the architecture details be publicly available or proprietary? Fully transparent models might be more susceptible to white-box adversarial attacks where the attacker has full knowledge of the model. On the other hand, keeping it a secret could lead to security through obscurity, which might not be a sustainable defense. 
  5. How will the model be evaluated for robustness?
    Before deployment, it’s crucial to have an evaluation plan in place. Will the model be tested against known adversarial attack techniques? What tools or benchmarks will be used to measure the model’s resilience? Having a clear evaluation plan can ensure that defenses are systematically checked and optimized.

The most successful technology innovations start with security from the ground up. AI is new and exciting, but it leaves room for critical flaws if security isn’t considered from the beginning. At NetSPI, our proactive security experts help customers innovate with confidence by proactively planning for security through an adversarial lens. 

If your team is exploring the applications of AI, ML, or LLMs in your company, NetSPI can help define a secure path forward. Learn about our AI/ML Penetration Testing or contact us for a consultation.  

Annual Pentest? Done. How Proactive Security Covers the Other 50 Weeks in a Year
https://www.netspi.com/blog/executive/proactive-security/how-proactive-security-covers-the-other-50-weeks-in-a-year/
Tue, 13 Feb 2024 22:23:24 +0000

Explore proactive security from a CISO’s lens. Tim MalcomVetter and Aaron Shilts discuss shifting from point-in-time pentesting to proactive security.

Hear straight from NetSPI’s CEO Aaron Shilts and our new EVP of Strategy Tim MalcomVetter as they discuss a range of proactive security topics. Tim’s extensive background as a security analyst, pentester, director of Red Team, and chief technology officer for leading global companies brings a wealth of insights to the table. With a track record of hacking diverse systems, from mainframes to APIs to mobile and IoT devices, Tim offers a unique perspective on the evolution of proactive security measures.  

Read on for the highlights or watch the webinar for the full conversation.

What is Proactive Security?  

Tim explains that proactive security means thinking about continuity beyond isolated engagements, such as an external penetration test. Given that a penetration testing engagement typically lasts from a few days to a couple of weeks, the question arises: What measures are in place during the remaining 50 weeks of the year?

With your attack surface expanding and the perimeter continually evolving, your security controls face relentless scrutiny. Gaining insight into external-facing assets, vulnerabilities, and exposures presents a noisy and time-consuming challenge for security teams. Furthermore, even upon identifying validated vulnerabilities, ensuring that your security stack effectively detects and mitigates them poses another hurdle.

External pentesters have a knack for identifying anomalies that might otherwise go unnoticed. Seizing such opportunities becomes pivotal, as these anomalies could potentially lead to breaches. Therefore, the focus with proactive security lies in outpacing cyber threats. The relentless nature of SOC work underscores the need for constant vigilance. The objective is to streamline this mindset, ensuring that critical issues are promptly addressed to optimize efficiency and minimize time waste. 

You may find yourself considering these common questions about your organization’s security stance:  

  1. Where are my vulnerabilities?  
  2. Can I maintain continuous awareness of them?  
  3. What aspects can I monitor effectively, and is my team equipped to respond promptly?  

These are key questions to surface internally to help define a path forward toward proactive security.

Watch the Q&A on Proactive Security 

Watch the full webinar with Aaron and Tim!  

Tim’s impressive background in various security roles, coupled with his extensive experience in hacking diverse systems, adds depth and expertise to the discussion. Take the next step in enhancing your organization’s security posture by contacting NetSPI for a consultation. 

5 Criteria for Evaluating External Attack Surface Management Vendors
https://www.netspi.com/blog/executive/attack-surface-management/criteria-for-evaluating-external-attack-surface-management-vendors/
Tue, 30 Jan 2024 21:32:26 +0000

Evaluating attack surface management vendors can be challenging. Learn about five criteria to select the right vendor based on your business needs.

As your company’s external attack surface expands and threat actors remain relentless, Attack Surface Management (ASM) solutions can help level up your proactive security measures by enabling continuous pentesting. Thoroughly vetting and comparing different ASM providers is essential to selecting one that best aligns with your business needs and overarching security goals.  

What to Look for When Evaluating External Attack Surface Management Providers  

To simplify the process of evaluating attack surface management vendors, we’ve identified five important criteria to look for when comparing different companies.  

1. Proven Reputation and Third-Party Validation 

Vendors new to the attack surface management space may not have enough experience tailoring their platform for greater business needs. Selecting a tenured vendor with a history in ASM can offer benefits such as streamlined processes, quick access to support teams, and proven methods to improve security. 

Look for attack surface management providers that have received recognition from trusted third parties such as Gartner® or Forrester. Expert analysts at these and other research and advisory firms perform a factual review of information from technology providers to recognize solutions that demonstrate innovation.

As part of this research, Forrester included NetSPI in its External Attack Surface Management Landscape Report featuring top EASM vendors, and Gartner featured NetSPI in its EASM Competitive Landscape Report.

Gartner shared the following about NetSPI in the report:

NetSPI differentiates by combining its ASM capability with its human pentesting expertise. This is achieved via the attack surface operations team, who manually test and validate the exposures found. As a result, it reduces alert fatigue and false positives, while providing customers only the critical and high exposures relative to their organization, as well as the support on how to remediate said exposures.

2. Critical Functionality 

Depending on your business needs and use cases for choosing an ASM platform, some functionalities may be more important than others. 

In The External Attack Surface Management Landscape, Q1 2023, Forrester listed several core functionalities to look for in attack surface management platforms, including:

  • External/internet-facing asset discovery 
  • Asset identification 
  • Asset and business relationship mapping 
  • Active and passive vulnerability scanning 
  • Open ports and services monitoring 
  • URL and IP range tracking 
  • Certificate monitoring 
  • Exposure/risk prioritization 
  • Custom dashboarding and reporting  

3. Screenshots and Software Demos of the Platform  

Trusted attack surface management providers have screenshots of the platform readily available so prospective customers can see what the platform and key functionalities look like firsthand.

Here’s a screenshot of the Signal Dashboard from NetSPI’s ASM platform. The screenshot shows that NetSPI ASM Operations team has reviewed 1.21k assets, discovered 285 new assets, and reviewed 232 vulnerabilities.

In addition to screenshots, having the option to take an ASM platform for a test drive through a guided demo or webinar is an important step before selecting an ASM vendor. This option can enable your team to experience the platform, ask specific questions about capabilities, and better understand feature differentiators between tools.

4. Human Analysis and Guidance  

In addition to advanced functionality, human analysis and expertise are essential to take into consideration when evaluating attack surface management companies. With human analysis, the vendor’s ASM operations team manually reviews and validates findings, which reduces false positive alerts and, as a result, minimizes disruptions to business operations. The team also helps by answering any questions that come up related to findings and providing guidance for remediation.

One challenge businesses often face is that security or IT teams need to hire a dedicated employee to manage an ASM solution on top of investing in the solution itself, which drives up costs including hiring, training, and salary. In fact, our 2023 Offensive Security Vision Report found that one of the greatest barriers to improved offensive security is a lack of resources.  

With a user-friendly ASM platform powered by human expertise, an entire team is available to triage alerts, so you don’t need to add additional responsibilities or headcount to your team.

5. Simple Onboarding  

Some attack surface management companies require time-intensive setup and onboarding, which can take several hours of your team’s time and can push back the timeline of full platform implementation by weeks.

As you consider different ASM platforms, look for one with a streamlined or automated onboarding process, on-demand training materials, a user-friendly design, easy-to-digest dashboards, and human support as needed during the onboarding process. Seamless onboarding can help ensure you start off on the right foot with an ASM vendor and accelerate time to value.

Types of Attack Surface Management Vendors 

A few different types of ASM vendors are available:

With a human-based ASM vendor, expert human pentesters conduct penetration testing and vulnerability assessments to test the external network, typically on a quarterly basis.

Technology-driven ASM solutions involve tools or scanners that review the full attack surface (aka the assets a business has on the Internet) and use scores to prioritize and remediate impactful findings.  

A hybrid approach involves combining both human intuition and analysis with advanced, automated technology to more effectively identify vulnerabilities and filter prioritized alerts. 

Partnering with a hybrid ASM vendor is the most impactful option because it enables verified prioritization of results to ensure only the most relevant alerts are delivered, resulting in the best ROI on your cybersecurity investment.

Questions to Ask Attack Surface Management Vendors 

To effectively evaluate an ASM solution and select the right partner that aligns with your business requirements, develop a standardized list of questions to ask each vendor before making a decision.

Questions to consider asking include: 

  • Do you offer a human-based, technology-driven, or hybrid approach to attack surface management? 
  • How often are tests conducted? 
  • Do you offer continuous pentesting? If so, how do you approach it? 
  • How broad and up-to-date is the data?  
  • How soon do new assets appear and get recognized by the ASM tool? 
  • Do you support exposure remediation once vulnerabilities are discovered? How? 
  • Do I have access to all of my scan data if needed?  
  • What does the onboarding process look like? How much time is required of my team?  
  • What’s your process for managing and prioritizing alerts? 
  • How will you help me understand the most critical assets or vulnerabilities on my attack surface? 
  • What are the critical risk factors most likely to impact the business?  
  • Who are the potential attackers threatening my business?  
  • Which vulnerabilities are the most important to prioritize with remediation?  
  • Which exposures are threat actors most likely to exploit? 

Partner with NetSPI for the Most Comprehensive ASM Capabilities  

The right attack surface management provider can help your organization more effectively manage your attack surfaces and quickly identify and remediate vulnerabilities.

If you’re looking for an ASM platform that includes all the criteria listed above – and more – NetSPI has you covered. We created our attack surface management platform based on three essential pillars of ASM: human expertise, always-on continuous pentesting, and risk prioritization.

Some of the benefits of selecting NetSPI as your attack surface management provider include:  

  • Simple setup and onboarding  
  • Comprehensive asset discovery  
  • Manual triaging of exposures  
  • Prioritized alerts 

Learn more about how we can improve your offensive security together by watching a demo of our ASM platform. Also take our free attack surface management tool for a test drive and search more than 800 million public records for potential attack surface exposures.

What is the CISO Experience in a Red Team Exercise?
https://www.netspi.com/blog/executive/red-teaming/ciso-experience-in-red-team-exercise/ (Tue, 16 Jan 2024 15:00:00 +0000)
What can you expect while going through a Red Team exercise? We answer the questions on every CISO’s mind when considering a Red Team engagement.

You’re about to have your first Red Team experience, or maybe your first one in the CISO seat of your organization. Maybe it’s just been a little while since your last one and you are curious how this one will go, what the Red Team will find, how your Blue Team will handle it, and what the longer tail takeaways post-engagement will be like.  

But before you begin, it’s important to consider: What am I not thinking about? Are we ready? How can I prepare for this?

What if I Have Specific Objectives for Red Teaming?

If you haven’t already, make sure you’ve discussed your objectives with your Red Team partners to ensure alignment with what you’re hoping to learn and focus on. This conversation will often center around matching Red Team objectives with the maturity of the security program and your Blue Team to get the most benefit from a Red Team exercise, because this definitely should not be a one-size-fits-all exercise. For example, at NetSPI, we tailor the Tactics, Techniques, and Procedures (TTPs) we use to your currently known capabilities and gaps. Our goal is to help you grow your program in a meaningful and material way, even if resources are constrained and growth is gradual.

How Much Do I Tell My Team when Engaging Red Team Testing?

It’s most common for a Red Team exercise to be an extremely limited knowledge event. Who you provide advanced notice to is up to you. Our advice: less is more if you want to know how truly prepared your security program is.  

If you do these all the time, you may want to tell your team that a Red Team exercise will happen in the future but remain vague—no specific dates. This has a “Secret Shopper” effect, just like a retail clerk who is unsure if their customer is an actual customer, or a plant sent from corporate headquarters to evaluate the store. The foreknowledge that a secret shopper may arrive at any time can have a positive psychological effect, bringing out the best performance of the team. Likewise, your Blue Team may become naturally more vigilant simply because they know a Red Team may come anytime.

What if I have an MSSP or MDR Provider?

Since most MSSP or MDR provider relationships are focused solely on the ability to detect and respond to credible threats, it is best to NOT advise them in advance that the Red Team exercise is happening. However, post-exercise, it is critical that you properly read in your provider so that they can collaborate with you on a path to improve detection and response coverage. NetSPI, specifically, loves to partner with MSSPs and MDR providers, because they are your Blue Team on the front lines. Our objective isn’t to make your provider look bad; our objective is to prepare your organization for the eventuality of a real incident.

Should I Have Expectations on How Successful the Red Team Exercise Will Be? 

It’s probably best to set expectations that while your Blue Team will bring some friction to the Red Team, it will feel like the Red Team managed to get ahead and reach objectives too easily. This isn’t always the case, of course, and we love to have our best tradecraft get shut down by our customers!  

But since our Red Team constantly focuses on what works, what doesn’t, what security controls provide friction against which TTPs, etc., we are constantly improving. If our Red Team is successful, it doesn’t mean that the threat actors most likely to land in your environment will automatically have equal success.  

Threat groups tend to cluster around a smaller set of TTPs than our Red Team because they apply them at Internet scale across many organizations. If the techniques fail and a Blue Team contains them, they don’t care. There isn’t enough friction to change TTPs often if they still work on the next victim. Our goal is to be the best [simulated] threat actor we can be for you. This is a subtle, but important difference. 

Now all of that isn’t to say this is easy for our Red Team. By far the hardest part of our job is getting the initial access foothold into your organization. We don’t have magic 0-day exploits to walk right in. We have drudgery ahead of us: scouring your entire perimeter, learning about your business using Open-Source Intelligence (OSINT), social engineering our way in (if that’s in scope for your engagement) … essentially leaving no stone unturned.  

We prefer to do it this way, when possible, because once our Red Team lands inside your organization, it will “feel natural” to incident responders who eventually (hopefully) will see something unusual that they chase to its origin. But that said: do not over-index on this step. If your goal is to absolutely find a way from the outside into your organization, you probably should do an External Network Penetration Test instead.  

What you’re ultimately buying in a Red Team exercise is the detection and response cat-and-mouse game that helps you evaluate your readiness for a breach. You don’t get that benefit from us until we land inside your organization. Because neither you nor we have unlimited surplus budget, we will want to time box our efforts looking for the “natural” ingress point, and when we hit that point, we will want to switch to an “assumed breach” scenario where you seed us access. We can even do it this way from the start to save time and money.

What Happens After a Red Team Exercise? 

Besides the debrief meeting and handing you deliverables, what’s next for a CISO after a Red Team exercise? In most cases, there will be significant security engineering and process overhaul project work. Unlike a pentest, where a finding can be quite small and tactical, such as applying a patch, fixing permissions, changing a password, or updating a line of code, findings coming out of Red Team exercises are typically wide-reaching and systemic. Some may require projects that span more than a year to complete. It may be good to brief your CFO, CEO, and Board of Directors about the exercise in advance, so they know you will likely come asking for a budget increase to cover control gaps. We can certainly help you with messaging there as well! Reach out anytime.

What about Follow-Up Testing? 

While the Red Team may likely find and exploit vulnerabilities in your internal environment, they won’t exhaustively search for all related instances of that vulnerability. Red Teaming is a depth-first search: chaining vulnerabilities, detection gaps, process flaws, and misplaced human trust together to reach an objective.  

Penetration Testing, on the other hand, is a breadth-first search: locating all instances and permutations of all possible vulnerabilities. For example, if the Red Team finds a single instance of SQL injection on an internal web application, exploiting that to gain additional objectives or access, the best next step is to perform a top-to-bottom penetration test on that web application, to ensure nothing else was missed that the Red Team didn’t have time to find, or was trying to be too quiet to test. 

How Often Should I Plan for Red Team Testing?  

This is entirely up to you, of course, but here are some things for you to consider:  

  • How much has changed with your controls since you completed the first Red Team exercise?
    If not much, don’t expect a wildly different experience in the Red Team’s ability to reach objectives—but the exercise can still be meaningful to give your Blue Team another chance to train and become more prepared for an actual event. You can also ask us to avoid certain things or modify the path towards objectives to vary from your prior experience. 
  • How large and segmented is your business?
    If you have a lot of M&A, subsidiaries, disparate geographic locations, etc., you may benefit from intentionally scoping another Red Team exercise to land in another part of your organization sooner rather than later. These “satellite” organizations often provide less detection and response friction to adversaries looking for a path to pivot into the corporate mothership.
  • What cadence are you trying to establish?
    It may be beneficial from a budgeting perspective to plan for a semi-annual or annual Red Team exercise to set a solid precedent with your CFO, CEO, and Board of Directors that this is a meaningful recurring part of your security program. When combined with the ideas above, the experiences each time will definitely vary. 

How Can I Tell if a Red Team Exercise is Successful? 

As the CISO, you will appreciate that a successful Red Team exercise has almost nothing to do with whether the Red Team reached an objective.  

The Red Team could reach an objective but highlight serious gaps in the process that you can quickly fix with existing controls or help make the business case for a security budget extension. Or they could be contained by your Blue Team without any new technical learnings, yet the confidence the Blue Team gains from containing the Red Team might be precisely what is needed for your security program. 

At the end of the day, “success” is largely a product of clearly defining the goals you have for the engagement and tying the results back to the identification and reduction of risk, improving your cybersecurity program, and protecting your organization. No two exercises are exactly alike! 

Whether you’re starting your first Red Team exercise, or you’re looking for an outside perspective on your overall security, NetSPI is here to help. Access our Red Team data sheet below to get started.

[Q&A] Chubb Cyber Insurance Clients Activate Proactive Security with NetSPI
https://www.netspi.com/blog/executive/partners/chubb-cyber-insurance-clients-activate-proactive-security/ (Mon, 08 Jan 2024 21:45:50 +0000)
Learn about Chubb and NetSPI’s recent collaboration which helps cyber insurance clients activate proactive security. Read this Q&A!

In case you missed it, Chubb, one of the leading publicly traded property and casualty insurance companies, announced an innovative collaboration with NetSPI to strengthen client cyber-risk profiles via enhanced attack surface management and penetration testing solutions.

What started as a penetration testing program for Chubb has evolved into a partnership in which NetSPI will help Chubb cyber insurance clients proactively assess and mitigate risks that could lead to claims. Core benefits Chubb clients receive as a part of the collaboration include:

  • Preferred pricing on Attack Surface Management (ASM), Breach and Attack Simulation (BAS), and Penetration Testing as a Service (PTaaS). Plus, select clients will be able to access the ASM platform at no cost.
  • The resources and expertise to stay resilient throughout the lifecycle of their policy which will, in turn, improve and inform the underwriting process for renewals.
  • Access to 280+ expert penetration testers across the globe for tailored proactive security solutions to support any size business across all industries.

Want to delve deeper into what this partnership means for security teams and how it will impact the future of the cyber insurance industry? Hear first-hand from Chubb in this video, and read the Q&A below, featuring Chubb Cyber Intelligence Officer Craig Guiliano and NetSPI CEO Aaron Shilts.

What is proactive security? And why must it be prioritized across the greater security community?

Craig Guiliano: Proactive security, quite simply, is trying to identify exposures before a threat actor, but often from the point of view of the threat actor. By taking a proactive approach, you could mitigate the exposure before a threat actor can exploit it. Through Chubb’s partnership with NetSPI, Chubb policyholders in the U.S. and Canada can take advantage of NetSPI’s full portfolio of proactive security solutions, including Breach and Attack Simulation (BAS), Attack Surface Management (ASM), as well as a suite of comprehensive penetration testing offerings, at preferred pricing, subject to applicable insurance laws.

Aaron Shilts: Proactive security is at the core of NetSPI’s DNA. It’s the combination of security activities that ultimately mitigate the risk of a security incident or breach. Pentesting, red teaming, breach and attack simulation, and external attack surface management all contribute to a well-rounded program. For those who follow NIST’s cybersecurity framework, these activities fall within the Identify and Protect functions at the framework’s core. We’re eager to help Chubb clients activate proactive security so that they can gain visibility into which critical assets must be protected to ensure business continuity, accurately discover exposures and vulnerabilities, and break through the noise to prioritize remediations. It’s essentially the first line of defense against adversaries – and an incredible opportunity to build trust with customers.

How will this program impact Chubb clients and, more generally, those seeking cyber insurance? 

Craig Guiliano: Chubb is now able to provide our Cyber insurance policyholders across all segments access to NetSPI’s enterprise-class offensive security services to help them mitigate cyber threats and exposures. NetSPI has developed a customized set of services for Chubb clients that are particularly geared towards smaller companies, in addition to preferred pricing for any of NetSPI’s services. For companies with annual revenues over $100m seeking cyber insurance, Chubb will be leveraging NetSPI’s Attack Surface Management platform to proactively perform a scan to identify vulnerabilities and/or exposures before they could be exploited by a threat actor.

Aaron Shilts: Chubb’s commitment to helping their clients mitigate risks that could lead to a claim should be applauded. Chubb is setting a high standard in the insurance industry by offering the resources necessary to stay resilient throughout the policy lifecycle – and beyond. NetSPI shares the same commitment by being hyper-focused on helping organizations discover, prioritize, and remediate security issues, before it’s too late. Whether we’re alerting to high-impact attack surface exposures, facilitating deep-dive, comprehensive pentests in your critical environments, fine tuning detections to prevent ransomware, or anything in between, we’re thrilled to have this opportunity to bring our team, expertise, and technology to Chubb’s customer base so they can continue to innovate with confidence.

Why now? How has the cyber landscape changed, prompting a program like this?

Craig Guiliano: Cyber insurance must evolve because the cyber threat landscape is constantly changing. Attack surfaces are growing, and as they grow, the opportunities for threat actors to find new exposures to exploit increases. Chubb is always looking to assist our customers in avoiding cyber threats, because a cyber incident can not only be disruptive, but for many businesses, it could be devastating.

Aaron Shilts: Security leaders today are faced with a seemingly impossible task of keeping pace with the rate of change and innovation. And that rate is only increasing with the advancements in machine learning and adoption of large language models (LLMs), among other emerging technologies. Now is the time for organizations to double down on their proactive security to continuously evaluate and improve their security posture alongside innovation. This program is a great reminder that security should not be an afterthought.

Why did Chubb select NetSPI as its proactive security partner?

Craig Guiliano: In my career, I’ve worked with several proactive security vendors, including NetSPI, and NetSPI consistently delivered high-quality assessment results. They understand the importance of not only identifying risks and exposures, but of ensuring the customer understands the exposure and mitigation options. The NetSPI team’s quick understanding of what we were trying to accomplish from a cyber underwriting standpoint, and their ability to rapidly develop a tailored Attack Surface Management (ASM) solution for Chubb and our clients that provides a level of visibility that can help identify exposures and risks before they escalate to a claim.

Are you a cyber insurer looking to bring added value to your policyholders and help them mitigate the risk of claim? Get a conversation started with our partnerships team.

5 Cyber Trends to Expect in 2024
https://www.netspi.com/blog/executive/netspi-updates/5-cyber-trends-to-expect-in-2024/ (Mon, 08 Jan 2024 15:00:00 +0000)
It's time to move from defense to offense in 2024. Our cybersecurity experts predict AI-powered attackers and proactive vendors leading the trends.

The past year certainly had no shortage of cybersecurity firsts. From the emergence of the MOVEit vulnerability to the wide adoption of ChatGPT and its associated security risks, nearly every industry was impacted by cyber threats. These major trends throughout the year have kept security professionals on their toes—pushing practitioners to stop playing defense against malicious actors and shift to a more proactive approach to security.  

As we look toward 2024, some aspects will remain the same, such as persistent ransomware and cloud-based attacks, as well as AI creating a larger attack vector for cybercriminals. The shift, however, will be in how the cybersecurity industry—and specifically, IT security vendors—helps customers transition to being more proactive against cyber threats. We asked our global team to weigh in on the trends they anticipate shaping the new year and what will help push the need for proactive security. Here’s what they had to say.

AI and Large Language Models (LLMs) are at the proverbial tip of the iceberg.

“What we saw with AI and LLMs, and given the amount of investment that has gone into progressing this technology, I expect to see rapid innovation in all aspects of LLM usage in 2024—specifically at the foundational level, such as scale and efficiency. More importantly, we will see the emergence of very impactful use cases in industry verticals such as healthcare, learning, manufacturing, and automation.

We will also see increased adoption of LLMs for the edge—LLMs, and AI will go where the data resides or is generated as opposed to aggregating all the data to a centralized location. This adoption will accelerate exponentially in addressing some of society’s most complex and urgent problems. Furthermore, I expect more solutions and regulations to emerge to grant organizations the confidence and guidance they need to use these powerful tools effectively and in a trustworthy manner.” 

The best security program requires a combination of purpose-built, automated technology and human intuition and intelligence.

Nabil Hannan, Field CISO

“We’re still facing a deficit of cybersecurity professionals globally. The skills shortage will ultimately be the bottleneck impacting the effectiveness of cybersecurity initiatives. Additionally, budgets and investments into proactive security training and procurement are being put on hold, so businesses, in turn, are limiting their ability to improve their cybersecurity posture. That needs to flip in 2024 as organizations that fail to keep pace with the rate of transformation in the industry will inevitably falter, as the human element is still the weakest link in today’s cyber ecosystem.”

A politically focused year will spark more nation-state attacks.

Nick Walker, Regional Director, EMEA

“As we enter 2024, notably an election year for many, political situations will likely lead to more nation-state attacks against critical and national infrastructure. A politically focused year, along with increasing usage of technologies such as Artificial Intelligence (AI), will require businesses to lean towards establishing strong and efficient spending, along with more software-based solutions that empower an ‘always on’ mindset to combat today’s threat landscape.”

Regulations will continue to progress, but insider threats remain the biggest roadblock to securing the software supply chain.

Tyler Sullivan, Senior Security Consultant

“The U.S. has made strides in cybersecurity legislation and guidance in 2023. Most notably, CISA announced its Open-Source Software (OSS) security roadmap, and the U.S. partnered with Japan, India, and Australia to strengthen software security for governments. Collaborative work like this will drive security forward for nations that may not have security maturity. 

The new SEC guidelines are essential in the evolving cybersecurity landscape. The SEC puts more pressure on organizations to create more robust security practices. Regulations are not always flawless, though; for example, the guidelines require disclosures within four days of an incident being declared ‘material.’ This short time frame could open up loopholes regarding incident categorization; however, it’s a step in the right direction. In the new year, I would expect more urgency in legislation, including continued pressure on software suppliers themselves, to keep up with the ever-increasing risk of the software supply chain.”

Teams must keep pace with digital transformation to ensure cloud security.

Karl Fosaaen, VP of Research

“Across industries, even with workloads shifting to the cloud, organizations suffer from technical debt and improper IT team training – causing poorly implemented and architected cloud migration strategies. In 2024, IT teams will look to turn this around and keep pace with the technical skills needed to secure digital transformations. Specifically, I expect to see IT teams limit account user access to production cloud environments and monitor configurations for drift to help identify potential problems introduced with code changes.  

Every cloud provider has, more or less, experienced public difficulties with remediation efforts and patches taking a long time. I anticipate seeing organizations switch to a more flexible deployment model in the new year that allows for faster shifts between cloud providers due to security issues or unexpected changes in pricing. Microsoft’s recent ‘Secure Future Initiative’ is just the start to rebuild public trust in the cloud.”  

The year 2024 will undoubtedly be a rollercoaster for the cybersecurity industry, but we hope these insights help organizations get on the offense and remain vigilant against growing threats. Here’s to a more secure, collaborative, and proactive new year!

NetSPI [Un]Wrapped: Our Top Hits from 2023
https://www.netspi.com/blog/executive/netspi-updates/netspi-unwrapped-top-hits-from-2023/ (Thu, 28 Dec 2023 15:00:00 +0000)
NetSPI rewinds the track on 2023! Take a break as we revisit favorite moments and resources from the year.

Buckle up, rewind, and get ready for NetSPI’s reveal! Before we dive into the new year, we’re taking a moment to reflect on 2023—a year that passed by in a blur of milestones and moments. 

It was a year that demanded resilience, adaptability, and maybe a few extra cups of coffee. But amidst the whirlwind, there were triumphs, breakthroughs, and moments of sheer celebration on our team that made this year one to remember. 

Grab a warm cup of cheer, pull up a comfy chair, and join us as we rewind the track on 2023 through our favorite team moments, the resources that helped us thrive, and a much-needed reminder that even the most fast-paced years are worth slowing down to celebrate.

Our Favorite #TeamNetSPI Moments 

Marking milestones and welcoming new furry faces was all part of an exciting 2023 for our team. 

1. Celebrating our new headquarters 

Skyline views are on the horizon as we officially plant our flag at our amazing new headquarters. 

2. Officially passing 500 team members

Our team raced past 500 people in January and is quickly approaching the next milestone, proving that we accomplish more together than we ever could apart. 

3. Welcoming Jersey to the NetSPI team

As the only four-legged member of our team, Jersey supports children and families during their time at the Masonic Children’s Hospital’s Institute for the Developing Brain. 

Top Educational Resources 

Building a more secure world starts with education. Our top resources this year spanned from blockchain to Attack Surface Management.

1. Offensive Security Vision Report 2023 

Our top resource in 2023 was NetSPI’s Offensive Security Vision Report, a first-hand study that summarizes the top vulnerabilities by attack surface and much more.

2. 5 Blockchain Security Fundamentals Every C-Suite Needs to Know 

Dive into blockchain security! This eBook shares how major companies are using distributed ledger technology (DLT) today and the importance of security planning for blockchain operations. 

3. How to Use Attack Surface Management for Continuous Pentesting

Point-in-time testing is so 2023. In this article, we explain how the shift to proactive security is rooted in always-on monitoring of known and unknown internet-facing assets.  

Technical Articles the Industry Loved 

Technical articles reign supreme. 👑 Here are the top three technical articles our audience loved in 2023. 

1. Abusing Entra ID Misconfigurations to Bypass MFA

Explore Entra ID with Kyle Rozendaal. While conducting an Entra Penetration Test, we discovered a simple misconfiguration in Entra ID that allowed us to bypass MFA. 

2. Escalating Privileges with Azure Function Apps 

Dive into privilege escalation with Karl Fosaaen. See how undocumented APIs used by the Azure Function Apps Portal menu allowed for directory traversal on the Function App containers. 

3. Mistaken Identity: Extracting Managed Identity Credentials from Azure Function Apps by Karl Fosaaen

In research repurposed from our DEF CON Cloud Village talk (What the Function: A Deep Dive into Azure Function App Security), Thomas Elling and Karl Fosaaen stumbled onto an extension of the work in the article above, Escalating Privileges with Azure Function Apps. 

Most Listened to Podcast Episodes 

Our mics were on fire this year! Tune in as we revisit the top podcast episodes that sparked debates, hit on industry best practices, and left you wanting to hit “repeat” on cyber defense. 

1. Episode 055: Teaching Next Gen Cybersecurity Leaders with Neil Plotnick 

Gear up for the future of cyber with Agent of Influence! In this episode, NetSPI’s Field CISO and host of the podcast Nabil Hannan tackles a pivotal topic: cybersecurity education. He’s joined by Neil Plotnick, a high school educator on the front lines, as they dissect modern curriculum, student attitudes towards online data, and the crucial question: how do we cultivate the next generation of cyber defenders? 

2. Hack Responsibly: Riding the Azure Service Bus (Relay) into Power Platform with Scott Sutherland and Karl Fosaaen

On the inaugural episode of Hack Responsibly, we crack open the vault on Azure security with special guest, security consultant Jake Scheetz. Join the crew as they dissect Nick’s noteworthy vulnerability disclosure: a cross-tenant Azure exploit in Power Platform Connectors. 

3. Leading with FUN Instead of FUD with Tim Derrickson

Hold onto your hats—fun times and security insights are ahead! Nabil hosted guest Tim Derrickson, Director of IT and Security Services at One Step Secure IT, for a discussion on dropping the tone of Fear, Uncertainty, and Doubt (FUD) and injecting some much-needed fun into the cybersecurity conversation. 

Webinars that Captured Attention 

These webinars rose above the noise, giving our viewers tangible insight into NetSPI’s proactive security solutions, including Breach and Attack Simulation (BAS) and Attack Surface Management (ASM). 

1. Product Pulse: Demo of Breach and Attack Simulation (BAS)  

Hear from Spencer McClain as he guides you through our BAS platform demo and shares some of our favorite customer success stories. 

2. ASM In Action: NetSPI’s Attack Surface Management Demo 

See NetSPI’s ASM platform in action as Scott Henderson walks you through its ability to improve visibility, inventory, and understanding of known and unknown assets and exposures. 

3. Keeping Up with Medical Device Cybersecurity: Q&A with Product Security Leaders at Medtronic, Abbott, and MITRE 

Hear from medical device security leaders as they share best practices on compliance, updatability, vulnerability management, and more in this panel discussion. 

As we raise a toast to the year’s successes and lessons learned, we can’t help feeling excited about the year to come. 2024 promises to be an adventure, and NetSPI is ready to tackle the challenges in stride. 

Get our best resources hand-picked for you. Want access to proactive security insights, industry takes, and a front-row seat to our 2024 game plan? Sign up for our monthly newsletter!  
