Why Out-of-Scope Assets are Prime Targets for Attackers

By Marcos Lira, Lead Sales Engineer at Halo Security

Nearly 10 years ago, Mark Zuckerberg pivoted away from a phrase he coined: “Move fast and break things.” Silicon Valley is largely still living by that mantra. Competitive pressures have pushed organizations to build and deliver products and services faster and closer to their customers.

But too often the risks that come with this rapid pace leave organizations exposed through connections that have been forgotten, left unmanaged, or misconfigured. These assets eventually drift into what is considered “out-of-scope” for testing and monitoring.

“Out-of-scope” assets are the assets that security teams neglect. They are generally considered non-critical, but the risk of chained attacks stemming from issues like subdomain takeovers makes it more essential than ever to monitor and secure the full attack surface. ESG Research says 69% of organizations have suffered a cyberattack that began with the exploitation of an unknown, unmanaged, or misconfigured internet-facing asset. Some common examples we see include:

  • Third-party marketing and support platforms (like HubSpot or Zendesk)
  • Subsidiary and legacy environments
  • Development and staging environments
  • Internal and partner tools
  • Vanity domains and forgotten projects

While these aren’t generally the most critical assets, once they are exposed to the internet they are easily reachable by threat actors.

Unfortunately, this means that an organization’s internet-facing attack surface has only grown in complexity and is ever-expanding. With every new asset, new library, and new piece of code, the likelihood of new vulnerabilities increases. In reality, there’s no such thing as “in-scope” or “out-of-scope” for an attacker who is licking their chops at just how vulnerable their target is.

These types of assets broaden an organization’s attack surface and can introduce critical vulnerabilities that slip through the cracks. Sometimes those awareness gaps stem from ongoing staff shortages, the sheer number of vulnerabilities to manage, or alert fatigue.

To understand what you need to protect, let’s look at the attacker’s playbook, identify your true attack surface, and consider what can be done to protect it.

How attackers think

The stock image of a nefarious actor sitting behind a laptop wearing a hooded sweatshirt as they aim to take down the largest organizations doesn’t properly paint the picture. Attackers don’t discriminate; they are equal opportunists that will find the easiest way to infiltrate a target and hop around until they find what’s most valuable.

Often, it’s the “out-of-scope” assets that are most vulnerable and attackers count on them for the easiest entrance into your organization. These attackers hack for fun, learn from their community, and leverage vulnerability disclosures from bug bounty programs to worm their way in.

Attackers are as agile as NFL running backs; they can cut, pivot, sidestep defenses, and even audible to pull off their breaches. A study by the University of Maryland found that malicious attackers have an increased skill in vulnerability detection because of the wide array of networks and software they target. Their playbook may start with a subdomain takeover and ultimately compromise a primary target.

What your attack surface truly looks like

In the JPMorgan Chase breach, it was an exposed database belonging to an acquired subsidiary that was compromised, ultimately resulting in 83 million accounts being exposed. This is a common pain point for organizations. In order to understand your attack surface, you need visibility, and most organizations don’t have enough.

According to a report from Trend Micro, 62% of IT security decision-makers admit to having blind spots that weaken their security posture and 73% are concerned about the size of their digital attack surface. It can grow unwieldy as more assets that you didn’t build in-house get added. Most of these third-party connections come via domain name system (DNS) canonical name (CNAME) records or application programming interface (API) calls.
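The third-party CNAME dependencies described above can be inventoried straight from a DNS zone export, and the same pass can surface the dangling records that subdomain-takeover attempts rely on so they can be cleaned up. The script below is an added example, not code from the article or from Halo Security. It parses a constructed zone export for the fictional `example.com`, separates CNAMEs that point inside the organization’s own domains from those that point at outside vendors, and flags targets that no longer resolve. Resolution is simulated with a constructed `RESOLVES` set so the example runs offline; in practice `resolves` would wrap a real DNS lookup. The vendor hostnames, `ORG_DOMAINS`, and every record are assumptions made up for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable

# Assumption: the domains the organization actually controls.
ORG_DOMAINS = ("example.com",)

# Constructed zone-file-style export (fictional names throughout).
ZONE_EXPORT = """\
www.example.com.          300 IN CNAME example.com.
blog.example.com.         300 IN CNAME example-blog.marketing-vendor.example.   ; constructed SaaS host
support.example.com.      300 IN CNAME example.support-vendor.example.          ; constructed SaaS host
old-campaign.example.com. 300 IN CNAME campaign-2019.pages-vendor.example.      ; project ended, target deleted
api.example.com.          300 IN A     192.0.2.10
"""

# Constructed resolver answers: names in the set resolve, anything else is NXDOMAIN.
RESOLVES = {
    "example.com.",
    "example-blog.marketing-vendor.example.",
    "example.support-vendor.example.",
}


@dataclass(frozen=True)
class CnameFinding:
    name: str          # record owner, e.g. "blog.example.com."
    target: str        # where the CNAME points
    third_party: bool  # target lies outside the organization's own domains
    dangling: bool     # target no longer resolves: remove or re-point the record


def parse_cnames(zone_text: str) -> list[tuple[str, str]]:
    """Return (owner, target) pairs for every CNAME line in a zone-file-style export."""
    pairs: list[tuple[str, str]] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        tokens = line.split()
        if "CNAME" not in tokens:
            continue  # A, MX, TXT, ... records are not CNAME dependencies
        idx = tokens.index("CNAME")
        pairs.append((tokens[0].lower(), tokens[idx + 1].lower()))
    return pairs


def is_third_party(target: str, org_domains: Iterable[str]) -> bool:
    """True when the CNAME target is not a name the organization controls."""
    t = target.rstrip(".").lower()
    owned = [d.rstrip(".").lower() for d in org_domains]
    return not any(t == d or t.endswith("." + d) for d in owned)


def audit_cnames(
    zone_text: str,
    org_domains: Iterable[str],
    resolves: Callable[[str], bool],
) -> list[CnameFinding]:
    """Classify every CNAME in the export by ownership and whether its target still resolves."""
    return [
        CnameFinding(owner, target, is_third_party(target, org_domains), not resolves(target))
        for owner, target in parse_cnames(zone_text)
    ]


def takeover_candidates(findings: Iterable[CnameFinding]) -> list[CnameFinding]:
    """Dangling CNAMEs to third-party hosts: the records to delete or reclaim first."""
    return [f for f in findings if f.third_party and f.dangling]


if __name__ == "__main__":
    results = audit_cnames(ZONE_EXPORT, ORG_DOMAINS, lambda n: n in RESOLVES)
    for f in results:
        kind = "third-party" if f.third_party else "internal"
        state = "DANGLING" if f.dangling else "ok"
        print(f"{f.name:28} -> {f.target:42} {kind:12} {state}")
    print("remediate first:", [c.name for c in takeover_candidates(results)])
```

The split into `third_party` and `dangling` is deliberate: every third-party CNAME is a dependency worth tracking even while it resolves, because the vendor account behind it can lapse later, and a dangling record that still points inside your own domains is a broken record rather than a takeover risk.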

Many security teams think that by using a third-party asset, like software as a service (SaaS) or infrastructure as a service (IaaS), they are transferring risk. They’re simply not. If you’re using it, you’re responsible for it. Consider the 2019 Capital One breach: the company tried to pass the responsibility to a weakness within the AWS infrastructure. Unfortunately for Capital One, the courts sided with AWS that it was the bank’s responsibility to ultimately protect its customer data. Public cloud providers take the same position through their shared responsibility policies. While the cloud provider is responsible for the infrastructure it offers, any data you add or configurations you make are on you.

The common misconception about risk is often made obvious by bug bounty programs. Security teams may direct ethical hackers to look only at a certain area, ignoring others they believe to be “out of scope.” When attackers read these bug bounty scopes, which they commonly do, they know exactly where security teams aren’t looking and know just where to strike.

What can be done

Organizations should carefully consider the entirety of their internet-exposed infrastructure and regularly assess each asset for security gaps. The interconnectedness of “non-critical” and “critical” assets is difficult to avoid, so we can’t ignore “non-critical” or “out-of-scope” assets anymore.

This may mean a more comprehensive assessment of your attack surface, but it’s a worthwhile investment. Attackers are becoming more creative and finding new paths to your most valuable assets. Even if you consider certain data, applications, or repositories to be “out-of-scope,” it could be those forgotten resources that do far worse than break as you move quickly; they could be holding the door open for an attack.
