scroll it

Asset Insights: A Look into Shadow IT and Other Rogue Assets

Greg Copeland
0% read

Using a Raspberry Pi to steal 500 MB of data doesn’t sound like a major cyber event, but context is everything. The data in question came from NASA’s Jet Propulsion Lab and was transferred abroad, using an unaccounted-for device connected to NASA’s vast and complex network. 

In the era before the cloud and remote work, network security was fairly straightforward, but deep, complex networks connected to the internet have changed the narrative. It’s time to shift to the assumption that assets, known or otherwise, are not given proper scrutiny. Dynamic and lesser known assets, such as shadow IT, supply chain or unsanctioned applications, may be known to defensive Security Operations (SecOps) tools via inventory and alerts, but they aren’t always easily integrated into the offensive security testing process. 

The penetration testing and red teaming space has traditionally been siloed from the broader SecOps organization. Typically, members of the internal red team are given well-known targets to attack and report back their findings. Only these high-profile assets specified are tested, leaving other potentially vulnerable assets exposed. 

Understanding Your Attack Surface with Asset Insights

Synack Asset Insights enables better integration of offensive security testing results into SecOps processes by allowing the import of SecOps assets into the Synack Platform. Asset Insights provides an asset-centric view of items under testing that better align Synack workflows with other security tools. 

Asset Insights can also include external assets surfaced by Synack’s new Attack Surface Discovery option. Security testing is no longer siloed—it can be central to established SecOps workflows.

The story doesn’t stop there. Not every incident and asset necessarily rises to the level of needing a human-led pentest. Synack’s Asset Insights enables graduated levels of security testing with data to help customers prioritize the depth and type of offensive security testing most appropriate for particular assets.

  • Externally accessible host assets are fingerprinted providing insights into their nature such as geolocation, network provider, WHOIS and open ports. This can help triage and answer simple questions, such as “Does this asset belong to me?” and “Does it have obvious security gaps?”
  • Next, assets undergo a Synack SmartScan®, which surfaces suspected vulnerabilities, reporting back CVSS and other details to the Synack Platform. Results of these scans can be used to inform calls to action for further human-led testing.
    • Example: The above steps may show that an asset, tagged as important, is running an outdated version of Apache and suspected of being vulnerable to the Log4j exploit. Synack Red Team members conducting a targeted mission can confirm whether or not the asset is exploitable by Log4j and provide recommendations to remediate that vulnerability.
  • Lastly, assets that are determined to be critical and suspect to vulnerabilities can be placed into a queue for the Synack Red Team to conduct continuous open vulnerability discovery (aka pentesting) to confirm exploitable vulnerabilities, provide recommendations to remediate, verify patch efficacy and, with Synack Platform data, measure security posture improvement. 

Asset Insights also provides robust details of assets on the platform. Asset details are continuously updated, informing potential changes in security vulnerability and needs for new or updated security testing. 

For example, daily fingerprinting and SmartScan may flag newly opened ports which are suspected to be vulnerable, informing calls to action for testing. Records of when each asset was last tested are kept, helping to identify critical assets that are due for pentesting.

You can’t test what you don’t know about. Asset Insights expands the surface of testable assets—integrating customer data, SecOps workflows, automated scanning and Synack Red Team expertise to offer more coverage of assets at appropriate depth.