Hunting ‘unknown-unknowns’ in your attack surface

Ever lost sleep over possible hidden attack routes lurking in your organization’s attack surface? You’re not alone. The concept of ‘unknown-unknowns’ is a recurring nightmare for many IT professionals – but there are ways to mitigate the risks. We’ll explore the problem of unknown-unknowns and provide some practical strategies to help your organization uncover these hidden threats.  

What’s an unknown-unknown?  

An ‘unknown-unknown’ refers to a risk or threat that’s not only unrecognized by an organization but also currently invisible to its security and IT teams. It represents a blind spot in the organization’s understanding of its attack surface and potential vulnerabilities. Unknown-unknowns can arise in various ways, such as through unmanaged or unaccounted-for infrastructure, shadow IT, or overlooked assets within the extended network.

They can also be introduced through well-meaning actions. For example, developers may provision cloud resources without involving the right teams, so those resources never get covered by the organization’s security measures. The challenge with unknown-unknowns is that they’re not even on the radar of security teams, who are almost always busy dealing with the problems they are actually aware of. This makes unknown-unknowns ripe for exploitation by threat actors as entry points into a network.

How attackers exploit unknown-unknowns  

Unknown-unknowns offer attackers unguarded entry points into an organization’s network. Since these risks aren’t accounted for by security teams, they are prime opportunities to gain an initial foothold in an organization’s infrastructure if attackers can find them first. From there, attackers can leverage these unknown vulnerabilities or unmanaged assets to gain unauthorized access, exfiltrate sensitive data, disrupt operations, or carry out other malicious activities.

Attackers are aware of the types of overlooked assets that can help them. A typical example is a forgotten or unpatched server that’s still connected to the network but not actively monitored or maintained. Similarly, shadow IT resources, such as unauthorized cloud instances or unapproved applications, can introduce unknown vulnerabilities that attackers can exploit.

Unknown-unknowns can also arise from third-party suppliers or business partners that aren’t properly accounted for in the organization’s security measures. If these external entities have weak security practices or are compromised, they can serve as a gateway for attackers. 

Close the visibility gap with EASM 

External Attack Surface Management (EASM) helps organizations address unknown-unknowns by focusing on the external-facing part of their infrastructure. EASM tools continuously scan and monitor public-facing assets, such as domain names, IP addresses, and other internet-exposed resources. This gives organizations the means to actively discover, monitor, and manage their external attack surface, reducing the potential for unknown-unknowns.

Here are five ways an EASM solution such as Outpost24’s Sweepatic can specifically help with finding and remediating unknown risks:

Discovering unknown assets
EASM tools give comprehensive visibility into all of an organization’s public-facing assets, including those that may have been overlooked or forgotten. This lets security teams identify assets that aren’t accounted for in the organization’s official records. They can also view their attack surface as a network graph that displays how seed domains, subdomains, IP addresses, subnets, DNS records, and locations are linked.

Example of a network graph from Outpost24’s Sweepatic EASM solution 

Continuous monitoring
Using an EASM tool lets security teams continuously search for new assets, changes in configurations, and potential vulnerabilities. This ongoing monitoring ensures that any new or unaccounted-for assets are promptly identified and can be assessed for potential risks. Having continuous and automatic monitoring in place makes it simple to track assets across your whole attack surface over time.  

Risk scoring and prioritization
It can be a challenge to know what problems to prioritize. EASM tools provide risk scoring or ratings for all assets, helping organizations prioritize their remediation efforts based on the level of risk. Critical and high-severity findings can be addressed immediately, while lower-priority items can be managed over time. 

Example of a risk-scoring dashboard from Outpost24’s Sweepatic EASM solution 

Consolidation and removal
The added visibility from an EASM tool can help organizations consolidate their cloud providers and remove unnecessary or unauthorized assets. For example, with so many modern applications being cloud-based, we often see attack surfaces sprawling across many different cloud providers. A tool like Outpost24’s Sweepatic shows you the outlier cloud providers and the internet-facing assets linked to them – you can then save money by consolidating or removing them. This will also reduce potential attack vectors.

Integration with risk management tools
If you already have existing risk management processes and workflows, it’s easy to integrate EASM tools. The information collected through EASM can be incorporated into your organization’s overall risk assessment and mitigation strategies. This ensures that unknown-unknowns are being considered alongside known risks and vulnerabilities. 
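To make the first four points above concrete (asset discovery from seed domains, continuous monitoring via snapshot diffs, and flagging outlier cloud providers), here is a small added example of the underlying logic. It is illustration written for this article, not Outpost24 or Sweepatic code. The DNS records, the provider CIDR ranges (drawn from the TEST-NET documentation blocks, not any real provider’s space), the approved-provider list and the asset inventory are all constructed sample data so the script runs offline; in practice the records would come from resolvers, certificate transparency logs or passive DNS.

```python
"""Toy external-asset discovery: build an asset graph from seed domains,
classify IPs by hosting provider, diff against the official inventory,
and detect changes between two scan snapshots.

Added illustration, not Outpost24/Sweepatic code. All data below is
constructed sample data so the script runs offline."""
import ipaddress
from collections import defaultdict

# Constructed sample DNS data: (name, record type, value).
DNS_RECORDS = [
    ("example.com", "A", "203.0.113.10"),
    ("www.example.com", "CNAME", "example.com"),
    ("api.example.com", "A", "203.0.113.11"),
    ("staging.example.com", "A", "198.51.100.7"),    # forgotten staging box
    ("dev-upload.example.com", "A", "192.0.2.44"),   # developer-provisioned VM
    ("mail.example.com", "MX", "mail.example.com"),
    ("mail.example.com", "A", "203.0.113.25"),
]

# Hypothetical provider ranges (TEST-NET blocks, not real providers' space).
PROVIDER_RANGES = {
    "corp-datacenter": [ipaddress.ip_network("203.0.113.0/24")],
    "cloud-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cloud-b": [ipaddress.ip_network("192.0.2.0/24")],
}
APPROVED_PROVIDERS = {"corp-datacenter", "cloud-a"}

# Constructed "official" inventory: what the CMDB thinks is exposed.
INVENTORY = {"example.com", "www.example.com", "api.example.com", "mail.example.com"}


def in_scope(name, seed_domains):
    """True if name is a seed domain or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in seed_domains)


def classify_provider(ip):
    """Map an IP to a hosting provider via CIDR lookup; 'unknown' if no match."""
    addr = ipaddress.ip_address(ip)
    for provider, nets in PROVIDER_RANGES.items():
        if any(addr in net for net in nets):
            return provider
    return "unknown"


def build_graph(records, seed_domains):
    """Adjacency map: seed -> hostnames -> IPs/aliases -> provider."""
    graph = defaultdict(set)
    for name, rtype, value in records:
        seed = next((s for s in seed_domains if in_scope(name, [s])), None)
        if seed is None:
            continue  # outside the organization's seeds
        if name != seed:
            graph[seed].add(name)
        if rtype == "A":
            graph[name].add(value)
            graph[value].add(classify_provider(value))
        elif rtype in ("CNAME", "MX") and value != name:
            graph[name].add(value)
    return dict(graph)


def find_unknown_assets(records, seed_domains, inventory):
    """Hostnames seen from the outside that the inventory does not list."""
    hosts = {name for name, _, _ in records if in_scope(name, seed_domains)}
    return sorted(hosts - inventory)


def outlier_assets(records, seed_domains, approved):
    """Hosts whose A record lands in a provider that is not approved."""
    out = {}
    for name, rtype, value in records:
        if rtype == "A" and in_scope(name, seed_domains):
            provider = classify_provider(value)
            if provider not in approved:
                out[name] = (value, provider)
    return out


def diff_snapshots(old_records, new_records):
    """Continuous monitoring: what appeared or vanished between two scans."""
    old, new = set(old_records), set(new_records)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


if __name__ == "__main__":
    seeds = ["example.com"]
    print("unknown assets:", find_unknown_assets(DNS_RECORDS, seeds, INVENTORY))
    print("outlier providers:", outlier_assets(DNS_RECORDS, seeds, APPROVED_PROVIDERS))
    print("new since last scan:", diff_snapshots(DNS_RECORDS[:-1], DNS_RECORDS)["added"])
```

Run as-is, the script reports the two hosts the inventory has never heard of (staging and the developer’s upload box), singles out the one sitting with an unapproved provider, and shows the mail A record as the only change between the two constructed snapshots. Swapping the sample records for a real DNS enumeration and the TEST-NET ranges for your providers’ published CIDRs turns this into the same discover, score, and monitor loop an EASM product automates.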

Map your attack surface today  

What does your online footprint look like from the outside? Outpost24’s Sweepatic solution shows the interconnectivity in your online infrastructure and displays how your internet-facing assets are related. This allows you to discover outliers, consolidate your cloud providers, and see where your assets are located in the world. Then, if vulnerabilities are discovered in your attack surface, you can take steps to remediate them.

Analyze and clean up your attack surface, making it lean and unattractive to cyber attackers. Get in touch and we’ll map your attack surface for free today.

About the Author

Marcus White Cybersecurity Specialist, Outpost24

Marcus is an Outpost24 cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.