Attack Surface Management 101
This month we're joined by the co-founders of Assetnote to discuss the fundamentals of Attack Surface Management.
This bumper episode of The Dark Dive features no fewer than four co-founders.
The co-founders of Searchlight Cyber (Ben Jones and Gareth Owenson) are joined by their counterparts from Assetnote (Michael Gianarakis and Shubham Shah). Together, we discuss the background of Assetnote and the origins of its founders in the offensive security and bug bounty world, the rationale behind Searchlight Cyber’s recent acquisition of Assetnote, and the fundamentals of Attack Surface Management (ASM).
Speakers

Ben Jones
Co-Founder and CEO of Searchlight Cyber

Dr. Gareth Owenson
Co-Founder and CTO of Searchlight Cyber

Michael Gianarakis
Co-Founder of Assetnote

Shubham Shah
Co-Founder of Assetnote
Our 101 on Attack Surface Management includes:
Attack Surface Management as a Process Rather Than a Technology
Rather than thinking of ASM as a tool, thinking of it as the process of understanding what you are trying to protect, identifying points of exposure, and then remediating those threats.
Nuances in the Attack Surface Management Market
In a diverse market with multiple vendors, we discuss the importance of combining discovery with testing vulnerabilities for exploitability to identify signal in the noise.
The Role of Vulnerability Research in Attack Surface Management
Assetnote's research team focuses on identifying pre-authentication vulnerabilities that are at high risk of exploitation and feeding this intelligence into their Attack Surface Management platform.
Transcript
(TC: 00:00:04)
Aidan Murphy: Hello and welcome to The Dark Dive, the podcast that delves into the depths of the dark web and cyber security. My name is Aidan Murphy and I’m your host and on today’s podcast, I’m joined by no fewer than four founders, you heard that right, four founders to discuss a new topic for our podcast, attack surface management. The first pair of co-founders will be familiar to regular listeners of the podcast, Ben Jones, CEO of Searchlight Cyber. Hello Ben.
(TC: 00:00:29)
Ben Jones: Hi there.
(TC: 00:00:29)
Aidan Murphy: And Gareth Owenson, CTO and co-founder of Searchlight. Welcome back, Gareth.
(TC: 00:00:33)
Gareth Owenson: Hi there.
(TC: 00:00:35)
Aidan Murphy: Our second pair of co-founders are new to the podcast but are certainly the right people to talk to about this topic. Michael Gianarakis and Shubham Shah founded the attack surface management company, Assetnote, in 2018. They’re widely recognized as pioneering the term, attack surface management, as well as leading the industry in the development of attack surface management tooling. Welcome to the podcast, Michael and Shubs.
(TC: 00:00:55)
Michael Gianarakis: Thanks Aidan.
(TC: 00:00:55)
Shubham Shah: Thanks Aidan.
(TC: 00:00:58)
Aidan Murphy: The reason behind this embarrassment of riches is that Assetnote was recently acquired by Searchlight Cyber, bringing Michael, Shubs and their entire team within our business so for this episode I wanted to bring all the co-founders together to get their combined perspective on attack surface management.
What do we mean when we talk about attack surface management? How does it protect companies from the kinds of threats we’ve discussed at length on this podcast? And why was acquiring an attack surface management company the next step for Searchlight Cyber. First, I want to start with Michael and Shubs and learn a little bit more about them. Shubs, I’m going to start with you if that’s alright. Am I right in saying that the origins of Assetnote actually lies in the tool that you built for bug bounties?
(TC: 00:01:36)
Shubham Shah: Yes, that’s right. Really early versions of Assetnote, long before it was a business that I co-founded with Michael, were essentially made to automate finding high and critical vulnerabilities inside bug bounty programs, although when we did start it off as a business, Michael and I, we did redesign it for the enterprise.
(TC: 00:01:56)
Aidan Murphy: Amazing. We haven’t really talked about bug bounties on this podcast at all and I think it’s a really interesting topic, and maybe just to give our listeners an idea, because that’s your background, right Shubs? You are a bug bounty hunter, quite a well established one. What is that world like? What was your day to day like? How do you make money? What are the challenges in the bug bounty world?
(TC: 00:02:18)
Shubham Shah: Yeah, I’m quite grateful to have bug bounties in my life and something that I found when I was around 14 years old so I’ve been doing it for a very long time now. I do recall when I was working at a fast food restaurant at the time, making $6.50 an hour and then the first vulnerability that I found in PayPal was $1500, US, and I just never showed up at that job again. It definitely did change my life and I think it has the potential to change many people’s lives but really that’s where a lot of this automation came into play, building Assetnote and the very early versions was to get to a point where we could automate a lot of the offensive security techniques for a bug bounty perspective, which then later morphed into the enterprise product.
(TC: 00:02:59)
Aidan Murphy: Yeah, and just to explain to people then, companies put out these bounties, presumably because they want to improve their security and it’s better then for good guys to find them and get paid for finding them rather than the bad guys to find them first. That’s a very simplistic way of explaining it but that’s the essentials.
(TC: 00:03:18)
Shubham Shah: Yes, that’s essentially it. There are several platforms nowadays, there’s HackerOne, Bugcrowd, Intigriti and a few more as well now but they all have basically companies that sign up to these platforms and they have a program brief that explains what you can do and what you cannot do, and they scope certain-, certain severities have certain payouts so if you find a critical vulnerability, it might be within a range of $5-10,000 or whatever it may be that the program has. But yes, based on those rules, you can go and attack these companies and report these vulnerabilities directly to them, via the bug bounty platforms and depending on the criticality of the bug that you’ve submitted and whether or not it is valid, they will pay you out what they’ve said inside their scope.
(TC: 00:04:00)
Aidan Murphy: And like you say, so the original tool you created, it was about automating this process a bit. What was the challenge that you-, well, yes, what was the challenge you were trying to solve as a bug bounty hunter that made you develop this tool in the first place?
(TC: 00:04:13)
Shubham Shah: Yes, it was really because at the time I was competing with bug bounty hunters quite a bit and bug bounties is a very, very competitive game. If you’re not the first to find something, you’re not going to get paid. It’s going to be marked as a duplicate. So one of the things that was really important for us at that time was being the first person to know when an asset has come online on the internet and being the first person to scan it for security issues. Some of these philosophies have really followed through in what we’ve built at Assetnote as well, given that we are the fastest ASM out there and we do discover things long before anyone else does.
(TC: 00:04:50)
Aidan Murphy: Brilliant, well, we’re going to come back to Assetnote and the technology, like you say, you rebuilt again, in a bit. Michael, you’re also from the world of offensive security, right? I think one of you described it as you’re kind of hackers first who learned engineering second. Can you tell us a little bit about your background before Assetnote?
(TC: 00:05:10)
Michael Gianarakis: Yes, definitely. So I’ve been in the offensive security space for, oh gosh, going on 17 years now almost. So quite a while, and various roles in that space so penetration testing, red teaming, doing various research, particularly in the mobile security space. I presented a bunch of research in that space. And then also into some management roles as well, so managing teams of testers, teams of red teamers, so very much from the get go in the offensive space which is very similar to the bug bounty space as well. It’s a slightly different way of getting at the same thing, basically.
(TC: 00:05:52)
Aidan Murphy: I don’t think I’ve ever heard you guys say but how did the two of you meet? Did you meet at, kind of like, one of these conferences or something or were you aware of each other?
(TC: 00:05:59)
Michael Gianarakis: Yes, so the community in Australia, the security community in Australia is very connected. It’s not necessarily small, I would say, but it’s very connected and I was presenting on some iOS application security research at a conference here in Brisbane and Shubs came up to me afterwards. He was doing a bunch of research into voicemail hacking and so he wanted to show me all these cool techniques and that’s where we first met. Then obviously from that point, you know, we saw each other at conferences and other events and you know, caught up and that’s how we met and how we got to know each other.
(TC: 00:06:36)
Aidan Murphy: Brilliant. So then Shubs kind of creates this technology and Michael, you, at some point, decided to team up and take this on together as a business, presumably?
(TC: 00:06:46)
Michael Gianarakis: Yes, yes. So Shubs had created this tool. I was also involved in the bounty scene in a slightly different way. I was an investor in one of the large platforms early on so I was familiar with that space and I was familiar with the work that Shubs was doing in that space. He’d shared this tool with me and you know, it was interesting, it definitely was a very novel approach to finding vulnerabilities in large scale attack surfaces and you know, there were various discussions about commercializing it but what ultimately happened was Shubs was using this tool to find a number of vulnerabilities in very large organizations and you know, a bunch of those organizations started reaching out and saying, ‘Hey, you’re rinsing our bounty. How do you do that? We spend all this money on security testing and security products and we have our team. How are you doing that?’ And we’d explain how it would work and the general approach and the tool, and a bunch of them basically said, ‘Hey, we need something like this. If you were selling it, we’d buy it.’ That’s really what kicked off the discussions around commercializing this tool. As Shubs mentioned, it was rewritten from the ground up at that point to make the value that we had understood and we’d experienced from a bug bounty perspective, consumable to defenders in an organization. But a lot of the DNA and the general ideas still persist to this day.
(TC: 00:08:13)
Aidan Murphy: It’s funny, it reminds me a lot of the Searchlight story. We’ve not talked about it so much on the podcast really. I guess it’s a very common entrepreneurial story in that you find a solution that people don’t have but Gareth, would I be right? It kind of reminds me of how you started off, kind of developing these tools for law enforcement, first of all developing this research and realizing that law enforcement couldn’t do it themselves, to the point where law enforcement say, ‘Well, what tools are you using and can you make them for us?’ Is that a fair description of the origins of Searchlight?
(TC: 00:08:46)
Gareth Owenson: Yes, I think it’s a fairly similar story, right, in the sense that you end up building something and realize that there’s a demand for it and we end up commercializing it and turning it into a product. You know, I started out as an academic doing research into the dark web and one of the things that was very clear was that law enforcement were struggling to investigate crime on the dark web and yet we collect this huge data set on stuff for the dark web, had a deep understanding of how all these dark webs work and how you could go ahead and catch the criminals. But back in 2014, you know, law enforcement budget for dark web investigation at the time was pretty small but it was growing over the next few years and in around 2016 we realized that law enforcement were at the stage where they might be willing to buy products and so we set about building a product. What they really wanted was a button that said ‘solve crime’ and press the button that gives them the answer to crime, so we set out trying to build that for them over the next few years. Early on in the business we landed some large contracts with some large law enforcement agencies and that’s really how the business has grown ever since. Yes, so I think lots of similarities with many entrepreneurs I think, is that you almost stumble across the idea rather than set out with it initially.
(TC: 00:10:00)
Aidan Murphy: I’m sure enterprise businesses would also like a button that says, ‘stop crime’. I think that’s probably a commonality as well. So Michael and Shubs, you form this company, Assetnote. It’s very successful. I’m going to come back in a little bit to talk about why it’s so successful but right now I’m going to jump forward in time to the acquisition and pull in the Searchlight Cyber founders for their perspective. Before I do that, and just to set the scene for listeners, Michael, I’m going to do something a bit unfair here but just so everyone knows just at the most basic level what we mean when I say attack surface management, and before we start talking about the benefits of that, if you were to give a definition of ASM, as concise as you can, how would you explain it?
(TC: 00:10:44)
Michael Gianarakis: Yes, and we might get into this as part of the discussion but the answer to that is actually very nuanced and very difficult, right? But to try and simplify it, I would say attack surface management is less about a product and more about a way of managing exposure in your attack surface. So it has a few key characteristics in that it’s holistic and it’s continuous and it’s focused on signal. I’d say those are the key characteristics of any good ASM and it’s basically about understanding your attack surface and understanding what you’re trying to protect and then identifying exposure in that attack surface and then remediating that. So that would be the high level of it and then obviously from a product perspective we’ve built our product based on that idea that it’s a process and that it’s a practice rather than a tool and our product enables that practice so that’s how I would maybe describe it at the high level but as I’m sure we’ll get into, the ASM market has evolved significantly and there’s a lot of confusion and nuance around what ASM means but that’s what it means to us.
(TC: 00:11:58)
Aidan Murphy: Brilliant. That was really really helpful. So with that in mind, Ben, can I ask you why did Searchlight Cyber set out to acquire an ASM company? Why was that the next step?
(TC: 00:12:10)
Ben Jones: Well, to give a full answer to that question, I think it’s worth going back to the origins of Dark IQ which is the Searchlight platform which was edging into this ASM space so the commercial entities asked us to be able to have access to our law enforcement data so that they could then protect themselves from oncoming threats and also be able to do research about it. The law enforcement tool is designed so that if you want to investigate more about a particular topic you go into the platform, you pull on that thread and see where it takes you. Whereas a commercial entity just wants to know everything which is relevant to them as an organization so what we did was build out the Dark IQ platform which then gathered in all of the things they could be interested in and the assets associated with the company and then returned the results based on the stuff that we found associated with that and so the idea is that they don’t have to dig around things. It’s a lot more of a time saver and it just presents the things which are associated with them and then take it to the next stage in terms of what do I then need to be able to do about that. As that platform evolves we were edging more and more into this attack surface space so we were approaching it from more of a TI digital risk protection end but we were still interested in assets so the idea is that OK, if we know what your IP address is and your domains and everything are, what vulnerabilities do you then have associated with that but the techniques that we were using were pretty high noise. We were looking to try and reduce that noise and make it more relevant to the customers so we looked out into the attack surface management space and we were looking for the best of breed to then add to our best of breed dark web platform. And we came across Assetnote and we immediately then knew that this was a company that we wanted to be able to acquire and have into the platform, and it comes down to a number of things.
One of the things is the high signal to noise ratio that you get from the platform and it really adds value, being able to do that so you don’t end up with alert fatigue. The other thing was the novel research that they do so it’s beyond just having a clever way of cutting through the noise of existing vulnerabilities. It’s also looking for new ones and then adding to that body of knowledge. That gives customers confidence that they know what they’re doing and that they’re going to get to see these things first, often before the criminal even sees it so it’s really powerful from that way and we met the team and the technology, and we really liked the team and we really liked the technology and so this was something which we wanted to have as part of our team and as part of our technology portfolio and so it was obvious from day one once we’d met Michael and Shubs and once we’d had a look at the tool that this was something which would really slot well into the Dark IQ platform. It doesn’t have a huge amount of overlap but it has an awful lot of complementary techniques and use cases. So it seemed to be obvious that where we were coming from ASM from a TI digital risk protection thing and moving more towards the technical side of ASM, Michael and Shubs have built a really technical side of ASM and they were actually-, some of the customers were pulling them towards the threat intelligence side of it as well. It was a point where the market was clearly converging and everybody was seeing the same thing and so it’s been an excellent purchase for us. The two things work really well together and the thesis seems to be proving out as we go.
(TC: 00:15:39)
Aidan Murphy: Brilliant, thanks Ben. Gareth, presumably you were part of that kind of technical assessment of Assetnote and maybe other ASM solutions. I think Ben’s covered some of the key points but was there anything that stood out for you when you were checking out Assetnote?
(TC: 00:15:52)
Gareth Owenson: Yes, so we’d had implementing an ASM style technology into the platform on our road map for a little while and we’d been out to the market and looked at a large number of essentially vulnerability testing companies that we may be able to either acquire or be able to integrate into the Dark IQ platform. The thing that you see with pretty much all of these platforms is they do a scan across your infrastructure and essentially check version numbers of software against the database of known CVEs and then flag those alerts up to you. What that means practically is you run a scan of the infrastructure and you get 200, 300 alerts saying that they’ve found a vulnerability and you check out 199 of them and they’re not relevant for one reason or another. Either, you know, as is common in Linux servers for example, patches get backported and so just checking the version number doesn’t tell you that the vulnerability actually exists, through to many other reasons for example that yes, OK, maybe the vulnerability exists but it requires a particular configuration or maybe the vulnerability exists but you need to be logged in to exploit it and our systems are only used by two people and we trust both of them and it’s not an urgent problem at that stage, if it requires some form of authentication.
So the difference with Assetnote really was that they were focused on critical pre-auth vulnerabilities so these are vulnerabilities that can be exploited without logging in to the system and that would result in a high level of exposure in some form or another and then they were actively testing those vulnerabilities to make sure that they existed in those services and so if you got an alert from Assetnote, you know, 99% probability it was something which you needed to action and most people in the cyber security space know that you’ve got a suite of cyber security products, all of these tools are spamming alerts at you every single day and everyone that’s been the recipient of those alerts knows that if you constantly get spammed with alerts which are high noise, you start ignoring them very quickly and not paying attention to them so having a tool which sends you alerts which are highly relevant and almost all of them you have to action is really refreshing, and it means that it’s an integral part of your suite then, it really has an impact. I think the other thing that we liked about them was they were also really focused on discovery of your assets. If you were to go back 20 years, everyone’s got a central firewall through which all of their traffic goes. Nowadays you’ve got assets all over the internet. You know, we’ve got hundreds of servers all over the internet. They’re not all behind one firewall and keeping track of those assets, yes, you’ve had spreadsheets and tooling to try and keep track of it. What Assetnote do is proactively go out and discover those assets, including assets which you don’t necessarily know about because you’ve not been tracking them centrally. I guess the typical case or typical example for this is a developer somewhere who spun up a server to test something and it hasn’t been logged centrally and you know, there’s some kind of bug associated with it, and it needs an initial penetration which you can then pivot from.
Well, Assetnote go out and actively discover those assets as they’re getting put on the internet so Assetnote are scanning every hour and if one of our devs spins up an instance somewhere without permission, the chances are Assetnote will discover it within the hour and tell us about it and that’s the other thing which I really liked about it and that’s, you know, Shubs was alluding to earlier, that was one of the advantages they had with bug bounties was they were discovering these assets before anyone else and ultimately you want to discover them before the attackers, right, and get it patched.
(TC: 00:19:24)
Aidan Murphy: Yes, that’s really great Gareth and I can almost feel Michael ready to talk about the difference between them and these vulnerability scanners that are just finding old versions of stuff, but I’m going to hold him back for a second because first I want to ask Michael and Shubs about Searchlight, I guess. So from your perspectives, being approached for acquisition, what was it about Searchlight that I guess from your side felt like a good fit and maybe Michael, I’ll start with you.
(TC: 00:19:51)
Michael Gianarakis: Yes, I mean there were a number of things. We had been speaking to a number of companies around the time of the acquisition and there were a few things that really stood out with respect to Searchlight. The first, as Ben kind of alluded to earlier, was the synergy between what we were doing and that was really exciting to us, as we looked to continue to develop on the concepts and the ideas that we had been developing for the last six and a half years at Assetnote and take them into new areas. The level of intelligence and dark web information that Searchlight has was very unique and there is a lot of potential for combining those in ways that are really valuable to customers and support the whole idea of what we had with Assetnote and ASM. The second thing really was just again the founders and the team. We saw a lot of cultural compatibility and similar thinking about how we approach security, about how we build out our products and about how we protect our customers and so that was really the other thing for me, that really stood out with respect to Searchlight.
(TC: 00:21:03)
Aidan Murphy: Brilliant, and Shubs, the same question to you. What was it from your perspective?
(TC: 00:21:08)
Shubham Shah: For me, you know, we really have security research at the core of our DNA at Assetnote and one thing that became clear to me, getting to learn a little bit more about Searchlight is the similarity in that. We both really do care about security research and doing good, and the research we do is often high impact and critical in multiple different areas whether it’s law enforcement or enterprise and that for me was definitely something that attracted me a lot to Searchlight.
(TC: 00:21:34)
Aidan Murphy: So we can now move on to talk about the ins and outs of ASM. Michael, this is a term you guys literally came up with and I’ve heard you talk a lot about the different interpretations of attack surface management that have emerged since, I guess. Some of them not necessarily in line with what you and Shubs had in mind maybe, when you kind of came up with Assetnote. Could you break down the landscape a little bit for listeners? So what do you mean by attack surface management versus maybe what some other companies mean on the market?
(TC: 00:22:04)
Michael Gianarakis: Yes. So when we think about security and the way that we think about security at Assetnote, is it doesn’t exist in a vacuum. It’s not on its own, it’s a reflection of the larger IT landscape and so what you’ve seen over time is various evolutions and trends in that IT landscape and that threat landscape and so there are a couple of things that were really driving what we were trying to do with Assetnote. The first is, you know, increased cloud adoption and cloud native architectures, trends like continuous deployment, DevOps, you know, blurring the line between what’s development and what’s production, heavier use of SaaS and third party software in your environment and all of those kind of combine to lead to very dynamic attack surfaces with a lot of evolution happening constantly and all the techniques for understanding the simple question of what are you trying to protect now became a very challenging thing for customers to do and for organizations to do and so that was really, sort of, the first part of it.
But then the other philosophy that we hold at Assetnote is that a list of assets is not the end in and of itself and nobody just wants the list of assets. They want to be able to do something with that, whether that’s identifying vulnerabilities and exposures that they need to fix, whether that’s utilizing that to add more understanding and contextualization to threat intelligence. They always want to do something with that and so for us, the core idea was building out a tool that would do both, and would start with a base layer of real-time asset awareness and then have that asset awareness augment and input into various exposure monitoring practices, whether it’s finding vulnerabilities or indicators of compromise, or other things. So that was really the core idea, and when it came to the term ASM, what we were really trying to achieve is, when we started out it really felt like a shift in terms of how people were approaching these challenges and you know, a lot of people would look at say, the exposure monitoring and think, ‘Oh, well that’s vulnerability management’ or they’d look at the asset discovery, ‘Oh, that’s discovery.’ It’s like, well, no, the sum of its parts is actually greater. Once it all really deeply integrates together and one feeds into the other in this continuous cycle, it’s something new and that’s really where the genesis of that term came and again, you know, as I said earlier, we see it as a practice and just a new way of managing exposure on your attack surface.
So that was the first piece on how we came up with it, but over time, what you saw in terms of the companies that, kind of, ran with ASM and even the analyst organizations, they really narrowly defined it to be asset discovery, unfortunately, and now you’re seeing the trend kind of shift over the years where I think people are starting to catch onto the idea and some of the ideas that we had almost seven years ago, but really for a period of time it was very much very narrowly defined as asset discovery. You also saw a lot of players coming into the market saying that they do ASM and branding things as ASM but really just trying to jump onto that term. So as I mentioned earlier, I’ve been in the offensive security space for a long time and you know, I started in the 2000s and even back then every pen test consultancy had an offering that was often called something like digital footprint or external footprint, and it was basically a two-week engagement that would identify all the assets on the internet, on your perimeter and then write a report and send it to you. Then once ASM became a term that was in broader use, you’d see all the pen test companies just rename that service to attack surface management which, you know, from what we’ve described is actually very, very different to how we’ve thought about it. So what we’ve seen is as that’s evolved, you see a lot of confusion from a customer perspective where they don’t really understand what they’re getting when they reach out to an ASM vendor and more and more over the years, we hear things when customers see our product, they’ll look at it and they have this reaction of, ‘Oh, this is what I was looking for, this is what I wanted with ASM. This is what I thought it would be and what I was trying to get to and then looked at four or five other vendors and they weren’t it.’ And so I think over time it’s trending towards our ideas but you know, as I said, we’ve been doing this from the get go, basically.
(TC: 00:26:48)
Aidan Murphy: Yes, that makes a lot of sense. Just to make sure I’ve got it right and maybe to help listeners as well, so there is this asset discovery side so like you said, like maybe how Gareth explained as well, this kind of going out, seeing all of your infrastructure, even the parts you weren’t aware of so kind of shadow IT or things that have been spun up and not really taken down but the difference, so there are some companies doing that and then there are some companies focused on exploitability but you’re saying really the best ASM would be kind of a combination of the both, so finding assets that are out there also working out which ones are vulnerable and can they really be exploited so you can prioritize your security I guess, to focus on the most critical areas of threat.
(TC: 00:27:34)
Michael Gianarakis: Broadly that’s correct, although the one nuance I would say, and this is going to what Gareth mentioned earlier is I wouldn’t say the broader market is as focused on exploitability as we are.
(TC: 00:27:44)
Aidan Murphy: Yes.
(TC: 00:27:45)
Michael Gianarakis: A lot of the way that they do vulnerability management or vulnerability identification is as Gareth described. One of the things that we’ve always focused on is exploitability and the reason we identify and programmatically determine the exploitability of these issues is because it creates a direct nexus to accountability and so when you start to look at attack surface management and go back to that point of it being holistic, and you’re getting a much more complete picture of your attack surface, which these days is often larger than you would have had ten, twenty years ago. Once you’ve got that, things like noise really become a problem. It can be amplified once you’re operating at scale and so having high signal is really critical and when it comes to identifying vulnerabilities, the approach that we take of keeping that threshold of exploitability, so to speak, really pays dividends when it comes to the noise and like Gareth mentioned, alert fatigue is a problem and ultimately we feel that it reduces your overall security posture if you’re ignoring alerts because there’s just too much noise. So that would be the only nuance that I’d pull you up on. I don’t see a lot of tools in this space approach that in the same way that we do. But they do, they are broadly combining vulnerability identification nowadays with the asset discovery but it’s more along the lines of what Gareth described earlier which we feel is not really quite there and doesn’t produce the best outcomes for customers.
(TC: 00:29:18)
Aidan Murphy: Yes, that makes a lot of sense. I guess another differentiator from my perspective, and maybe you guys can explain this a little bit better, I might call on you, Shubs, if that’s alright, is this kind of automated element. You guys seem to be doing this very, very quickly and kind of in a continuous fashion and that seems to be a little bit different from what else was on the market. Shubs, maybe can you talk a little bit about that, I guess? This kind of, the hourly scanning and that kind of stuff.
(TC: 00:29:45)
Shubham Shah: Yes, absolutely. I think that to reach the cadence that we have at Assetnote is a very difficult engineering task, especially when you’re scaling up to the number of assets that we have across all of our customers. What we found over the last six and a half, seven years, is I think primarily the reason why other competitors haven’t gone to this level of scaling is it is actually really, really difficult to do this in a reliable manner at this scale. We seem to have started off with that from the very beginning, maybe it was our naivety that we didn’t realize how difficult it would end up being but we were able to implement this and over the years we have optimized for this, in such a way that I think for competitors to do anything similar to this would be a huge jump to what they normally do. And yes, as we’ve mentioned several times on this podcast, there is a really big importance in terms of how quickly we discover not only the assets, but also do an exposure scan on those assets as soon as we’ve discovered them. What we’re seeing these days is attackers and threat actors are becoming much much faster at weaponizing N-days and zero days as they come out. You know, a really good example is the Clop ransomware group with the MOVEit vulnerabilities which were zero days at the time and then recently, the Cleo vulnerabilities which are also zero days. What we try and protect our customers from at Assetnote is really those unknown threats alongside with all the threats that we may already have catalogued. In many cases, our zero day research really comes into play as well but at the base of this and basically at the center of this, it’s really strong automation and engineering that allows us to not only discover the assets within that hour but also scan them from an exposure perspective within that same hour.
(TC: 00:31:29)
Michael Gianarakis: The one thing I’ll add to that, how the scale and the speed that we operate, and just to clarify, we do everything in our platform on an hourly basis. Nobody in the market does that as quickly as we do. But when you think about the practical outcomes of that for an organization, if you think what they’re trying to achieve ultimately is not necessarily just prevention of exposure, right? Obviously they’re focused on that and they are putting a lot of effort into that but mature organizations will understand that there will be exposures that are introduced into their attack surface and so what they are really trying to achieve is minimizing that mean time of exposure. So if you think about the life cycle of a particular exposure, it’s from the point that it gets identified, then there’s a level of triage and analysis to say, hey this is something that we want to then go fix, then there’s the remediation and then there’s often a validation to make sure that the fix is applied correctly. So that whole period of time is contributing to your mean time of exposure, and what we really want to do at Assetnote is assist customers in their goal of reducing that by removing lag that comes from tools so if you’ve got a tool that’s only doing scanning and discovery on a weekly basis, or even a daily basis, you’re already introducing a delay into that time frame and you’re increasing your mean time of exposure simply by the choice of tool that you have and the capability of that tool. So for us, doing that in near real time the discovery is basically instant and then because of the signal that we spoke about, the triage is also reduced. You don’t need to do that. We have a lot of customers, particularly our tech customers, that pipe the output of Assetnote straight to their engineers to fix.
They don’t even have to look at it and they tell us that we’re one of the only tools that they have that they can do that with and it’s because of the signal, so again you’re reducing now that overhead on the security team and the time it takes to do that and really, at the end of the day, the only thing that’s contributing to your mean time of exposure is how quickly you can remediate it. Recently there was a customer of ours that had one of our zero days, found it in the platform and within 21 minutes they had remediated that with our mitigation that we had and they came to us really proud, that was a new record that they set for how quickly they were able to do that. And that’s really what organizations are trying to do and that’s really where the value is in terms of the speed and the scale. It’s not just, I mean it is a difficult engineering challenge as Shubs mentioned, but it’s not for the sake of it. It does produce real valuable outcomes for organizations on the other side of it.
(TC: 00:34:09)
Aidan Murphy: Yes, I can imagine a lot of security professionals, sitting there listening to this, thinking that 21 minutes is quite incredible because, as you say, it’s always kind of a race for time, right, between you and anyone looking to exploit it. Am I right in thinking the other thing about that short window is that you pick up on assets. I think you called them ephemeral assets. Is that the right term? That are kind of spun up and might go down and if you’re only scanning daily or weekly, you might even miss that the asset was exposed if you’re not scanning regularly.
(TC: 00:34:38)
Michael Gianarakis: Yes, absolutely, and we’ve done some research in the past to show some examples of ephemeral vulnerabilities but again, going back to the point that I mentioned earlier about security not existing in a vacuum, it’s a function of the broader practices in the IT landscape. You know, often what you’ll see is a lot of automation and a lot of rapid evolution of the attack surface so you’ll see often assets that are being deployed automatically for a short period of time and then being spun down but that happening on a regular basis and often what can happen, if there’s a problem with that automation or if that’s introducing an exposure, if you’re not monitoring in real time, you miss that. But attackers more and more are looking for that, and they’re looking for any angle that they can to get in and exploit your weaknesses and so you completely lose visibility of that if you’re not monitoring quickly enough.
(TC: 00:35:32)
Aidan Murphy: This element that we’ve talked about a few times I really wanted to come back to which is the vulnerability research that you guys do. Shubs, I think you’re the right man to talk to about this. So Gareth mentioned a little bit about the types of vulnerabilities that you focused on so these kind of pre-auth vulnerabilities, how does the research element fit into what Assetnote does? How does it kind of fit into the platform and what role does it play for your customers?
(TC: 00:35:58)
Shubham Shah: Yes, the research element is probably one of the things that I’m most proud about at Assetnote and what we’ve built there, basically, and based on everything we’re seeing in the wild nowadays, our hypothesis was correct. We started Assetnote, where we understood that there is a serious lack of due diligence done on many different products that are deployed across our enterprise networks, most companies don’t have resources for a dedicated security research team to just pick apart these products that are sitting on their attack surface day in, day out. What we’ve done at Assetnote is we have built the best in class security research team that can reverse engineer pretty much any software that’s sitting on an external perimeter in order to discover critical pre-authentication vulnerabilities and really this focus that we have on this critical pre-authentication vulnerability space is primarily to have as much impact as possible, in terms of protecting our customers and enterprises in general. Really what we’re seeing in the wild is all these ransomware groups are using the same pre-authentication critical vulnerabilities in order to compromise enterprise networks and what we’re trying to do and what we have done successfully is give all of our enterprise customers early notification of the zero days on their attack surface long before they’re even exploited by any threat actor.
(TC: 00:37:19)
Aidan Murphy: Yes, so you focus on these pre-auth vulnerabilities like you say, so basically if you find them they are generally quite critical, I think I have also heard you talk about the fact that you focus on enterprise software so you’re not finding these vulnerabilities in niche software that a small amount of companies are using. You’re looking at really big popular products. Is that right?
(TC: 00:37:40)
Shubham Shah: Yes, that’s right and as time has gone on, our security research team has had a much bigger appetite to look at even more complex and even larger products. As you would have seen, we did a lot of work on ServiceNow last year and almost every one of our customers was affected by that research, as you know, these days almost every enterprise customer has some sort of ServiceNow instance up on the internet. So yes, we do have a very big appetite and we do look at the biggest enterprise products, really we also analyze a lot of the products that are across our customers’ attack surfaces so there is a lot of intelligence and analytics that goes behind what we focus our time on, understanding exactly what technologies have been run by the customers of our attack surface management platform. As we already have all of that information and we already collect all the technologies across all of our customers, we are in one of the best positions to understand exactly what software is going to be impactful from a security research perspective.
(TC: 00:38:35)
Aidan Murphy: Yes, that makes a lot of sense. So you find these vulnerabilities and then like you say, you alert your customers and I think just to give listeners an idea of what that means, this is often long before, like a public CVE is released or a patch is released, you’re alerting your customers as you find it, when you disclose to the vendor, right? So this is ahead of when they will be able to find out about it from public information.
(TC: 00:38:59)
Shubham Shah: Yes, that’s correct, but there is a little bit of a nuance here. We don’t just alert our customers about the vulnerability without giving them any real solution to deal with that vulnerability. We often come up with custom mitigations which sometimes, believe it or not, coming up with a custom mitigation can sometimes take longer than finding the vulnerability itself. But what we do essentially is we provide our customers a way to mitigate these vulnerabilities, these zero days, long before there is some sort of public patch available. So yes, we definitely go the extra mile in that case as well.
(TC: 00:39:33)
Aidan Murphy: Yes, that obviously is a critical part of it, definitely worth calling out and I think going back full circle to where we started, Michael, I think I’ve actually heard you talk about the fact that sometimes your tool is now kind of out-competing bug bounty hunters, right? Like you’re getting bug bounty hunters complaining that you’ve found some of these vulnerabilities before they did and then they’re not going to get paid out on their bug bounties.
(TC: 00:39:57)
Michael Gianarakis: Yes. It’s sometimes interesting to get those messages but we’ve had, because of the scale that we go at and the speed that we go at, when it comes to our exposure monitoring, and the nature of the kinds of issues that we’re looking for, we often hear from our customers things like the findings that we get from Assetnote are closer to what we get out of our bounty program than say a legacy vulnerability scanner, and because we’re going so fast, we’ll often beat them to the punch and as Shubs mentioned, it’s a pretty cutthroat game in the bounty space and if you’re not first then you don’t get paid and so unfortunately for these guys, they were second to us and then they’ll hit us up and complain a little bit. But from a customer perspective it’s obviously a great outcome.
(TC: 00:40:43)
Aidan Murphy: Yes, of course. Shubs, is there an example of one of these vulnerabilities that you’ve found? I mean it doesn’t have to be a recent one. You know, maybe the ServiceNow one or even further back. Just to give an idea of the kind of vulnerabilities that you’re finding, and I guess the software that you’re finding them in. Is there a big example in your mind of one of the biggest pieces of research that you guys undertook?
(TC: 00:41:06)
Shubham Shah: Yes. I think besides ServiceNow, one of the other really big pieces of research our team undertook was with Citrix. Citrix is a really heavily used software. It’s pretty much across every large enterprise you can think of, used for different things like VPNs and RDP functionality and single sign on in some ways, but it is a very, very popular enterprise software. A couple of years ago, our research team uncovered what we dubbed Citrix Bleed which essentially leaked memory from Citrix and this memory would often contain session tokens that would allow you to log in to Citrix as one of the legitimate users of the Citrix machine, and essentially this issue was quite severe and it’s quite critical, it affected almost every Citrix instance on the internet. Citrix is probably one of the most widely deployed pieces of software that there is. The important part of this was that the CVE for this vulnerability was released but no one had figured out what the actual POC was and no one understood the impact of it, actually the whole infosec industry was sleeping on it. When we came across it, we immediately recognized how critical it was and we spent probably a couple of days to understand exactly how to reproduce the issue, given that Citrix is quite a complex software but we were the first to uncover exactly what the proof of concept was, to write about it as well as provide our customers with the check long before it was exploited in the wild.
(TC: 00:42:33)
Aidan Murphy: Wow, yes, I mean that’s a huge one I think a lot of our listeners will have heard of so that’s a brilliant example. Thanks Shubs. At the risk of making a terrible joke, I think we’re just scratching the surface of this topic but I think it’s kind of really fertile ground for future episodes and I hope we’ll be able to have you, Michael and Shubs back on to talk maybe about some of these vulnerabilities or go into a little bit more depth into this attack surface management realm. I just wanted to wrap up maybe with some advice for listeners. If there’s anything they’re going to take away from this podcast, what do you think they should be taking away? Ben and Gareth, I might call on you first. Maybe Ben, if you want to jump in? Is there anything that you think the listeners should be taking away as a kind of key message from this?
(TC: 00:43:22)
Ben Jones: Yes, I think the key message is that you need to look at your attack surface from a hacker’s point of view and so that includes vulnerabilities you have within the system. It includes maybe breached machines or other things which are beyond your level of control and outside your visibility. Having some way of constantly scanning what vulnerabilities are out there in terms of your attack surface whether that’s via employees or via technical means, monitor that as frequently as you can and then do something about it and so obviously my piece of advice is to use a tool, Dark IQ and an ASM to go out and do that on your behalf because as a human, that’s going to be extremely difficult to do.
(TC: 00:44:10)
Aidan Murphy: Brilliant, thanks Ben. Gareth, from your perspective is there anything that listeners should take away from this episode?
(TC: 00:44:16)
Gareth Owenson: Yes, I guess nowadays your infrastructure is out there. You don’t have one entry point into your network. You’ve got assets all over the place. No matter how good your asset tracking processes are internally, you’re always going to miss stuff, regardless of how mature things are and so you need tooling which is scanning the internet, looking for those assets and checking to see whether they are vulnerable and I think the tool which Assetnote have built really gives you something which does that, not only quickly but in a low noise way, where you can really trust the results and take action quickly.
(TC: 00:44:53)
Aidan Murphy: I think this question just gets harder and harder as I make more people answer it so for Michael and Shubs I might slightly reframe it. You’re the experts in this so is there anything that you think, when you first had these initial conversations with the companies and maybe they’re not as familiar with attack surface management or they’ve been using other tools that aren’t quite the same as what you guys do, is there anything that you say to them that changes their perspective on things and I guess communicating to this audience of listeners, is there anything you’d want to communicate to them that maybe they haven’t thought about around this topic? Michael, you look ready to jump in.
(TC: 00:45:29)
Michael Gianarakis: Yes, and you know, obviously echoing everything that Ben and Gareth said around understanding what you have to protect is a very foundational thing to do but the one thing I would add is maybe just to go a little bit further on what I was talking about earlier and I think the right way to think about this is not to think about this in terms of tools or lists of assets. It’s really to think about it as a practice. How am I going to understand the make-up of my attack surface? How am I going to identify exposures in that attack surface and how am I going to manage the remediation of those exposures and mitigate the risks? And really, regardless of tools, regardless of products, what you really want to be doing is putting into practice systems and approaches to help you achieve those outcomes and so really for me, I think the biggest part of ASM is really the M part, the management part and that’s often what gets overlooked. Everybody looks at the asset side or they look at the security side but really it’s about what you do with those and having a clear process in place and clear practice in place to effectively manage these exposures so my advice would be to start thinking about it in those terms, rather than thinking about it in just tools and what the tool gives me.
(TC: 00:46:53)
Aidan Murphy: That’s really brilliant advice and Shubs, from your perspective, is there anything you would add on there to what Michael said?
(TC: 00:47:00)
Shubham Shah: Yes, I just think that we’re seeing, you know, these days we’re seeing more and more threat actors use zero days and really compromise enterprises through threats that enterprises had no idea existed. There are no CVEs available for them. These are truly unique cutting edge zero days that are being used so for me I think one of the things that is quite unique about us is that we can provide protection against that and that’s really something that we excel at.
(TC: 00:47:25)
Aidan Murphy: Amazing, thank you all. That’s exactly a good note to draw a line under this episode of the Dark Dive, a big thank you to Ben, Gareth, Michael and Shubs for joining me. Please follow us for free on Apple Podcasts, Spotify, YouTube or whatever podcast app you use. It’s fair to say that each of my guests today will be making a return appearance at some point, although probably not all together, so if you have any questions for us or a topic you’d like us to cover, please get in touch with us through the contact details in the show notes. You will also be able to find out more information on both Assetnote and Searchlight Cyber there. Until next time, stay safe.