RiskSense Attack Surface Validation for IoT Systems 2018 RiskSense, Inc.
Surfacing Double Exposure Risks

Changing Times and Assessment Focus

"Our view of security assessments has changed. There is diminishing value in the way we used to select providers since we are now driving business growth through IoT projects. We needed to move beyond a typical assessment to one that challenged my development team from code review to creating exploits."
Industrial Manufacturer creating IoT solutions

There are too many elements in IoT systems today that can expose the business and the ecosystem of users or entities that they touch. These systems may change frequently or be designed for decades of use, like connected building technologies.

Before launching this new initiative, our customer needed to know the most likely attack scenarios and needed help defining priorities for remediation. RiskSense analysts provided the thoroughness and rigor that they hadn't experienced with other providers. They appreciated the modern way RiskSense delivered findings as they were found. Under pressure to get to market, they were able to keep their timelines and address vulnerabilities they had not considered in the design process.

Assessment reports quickly lose value; however, the RiskSense Security Score and active findings within the RiskSense platform were referenced, helping the team to continuously improve their process and design.

The RiskSense Attack Surface Validation for Internet of Things (IoT) Systems provides discovery of exposure for organizations delivering and incorporating IoT into their business operations. Going beyond penetration testing of the IoT devices themselves, RiskSense thoroughly reviews the development, code, environments, and processes used from end to end. Our security experts have the deepest knowledge and experience with IoT systems. Interconnected networks, vendors, platforms, programmable interfaces, and protocols all contribute to vulnerabilities within an IoT system, creating double exposure business risk.
RiskSense Attack Surface Validation for IoT systems and manufacturers covers interconnected vulnerability insight for:

- Connected Operations: where operational technology and information technology domains now cross over for near-zero downtime efficiency with integrated supply chain partners
- Remote Operations: asset management, logistic and quality tracking, update and control of devices in the field and on the move, open to network impacts or physical tampering
- Predictive Maintenance: enhanced services for remote high-value equipment, integrated building technologies, and widely deployed connected control devices
- Analytics and Telemetry: data-driven business innovations

Unlike others, RiskSense does not take months to deliver results. Engage with our experts as they progress through the phases of their assessment. As vulnerabilities are found, our team discloses the details and priorities for remediation through our easy-to-access platform. They also ensure that you have the details to reproduce the vulnerabilities and understand the scope of risk exposure.

The RiskSense Attack Surface Validation for IoT Systems provides:

- Identification of vulnerabilities and the various paths and tactics that could be used by adversaries to compromise or subvert
- Threat intelligence mining to elevate the most likely attack scenarios
- Penetration testing to verify vulnerabilities, elimination of false positives through automated testing and manual expert-driven investigations
- Immediate access to findings as they become available. All relevant documentation, including automated and manual scanning details and technical configuration information, is delivered through the RiskSense platform
- Recommendations for the remediation of identified security gaps and vulnerabilities
- Executive-level reports that provide an overall exposure health score, very much like a credit score, that can be used to benchmark improvements over multiple engagements as major changes or updates are developed
Methodology

RiskSense performs attack surface validation for IoT systems for organizations ranging from specialized manufacturers to Fortune 500 corporations. The RiskSense attack surface methodology is continuously updated to align with the latest industry information and attack trends. Our methodology is comprised of five distinct phases:

[Figure: the five phases of the methodology: 1. Information Gathering, 2. Usage Patterns, 3. Attack Surface Enumeration, 4. Attack Validation, 5. Reporting]

Phase 1: Information Gathering: Analysts perform in-depth information gathering to obtain a holistic view of the IoT system. This includes, but is not limited to, the following elements: policies and procedures, source code, design specifications, network architecture, web application interfaces, and ranges of IP addresses and device environments.

Phase 2: Usage Patterns: Analysts design tests to demonstrate and then alter intended functionality and usage of the target systems. The following is done during this phase:

- Part I: Analysts will simulate intended and normal functionality of the IoT system for observations
- Part II: Detailed packet capture, while simulating intended functionality, is used to observe the normal communication paths and baseline behavior
- Part III: Fuzz testing, a software technique to discover coding errors and security vulnerabilities, is initiated. Unusual data formats, volume, and other unexpected scenarios are used to make the system perform in unintended ways

Phase 3: Attack Surface Enumeration: RiskSense analysts will enumerate the attack surface of the devices, software, and networks utilized in the IoT system.
[Figure: Attack Surface Enumeration. Software Attack Surface: Web Application User Interfaces, Access Controls, URL Crawling/Spidering, Business Logic Identification, Identification of Input Vectors and Reflection. Network Attack Surface: Target IP Address, Operating System Versions, Ports, Protocols, Services]

- Device: Operating system, ports, protocols, services, and channels and specific design and architectural elements
- Software: The software environment, interfaces, web applications, and tools available to authorized users that may be used to perform intended and unintended functions within the IoT environment
- Network: The environment and communication with accessible routers, switches, servers, laptops, and other communicating or controlling entities

Phase 4: Attack Validation: Information collected from the previous phases is used in developing exploits and penetration tests. From configuration review and source code analysis, tests are created with an adversarial intent to gain unauthorized access or control within the IoT system. Target elements will be tested for privilege escalation, with analysts trying to escalate access levels through the identification of misconfigurations, missing critical patches, and weak security processes. They will attempt to perform a lateral attack and gain access to sensitive data, re-direct control, and other risks that can be harmful. The deepest possible analysis is conducted, utilizing publicly available tools coupled with RiskSense innovations, to identify as many vulnerabilities as possible.
Phase 5: Reporting: All evidence from the previous testing phases, in the form of screenshots, requests, responses, and commands used, is collected and made available. The findings report details the exploited vulnerabilities, their severity, and recommendations for remediation.

Enhanced Value with Modern Delivery of Results

RiskSense Attack Surface Validation for IoT Systems leverages the RiskSense platform as a key component of the service and value we provide to clients. The experience allows clients to begin to take remediation steps even before the full assessment has been completed. It's recommended that IoT manufacturers, and corporations soon to launch IoT initiatives, have this service performed during the quality assurance cycle, allowing time to take actions to mitigate cyber risk exposure. As with other assessments, a yearly review, or a reassessment when major architectural changes occur, should be performed. Our clients benefit from the standardized risk profile security score, allowing them to baseline and measure improvements upon subsequent Attack Validation services.

A Clinical Analysis

Results from the Attack Surface Enumeration and Validation are delivered through the RiskSense platform, where customers see the progression and depth of coverage this service provides. Findings and associated data are passed into the platform, quickly identifying all of the relevant vulnerabilities with risk ranking and remediation recommendations. Our clients receive their IoT System Security Posture Report through the platform, allowing them to produce .pdf reports on demand, but also on specific focus areas.
About RiskSense

RiskSense, Inc. provides vulnerability prioritization and management to measure and control cybersecurity risk. The cloud-based RiskSense platform uses a foundation of risk-based scoring, analytics, and technology-accelerated pen testing to identify critical security weaknesses with corresponding remediation action plans, dramatically improving security and IT team efficiency and effectiveness.

The RiskSense Platform embodies the expertise and intimate knowledge gained from real-world experience in defending critical networks from the world's most dangerous cyber adversaries. As part of a team that collaborated with the U.S. Department of Defense and U.S. Intelligence Community, RiskSense founders developed Computational Analysis of Cyber Terrorism against the U.S. (CACTUS), Support Vectors Intrusion Detection, Behavior Risk Analysis of Vicious Executables (BRAVE), and the Strike Team Program.

RiskSense Platform: the industry's most comprehensive, risk-based vulnerability prioritization and management platform.

Contact us today to learn more about RiskSense.
RiskSense, Inc. +1 844.234.RISK, +1 505.217.9422, www@risksense.com