One of the key challenges facing any growing organization is maintaining oversight over all assets connected to the business, wherever they lie. As an organization’s digital footprint expands, so too does its attack surface, making a comprehensive risk-based security strategy inextricable from broader asset management initiatives.
To further the ability for every organization to action a defense-in-depth strategy, Bugcrowd is excited to announce the latest crowd-powered product to join the Crowdcontrol stack — Attack Surface Management (ASM). This risk-based asset discovery, mapping, and prioritization solution is designed to provide customers visibility across all of their publicly facing assets, help them make informed decisions about uncovered assets, and migrate priority findings to active security testing programs.
Identifying and understanding the unknown is something many researchers already do as part of their default methodology — finding and attacking the less-tested and more vulnerable hosts and components that nobody else is addressing or exploiting. This offering leverages the creative genius of the crowd to (a) help companies identify their unknown attack surface, (b) provide more crowdsourced opportunities to the Crowd, and (c) expand assets under coverage through incentivized testing programs like Bug Bounty and Next Gen Pen Test.
The Role of the Researcher
In the ever-changing world of company mergers, acquisitions, and cloud-based solutions, it’s increasingly hard to keep an eye on what belongs to an organization, or what might be related but still has the potential to cause reputational damage if (or when) breached. Traditionally, software-based scanners and automated tooling can identify many of the main assets of a company, but as attack surfaces grow, shadow or legacy IT assets can become difficult to track. Just as scanners often miss the most insidious vulnerabilities, asset discovery tools often miss many of the more complex connections between unknown assets. We believe those solutions are best used as inputs to the creative process, rather than ends in and of themselves. This is where researchers enter the equation!
Every security researcher knows that all too often when performing initial recon on a target, domains believed to be connected to the organization may surface, but fall out of scope. Similarly, we know many researchers enjoy and are particularly skilled at this type of discovery. Bugcrowd has invested in this opportunity by launching Attack Surface Management — a solution powered by a mix of human ingenuity, platform-powered workflows, and contextual data from over 1200 managed programs.
How It Works
As with many of our programs today, Bugcrowd will identify the right researchers for ASM engagements based on skill, trust, experience, availability, preference, and many other attributes. Once researchers have been briefed and enabled, hunting begins! Researchers who participate in Attack Surface Management engagements will be given a grant amount to participate, and will be rewarded with additional payment according to a competitive rank model for reporting as many assets as they can find. This model gives you and your crowd comrades the chance to define the new landscape of known attack surface. The results from all participating researchers are then aggregated by Bugcrowd for the attribution and prioritization exercises detailed below.
Researchers are allowed to bring all of their personal recon tools and methods to these engagements, provided they are passive, as active testing and exploitation is not in-scope for ASM unless requested by the program owner in combination with a Bug Bounty or Next Gen Pen Test solution. When considering tooling, bear in mind that we’re looking for non-obvious connections — the sorts of things that a scanner might miss!
Many asset discovery solutions fail at understanding the relationship between assets and true owners, resulting in excessive noise and false positives. Conversely, we know that the typical researcher methodology involves a series of step-wise pivots from known baselines to reach previously unknown assets, making attribution much more reliable. This is why we believe researcher feedback during the attribution process is critical.
While program owners may have the lion’s share of contextual information with regard to asset priority, researchers carry a unique and equally valuable perspective — that of an asset’s “attack-ability.” Researchers are invited to provide input around the likelihood that an asset belongs to the client, as well as how vulnerable it appears to be as assessed during passive exploration. Researchers should think of this the same way they might when deciding which assets would be most worthy of their time during the recon phase of Bug Bounty or Next Gen Pen Test. What makes an asset appear to be worth more exploration? Less? Bugcrowd then aggregates this information and combines it with anonymized program data accumulated over the lifetime of Bugcrowd’s history to assert what we believe to be the most organic measure of real risk possible.
While uncovered assets may turn out to be things that the organization wishes (or believed to already be!) decommissioned, we also anticipate that many assets will be rolled into new or existing Bug Bounty or Next Gen Pen Test programs, complete with the ability to dig deeper into prioritized vulnerabilities.
While not everything researchers identify in an ASM engagement may fall within testing scope immediately, by bringing those assets to light, researchers are helping us redefine the way organizations think about security at scale. We believe we are on the precipice of a complete revolution in the way organizations view risk-based vulnerability management. We have the utmost confidence in researchers’ abilities to help progress this mission with out-of-the-box methodologies, human ingenuity, and dogged determination.
Thank you for taking the time to read this post! If you are a researcher interested in these engagements, please drop a line introducing yourself via the Fast Track link. If you have completed this form in the past, but would like to participate in ASM specifically, we would love to hear from you at firstname.lastname@example.org! Happy hunting!