3 Steps to Managing Shadow IT Risk

How to Discover and Prioritize the Unexpected

RANDORI ATTACK PLATFORM | WHITEPAPER

Randori © 2020

INTRODUCTION

These days, everyone is “moving at the speed of business”. Business teams are connected in the office, on the road, and at
home. In this new decade, companies will need to execute on their shared mission—faster than ever before!

As employees embrace new tools for productivity and software development, shadow IT (technologies and applications
deployed without IT oversight) has accelerated its sprawl across the corporate network.

Shadow IT is a problem because it introduces shadow risk. Examples include unmanaged and often vulnerable assets
outside IT inventories, applications protected by weak and default credentials, misconfigured storage exposing confidential
data, and services mistakenly exposed to the internet.

Shadow risk is dangerous because it presents unexpected change and unknown risks. In most cases, it lies outside the
scope of common security tools, such as vulnerability management (VM), endpoint detection and response (EDR), and
security information and event management (SIEM).

Shadow risk expands your attack surface. It can allow an opportunistic adversary to “get lucky” and bypass hardened
security boundaries, and it presents a huge risk against focused adversaries. Because unsanctioned deployments often
lack preventive defenses and audit logs, threat detection and response become a compounded challenge.

In this guide, we outline how you can manage shadow risk by regaining control of your attack surface. The three steps are:

1. Discover your shadow IT with an outside-in approach.
2. Prioritize this new risk by likelihood and impact.
3. Take action to remediate and report; monitor for change.

1. Discover Your Shadow IT with an Outside-In Approach

The average enterprise uses over 1,400 distinct cloud services—that number has tripled over the past five years.
As end-users become more distributed and empowered, shadow IT will accelerate and expand. Therefore, it can
feel like a daunting task to discover your unknowns, determine why processes weren’t followed, and remediate
your top risks.

From our experience working with some of the most secure companies in the world, we recommend a focus on
eliminating shadow risk, the byproduct of shadow IT that attackers use to gain unauthorized access. The most
cost-effective way to do this is by viewing your company like an attacker. You can do this manually using open source
tools, via service engagements, or with commercial products.

Every day, attackers scan the internet looking for open doors across windows of time. When targeting a company,
the first step is to perform reconnaissance—this will inform the best tactics, techniques, and procedures (TTP) to use.
With the same mindset, you can recon your company to identify an attacker’s most likely paths of attack. Based on
Gartner’s research, 30% of the breaches in 2020 will be due to shadow risk.

Let’s get more specific. If an attacker is coming from an external position, they aren’t going to exploit an IP address,
or a port—they are going to exploit a piece of installed software associated with your company infrastructure. This
software may be in the cloud, or on-premises.

When discovering shadow IT, your primary goal should be to identify all of your external-facing
software. We refer to these instances of software as targets, for example RDP, Drupal, or MongoDB.

The ways you will discover company targets vary. One approach is to enumerate the various paths that lead
to a target: find the domains, hostnames, and IP addresses linked to your company, then chase those
breadcrumbs to build a target list. Since an attack surface is constantly changing, this must be done
repeatedly, and the faster the better. And like the attacker, once the baseline is established, you will want to
focus on the change.

FIGURE 1. ATTACK SURFACE DISCOVERY METHODS

Type of data | How is the data found? | Why is this useful?
Domains associated with your company | Whois, Google dorking | A starting point to identify authentication pages, connected IP addresses, and networks.
Subdomains and hostname information | Certificate Transparency logs (SSL, TLS) | Can identify exposed and misconfigured assets.
Internal assets exposed to the Internet | DNS records, Internet scanners (IPv4) | Attackers search for hosts with remote management services, authentication pages, or open ports.
Observed open ports on Internet-facing assets | Active recon (port scans) on Internet-facing assets | Attackers can identify installed software or misconfigurations on assets.

During this process, you will identify company IP addresses, hostnames, and software services accessible from
the public internet. If you have exposed databases, weak authentication pages, or misconfigured assets, then
this introduces risk from opportunistic and targeted attackers alike.

In short, the first step is visibility: discover your company attack surface, monitor for change, and compare
findings against your existing security stack.
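An added example (not code from the whitepaper or from Randori's platform) of the baseline-and-change step and of comparing findings against your existing security stack: it diffs two discovery passes and flags targets that the managed inventory does not cover. The discovery records, hostnames and IP addresses are constructed sample data.

```python
"""Baseline, change and inventory checks over outside-in discovery results.

Constructed sample data (example.com names, documentation range 203.0.113.0/24)
shaped like the output of a discovery pass: one record per externally reachable
piece of software, i.e. one "target" in the sense used above.
"""

BASELINE = [
    {"host": "www.example.com", "ip": "203.0.113.10", "port": 443, "software": "Apache 2.4.33"},
    {"host": "vpn.example.com", "ip": "203.0.113.11", "port": 443, "software": "SSL VPN"},
    {"host": "dev-blog.example.com", "ip": "203.0.113.20", "port": 80, "software": "Drupal 8"},
    {"host": "legacy.example.com", "ip": "203.0.113.30", "port": 21, "software": "vsftpd"},
]
# Today's pass: the FTP host is gone, a database and an RDP host have appeared.
TODAY = BASELINE[:3] + [
    {"host": "metrics.example.com", "ip": "203.0.113.21", "port": 27017, "software": "MongoDB"},
    {"host": "jump.example.com", "ip": "203.0.113.22", "port": 3389, "software": "RDP"},
]
# Hosts and IPs the managed stack (IT inventory, VM, EDR) already knows about.
INVENTORY = {"203.0.113.10", "203.0.113.11", "203.0.113.20", "www.example.com"}


def target_key(t):
    """A target is the software exposed on a host:port, not the bare IP."""
    return (t["host"], t["port"], t["software"])


def diff_targets(baseline, current):
    """Return (new, removed) targets between two discovery passes."""
    before = {target_key(t) for t in baseline}
    after = {target_key(t) for t in current}
    return sorted(after - before), sorted(before - after)


def shadow_it(current, inventory):
    """Internet-reachable targets whose host and IP are both absent from the
    managed inventory: the candidates for shadow IT."""
    return sorted(target_key(t) for t in current
                  if t["ip"] not in inventory and t["host"] not in inventory)


if __name__ == "__main__":
    new, removed = diff_targets(BASELINE, TODAY)
    print("new:", new)
    print("removed:", removed)
    print("shadow IT:", shadow_it(TODAY, INVENTORY))
```

Run daily, the `new` list is the change to focus on; anything in `shadow_it` is exposed to the internet but invisible to your VM, EDR and SIEM.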

2. Prioritize Your Discovered Targets by Likelihood × Impact

In Step 1, we focused on defining and tracking your attack surface over time. Depending on the size of your
organization, you may find anything from a handful to hundreds of targets. Common things we discover include
outdated servers, dangling domains, exposed software databases, and in one case, an internet connected aquarium.

Today’s security teams already have more vulnerabilities than can be managed from known assets alone; this
discovery adds new workload to an already burdened process. A prioritization framework, based on the attacker’s
mindset, can help guide where to take action.

Risk is traditionally defined as Likelihood × Impact. This formula can be used to prioritize your targets by risk.
Likelihood should identify the targets most likely to elicit action from an attacker—your most tempting targets.
Any shadow IT discovered in Step 1 is directly exposed to the internet. For any external attacker, this represents a
greater likelihood of attack than any asset behind your VPN and firewall. When determining likelihood, we suggest
considering weakness, enumerability, and as your program matures, applicability, research potential, and post-
exploitation potential.

FIGURE 2. EXAMPLE DISCOVERED TARGETS

LIKELIHOOD FACTORS

FIGURE 3. LOOKING FROM THE OUTSIDE-IN

1. WEAKNESS

How can the service be attacked, and are exploits readily available? If there’s a public exploit for a
particular vulnerability (e.g. Metasploit module, code repository, or sometimes even a pastebin snippet), that
greatly lowers the barrier to entry for attacks.

2. ENUMERABILITY

From an external position, can an attacker readily identify the service, its version, and configuration?
Depending on the service and its deployment, a webserver target could show anything from Apache
Unknown to Apache 2.4.33, or perhaps no server information could be discerned at all. The more
information an attacker can discover, the more precise they can be with their attack.

3. APPLICABILITY, RESEARCH POTENTIAL, POST-EXPLOITATION POTENTIAL

These factors consider how an attacker assesses and prioritizes targets.

a. Is this service commonly seen in the wild? Common services, such as Exim SMTPd, Drupal, and Apache, have a
higher likelihood of being attacked by opportunistic and widespread campaigns.

b. Is the service readily available for vulnerability research? If the service has high impact weaknesses, and can be
readily researched (e.g. open source or easily accessible commercial software), then it presents a higher risk profile.

c. If the service is compromised, what are potential next steps? For example, would an attacker have access to an
underlying Windows/Mac/Linux machine, or a more specialized operating system? Against common attacks, an
endpoint detection & response (EDR) agent on the underlying asset can provide defense-in-depth and incident
response telemetry. Against advanced and persistent threat actors, services deployed on proprietary and obscure
hardware become more dangerous, as your team likely has limited visibility into exploitation, persistence, and next
steps if the service is compromised.

IMPACT FACTORS

The other half of the equation is Impact, which can be thought of as, “If this software or underlying asset is
compromised, how much closer is an attacker to our company’s most valuable data (crown jewels)?” Two factors to
consider are criticality and cost of breach.

4. CRITICALITY

Does this target represent a security boundary? Would successful compromise bring an attacker closer to
crown jewels? For example, VPN and firewall services should be prioritized, as successful breach of these
boundaries likely brings an attacker closer to your sensitive data. Criticality can be used to identify important
choke points that need to be monitored for anomalous behavior.

5. COST OF COMPROMISE

What is the cost associated with compromise of the device? Does this represent a path forward into the
business? Does this directly result in a disruption of service or breach of data? How many additional pivots
are required from this point of presence to access crown jewels? Between your website, customer data, and
trade secrets, you can quantify impact. This will inform remediation priority as well as a broader defense-in-
depth and detection & response strategy. If you perform red team assessments, your high-impact assets
should align with bounty objectives.

With these criteria, you can decide whether newly discovered shadow IT is actually a problem for your organization.
If Marketing is using a new set of productivity tools, but compromise of the data and service do not result in
meaningful business impact, then it may be an acceptable risk. If that same service is used to house and analyze
customer data, then that may warrant faster action to reduce risk.

Applying the attacker’s mindset to your perimeter will reveal interesting findings and misconfigurations.
Specifically, you can reveal exposed services and business applications that will draw their attention. This
includes authenticated services without 2-factor, pages with outdated copyright, applications that are brand
new, applications that are really old, and applications that didn’t get enough care (e.g. a custom app that is of
poor quality).

Attack surface management tools can screenshot images of any found pages for faster triage, and apply
analytics to scout and tag tempting targets. The easier it is for you to slice and dice your attack surface, the
faster you can reduce your risk.
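As an added illustration (not from the whitepaper), the following Python scores the five likelihood factors and the two impact factors above on an assumed 0 to 3 scale, multiplies them as Likelihood × Impact, and separates acceptable risk from targets that need action. The equal weighting, the threshold and the sample targets (including the same SaaS tool with and without customer data) are constructed assumptions.

```python
"""Likelihood x Impact prioritization of discovered targets.

Each factor is scored 0 (none) to 3 (high); the scale, equal weighting and
sample targets are assumptions for this example, not a scheme from the paper.
"""
from dataclasses import dataclass


@dataclass
class Target:
    name: str
    # Likelihood factors
    weakness: int          # public exploit available?
    enumerability: int     # can version/config be identified externally?
    applicability: int     # commonly seen in the wild / mass campaigns?
    research: int          # easy for an attacker to research?
    post_exploit: int      # what is reachable next; obscure hardware scores high
    # Impact factors
    criticality: int       # is this a security boundary (VPN, firewall)?
    cost: int              # disruption or data breach if compromised?

    def likelihood(self) -> int:   # 0..15
        return self.weakness + self.enumerability + self.applicability + self.research + self.post_exploit

    def impact(self) -> int:       # 0..6
        return self.criticality + self.cost

    def risk(self) -> int:         # Likelihood x Impact, 0..90
        return self.likelihood() * self.impact()


# Constructed examples, including the same SaaS tool deployed two ways.
TARGETS = [
    Target("dev-blog.example.com Drupal 8", 3, 3, 3, 3, 2, 1, 2),
    Target("vpn.example.com SSL VPN", 1, 2, 2, 1, 2, 3, 3),
    Target("marketing-tools.example.com SaaS", 1, 2, 2, 1, 0, 0, 0),
    Target("customer-analytics.example.com SaaS", 1, 2, 2, 1, 0, 1, 3),
    Target("aquarium-ctrl.example.com IoT controller", 2, 3, 1, 1, 3, 0, 1),
]


def prioritize(targets, acceptable_impact=1):
    """Split into (act_on, accepted): a target whose impact is at or below the
    threshold is accepted risk whatever its likelihood; the rest are ordered by
    descending risk for remediation."""
    act_on = sorted((t for t in targets if t.impact() > acceptable_impact),
                    key=lambda t: t.risk(), reverse=True)
    accepted = [t for t in targets if t.impact() <= acceptable_impact]
    return [t.name for t in act_on], [t.name for t in accepted]
```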

3. Take Action to Remediate and Report; Monitor for Change

At this point, all that’s left is to take action, and remediate that exposed shadow risk. While it sounds simple, this can
include but is not limited to patching, updating configurations, adding two-factor authentication, or shutting down the
service. The most successful teams build this into a continuous process. For example,

DAILY Scan for change on the company’s internet perimeter.

WEEKLY Hunt across discovered targets; prioritize top targets & plan into patching cycles.

MONTHLY Plan & execute larger remediation & resilience projects with broader teams; report on progress.

Our most important takeaway is to make this a continuous process. If you’ve ever been responsible for internet-facing
systems, you know that it can be mere seconds before basic attacks and probing begins. Focused attackers sit on your
environment and wait for a mistake. Opportunistic attackers are constantly trolling. When you proactively manage your
attack surface, you strengthen your program by eliminating easy ways for an attacker to bypass your defenses.

If you’re interested in a commercial tool that automates attack surface management, get
a Recon report of your organization here. Only an email address is needed to get started.

CONCLUSION

Dealing with shadow IT can feel like a challenge, but you can measurably reduce your risk by automating the process
and making it continuous. First, build a process to discover and continuously monitor your shadow IT. Then, quantify
your shadow risk based on Likelihood and Impact, taking into account your threat profile and what matters most to your
business. Finally, prioritize, remediate, and continue to monitor for change.

The best way to quickly understand your attack surface is to view and hunt across your network like an attacker. If time is of
the essence, this can be done at low cost using automated solutions. By discovering your unknowns and monitoring your
internet-perimeter, you can find shadow IT, quantify its risk, and take action.

HOW RANDORI CAN HELP

RANDORI RECON: UNDERSTAND YOUR ATTACK SURFACE

Just as attackers surveil organizations to find weak points, Randori starts with black box reconnaissance.
Working off of a single email address, Recon identifies your company’s Internet-facing assets and highlights your
most tempting targets to an attacker. There is nothing to deploy or configure. As your perimeter evolves, you’ll be
alerted to important changes.

RANDORI ATTACK: PUT YOUR TEAM TO THE TEST

Establish an automated red team capability to safely validate your security investments and quantify risk. Define
objectives and scope, and Randori Attack will execute a customized campaign to exercise your defenses and
strengthen your security program. You get visibility into the actions, tactics and techniques used to achieve
objectives, so you can test

Randori is your trusted adversary. Our Attack Platform empowers organizations with a continuous and automated red
team experience they can use to assess their real-world security. By mirroring today’s adversaries, we help security teams
identify gaps, demonstrate effectiveness, and get better over time. Headquartered in Waltham, MA, with offices in Denver,
CO, the company is backed by .406 Ventures, Accomplice, Harmony Partners and Legion Capital.
