Johnathan Wilkes, Palo Alto Networks

Internet exposures are often created unintentionally, and they leave organizations vulnerable to a variety of cyberattacks. In recent years, there has been an unprecedented increase in adversaries' use of automation for reconnaissance and exploitation. While sophisticated attackers continue to use automation to scan the internet for vulnerabilities and actively exploit them, why not use it not only to monitor your organization's attack surface but also to actively remediate publicly exposed assets and cloud misconfigurations? One of the biggest offenders (growing with the demands of telework and cloud computing) is the Remote Desktop Protocol (RDP), which has been determined to be the most utilized initial attack vector for ransomware gangs. With the average cost of a successful ransomware attack totaling over $300k, even a small misconfiguration becomes something every enterprise wants to avoid and mitigate as soon as possible. Defensive automation combined with active remediation can be a necessary first step for organizations to prevent such inevitable configuration slips from becoming hundreds of thousands of dollars of damage and headline news.

Talk outline
External Attack Surface Management (EASM) is the process of continuously identifying, monitoring and managing all internet-connected assets for potential attack vectors, exposures and risks. However, an ASM solution and an attack surface management plan are only part of the whole equation, because once the exposures have been determined, remediation needs to be prompt and swift. Remember that every second a critical exposure, such as RDP open to the internet, remains out there is another opportunity for it to be used as a ransomware attack vector that can cost your organization hundreds of thousands of dollars. Therefore, automation that can collect more information on a vulnerability, notify the right asset owners, and implement remediation as fast as possible should be available to a SOC for easy deployment.

Automated incident response is complicated to create, implement, and execute. It requires several tasks, including collecting information about an asset, determining the potential service owner, sending a notification to the service owner, and creating a runbook. Building such automation is challenging because product APIs change, credentials need to be securely stored and shared, and alerts must be triggered with minimal latency. In this talk, I will present an automation solution that overcomes these challenges and helps an organization remediate the unexpected exposure of assets (e.g., RDP) to the internet.
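The remediation pipeline described above (collect asset details, find the owner, notify, produce a runbook), as an added example that is not code from the talk or from Palo Alto Networks. Findings, the `sg_id` security-group field, the owner mapping and the addresses are all constructed; the runbook steps are cloud-neutral strings that a real deployment would map onto its own cloud API.

```python
from dataclasses import dataclass

# Constructed policy table: exposed ports treated as critical, RDP first among them.
CRITICAL_PORTS = {3389: "rdp", 445: "smb", 23: "telnet"}

@dataclass
class Finding:
    ip: str
    port: int
    sg_id: str   # hypothetical: cloud security-group id reported by the ASM scan
    tags: dict   # asset tags, e.g. {"owner": "hr-app"}

def severity(f: Finding) -> str:
    """Map an exposed port to a severity; RDP and friends are critical."""
    return "critical" if f.port in CRITICAL_PORTS else "medium"

def resolve_owner(f: Finding, owners: dict, fallback: str) -> str:
    """Look up the asset owner via an 'owner' tag; fall back to the SOC queue."""
    return owners.get(f.tags.get("owner", ""), fallback)

def runbook(f: Finding) -> list:
    """Ordered remediation steps for a critical exposure, in cloud-neutral terms."""
    svc = CRITICAL_PORTS.get(f.port, f"tcp/{f.port}")
    steps = [f"snapshot inbound rules of {f.sg_id} for audit",
             f"revoke {svc} inbound from 0.0.0.0/0 on {f.sg_id}",
             f"rescan {f.ip}:{f.port} to confirm closure"]
    if svc == "rdp":  # RDP gets an extra step: look for logon attempts during exposure
        steps.insert(1, f"review authentication logs on {f.ip} for the exposure window")
    return steps

def triage(findings: list, owners: dict, fallback: str = "soc@example.invalid") -> list:
    """Turn raw findings into tickets: critical first, deduplicated by (ip, port)."""
    seen, tickets = set(), []
    for f in sorted(findings, key=lambda x: severity(x) != "critical"):
        if (f.ip, f.port) in seen:
            continue
        seen.add((f.ip, f.port))
        crit = severity(f) == "critical"
        tickets.append({"asset": f"{f.ip}:{f.port}", "severity": severity(f),
                        "owner": resolve_owner(f, owners, fallback),
                        "steps": runbook(f) if crit else ["schedule review"]})
    return tickets

# Constructed sample scan: a duplicated RDP exposure and an untagged HTTPS host.
SAMPLE = [Finding("203.0.113.10", 3389, "sg-0abc", {"owner": "hr-app"}),
          Finding("203.0.113.10", 3389, "sg-0abc", {"owner": "hr-app"}),
          Finding("203.0.113.20", 443, "sg-0def", {})]
OWNERS = {"hr-app": "hr-app-team@example.invalid"}
```

`triage(SAMPLE, OWNERS)` yields two tickets: the RDP exposure first with a four-step runbook routed to the tagged owner, and the untagged HTTPS host routed to the SOC fallback queue for review.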

Speaker's Biography

  • Johnathan Wilkes is a Security Architect with Palo Alto Networks
  • He has worked at Palo Alto Networks for over 2 years
  • Before automating Attack Surface Management remediation, he helped a state government automate its security operations center
  • He has been helping enterprise and government customers with security and network automation for over 8 years
