Today, Rapid7 released our first Industry Cyber-Exposure Report, examining the overall exposure of the Fortune 500 family of companies.
The report reveals that even among very large, mature, and well-resourced organizations, we see evidence of cybersecurity basics being missed or deployed insufficiently. This hints at the complexity and breadth required for a comprehensive security program, which is a never-ending challenge in which there is always more that can be done, constrained by limited resources and time, regardless of the size of the organization. If this challenge cannot be comprehensively met by these very large, high-revenue organizations, just imagine how much worse it is for smaller organizations with far fewer resources to apply to security. Sure, you might think smaller organizations are less likely to be targeted by attackers, but that’s probably not significantly the case. For one thing, everyone is a target for so-called untargeted “drive-by” attacks or internet-wide malware infections, such as NotPetya, now officially deemed the most expensive cyberattack of all time.
In addition, many small-to-medium businesses represent a very tasty target for attackers due to their intellectual property (for example, startups with cool new technology or techniques), relationship with their customers (for example, the HVAC vendor that had access to Target’s corporate network), or involvement in processing sensitive or financial data (for example, the many law firms that handle complex mergers and acquisitions between much larger companies).
The report highlights how hard it is for all organizations to adequately address cybersecurity, and the need for greater awareness of challenges and support from business leaders.
The key findings of the research include:
- Fortune 500 companies expose an average of 500 servers or devices on the internet, with some exposing more than 2,500.
- On average, they are deploying and exposing a minimum of 5–10 known exploitable systems (e.g. SMB, Telnet).
- Two-thirds of Fortune 500 organizations have weak or nonexistent defenses against phishing, which is widely cited as being the No. 1 attack vector.
- Indicators of malware compromise abound across all sectors of the Fortune 500.
- The Technology, Retailing, and Telecommunications sectors show daily signs of ongoing compromise.
- Compromises range from company resources being co-opted into amplification denial-of-service (DoS) attacks to signs of EternalBlue-based campaigns similar to WannaCry and NotPetya.
A new report with a familiar feel
While this is the first Rapid7 Industry Cyber-Exposure Report, longtime followers of Rapid7 research may feel some familiarity already with this report, since it uses many of the techniques we employ in producing the annual National Exposure Index (NEI). Indeed, the genesis of this report came about when some economists read the NEI, then came to Rapid7 and professed an interest in a deeper dive that focuses on the U.S. economy. Of course, our research team here immediately fell in love with the idea, so we set to work.
We already had the machinery in place to suss out exposure based on attack surface using raw numbers of internet-based services, as well as the ability to tally insecure and obsolete protocols through Project Sonar. We also have a global network of honeypots scattered about the internet thanks to Project Heisenberg, so we could get a sense of not just what type of malicious traffic is floating around the internet, but also which networks these naughty connections are coming from. Finally, we can dig through DNS TXT records to see which domains have DMARC configured, a control highlighted in the United Kingdom’s Active Cyber Defence program as one of the most effective ways to combat email spoofing used by phishers.
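The DMARC check behind the "weak or nonexistent defenses against phishing" finding comes down to reading the `_dmarc` TXT record and looking at its policy tag. The following is an added example, not Rapid7's own tooling: it parses constructed TXT records (the domains and values are made up) and sorts each domain into "none", "weak" (monitor-only or partial enforcement), or "enforcing".

```python
# Added example: classify DMARC posture from DNS TXT records (offline, constructed data).
# Constructed sample answers for "_dmarc.<domain>" TXT lookups; none of these domains are real.
SAMPLE_TXT = {
    "example-a.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-a.test"],
    "example-b.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-b.test"],
    "example-c.test": ["v=DMARC1; p=quarantine; pct=20"],
    "example-d.test": [],                      # no TXT record at all
    "example-e.test": ["v=spf1 -all"],         # TXT present, but it is SPF, not DMARC
    "example-f.test": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records: invalid
}

def parse_dmarc(txt):
    """Parse a 'tag=value; tag=value' string; return None unless it starts with v=DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags

def classify(records):
    """Return 'none', 'weak' or 'enforcing' for the TXT answers of one _dmarc name."""
    dmarc = [t for t in (parse_dmarc(r) for r in records) if t]
    # RFC 7489: zero DMARC records, or more than one, means no usable policy.
    if len(dmarc) != 1:
        return "none"
    policy = dmarc[0].get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "none"                          # missing or invalid p= tag
    if policy == "none":
        return "weak"                          # monitoring only, spoofed mail still delivered
    try:
        pct = int(dmarc[0].get("pct", "100"))
    except ValueError:
        pct = 100
    return "enforcing" if pct >= 100 else "weak"   # partial pct= is partial protection

def summarize(txt_by_domain):
    """Count domains per posture, as the report does across an industry sector."""
    counts = {"none": 0, "weak": 0, "enforcing": 0}
    for records in txt_by_domain.values():
        counts[classify(records)] += 1
    return counts
```

In a live check, `SAMPLE_TXT[domain]` would be replaced by the TXT answers for `_dmarc.<domain>` from a resolver.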
Connecting the dots
With all this technology in hand, the hardest part was figuring out which IP blocks were owned and operated for core business purposes by the Fortune 500. This matching ended up being a somewhat manual process with a whole bunch of data science thrown in, and is, itself, a pretty interesting sorting problem. (We’ll have another post describing our entity resolution model approach in the next day or two). Once that slog work was done, it was merely a matter of picking apart the data collected from Sonar, Heisenberg, and our DNS crawlers, and seeing what was happening in the largest, best-resourced companies in the United States.
Paper and webinar, go!
I’m really happy with how this research project turned out, and excited to move on to other major indices of companies around the world. If you have a professional or personal interest in how U.S. companies handle their internet exposure, take a moment to grab the free report here. Reading through it, you will learn:
- The average cyber-exposure of the Fortune 500, and how this statistic relates to baseline attack surface
- Which industries are unwittingly spreading malicious traffic such as EternalBlue-based exploits and distributed denial-of-service (DDoS) amplification attacks
- The exposure inherent in relying on third-party, cloud-based services
- How far along corporate America is when it comes to DMARC-based anti-spoofing
Of course, if reading isn’t your thing, you can join the authors of the report by registering for our webcast here. We’ll discuss the findings, take on some audience questions, and share our recommendations on what IT security professionals can do to reduce their attack surface and make life on the internet safer and more stable for everyone.