In 2020, the cybersecurity world watched as one of my former employers became the victim of a significant ransomware attack. The company, a major cloud-based software provider serving the nonprofit, education, and healthcare sectors, was entrusted with a vast amount of sensitive data from numerous clients, including prominent organizations such as the American Civil Liberties Union, Human Rights Watch, and the University of London.
As an employee there at the time, the breach hit especially close to home, and its far-reaching consequences have often made me wonder whether a solution like SixMap could have prevented it.
The Attack
In May 2020, attackers breached the corporate network and exfiltrated a subset of data from a self-hosted environment. The stolen information, which included sensitive details like Social Security and bank account numbers, belonged to donors, students, and patients of the organization’s clients.
My former employer decided to pay a ransom, but the fallout was extensive, leading to legal action and forcing its clients to notify their constituents, which caused a significant loss of trust.
The Challenges
During my time at the organization that later fell victim to ransomware, it grew significantly by acquiring numerous software providers. This strategy, while broadening its offerings, led to a sprawling and intricate infrastructure.
For instance, my team joined the organization after our previous company was acquired. That previous company, in turn, had itself made several acquisitions prior to being acquired by the organization that ultimately suffered the ransomware attack. These multiple layers of acquisitions meant the parent organization often had to maintain legacy infrastructure while determining how to integrate the systems it inherited.
Since the exact details of the breach were never made public, I can only speculate from my perspective as a non-security employee that this complexity was the root cause of the security gap. Attackers understand that the “path of least resistance” is often in these overlooked legacy corners, where environments are undergoing integration and may not receive the same level of scrutiny as core platforms.
SixMap’s Solution
The challenges my former employer faced are unfortunately not unique, which is why it’s worth considering how a solution with an outside-in perspective could have prevented the attack.
Organization Mapping
SixMap’s exposure management process begins with organization mapping, which meticulously identifies all of an organization’s subsidiaries and legal entities. By understanding the full corporate tree, SixMap can uncover potentially overlooked infrastructure that isn’t centrally managed or monitored.
In the case of my former employer, this organization mapping procedure may have exposed the self-hosted environment that ultimately proved vulnerable and led to a damaging attack.
Host Discovery
SixMap’s host discovery process uses every legal entity identified as an initial starting point. This broad-scope approach results in a more accurate and more complete asset inventory. Other solutions on the market may fail to detect a large share of digital assets because they begin the discovery process with a narrower view, focused only on the parent company.
In addition, SixMap uses a proprietary algorithm called 6Gen to discover all hosts across the IPv4 and IPv6 address spaces. 6Gen uses a technique known as computational mapping to statistically forecast which IP addresses will have live hosts — and which IP addresses will not. Using additional data points, such as WHOIS and DNS records, SixMap creates a full inventory of all the IPs and domains that belong to the organization, across all legal entities globally.
Exposure Assessment
After building the comprehensive organization map and asset inventory, SixMap completes a thorough reconnaissance of the organization’s entire external-facing digital estate. This reconnaissance includes inspecting all 65,535 ports on each active IPv4 and IPv6 address to determine which ports are open and what services are running on them.
Prioritized Vulnerability Detection
SixMap then analyzes the data from its assessments to identify and prioritize vulnerabilities. The SixMap solution matches service information with publicly disclosed security vulnerabilities. From there, SixMap determines the severity and likelihood of exploitation for each vulnerability and checks for any intelligence that suggests attackers have actively exploited it in the wild.
With this level of visibility, SixMap could have highlighted critical risks in my former employer’s self-hosted environment, ensuring that outdated or unnecessary services with exposed ports received immediate attention.
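The matching and ranking steps described above, as an added illustration that is not SixMap's code or its 6Gen algorithm: a discovered-service inventory is matched against an advisory feed, scored by severity plus exploitation signals, and internet-exposed management ports on a legacy entity's hosts are flagged. All hosts, entities and advisory identifiers are constructed placeholders.

```python
# Added example: a simplified exposure-prioritization pass, not SixMap's code.
# All hosts, entities and vulnerability records below are constructed placeholders;
# the VULN-* ids are not real CVE numbers and the IPs come from documentation ranges.

# Management services that should not face the internet (constructed policy).
ADMIN_PORTS = {22: "ssh", 445: "smb", 3389: "rdp"}

def match_advisories(svc, advisories):
    """Advisories whose product and affected-version set cover this service."""
    return [a for a in advisories
            if a["product"] == svc["product"] and svc["version"] in a["affected"]]

def risk_score(adv):
    """CVSS weighted by likelihood signals; reported in-the-wild exploitation dominates."""
    score = adv["cvss"]
    if adv["exploit_public"]:
        score += 2.0
    if adv["exploited_in_wild"]:
        score += 5.0
    return round(score, 1)

def prioritize(services, advisories):
    """Rank vulnerability matches and exposed admin ports, highest risk first.

    Each finding is (score, label, entity, host, port)."""
    findings = []
    for svc in services:
        for adv in match_advisories(svc, advisories):
            findings.append((risk_score(adv), adv["id"], svc["entity"], svc["host"], svc["port"]))
        if svc["port"] in ADMIN_PORTS:
            label = "exposed-" + ADMIN_PORTS[svc["port"]]
            findings.append((6.0, label, svc["entity"], svc["host"], svc["port"]))
    return sorted(findings, reverse=True)

# Constructed inventory: the parent company plus a legacy subsidiary's self-hosted hosts.
SERVICES = [
    {"host": "192.0.2.10", "entity": "Parent Corp", "port": 443, "product": "webapp", "version": "5.2"},
    {"host": "198.51.100.7", "entity": "Legacy Subsidiary Ltd", "port": 443, "product": "webapp", "version": "4.1"},
    {"host": "198.51.100.7", "entity": "Legacy Subsidiary Ltd", "port": 3389, "product": "rdp", "version": "unknown"},
]
# Constructed advisory feed (placeholder ids, not real CVEs).
ADVISORIES = [
    {"id": "VULN-PLACEHOLDER-1", "product": "webapp", "affected": {"4.0", "4.1"}, "cvss": 9.8, "exploit_public": True, "exploited_in_wild": True},
    {"id": "VULN-PLACEHOLDER-2", "product": "webapp", "affected": {"5.2"}, "cvss": 5.3, "exploit_public": False, "exploited_in_wild": False},
]
```

Running `prioritize(SERVICES, ADVISORIES)` puts the subsidiary's outdated web application (actively exploited advisory) first, its exposed RDP port second, and the parent company's lower-severity match last.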
A Cautionary Tale and the Path Forward
The damaging ransomware attack on my former employer underscores the urgent need for organizations with complex infrastructures to adopt solutions that provide a comprehensive and continuous view of their external exposure. While it’s impossible to say for sure that a solution like SixMap would have stopped the 2020 ransomware attack, its approach to attack surface management and vulnerability discovery could have significantly enhanced my former employer’s defenses and reduced the chances of a major incident.