Shubham Mittal
Shubham Mittal
Head of Research. #defensive #offensive #osint

Redefining Assets - A Modern Perspective

As per Investopedia, investing and financial education website, an asset is anything of value or a resource of value that can be converted into cash and is owned by individuals, companies, or governments. For a company, an asset might generate revenue, or a company might benefit in some way from owning or using the asset.

There are of course different categories of assets, e.g. financial assets, fixed assets, tangible assets, and intangible assets. Talking in terms of technology however, it is important to understand that, with rapid advancements, the kind of things which fall under the definition of an asset has always been evolving. For example, the kind of assets we think of earlier were Server Rooms, Servers, Hard Disks, Routers, Switches, Websites, etc.


With time, this evolved and organizations started including Laptops, Mobile Devices, Tablets, Data Devices, etc. in their asset inventories. With Bring your own device (BYOD) and later bring your own technology (BYOT), employees started plugging their technology to the organization ecosystem. Although the technology did not become part of the asset list, yet it many scenarios it had some level of organization data access or storage.


Down the line, intangible assets became an indispensable part of our lives so they were required to be tracked, indexed and hence Software Devices, Domain names, Patents, IP Address, etc. made it to asset inventories.


Now all of these things have some monetary value involved as some kind of transaction takes place for acquiring and maintaining access to these assets. In other words, if there is a loss in terms of access to these objects, it has a potential monetary loss attached to it.

Now comes the interesting part. With recent advancements in cloud and DevOps, a whole new class of intangible assets has emerged, which go underrated as no transaction is required for acquiring them. There is no direct monetary valuation to such assets either, however, if these are lost, or not taken care of, can cause a devaluation of the organization or an individual.

Examples?

Social Media Accounts, Source Code Repositories, Relevant Dumped Passwords, Cloud Storage objects (Buckets, Blobs, Spaces, etc.), Elastic IP Addresses, API Keys and Credentials and a lot more.


These kind of assets are generally not on the list, and even if they are, they are never a security priority, as the financial impact they carry cannot be articulated directly. However, there have been many cases when such assets have caused catastrophic damages to the organizations in terms of their Data loss, or Goodwill. Considering many recent breaches and data exposures, the primary reason has not been 0-day exploits or state-sponsored attacks but misconfigured public assets with no active monitoring for misconfigurations and leakages.

Examples?

Social Media Accounts. Let’s say you have a Facebook page with more than 1 Million followers, or if you have a twitter account with more than 50k followers. Your organization’s public source code repository having millions of lines of code? Your Youtube account? Do you consider these as an asset? Well, most of the organizations don’t. What if an attacker gains access to any one of these accounts and posts a news about losses to be announced just before your quarterly results, causing market panic and drop in shares value, does that puts a tangible value to these assets?

We believe that the conventional asset definition and (mis)management is one of the primary reasons of successful breaches. When it comes to security, an asset should include anything and everything an organization and its entities has their data on (knowingly or unknowingly). The scope of asset ownership could differ, but it does not limit the attack surface, for example if an organization puts out open source code on Github, they are not the owner of Github but only of the data they put under their repositories.

In a scenario reported on HackerOne, where the organization’s secret has been put on their Github account, it posed a threat equal or more than running a vulnerable service.

There are multiple such scenarios which can have a direct impact on the overall security of an organization and hence its business.

The only pragmatic solution to this problem is continuous discovery, monitoring, management and alerting of assets an organization owns across different service providers. This includes assets within cloud computing platforms, code version control services, social media accounts, data centers, or wherever the organization data could reside. Followed by locating any leaked information associated with the assets using Open Source Intelligence (OSINT) and then running modern security checks on these assets in a continuous cycle. To Summarise we have created this infographic clearly outlining the approach.


We, at RedhuntLabs are very passionate about solving real world problems and challenging ourselves with the unknowns. To extend this we have decided to take a shot at solving this exact problem of discovering, monitoring, managing and alerting about such a diversified collection of assets. The product as part of our endeavor is called ‘nVadr’, a SaaS based asset discovery and continuous monitoring offering.

Awesome Asset Discovery - GitHub Release

Also, to facilitate research around this area, we are releasing an Awesome Asset Discovery https://github.com/redhuntlabs/Awesome-Asset-Discovery repository, which is a list of curated resources for Asset Discovery. These resources can help during scoping / asset discovery phase of any security assessment engagement.

We welcome suggestions and contributions from the community in terms of resources as well as new categories.

References
1
Asset Definition: https://www.investopedia.com/terms/a/asset.asp