Risky Bulletin Episode Summary
Title: Sponsored: runZero on Inside-Out Attack Surface Management
Host: Kathleen Campano
Guest: HD Moore, Founder and CEO of runZero
Release Date: January 26, 2025
Introduction to runZero and Asset Management Challenges
In this episode of Risky Bulletin, Kathleen Campano interviews HD Moore, the founder and CEO of runZero. The discussion centers on the role of asset inventory and network visibility in modern security programs, and on why neither problem is as settled as many teams assume.
HD Moore opens the conversation by challenging the common perception that asset inventory and discovery are "closed cases." He emphasizes the ongoing complexities in managing assets and exposures within dynamic network environments.
“It’s asset inventory that’s the challenge as much as it’s exposure management that’s the real challenge.”
— HD Moore [00:39]
The Complexity of Asset Inventory and Exposure Management
HD Moore elaborates on the difficulties organizations face in maintaining accurate asset inventories. He points out that many companies have ceased running regular scans, relying instead on endpoint agents to report assets. This approach often results in significant gaps in visibility.
“They’re not looking for networks they don't know about... it misses a huge portion of their estate.”
— HD Moore [00:39]
Furthermore, Moore highlights the complications of tracking externally exposed assets across multiple geographical locations, cloud providers, and through various access methods like VPNs.
runZero’s Solution: Inside-Out Attack Surface Management
runZero addresses these challenges by providing comprehensive asset inventory and exposure management. Moore describes how runZero initially focused on internal visibility, discovering networks and devices that existing tools often overlook. Over time, runZero has expanded its capabilities to include passive discovery and integrations with various systems.
A key innovation introduced by runZero is Inside-Out Attack Surface Management, which leverages detailed internal asset information to identify external exposures.
“We use detailed information about your internal assets to figure out which of those are exposed externally.”
— HD Moore [01:44]
Technical Approach: Fingerprinting and Exposure Detection
Moore delves into the technical mechanisms behind runZero's approach. The company invests heavily in fingerprinting to identify devices and services as precisely as possible. By recording identifiers such as public keys, SSH host keys, TLS certificates, and MAC addresses during internal discovery, and then matching the same identifiers against what an external scan observes, runZero can determine whether an internal asset is inadvertently reachable from the internet.
“We spend a lot of time doing fingerprinting... if you find what should be the internal server outside of the Internet, you've got a problem.”
— HD Moore [01:47]
Because a match requires the same key material on both sides, a hit is rarely a false positive: either the internal asset is directly exposed, or the same private key is shared across several devices (for example a vendor-shipped default), and both are findings worth acting on. Unrelated internet hosts simply do not match.
Common Findings and Exposure Types
HD Moore shares insights into the most prevalent types of exposures identified by runZero. Contrary to initial expectations, many exposures are legitimate, such as backend web servers behind firewalls. However, runZero also uncovers unintended exposures, including:
- Forgotten VPN Appliances: Devices such as Palo Alto Networks firewalls that administrators believe are offline but which are still live on an IP range nobody is tracking.
- Mobile Broadband Adapters: Laptops with cellular modems that receive a globally routable IPv6 address, leaving services such as RDP and SSH directly reachable from the internet.
“The big one is knowing what internal device it goes with... you already know exactly where to start.”
— HD Moore [05:49]
Alerting and Customer Support
Upon detecting an exposure, runZero generates priority alerts for customers. These alerts are enriched with contextual information, linking external endpoints to internal assets and providing actionable insights. This approach streamlines the remediation process by eliminating the need for extensive hunting across the network.
“We attach a vulnerability record to the asset... they already know exactly where to start.”
— HD Moore [04:45]
Beyond False Positives: Enhanced Security Insights
Customers appreciate runZero’s ability to provide precise alerts with minimal false positives. The system not only flags exposures but also identifies the internal context, such as the responsible administrator, network details, and whether the asset has endpoint detection and response (EDR) installed.
“We already have all that other context about the asset so that when you go to Azure, remediate the issue, you’re not hunting for it across your environment.”
— HD Moore [05:49]
This comprehensive approach enhances the effectiveness of existing external attack surface management tools by bridging the internal-external visibility gap.
Continuous Monitoring and Proactive Management
The conversation shifts to the importance of continuous monitoring. Moore explains that runZero allows organizations to set alerts for specific devices or configurations, ensuring that any unauthorized changes or exposures are promptly detected.
“If there's a type of device that you want to keep an eye on... flag it, alert me.”
— HD Moore [06:47]
This capability is particularly useful for identifying leftover or decommissioned devices that may pose security risks if forgotten.
Deployment Insights and Early Findings
runZero rolled out the inside-out capability roughly two months before the recording, and Moore shares the initial observations. Out of a sample set of about 10 million devices, approximately 50,000 were found to have some form of external exposure. Many were expected, such as backend web servers, but runZero also identified unexpected issues like:
- Cloned Certificates: Instances where the same TLS certificate was used across multiple devices, indicating potential cloning or vendor hard-coding of cryptographic keys.
- Inconsistent Configurations: Cases where administrators repurposed certificates across different services, leading to confusion and potential security gaps.
“There’s a leftover Palo Alto Networks firewall... they think it’s totally offline and they forget one somewhere.”
— HD Moore [07:34]
These findings underscore the necessity of robust asset and exposure management practices.
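The key-matching technique Moore describes in the Technical Approach section, together with the cloned-certificate finding above, as an added Python example (this is not runZero's code, and the `Observation` fields, asset ids and scan records are assumptions, not runZero's data model). It computes OpenSSH-style SHA256 host-key fingerprints and SHA-256 certificate fingerprints, joins an internal inventory against an external scan on those identifiers, and separately reports any key that appears on more than one internal asset, since a shared key both indicates cloning or a vendor default and makes the external match ambiguous. All key blobs and certificate bytes below are constructed stand-ins, not real key material.

```python
import base64
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Observation:
    """One open service seen by a scan (constructed schema, not runZero's)."""
    ip: str
    port: int
    service: str
    ssh_hostkey_b64: Optional[str] = None   # base64 public key blob as sent by sshd
    tls_cert_der: Optional[bytes] = None     # DER certificate from the TLS handshake
    asset_id: Optional[str] = None           # internal inventory id; None for external scans


def ssh_fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def tls_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate, colon-separated upper-case hex."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def identifiers(obs: Observation) -> set:
    """All cryptographic identifiers an observation offers for matching."""
    ids = set()
    if obs.ssh_hostkey_b64:
        ids.add(("ssh", ssh_fingerprint(obs.ssh_hostkey_b64)))
    if obs.tls_cert_der:
        ids.add(("tls", tls_fingerprint(obs.tls_cert_der)))
    return ids


def endpoint(obs: Observation) -> str:
    return f"[{obs.ip}]:{obs.port}" if ":" in obs.ip else f"{obs.ip}:{obs.port}"


def correlate(internal, external):
    """Return (exposures, shared_keys).

    exposures: external observations whose key material also appears in the
    internal inventory, with the internal asset(s) it belongs to.
    shared_keys: identifiers seen on more than one internal asset; these are
    a finding in their own right (cloned device or vendor-default key) and
    mark any external match using them as ambiguous."""
    by_id = defaultdict(set)
    for obs in internal:
        for ident in identifiers(obs):
            by_id[ident].add(obs.asset_id)
    shared = {ident: assets for ident, assets in by_id.items() if len(assets) > 1}
    exposures = []
    for obs in external:
        for ident in identifiers(obs):
            if ident in by_id:
                exposures.append({
                    "external": endpoint(obs),
                    "identifier": ident,
                    "internal_assets": sorted(by_id[ident]),
                    "ambiguous": ident in shared,
                })
    return exposures, shared


# Constructed key material: arbitrary bytes standing in for captured blobs.
KEY_FW = base64.b64encode(b"ssh-ed25519 constructed-key-firewall-01").decode()
KEY_LAPTOP = base64.b64encode(b"ssh-ed25519 constructed-key-laptop-42").decode()
CERT_VENDOR = b"\x30\x82constructed-vendor-default-cert"   # same cert on two cameras
CERT_WEB = b"\x30\x82constructed-backend-web-cert"

INTERNAL = [
    Observation("10.0.1.1", 22, "ssh", ssh_hostkey_b64=KEY_FW, asset_id="fw-dc1-old"),
    Observation("10.0.9.42", 22, "ssh", ssh_hostkey_b64=KEY_LAPTOP, asset_id="laptop-0042"),
    Observation("10.0.5.10", 443, "https", tls_cert_der=CERT_WEB, asset_id="web-backend-1"),
    Observation("10.0.7.21", 443, "https", tls_cert_der=CERT_VENDOR, asset_id="cam-lobby"),
    Observation("10.0.7.22", 443, "https", tls_cert_der=CERT_VENDOR, asset_id="cam-dock"),
]
EXTERNAL = [
    Observation("203.0.113.7", 22, "ssh", ssh_hostkey_b64=KEY_FW),          # forgotten firewall
    Observation("2001:db8:ff::42", 22, "ssh", ssh_hostkey_b64=KEY_LAPTOP),  # laptop on cellular IPv6
    Observation("203.0.113.80", 443, "https", tls_cert_der=CERT_WEB),       # intended backend exposure
    Observation("198.51.100.9", 443, "https", tls_cert_der=CERT_VENDOR),    # which camera? key is shared
    Observation("198.51.100.50", 443, "https", tls_cert_der=b"\x30\x82unrelated-cert"),  # no match
]

if __name__ == "__main__":
    found, shared_keys = correlate(INTERNAL, EXTERNAL)
    for e in found:
        flag = " (AMBIGUOUS: shared key)" if e["ambiguous"] else ""
        print(f"{e['external']} -> {', '.join(e['internal_assets'])}{flag}")
    for ident, assets in shared_keys.items():
        print(f"shared {ident[0]} key across {sorted(assets)}: {ident[1]}")
```

The join only fires on identical key material, which is why unrelated internet hosts drop out without any allow-listing. The ambiguous flag is the practical caveat: when a certificate is cloned across devices the external hit still tells you something is exposed, but not which unit, so the shared-key report has to be worked alongside the exposure list.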
Applicability to Cloud Environments
HD Moore confirms that runZero’s solutions are equally effective in cloud environments. Whether assets reside within on-premises networks or cloud virtual private clouds (VPCs), runZero can validate security configurations and uncover exposures.
“It doesn’t matter where it is... we can help you identify what is the internal side of that exposure.”
— HD Moore [09:25]
This versatility ensures that organizations leveraging cloud infrastructures can maintain comprehensive security oversight.
Conclusion
The episode highlights the critical importance of inside-out attack surface management in today’s complex and dynamic network landscapes. runZero, under HD Moore’s leadership, offers a sophisticated solution that not only enhances asset inventory accuracy but also provides actionable insights into external exposures. By bridging the gap between internal asset visibility and external threat landscapes, runZero empowers organizations to proactively secure their environments against evolving cyber threats.
Notable Quotes:
“It’s asset inventory that’s the challenge as much as it’s exposure management that’s the real challenge.”
— HD Moore [00:39]
“We use detailed information about your internal assets to figure out which of those are exposed externally.”
— HD Moore [01:44]
“If there's a type of device that you want to keep an eye on... flag it, alert me.”
— HD Moore [06:47]
“We already have all that other context about the asset so that when you go to Azure, remediate the issue, you’re not hunting for it across your environment.”
— HD Moore [05:49]
