When Jeff Foley first started supporting companies outside the defense industry, he saw a major gap: businesses had no idea how exposed their assets were to cyber attackers. So, he set out to solve that and created an open-source solution, Project Amass, which has become the de facto open-source attack surface mapping tool used by thousands of security professionals around the world. Now, Jeff has joined ZeroFox, bringing his expertise and passion for helping businesses understand their IT assets exposed on the Internet.
We sat down with Jeff to learn about his background and what drives him as an innovator.
Q: Tell us a little bit about your background and how you got where you are today.
JF: When I was in university, I originally wanted to be a chemist, but then changed my focus to computer programming and telecommunications, due to my interest in the Internet. I got a job as a network admin at my university, and automated all of our tasks, causing me to tell my boss I was bored and needed something to do. He proposed that I automate the detection of security policy violations as well. From there, I was able to see a major gap and helped create a security system for the university that would help find people who were abusing the network.
I first started writing code, because it allowed me to reach across the planet; I was in love. I had respect for the power that it creates and the threat it posed. So after university, I supported the United States Air Force Research Laboratory, developing cyber warfare capabilities. After that, I worked in several sectors, including financial, energy, and internet security, and they all had one thing in common: they weren’t aware of how many assets they had exposed and vulnerable on the Internet. I even did an audit of a major social media company and found huge vulnerabilities they didn’t even know about. When I was 15-17 years in my career, I thought someone must have wrapped their arms around that problem. The military did, but the commercial world didn’t. So I created Project Amass to answer that need.
Q: Tell us a little bit about Project Amass.
JF: At first, I created the Amass project for me to collect data. Then I released the project to the public in 2017 to give people an open-source turnkey solution to understanding their exposure on the Internet. HD Moore, founder of another huge open-source security tool, tweeted about the Amass project and it created an explosion of interest. But what’s interesting about the Amass Project is it goes back to things I did even when I was at University.
It’s fair to say that what caused me to create the Amass project and step up was created through experience on the battlefield. Corporations try to understand themselves and their own battle space. They invest so much into threat intelligence and vulnerability management, but I was still able to find assets they were leaving around and publicly reachable by threat actors. When I discovered that this lack of visibility was not the exception, but was the norm, that’s when I realized I needed to do something about this. I was surprised that someone hadn’t already taken care of this, but it turned out that everyone was either ignoring this or was already aware of the problem and unsure what to do about it.
Q: What do you think companies need to know to protect themselves across the attack surface?
JF: The adversary is continually looking at which target they’ll attack next. For five years, I’ve been preaching this: You should have better visibility on your attack surface than the adversaries do. Companies need to have complete visibility on themselves so they can see what attackers see and where these adversaries are most likely to attack next – this could be through an asset, vulnerability, person, etc. You must be able to leverage this visibility before an attacker can.
Just because things have always been done one way doesn’t mean it has to stay that way. The attack surface can be more manageable, but you just have to use the same tricks and techniques attackers are using, only against yourself, so you can see your organization through the “attacker’s lens.” What would they see as the most attractive target? Then you’ll find the low-hanging fruit and be able to tighten your protection first. This is how you truly perform risk prioritization on your assets exposed on the Internet.
Unfortunately, many businesses and cybersecurity providers don’t have functions or even services to address this. What they do have are vulnerability management programs, things they know about that are out there. But if something gets outside of their asset inventory of known knowns, that program won’t find it. Then the unknown assets will sit, won’t be fixed, won’t meet requirements or remain compliant. It will sit until an attacker finds it and leverages it for their own purposes.
Q: It sounds like your goals with Project Amass are just like the ZeroFox mission.
JF: Exactly, which is why I am so excited to be here. In the past, everything was based on firewalls and blocks, but now people realize we can’t block everything. Rather, we tend to watch what’s happening and identify inappropriate behavior. The Amass Project provides the tools you need to monitor your exposure on the Internet. It allows you to be alerted to newly discovered assets and to track assets over time. It’s an external cybersecurity problem, which makes it relevant for ZeroFox’s mission of external cybersecurity, and it’s the problem I’ve been working to solve for years. Now I get to apply my knowledge and expertise to deliver new innovative solutions to many organizations across the globe and protect their external attack surfaces.
Q: We are so glad you’re here! On a lighter note, what is one fun fact about Jeff Foley that people might be surprised to learn?
JF: Ah, that’s a tough one! People might be interested to learn that I am also a professor, because my academic mentors did so much to aid me when starting my career, and I attempt to return that to today’s students attempting to enter into a cybersecurity occupation.
And, in my spare time I enjoy experimenting with new blends of coffee, spending time with my wife and four children (and two dogs!), and giving back to the information security community.