Dec 11 2023

How Well Do You Know Your Attack Surface? Five Tips to Reduce the Risk of Exposure

Category: Cyber Attackdisc7 @ 8:16 am

It’s no secret the attack surface is expanding at an unprecedented rate. We’ve hand-picked our top tips to reduce your exposure.

https://www.crowdstrike.com/blog/five-tips-to-shield-from-exposures/?

In an increasingly connected digital landscape, the security of your organization’s data and publicly facing assets is more critical than ever. According to the CrowdStrike 2023 Threat Hunting Report, more than 20% of all interactive intrusions are associated with the exploitation of public-facing applications. As an organization’s attack surface expands and cyberthreats proliferate, it is imperative IT and security teams take a proactive approach to safeguarding their digital footprint. This starts with implementing a strong exposure management program across the entire enterprise that drastically reduces all attack surface risks.

Do You Really Know Your Organization’s Attack Surface?

To stop an attack before it begins, you must first understand where critical exposures exist. You can think of your organization’s external attack surface as all of the doorways through which an attacker might attempt to sneak in. This includes anything from domain names, SSL certificates and protocols to operating systems, IoT devices and network services. These assets are scattered across on-premises environments, cloud environments, subsidiaries and third-party vendors, and they represent many of the easiest entry points to internal networks and the sensitive data they contain. 

Building a Successful Exposure Management Strategy with EASM

In an age where unknown entryways can lead to invaluable troves of information, external attack surface management (EASM) can find doors that may be left open. CrowdStrike Falcon® Exposure Management finds those potential access points before adversaries do. 

Our EASM technology, as part of Falcon Exposure Management, uses a proprietary engine to continuously scan the entire internet, enabling organizations to see their attack surface from an adversary’s perspective. The digital footprint of an organization is simple to generate, using only a company’s root domain. Once generated, it gives security teams a complete view of all of their internet-facing assets, including those on-premises and in the cloud. All exposed assets are automatically classified, analyzed and rated with a contextualized risk score, allowing teams to fix first what matters most.  

Reducing the size of your attack surface can minimize the risk of a breach. By following the five tips below, organizations can reduce the number of opportunities an adversary has, strengthen their cybersecurity posture and proactively  protect valuable assets from malicious actors. 

Top Tips to Reduce External Attack Surface Exposures

  1. Do not allow Remote Desktop Protocol (RDP) connections from outside your organization’s networks

There are plenty of products and open source solutions offering remote access to company resources. When RDP is opened to the internet, it is often not monitored and is susceptible to attacks.

How: 

  • Stand up a server that sits outside of your network perimeter
  • Install nmap or any other network scanner you’re comfortable with
  • Grab a list of your IP ranges
  • Set up a cron job to scan continuously for port 3389
  • Grab the logs weekly 
  • Use this list to figure out the person inside your organization who owns or is responsible for each host that has responded on port 3389
    • Clues:
      • Domain name (if applicable)
      • IPAM IP range notes
      • Login banners
  • For any hosts that MUST have RDP exposed to the internet, enable multifactor authentication (MFA), remove them from your scan script above and continue the process of scanning
  • Use Network Level Authentication, a Remote Desktop Services feature that requires a user to authenticate before connecting to the server
  1. Avoid allowing directory listing on your web servers 

Directory listings expose the server to traversal attacks and a large variety of vulnerabilities. Moreover, the web server may contain files that shouldn’t be exposed through links on the website. Ensure your server does not expose directory listings, and if it must, make sure the directories do not contain sensitive information. 

How: 

  • Stand up a server that sits outside of your network perimeter 
  • Install nmap or any other network scanner you are comfortable with
  • Grab a list of your IP ranges
  • Set up a cron job to scan continuously for open HTTP 
  • Grab the logs weekly 
  • For every host answering on an HTTP or HTTPS port, use this list as an input for your web app scanning tool of choice (such as nikto or dirsearch)
  • For any host allowing directory traversal, figure out the person inside your company who owns or is responsible for this website
    • Clues:
      • Domain name (if applicable)
      • IPAM IP range notes
      • Login banners
      • Other website info
  1. Place test environments behind a VPN 

Ensure none of your development, staging or test environments is exposed to the internet. These environments are often not well-secured and in many cases have access to restricted resources.

How: 

  • Identify all of your production environments:
    • Have a clear list of domains and IP ranges from IT admin, content delivery network providers and web application firewall providers
    • Query whois reverse search under your organization name (there are multiple vendors and open source tools for this) 
  • All other environments (domains, subdomains and machines with external-facing IPs) should be protected with a VPN and MFA
  1. Avoid hostile subdomain takeovers 

Confirm none of your subdomains is expired or points to third-party pages and accounts that no longer exist, as it might be vulnerable to hostile subdomain takeovers. If you find such subdomains, reconfigure the DNS settings or remove the DNS entry pointing to the external service.

How: 

  • Talk to your IT admin team and get access to your DNS (may be route53, may be self-hosted)
  • Do a zone transfer on all of the domains your organization owns
  • Get a list of all of your IP ranges
  • Parse the IP addresses against your known IP range list
  • For any IPs that aren’t part of your infrastructure, figure out who they belong to (whois lookup, published list of cloud provider IP ranges)
  • Determine if they are pointing at anything you know you own
  • Any unused subdomain should be retired properly:
    • Use “Null MX” record
    • Use DMARC configuration to prevent any email from being sent on behalf of the sub/domain
  1. Enforce input validation

Enforce input validation on all internal and external inputs to prevent injection attacks. Input validation best practices include: predefining input size limitation per field and type (str/int if applicable), applying maximum retries for password and user fields, and enforcing backend strict logic to prevent injections (prepared statements with parameterized queries, stored procedures, escaping all user inputs, etc.).

How: 

  • Forms fields
  • Uniform resource identifiers (URIs)
  • APIs
  • Attachments
  • And more

Bonus Tip: Continuously monitor your attack surface

Securing an expanding attack surface is challenging. The dynamic nature of most modern IT ecosystems means secure assets can suddenly become exposed unknowingly due to an error, misconfiguration or simple oversight. This category of forgotten assets can grow for many reasons: employees with revoked access, engineers with lingering cloud token permissions, or unmaintained databases that should have never been exposed in the first place. Moreover, there are instances of abandoned assets that remain unused or unclassified for extended periods, leaving IT departments without records and, consequently, unable to secure them. Regardless of their origin, these assets present significant security risks.

Having an effective exposure management program enables teams to stay vigilant and proactively  monitor and secure entire IT ecosystems, which  is essential in safeguarding an entire  attack surface. You need to add a scalable way to monitor your internet-facing assets and discover your unknown exposures and risks in real time.

Additional Resources

Mastering Attack Surface Management: A Comprehensive Guide To Learn Attack Surface Management

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Attack Surface


Mar 23 2023

Cybersecurity 101: What is Attack Surface Management?

Category: Cyber Attack,cyber securityDISC @ 9:39 am

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them.

ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge.

Understanding Attack Surface Management

Here are some key terms in ASM:

  • Attack vectors are vulnerabilities or methods threat actors use to gain unauthorized access to a network. These vulnerabilities include vectors such as malware, viruses, email attachments, pop-ups, text messages and social engineering. 
  • An attack surface is the sum of attack vectors that threat actors can potentially use in a cyberattack. In any organization, all internet-connected hardware, software and cloud assets add to the attack surface. 
  • Shadow IT is any software, hardware or computing resource being used on a company’s network without the consent or knowledge of the IT department. Quite often, shadow IT uses open-source software that is easy to exploit. 
  • Attackers use sophisticated computer programs and programming techniques to target vulnerabilities in your attack surface, like shadow IT and weak passwords. These cyber criminals launch attacks to steal sensitive data, like account login credentials and personally identifiable information (PII)

Read the Threat Index

Why is Attack Surface Management Important?

Security teams can use ASM practices and tools to prevent risks in the following ways:

  • Reduce blind spots to get a holistic view of your IT infrastructure and understand which cloud or on-premise assets are exposed to attackers.
  • Eliminate shadow IT to remove unknown open-source software (OSS) or unpatched legacy programs.
  • Minimize human error by building a security-conscious culture where people are more aware of emerging cyber threats. 
  • Prioritize your risk. You can get familiar with attack patterns and techniques that threat actors use.

How Attack Surface Management Works

There are four core processes in attack surface management: 

  1. Asset discovery is the process of automatically and continuously scanning for entry points that threat actors could attack. Assets include computers, IoT devices, databases, shadow IT and third-party SaaS apps. During this step, security teams use the following standards:
    • CVE (Common Vulnerabilities and Exposures): A list of known computer security threats that helps teams track, identify and manage potential risks.
    • CWE (Common Weakness Enumeration): A collection of standardized names and descriptions for common software weaknesses.
  2. Classification and prioritization is the process of assigning a risk score based on the probability of attackers targeting each asset. CVEs refer to actual vulnerabilities, while CWEs focus on the underlying weaknesses that may cause those vulnerabilities. After analysis, teams can categorize the risks and establish a plan of action with milestones to fix the issues.
  3. Remediation is the process of resolving vulnerabilities. You could fix issues with operating system patches, debugging application code or stronger data encryption. The team may also set new security standards and eliminate rogue assets from third-party vendors.
  4. Monitoring is the ongoing process of detecting new vulnerabilities and remediating attack vectors in real-time. The attack surface changes continuously, especially when new assets are deployed (or existing assets are deployed in new ways).  

You can learn more about the four core processes and how attack surface management works on the IBM blog. 

How to Get a Job in Attack Surface Management

Anyone who works in attack surface management must ensure the security team has the most complete picture of the organization’s attack vectors — so they can identify and combat threats that present a risk to the organization.

Hiring companies look for people with a background and qualifications in information systems or security support. The minimum expectations typically include the following:

  • Strong technical security skills
  • Strong analytical and problem-solving skills
  • Working knowledge of cyber threats, defenses and techniques
  • Working knowledge of operating systems and networking technologies
  • Proficiency in scripting languages, like Perl, Python or Shell Scripting
  • Experience with attack surface management and offensive security identity technologies.

What’s Next in Attack Surface Management?

Cyber Asset Attack Surface Management (CAASM) is an emerging technology that presents a unified view of cyber assets. This powerful technology helps cybersecurity teams understand all the systems and discover security gaps in their environment.

There is no one-size-fits-all ASM tool — security teams must consider their company’s situation and find a solution that fits their needs. 

Some key criteria include the following:

  • Easy-to-use dashboards
  • Extensive reporting features to offer actionable insights
  • Comprehensive automated discovery of digital assets (including unknown assets, like shadow IT)
  • Options for asset tagging and custom addition of new assets
  • Continuous operation with little to no user interaction
  • Collaboration options for security teams and other departments.

With a good ASM solution, your security team can get a real cyber criminal’s perspective into your attack surface. You can find, prioritize and solve security issues quickly and continuously. Ultimately, a diligent attack surface management strategy helps protect your company, employees and customers. 

Side view of young businessman using laptop in office. Male professional sitting at conference table working on laptop computer.

Operationalizing Threat Intelligence: A guide to developing and operationalizing cyber threat intelligence programs

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Attack Surface, Cyber Threat, Threat Intelligence