Properly identifying and addressing attack surfaces requires scoping, specialization, and the help of security professionals.
In the cybersecurity world, an attack surface is any area of potential exposure to a cyber threat. A company’s attack surfaces depend on industry, size, and other variables. Properly identifying and addressing attack surfaces requires scoping, specialization, and the help of security professionals.
Starting with a security framework like NIST, COBIT, Center for Internet Security (CIS) Controls (formerly Critical Security Controls or CSC), or the Payment Card Industry Data Security Standard (PCI DSS) can help you know where to start.
In the past, when someone wanted to start a new service or create an application, they needed to have hardware. To purchase the hardware, a specific process needs to be followed. First the requisition process, multiple signatures and channels, and finally, signatures of approval.
Then the hardware must be installed and tested. Since controls are inherent, people could make sure security standards were applied, and that they were following proper processes and procedures.
Nowadays, it’s more like the Wild West. After purchase approval, anyone can hop online, visit a website, and spin up a virtual server in a matter of seconds. Whether it’s through a provider like Amazon (AWS), Digital Ocean, or Google Cloud, the process for beginning development on a machine literally only takes a few clicks.
This is why your attack surface can expand quickly if your company doesn’t have cybersecurity policies and procedures in place.
If a department says they’re going to move everything to the cloud, a cybersecurity or IT group could potentially lose a lot of visibility. With few–if any–checkpoints in the process, it would be difficult to realize the size of the attack surface. This is where things can quickly fall apart.
The modern digital attack surface is absolutely massive compared to how big it was in the past. Two important concepts when it comes to attack surfaces are one: “scope creep,” and two: “it’s turtles all the way down.” What these concepts mean is that when we start to dig into an attack surface, it’s hard to find the bottom. It can be like pulling a string on a sweater, not realizing that the string makes up the fabric of the sweater.
Businesses now have more people working from home and on top of that will need to worry about third parties’ and employees’ private networks. Many threat actors pivot from employees’ personal lives into their work lives to gain an inventory of attack surfaces. Trying to harden and secure everything an employee touches can quickly become an impossible task.
A lot of success comes down to knowing where to focus efforts; otherwise, you can end up chasing shadows and walking away from the whole thing.
Ironically, you must begin by answering the age old question–where do I begin when identifying attack surfaces?
This list of questions can help guide you as you plan what attack surface areas you will include and which ones you’ll start with:
Depending on what you’re trying to protect, you can approach your attack surfaces in any number of ways. You can approach security based on your services and products, or you can start on the network side. A good place to start is with the traditional IT components included on this list of attack surface “usual suspects:”
The attack surfaces on the list above are ones that come up often in the news. Breaches continue to have the same elements: e.g., misconfigured settings, shared credentials, outdated operating systems, firewall issues patching, or endpoints.
Decide which verticals will offer the most valuable data while threat hunting. You can find value in network traffic logs, DNS requests, or web server requests. Client side controls may not necessarily have that type of insight. Attack surfaces can get complicated, so staff constraints and budget constraints can make it difficult to find the hole to plug in your environment.
To help keep track of your attack surface, maintain a list of current hardware and services being used. Indicate whether you are actively supporting them and associated software. You should also be sure to manage user accounts and credentials. Knowing all of your systems and hardware is half the battle in deciding which verticals to consider. If you’re not collecting data in an area, now would be a good time to decide if you should.
In general, identifying attack surfaces can be done by following these seven steps:
Looking for the unusual suspects will differ depending on whether you’re looking in information technology (IT) or operations technology (OT) areas. IT areas are typically more hands-on than OT. In IT, people interact directly with hardware and networking software. OT is more representative of the processes or procedures behind things.
The systems and technologies that may be running in the background and are connected to the network are known as shadow IT/OT. Threat actors know they should target shadow IT/OT realms; this could mean HVAC systems, escalators, or elevators that were retrofitted with internet capabilities. It could mean an outdated machine running Windows XP in your environment.
Checks and balances add overhead. Depending on the main goals of an organization (e.g., time objectives, growth, deadlines, budget), people may choose to skip important steps like documentation and inventory. It takes time to track down the devices that have lapsed updates and are physically hidden away. As time goes on, a network is likely to gather more of these risky devices.
In a recent case, a client bought security cameras for their environment. Not many people know about them and the purchaser didn’t want to go through the proper VPN channel or set up access management, so these cameras were opened up to the Internet. You can find thousands of cameras like these online; no security, with a growing lack of patches and support. Devices like these often become a foot in the door for threat actors.
There are many devices that are temporary or transitional in an environment (e.g., devices associated with a contractor). You need to ask the right questions to set the right policies: Are these devices up to snuff? How do you handle third-party credentials? Does the device show up on the network? Is it included in the network map?
Enforcement comes down to following these policies. Security measures implemented at the time of installation could be completely undone if employees are not trained to follow policies.
Data storage is evolving: data lakes, data pools, and millions of records being moved into large, searchable systems. These areas show up in data breaches with increasing frequency.
See also: Webinar: Addressing Attack Surfaces at All Your Locations
Another example: good-intentioned backups. Say a user is worried, they want to make sure all their files are safe in the event it is stolen. They don’t realize the external drive needs to be encrypted. They wanted to make sure they could continue to work, but it’s easy from these things to go from well-intentioned action to something that ends up stepping on a rake.
On the topic of physical storage and security, ask yourself: How are you handling paper records? Is there dumpster diving around your business? What about unclaimed print jobs?
Some may deem identity and access management (IAM) attack surfaces as low-hanging fruit, but IAM can be difficult to manage. “Ghost account” attacks are showing up more and more. This type of attack happens when an employee is no longer with a company and their user account becomes dormant. Hackers find accounts like these (especially those with admin access) and quietly steal their credentials, move through the network, access data, and install ransomware.
Policies and procedures around IAM will go a long way in preventing Ghost attacks and other IAM attacks. Begin by questioning: If an employee leaves or passes away, how is their account handled? What kind of access did they have in the first place and was it warranted? What other systems is this account tied to?
If you can’t automate these API processes and keep them up to date, they can cause big problems. For example, TLS certificates are only valid for 90 days. Rather than manually rolling it over, push to make it short lived and rotated out. Then if it’s compromised, it will be rotated out after a certain amount of time, reducing the window of compromise.
The third-party attack surface area is massive; it can take decades to get third-party risks under control. Threat actors have even pivoted into an environment through a soda machine.
Many organizations don’t know the number of third parties in their environment. Knowing starts with a clear definition of a third party. This definition drives the requirements for the third party inventory at the service level. Within that definition, a company should come to a generally accepted definition of critical activities as: significant bank functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., information technology).
It is important that irrespective of the control environment, if a service is designated critical, that it receives the greatest amount of oversight provided. And if too many third-party services are classified as “critical,” then it can reduce management’s ability to focus on the services that are truly the most critical.
You have many options for performing an attack surface analysis; be sure you are collecting and analyzing relevant data in your environment. Collecting from as many different relevant verticals is critical:
.svg)
