Table of Contents
In September 2017, the world saw one of the worst data breaches in history. Equifax Inc. - one of the three largest consumer credit reporting agencies in the world - announced a data breach that compromised the personal information of 147 million people. The information compromised included first and last names, Social Security numbers, birth dates, addresses, and in some instances, driver's license numbers and credit card numbers. Dealing with this incident cost Equifax a staggering $1.4 billion+ in legal fees. The incident came in as one of the most critical reminders of a simple fact when it comes to modern cybersecurity – a slight lapse in monitoring your attack surface could cause immense damage to your organization.
What is attack surface?
Your attack surface is the sum of all internet-facing digital assets, hardware, software, and applications that can be exploited to carry out cyber-attacks. Potential security risk loopholes exist across cloud, network, and on-premises. The smaller your attack surface, the stronger your security. Your attack surface can include: Known assets: website, servers, firewalls, endpoints, storage, and apps (cloud and on-premises) Unknown assets: abandoned and orphaned sites, domains, servers, and IT infrastructure. IoT (Internet of Things) devices: point-of-sale devices, physical security equipment (locks, cameras, alarms, and more), and Brandjacked assets: typo-squatted domains, lookalike domains, and apps Vendors and services: verified and unauthenticated access to assets gained by third-party and fourth-party services Dark-web artifacts: assets, email database, and data records exposed in the hidden corners of dark web Because of the ongoing shift towards digital transformation, the size of the attack surface has grown immensely. So much so that the IT teams struggle to map the exact size of the attack surface, and thereby in keeping themselves secure. As estimated by Gartner, by 2020, 30% of data breaches occurred due to Shadow IT assets or vulnerabilities in your undocumented attack surface. These numbers are set to increase with the adoption of digital transformation. As such, the need for efficient attack surface management is higher than ever before. A robust attack surface management solution helps you get an extensive attack surface analysis and helps you reduce risk. Jon Oltsik, the ESG senior principal analyst and fellow, puts it best: "You can't manage what you can't measure. By discovering and monitoring these assets, security professionals can then find the 'path of least resistance' those hackers may use as a doorway to penetrate corporate networks and commence a cyber-attack. Armed with this intelligence, security teams can close the gaps, fine-tune security controls, and develop countermeasures." Let us dive in further.
What to protect in your attack surface?
Malicious actors continually hunt for ways to break into your organization. It is essential to know everything that can add to your attack surface. Find all the ways that your infrastructure is exposed and vulnerable to attack, and then prioritize activities that help make that attack surface smaller. Here are some key categories of digital assets you need to protect:
► Website (domain, and sub-domains), services, and APIs
► Email addresses found in breached databases
► Open or misconfigured ports, email servers, database
► Expiring or abandoned certificates
► Vulnerability exposures
► Public cloud storage and code repositories such as GitHub, BitBucket, and GitLab
► Abandoned servers, sites, domains, pages
► Asset access to third-party and fourth-party vendors
This seems obvious, right? However, a report shared by Security Magazine shows that even the most prominent companies do not know what they are dealing with. Here are some key insights:
- 68% of organizations surveyed experienced an attack that originated from an unmanaged or poorly managed company asset.
- A whopping 98% of organizations said that testing is a top 10 security issue, while only 43% admitted to regular pen-testing.
- 50% of organizations do not include SaaS (software as a service) applications and public cloud workloads in their attack surface.
How to map your attack surface?
Comprehensive attack surface evaluation and analysis can help you create your parameters and limit the opportunities available to cybercriminals.
Here is how to map your attack surface once you have planned and scoped out your organizational perimeter.
Steps to map your attack surface:
Step #1: Perform application discovery
The first step is application discovery that understands what critical web apps you own and where they are exposed. This can be impossible due to the significant amount of shadow IT in large organizations. So, instead of bombarding your team with false positives, it is a far more reasonable approach to focus on business-critical web apps and assessing their risk level first.
Step #2: Check code usage
Some code languages are more exposed than others, and as new versions are released, this will organically fix the issues. Using insecure and old code to develop your website will lead to a host of easily exploitable vulnerabilities for hackers to take advantage of.
Step #3: Identify page distribution
The more pages your website has, the more risks there are. As such, all pages must be found, and vulnerabilities need to be uncovered at all levels. Access to specific actions or pages can be restricted using user levels set up by the administrator. This could be critical in keeping the bad guys out.
Step #4: Input Vectors
Having too many input fields in your web applications exposes you the risk of an XSS attack. Find the number of input vectors in your attack surface and the assess their criticality and risk.
Step #5: Active Contents
Step #6: Cookie Usage
Cookies are necessary for real-time application security, which it achieves by monitoring session activity and keeping malicious actors away from the unauthorized zones.
Now that you have gone through all these steps, you will need to correlate the results obtained in a way that best suits your risk posture. Some of the factors to keep in mind are:
- Criticality: Check if the asset in question business-critical and can harm your organization and revenues if attacked. Defining these weak points will help you understand the business criticality level of the application.
- Update Frequency: Not all applications are updated regularly and stay static with little intervention. Some need dynamic maintenance, making them more vulnerable with time. Finding the update frequency of applications will help figure out the risk more accurately.
When you consider all these factors, you will get a proper blueprint of your attack surface, giving you a gauge of your overall weaknesses and risk score. Now you can decide to shut down an app if it is no longer being used or focus your vulnerability assessment and remediation efforts on the areas that pose the highest risk for your organizations.
Once you have mapped your attack surface and found the high-risk areas, you must focus on entry points such as interfaces wherein your system allows for anonymous and public access. You could be exposed to the following:
- Network-facing code
- Web forms
- Files from outside your network
- Interfaces that are backward-compatible with other systems
- Custom APIs.
- Security code dealing with cryptography, authentication, authorization, etc.
Operational controls like network firewalls and application firewalls and intrusion detection systems can help you immensely here. Maintaining multiple versions of an application and leaving features redundant, leaving old backup copies, and unused code increases your attack surface significantly.
Keep your actual attack surface close to your theoretical version by keeping control over your source code and exercising robust change management. h3
How can real-time visibility protect your attack surface?
If you cannot see chinks in your armor, you will not be able to manage it. Legacy strategies like audits and pen tests tend tmiss the vulnerabilities that crawl up across your dynamic threat landscape. This is where real-time visibility comes in – to give you around-the-clock monitoring, completely hands-off. Real-time visibility into your attack surface helps you in the following ways:
- It eliminates the need for new scans
A lot can change within a matter of few hours in your threat landscape. Having a static risk assessment program could make you miss serious vulnerabilities that might crop up any time in your attack surface. Getting prompt and updated intel without requiring any news scans could save you the crucial time to find your adversaries.
- It improves time to respond and remediate
A real-time visibility into your attack surface means you plug the holes in your bucket well before the risk is exploited and leads to major losses. Mitigating risk at the time ensures you have enhanced productivity, reliable security operations, and a higher ROI (return on investments) eventually. Advanced attack surface management offered by Netenrich brings in threat correlation capability enabling proactive risk management. By drawing on the latest threat intelligence it helps you predict attacks even before they occur. Such intelligence allows you to focus more on corrective measures instead of research.
- It ensures consistent, complete, and updated security
To have a consistently robust security posture, you need to manage and resolve threats at the speed they arise. A real-time visibility ensures you take prompt action as when something needs your attention such as changes to critical assets, expiring or expired certificates, brand impersonation incidents, third-party risk, and more. A real-time attack surface view is an excellent tool to ensure you have a 360° view for an easy and always-on monitoring.
Companies these days are spending millions of dollars across a wide range of solutions but struggle to gain even limited visibility into their entire attack surface. Turns out, often, these organizations focus only on assets that they already know exist. As such, most of them do not even have an estimate of how their attack surface looks like.
What is Attack Surface Intelligence?
Attack Surface Intelligence (ASI) lets you find and act fast to fix hidden risks across your digital exposure on domains, certificates, open ports, vulnerabilities, misconfigurations, and more. ASI helps start-ups, mid-markets, and enterprises, too, demystify security beyond the perimeter with enterprise-grade outside-in security delivered via Netenrich’s human-machine outcomes platform.
So far, we have talked about the “WHAT” of ASI. Let us now look at the “WHY.”
ASI ensues zero-effort onboarding. You can start with your e-mail address to see your attack surface in near-real-time. Bring in your CMDB (Configuration management databases) data, plug in your cloud instances, and ensure you are always ahead of hackers in watching—and managing—your attack surface.
#2 Zero Downtime
ASI continuously and non-intrusively scans your attack surface to discover publicly exposed digital footprint, unlike point-in-time exercises like pen tests and Red Teams and bubbles up those that need your immediate attention.
#3 Proprietary threat intel
Leverage our global threat intelligence, built ground up to work natively with our security products and solutions like ASI and ISOC (Intelligent SOC), to prioritize risks and stay ahead of threat actors in your industry and geography.
#4 Collaborative risk mitigation
Fix risks right now with our bench of CyberSec experts via chat, e-mail, and phone. Put effective security controls in place and scale your Security Operations with our ISOC solution at a fraction of the cost to run your own.
Getting started with Attack Surface Intelligence
To experience the advantage of continuous coverage, try Netenrich ASI free for 30 days. You can do so by signing up right here. By doing so, you will get:
- An attack surface scan,
- Access to ASI’s intelligence portal and dashboards, and
- Expert analyst insights to address your most critical risks first.
Discover the full power of Netenrich’s Threat + Attack Surface Intelligence.