The internet is a main enabler of modern life, but it has a dark underside. Every unmanaged server, website and application poses a risk waiting to be exploited by hackers, ransomware gangs and other cyber adversaries. This blogpost explains the concept of Attack Surface Management and argues that it can be one of the most powerful (yet largely overlooked) tools in the cyber defender's toolbox. Section one presents an informal definition of Attack Surface Management and outlines its key concepts; Section two explains how organizations can manage their Attack Surface in practice; and Section three discusses the trends that have driven (and continue to drive) the pressing need for Attack Surface Management.
1. Attack Surface Management in a Nutshell
Our definition of Attack Surface Management has three key concepts: Management, vulnerabilities and online presence. We define Attack Surface Management as the process of effectively managing all the vulnerabilities that exist as a result of an organization’s online presence. The image below illustrates how everyday organizational processes give rise to digital vulnerabilities that cyber adversaries are constantly looking to exploit.
Management. Management is the process of dealing with things or people. In the context of Attack Surface Management, these “things” are vulnerabilities. Attack Surface Management guides leaders, managers, and security professionals through the steps an organization should take to secure its digital attack surface. In other words, Attack Surface Management wants to make it as easy as possible for organizations to minimize the risks associated with being connected to the internet.
Vulnerabilities. In the context of Attack Surface Management, “vulnerability” is a broad term that refers to every piece of information available over the internet that malicious cyber actors can abuse to gain unauthorized access to an organization. In this broad sense, a vulnerability is not just a specific CVE, an insecure server, or an open firewall. Attack Surface Management expands the scope to also include digital artefacts not commonly associated with being a vulnerability, such as leaked e-mail addresses, usernames, passwords, login pages, phone numbers, open databases, company secrets, domain registrar information, open ports, etc. In short, a vulnerability is everything that an adversary can effectively leverage to their advantage.
Online presence. The concept of online presence is important for Attack Surface Management because it stresses that every interaction with the internet leaves a small digital footprint. The concept of online presence is naturally closely interlinked with the concept of vulnerability: seemingly harmless interactions with the internet produce artefacts that all hackers, from amateurs to highly skilled and organized groups, can collect and abuse.
Example 1: We’re hiring! Almost all job postings contain pieces of information - vulnerabilities - that hackers can directly leverage in a cyberattack. Common examples include usernames, e-mail addresses, phone numbers, IP-addresses, specific software versions, HR systems, physical addresses, full names of employees in leading positions, and much more. It is obviously crucial for organizations to make job postings public if they wish to attract the right candidates, but postings can be gold mines for cyber adversaries. And even if the job posting is taken down, it still exists on the internet: either because it has been stored on the website it was posted to, because it has been indexed by a search engine such as Google, Yahoo or DuckDuckGo, or because it has been shared on social media platforms such as Facebook or LinkedIn. Always assume that everything posted on (or exposed to) the internet stays on the internet.
2. Managing Digital Attack Surfaces in Practice
As discussed in the previous section, Attack Surface Management covers all the digital doorways through which cyberattacks may occur: IP-addresses, e-mail addresses, job postings, web applications, open databases, domain registrant information, login pages, mail services, and so on. The question we turn to now is how these doorways can be managed in practice. Using organizations’ public websites as the starting point, we propose a three-step process to manage the external attack surface:
- Uncovering internet exposure
- Reviewing individual findings and assessing the risk
- Mitigating and hardening
Uncovering internet exposure. This first step is about mapping as many internet-facing systems as possible. Knowing which assets are (or have been) exposed to the internet will unveil the many possible doorways through which hackers from the outside may try to force themselves in. The step is important because we can’t manage things and assets that we don’t even know exist. Before we can begin to apply rational thinking to (potential) security problems, we must first be familiar with the entire pool of potential sources of this risk. It is no easy task, but it can and should be done. Systematically asking the following questions will take one a long way towards completing this first step of practical attack surface management:
- Do we have an updated network diagram?
- Do we have an inventory or some other type of documentation of our digital assets?
- Do we actively monitor for credential leaks associated with our organization?
- Do we have any internet-facing login pages that do not require 2FA?
- Do we have strong password policies in place?
- Which ports are open on our internet-facing web-, mail- and database server(s)?
- Which CMS is our domain built on and is it associated with any known vulnerabilities?
- Is our DNS security good or does it allow enumeration, e.g. through zone transfers?
Unfortunately, many organizations lack the resources (time, money, technical expertise) to answer all these questions. Attack surface management platforms have specialized in this and can answer them automatically, so we recommend that you consult with a solid and trustworthy provider of attack surface management that doesn’t charge ridiculous amounts for their services. Webscout.io offers a free attack surface management platform that we work very hard to perfect.
Reviewing individual findings and assessing the risk. Once internet exposure has been mapped, the next step is to review and assess these findings: What constitutes a risk and what doesn’t? As outlined in section 1, risks are vulnerabilities - pieces of information that attackers can abuse to gain unauthorized access to an organization. A leaked e-mail address, for example, poses little to no risk if all internet-facing authentication systems have 2FA enabled. However, open RDP or SMB/NetBIOS network drives (port 139/445) with anonymous login exposed to the internet would pose an extreme risk that should be dealt with immediately. A good way to assess the risk of a vulnerability is through a likelihood-impact matrix:
A likelihood-impact matrix can guide practical attack surface management because it allows efficient allocation of (scarce) resources. By assessing internet exposure through this logic, severe vulnerabilities can be dealt with first and less critical vulnerabilities can be dealt with later. The following is a simplified (yet realistic) example of what such an analysis could look like:
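The following script is an added worked example of such an analysis (it is not webscout.io code): each finding gets a likelihood and an impact on a 1-5 scale, the product is mapped to a severity band, and the list is sorted so the most severe exposure is dealt with first. The finding types, the baseline scores, the severity thresholds and the sample exposure map are all assumptions constructed for the illustration; the one context rule it encodes is the page's own point that a leaked e-mail address matters little when every internet-facing login enforces 2FA.

```python
from dataclasses import dataclass

# Baseline (likelihood, impact) on a 1-5 scale per finding type. Assumed values.
BASELINE = {
    "rdp_exposed":       (5, 5),  # RDP reachable from the internet
    "smb_anonymous":     (5, 5),  # port 139/445 share with anonymous login
    "login_without_2fa": (4, 4),  # internet-facing login page without 2FA
    "outdated_cms":      (4, 4),  # CMS version with known vulnerabilities
    "leaked_email":      (4, 3),  # address found in a credential leak
    "dns_zone_transfer": (3, 2),  # DNS server allows AXFR enumeration
}

@dataclass
class Finding:
    asset: str  # host, domain or address the finding belongs to
    kind: str   # one of the BASELINE keys

def severity_band(score: int) -> str:
    """Map a likelihood x impact product (1..25) to a severity band."""
    for floor, band in ((20, "critical"), (12, "high"), (6, "medium")):
        if score >= floor:
            return band
    return "low"

def assess(findings: list[Finding]) -> list[dict]:
    """Score findings with the matrix, most severe first. A leaked e-mail
    is of little use when every internet-facing login enforces 2FA, so
    its likelihood drops to 1 unless a login without 2FA is also found."""
    no_2fa_somewhere = any(f.kind == "login_without_2fa" for f in findings)
    rows = []
    for f in findings:
        likelihood, impact = BASELINE[f.kind]
        if f.kind == "leaked_email" and not no_2fa_somewhere:
            likelihood = 1
        score = likelihood * impact
        rows.append({"asset": f.asset, "kind": f.kind, "likelihood": likelihood,
                     "impact": impact, "score": score, "severity": severity_band(score)})
    # Stable sort: equal scores keep their discovery order.
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample exposure map (RFC 5737 documentation addresses, example.com).
SAMPLE_FINDINGS = [
    Finding("ns1.example.com", "dns_zone_transfer"),
    Finding("203.0.113.10", "rdp_exposed"),
    Finding("jane.doe@example.com", "leaked_email"),
    Finding("www.example.com", "outdated_cms"),
    Finding("203.0.113.12", "smb_anonymous"),
]
```

Running `assess(SAMPLE_FINDINGS)` puts the exposed RDP and anonymous SMB hosts at the top as critical and the leaked address at the bottom as low; adding a `login_without_2fa` finding to the same map lifts that address to high, which is exactly the reassessment the feedback loop in this section calls for.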
Once the internet exposure has been assessed, it must be communicated from the risk managers to the board of leaders who decide if it should be prioritized, and to the security professionals who are ultimately responsible for the implementation. Simplicity and unambiguity in the way findings are communicated are key. Only this way can findings be processed and dealt with by both leaders and tech professionals. Cyber security is… not easy. Presenting the identified vulnerabilities on a high technical level (or a low computational level if you are a computer scientist or an engineer) is unproductive because it fails to include all the parties that must work together to manage risk and to drive change.
Mitigating and hardening. This final step is where the identified risks and vulnerabilities are mitigated; the place where the rubber meets the road. It is important to implement the security fixes in a systematic way, one which keeps a log of important actions, patch levels and timestamps. To succeed at this, the process of mitigating and hardening the attack surface should feed directly into the broader IT asset management process. Centralizing the management of digital infrastructure ensures that key information is collected in one place instead of being dispersed between different people and organizational levels. This will make it significantly easier to react efficiently to cyber incidents, especially because it allows quick onboarding of third-party Incident Responders or consultants.
Finally, it should be reiterated that attack surface management is a continuous process. Each of the three steps described above should work in unison as a feedback loop where vulnerabilities are found, assessed, mitigated and reassessed in the light of new threats and vulnerabilities. This way, the internet-facing attack surface is monitored and secured before it can be exploited by attackers.
Example 2: When was the last email security audit? Mail systems often leak sensitive information that hackers can extract even without being logged in. This information includes (but is not limited to) e-mail addresses, security configurations and internal hostnames. Furthermore, even if the mail system has been perfectly configured with all security features enabled, employees still leak their e-mail addresses by signing up for different services, re-using their credentials and falling for scams or phishing attacks. The internet is flooded with e-mail addresses that should never have been exposed to the internet. The key is finding these e-mail addresses before they are exploited by hackers, and this is what Attack Surface Management specializes in. You can read more about the most effective ways that hackers gain access to mail systems in our blogpost: Password spraying: How hackers stealthily break through the doors to your kingdom.
3. Trends that Drive (and have driven) the need for Attack Surface Management
We want to argue that four broad trends in IT have driven (and continue to drive) the growing necessity of Attack Surface Management:
- The industrialization of hacking.
- The growing profitability of ransomware.
- The push towards decentralization of software and infrastructure.
- The perceived redundancy of in-house IT competences.
The industrialization of hacking. Back in the day, the stereotypical idea of a cyber adversary was a lonely and obese cellar dweller who shitposts on 4chan, defaces websites and participates in DDoS attacks under the banner of Anonymous. While this class of adversary still exists, he is by no means the biggest threat (unless you make him really angry). The current threat environment is characterized by much scarier forces. State-funded hacker groups spend millions on zero-day exploit development; organized networks of cyber criminals crawl the internet for vulnerabilities; and devastating ransomware groups continue to evolve and wreak havoc. Hacking has reached a stage and scale where the question is no longer “if” a vulnerability will be exploited but rather “when” and “at what cost”. In this threat environment, the key to success is to NOT be the lowest hanging fruit. Contrary to popular belief, organizations can achieve this relatively easily just by following basic IT security principles and by actively managing their attack surface. Think of a group of rabbits (organizations) jumping into the Nile (the internet). The bleeding animals (i.e. the lowest hanging fruit) will be shredded by piranhas and the healthy animals will make it. Integrate Attack Surface Management into your security risk auditing today. And don’t jump into unfamiliar waters if you are wounded.
The profitability of ransomware. It is no secret that ransomware is a growing threat to every organization with systems exposed to the internet. Going after everything from Fortune 50 companies such as Maersk to public service organizations, schools and hospitals, ransomware gangs are cruel and indiscriminate. With the profitability sometimes amounting to hundreds of millions of US dollars in victim payouts with little to no risk of repercussions, nothing suggests that the threat from ransomware should decrease. In an excellent blogpost (https://blogs.microsoft.com/on-the-issues/2021/07/20/the-growing-threat-of-ransomware/), Microsoft describes in detail why ransomware is on the rise and what organizations can do to secure themselves. In that post, Microsoft identifies the following attack flow that describes how almost all ransomware infections happen:
Notice on the far left in the figure above how all three categories of initial access – RDP brute force, vulnerable internet-facing systems and weak application settings – are actually the centre of focus for Attack Surface Management. Attack Surface Management scans your IP-addresses to see if your organization has RDP exposed to the internet and alerts you if you do; Attack Surface Management finds, maps and prioritizes vulnerabilities in your internet-facing systems; and Attack Surface Management fuzzes your web application for commonly exploited vulnerabilities.
The push towards decentralization of software and infrastructure. It is almost a law of nature that when organizations grow and become more complex, so does their digital infrastructure. The past decade has been characterized by a trend towards decentralization of data and digital systems which has been convenient for managers under the false impression that responsibility is outsourced in the same process, but this is a dangerous misconception. Not once has outsourcing been a legitimate excuse for the loss of sensitive customer data. “It wasn’t our fault; it was our cloud provider in Bangladesh” simply doesn’t hold from an accountability and PR perspective. Incidents like these will always damage a brand so instead of closing their eyes, organizations should focus more on not falling victim to these attacks in the first place. Some examples of the push towards decentralization of software and infrastructure include:
- The growing popularity of Cloud-based services.
- The rise of Software as a Service (SaaS).
- The outsourcing of cyber security.
- The outsourcing of (ISO) compliance measures such as event and network logging.
We are not advising against the use of these technologies. As a matter of fact, we endorse it. We know very well that everyone cannot be an expert at everything, so sometimes it pays to leave it to the experts. And here at Webscout, we are experts in the field of Attack Surface Management.
The perceived redundancy of in-house IT competences. The trend toward decentralization has given rise to another misconception: that in-house IT competences are no longer necessary. “Why do we need network administrators if we don’t have any on-prem digital infrastructure?” is the question that many managers have asked themselves; either as an excuse to cut expenses on IT folks or to cover up for the fact that they fail to attract people with tech skills. Either way, we argue that in-house IT competences are as important as ever, and this is not just a biased opinion because we are nerds ourselves. From a security perspective, there must be someone with technical expertise to both implement new security measures and to maintain existing ones. Additionally, in-house IT security can ensure that management doesn’t buy into snake oil in the procurement process and that valuable new cyber security techniques, such as Attack Surface Management, can be brought to the attention of leadership.
This blogpost has defined Attack Surface Management as the process of effectively managing all the vulnerabilities that exist as a result of an organization’s online presence. By finding, assessing and securing the vulnerabilities associated with an organization’s online presence, Attack Surface Management can significantly lower the risk of cyberattacks.
Thank you for reading. Stay safe!
About the author
Jonathan A. (@deadsyn_), founder of webscout.io.