We often get caught up in the daily shuffle and forget the basics. Attack surface analysis is one of those cyberdefense leadership basics that just does not get the attention it deserves. Let’s start very basic, so we can show why this exercise needs to be performed regularly.
What is attack surface analysis?
A company’s attack surface is an inventory of the connection points within the internal network and on the internet, combined with the vulnerabilities, OS type, open ports, available login screens, exposed email addresses, and any other data that can be enumerated about those connection points. To simplify the discussion for this article, let’s take the above definition but apply it only to the highest-risk, internet-exposed systems, which make up the ‘external attack surface’. Our job within cybersecurity management is to protect the company from internal and external threats. External attack surfaces are usually identified by enumerating a top-level domain for all of its subdomains (either scripted in an automated attack or manually), and then applying enumeration techniques with a variety of tools, such as nmap. The results of this enumeration are the logical external attack surface.
For an APT group, that would most likely be the first report the whole group gathers to discuss. That attack surface analysis is the roadmap the attack team would follow, according to that group’s favourite techniques, tactics, and procedures. The external attack surface analysis is only a small part of the information that would be gathered, but a key part for early planning. This is why it should also be a key part of the routine situational risk assessments performed as part of cyberdefense.
Why do I need attack surface analysis?
If you read the previous paragraph, the answer should be obvious, but there are some other reasons. First the obvious, and I will be clear: if that external attack surface analysis is part of any campaign or external attack on your company, it should also be a primary part of your defense!
Next, you cannot memorize all points in your attack surface, and no matter how hard he/she may try to convince you, the CIO does not know them either. It is this complexity that makes it easy to forget that decommissioned server just hanging out there, unpatched and hobbling along until it’s noticed by an attacker. Many counterarguments center on strict change management, which, as we have all seen, unravels completely when something doesn’t work and the business is yelling at us.
The third reason is in fact related to change management. When systems are changed, architectural changes or fine-tuning changes are sometimes made that bypass change management. Most times an attack surface analysis is the only tool cybersecurity management has to investigate and challenge potentially unauthorized changes to the environment. Proactive external attack surface analysis can be another tool to hold IT accountable for the efficacy of their change processes.
Aren’t my IDS and firewall doing this already?
No. Your IDS is only looking at traffic at that one point in the network, so that information is useful for threat landscape analysis – painting a broad picture of all the threats your environment faces (preferably ordered by risk). An IDS is passive and will alert on scans of the attack surface. The traditional layer three firewall may itself be a targeted part of the attack surface, serving as a control for inbound and outbound traffic. Your firewall does nothing to enhance the defensive understanding that attack surface analysis provides.
Let’s look into this question a bit further. Attack surface analysis is essentially an understanding of what you are defending, and so, by extension, it is required for effective cyberdefense leadership and management. To put this point another way:
- Is your SOC responding to all alerts and surface scans?
- Is a service outage so consequential that you’re afraid to lock down?
For most in finance, the answers are a resounding ‘No’ and ‘Yes’. Your solutions to thwart an attack are stop-gaps, and do not replace practicing good risk analysis, defensive activity, and good cyber management.
There are many attack surface monitoring solutions, and many show change trends, but few are the mainstay of daily defensive cyber management. Also, many vendors try to sell FUD (fear, uncertainty, and doubt) along with their tool, so they throw in features that are irrelevant.
Just as a 16th-century general would sit on a horse atop a mountain and overlook the valley he controls, cyber managers should use an external attack surface analysis to secure their environment. The general sends troops toward the passes into the valley, gets coverage where rivers and tributaries enter the valley, puts sentinels on peaks overlooking the approaches and the interior, and barricades the village with a good wall and security checkpoints. That last item is the last point of defense: that is your firewall and IDS.
How do I create an attack surface analysis?
I thought you would never ask! A couple of months ago I created a Golang script that takes a top-level domain as input, finds all the subdomains, then performs an nmap scan on the TLD and subdomains. Here is the link to my GitHub page.
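The scan itself is the easy half; the half that makes this a daily management tool is turning each scan into an inventory and comparing it against an approved baseline, so that the forgotten server and the change that bypassed change management show up as findings. The following Go program is an added example written for this article, not the author’s script described above. It assumes only that the scan was saved in nmap’s XML report format (`-oX`); the hostnames, addresses and ports in the embedded sample reports are constructed for illustration and do not come from any real scan.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
)

// Subset of nmap's XML report (-oX) needed to build an inventory.
type nmapRun struct {
	Hosts []struct {
		Addresses []struct {
			Addr     string `xml:"addr,attr"`
			AddrType string `xml:"addrtype,attr"`
		} `xml:"address"`
		Hostnames []struct {
			Name string `xml:"name,attr"`
		} `xml:"hostnames>hostname"`
		Ports []struct {
			Protocol string                              `xml:"protocol,attr"`
			PortID   int                                 `xml:"portid,attr"`
			State    struct{ State string `xml:"state,attr"` } `xml:"state"`
			Service  struct{ Name string `xml:"name,attr"` }  `xml:"service"`
		} `xml:"ports>port"`
	} `xml:"host"`
}

// Exposure is one entry in the external attack surface inventory: a host,
// an open port and the service nmap identified on it.
type Exposure struct {
	Host, Protocol, Service string
	Port                    int
}

// Key identifies an exposure without the service label, so a changed service
// fingerprint is not mistaken for a newly opened port.
func (e Exposure) Key() string { return fmt.Sprintf("%s/%s/%d", e.Host, e.Protocol, e.Port) }

// ParseInventory reads an nmap XML report and returns the open ports per host,
// keyed by Exposure.Key(). Hosts are named by their first hostname and fall
// back to the IP address when nmap recorded none.
func ParseInventory(report string) (map[string]Exposure, error) {
	var run nmapRun
	if err := xml.Unmarshal([]byte(report), &run); err != nil {
		return nil, err
	}
	inv := make(map[string]Exposure)
	for _, h := range run.Hosts {
		name := ""
		for _, a := range h.Addresses {
			if a.AddrType == "ipv4" || a.AddrType == "ipv6" {
				name = a.Addr
				break
			}
		}
		if len(h.Hostnames) > 0 && h.Hostnames[0].Name != "" {
			name = h.Hostnames[0].Name
		}
		for _, p := range h.Ports {
			if p.State.State != "open" { // closed/filtered ports are not exposure
				continue
			}
			e := Exposure{Host: name, Protocol: p.Protocol, Port: p.PortID, Service: p.Service.Name}
			inv[e.Key()] = e
		}
	}
	return inv, nil
}

// Diff compares the current inventory with the approved baseline. Exposures in
// current but not in baseline are candidate unauthorized changes to challenge
// with IT; exposures in baseline but not in current were closed (or the scan
// missed them and the baseline needs review).
func Diff(baseline, current map[string]Exposure) (added, removed []Exposure) {
	for k, e := range current {
		if _, ok := baseline[k]; !ok {
			added = append(added, e)
		}
	}
	for k, e := range baseline {
		if _, ok := current[k]; !ok {
			removed = append(removed, e)
		}
	}
	byKey := func(s []Exposure) { sort.Slice(s, func(i, j int) bool { return s[i].Key() < s[j].Key() }) }
	byKey(added)
	byKey(removed)
	return added, removed
}

// Constructed sample reports in nmap's XML layout (hosts and ports are made up).
const BaselineXML = `<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><hostnames><hostname name="www.example.com" type="user"/></hostnames><ports><port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port><port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port></ports></host>
<host><address addr="192.0.2.20" addrtype="ipv4"/><hostnames><hostname name="mail.example.com" type="user"/></hostnames><ports><port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port></ports></host>
</nmaprun>`

const CurrentXML = `<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><hostnames><hostname name="www.example.com" type="user"/></hostnames><ports><port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port><port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port><port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port></ports></host>
<host><address addr="192.0.2.20" addrtype="ipv4"/><hostnames><hostname name="mail.example.com" type="user"/></hostnames><ports><port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp"/></port></ports></host>
<host><address addr="192.0.2.99" addrtype="ipv4"/><hostnames><hostname name="legacy-app.example.com" type="user"/></hostnames><ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports></host>
</nmaprun>`

func main() {
	baseline, _ := ParseInventory(BaselineXML)
	current, _ := ParseInventory(CurrentXML)
	added, removed := Diff(baseline, current)
	for _, e := range added {
		fmt.Printf("NEW     %s (%s)\n", e.Key(), e.Service)
	}
	for _, e := range removed {
		fmt.Printf("REMOVED %s (%s)\n", e.Key(), e.Service)
	}
}
```

Run against the sample reports, the program flags a new management port on the web server and a previously unknown host answering on SSH, and notes that the mail server’s SMTP port is no longer reachable. Each of those is a question for IT (was this change authorized, and if not, who made it?), which is exactly the accountability lever described under change management above. Storing each day’s inventory and promoting it to the baseline only after review turns the script into a routine control rather than a one-off assessment.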
Hope this enhances your cyberdefense management.