What is a cybersecurity attack surface?
In the cybersecurity world, an attack surface is any area of potential exposure to a cyber threat. A company’s attack surfaces depend on industry, size, and other variables. Properly identifying and addressing attack surfaces requires scoping, specialization, and the help of security professionals.
Starting with a security framework like NIST, COBIT, Center for Internet Security (CIS) Controls (formerly Critical Security Controls or CSC), or the Payment Card Industry Data Security Standard (PCI DSS) can help you know where to start.
Problems with an expanded attack surface
In the past, when someone wanted to start a new service or create an application, they needed hardware. Purchasing that hardware meant following a specific process: first the requisition, then multiple signatures and channels, and finally the signatures of approval.
Then the hardware had to be installed and tested. Because those controls were built into the process, people could make sure security standards were applied and that proper processes and procedures were being followed.
Nowadays, it’s more like the Wild West. After purchase approval, anyone can hop online, visit a website, and spin up a virtual server in a matter of seconds. Whether it’s through a provider like Amazon (AWS), Digital Ocean, or Google Cloud, the process for beginning development on a machine literally only takes a few clicks.
This is why your attack surface can expand quickly if your company doesn’t have cybersecurity policies and procedures in place.
If a department says they’re going to move everything to the cloud, a cybersecurity or IT group could potentially lose a lot of visibility. With few–if any–checkpoints in the process, it would be difficult to realize the size of the attack surface. This is where things can quickly fall apart.
The modern digital attack surface is absolutely massive compared to how big it was in the past. Two important concepts when it comes to attack surfaces are one: “scope creep,” and two: “it’s turtles all the way down.” What these concepts mean is that when we start to dig into an attack surface, it’s hard to find the bottom. It can be like pulling a string on a sweater, not realizing that the string makes up the fabric of the sweater.
Four main areas of the attack surface include:
- Public spaces: e.g., public Wi-Fi
- Your company: corporate network
- Employee’s private network: home networks
- Business partners/clients: e.g., providers
Businesses now have more people working from home, and on top of that they need to worry about third parties’ and employees’ private networks. Many threat actors pivot from employees’ personal lives into their work lives to build an inventory of attack surfaces. Trying to harden and secure everything an employee touches can quickly become an impossible task.
A lot of success comes down to knowing where to focus efforts; otherwise, you can end up chasing shadows and walking away from the whole thing.
How to identify an attack surface
Ironically, you must begin by answering the age-old question–where do I begin when identifying attack surfaces?
This list of questions can help guide you as you plan what attack surface areas you will include and which ones you’ll start with:
- Do you include anything outside of your firewall?
- Do you focus on your client-facing assets or server side?
- Are you more concerned about the front end or the back end?
- Do you include your entire tech stack or select areas of focus?
- How do you account for all the unknowns in your attack surface?
- Do you perform any threat modeling or attack surface analysis?
Depending on what you’re trying to protect, you can approach your attack surfaces in any number of ways. You can approach security based on your services and products, or you can start on the network side. A good place to start is with the traditional IT components included on this list of attack surface “usual suspects:”
The attack surfaces on the list above are ones that come up often in the news. Breaches continue to involve the same elements, e.g., misconfigured settings, shared credentials, outdated operating systems, firewall issues, patching, or endpoints.
How to keep your attack surface small
Decide which verticals will offer the most valuable data while threat hunting. You can find value in network traffic logs, DNS requests, or web server requests. Client side controls may not necessarily have that type of insight. Attack surfaces can get complicated, so staff constraints and budget constraints can make it difficult to find the hole to plug in your environment.
To help keep track of your attack surface, maintain a list of current hardware and services being used. Indicate whether you are actively supporting them and associated software. You should also be sure to manage user accounts and credentials. Knowing all of your systems and hardware is half the battle in deciding which verticals to consider. If you’re not collecting data in an area, now would be a good time to decide if you should.
These are the five realms of risk for attack surfaces:
- Network risk: Especially internet facing. This is your exposure to the world at large. Be aware of what IP ranges and DNS names your organization may have. What ports are open and listening from the Internet? Networks create a huge potential for risk exposure.
- Systemic risks: Once someone has identified one of your services, are they going to be able to try and tamper with it in any way? Are your systems running processes they shouldn’t be or capturing any kind of information on a server? Could you be susceptible to an injection attack?
- Data risks: You may have exposed data monitoring that alerts for things like unauthorized changes. Sometimes threat actors change files en masse. Are file permissions in place? Can someone inadvertently delete information they shouldn’t be able to? What about your backups? If any of these things were to happen, is your backup process in place? Have you tested it?
- User end-group risks: Are you controlling users’ credentials? Are the users using secure credentials? Are you accounting for things like potential phishing? Are you giving users the tools they need to identify things that are out of place and report them?
- Other risks: Other risks may come from sources like a third party.
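The inventory advice above (keep a list of current hardware and services, know your IP ranges, DNS names and listening ports) can be turned into a repeatable check. The following is an added example, not code from the original article or from SecurityMetrics: it reconciles a declared asset inventory against observed DNS records and port data and reports shadow hosts, unexpected exposure, and unsupported systems that are still reachable. Every hostname, IP address, port set and helper function here is constructed sample data or an assumption for illustration.

```python
"""
Added example (not from the original article): reconcile an asset inventory
against observed network data to surface shadow assets and unexpected exposure.
All inventory entries, DNS records and port observations are constructed
sample data; the names, IPs and helper functions are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Declared inventory: what the organization believes it owns and supports.
INVENTORY = {
    "www.example.test": {"ip": "203.0.113.10", "supported": True, "ports": {443}},
    "vpn.example.test": {"ip": "203.0.113.20", "supported": True, "ports": {443, 1194}},
    "legacy.example.test": {"ip": "203.0.113.30", "supported": False, "ports": {443}},
}

# Address space the organization believes it controls (constructed).
OWNED_RANGES = [ip_network("203.0.113.0/24")]

# Constructed observations, e.g. from a DNS zone export and an external port scan.
DNS_RECORDS = {
    "www.example.test": "203.0.113.10",
    "vpn.example.test": "203.0.113.20",
    "legacy.example.test": "203.0.113.30",
    "cam-lobby.example.test": "203.0.113.77",   # nobody declared this one
}
OBSERVED_PORTS = {
    "203.0.113.10": {443},
    "203.0.113.20": {443, 1194, 22},   # SSH is not in the declared baseline
    "203.0.113.30": {443, 3389},       # unsupported host with RDP reachable
    "203.0.113.77": {80, 554},         # undeclared camera: HTTP + RTSP
    "198.51.100.5": {443},             # outside owned ranges, e.g. a partner
}


@dataclass
class Finding:
    asset: str
    kind: str
    detail: str


def reconcile(inventory, owned_ranges, dns_records, observed_ports):
    """Compare declared inventory with what is actually visible on the network."""
    findings = []
    ip_to_name = {v["ip"]: k for k, v in inventory.items()}

    # 1. DNS names that resolve to something nobody declared: shadow assets.
    for name, ip in dns_records.items():
        if name not in inventory:
            findings.append(Finding(name, "undeclared_dns",
                                    f"resolves to {ip} but is not in inventory"))

    # 2. Listening hosts: out of range, unknown, over-exposed, or unsupported.
    for ip, ports in observed_ports.items():
        in_scope = any(ip_address(ip) in net for net in owned_ranges)
        name = ip_to_name.get(ip)
        if not in_scope:
            findings.append(Finding(ip, "out_of_range",
                                    "listening host outside owned ranges; confirm ownership"))
            continue
        if name is None:
            findings.append(Finding(ip, "unknown_host",
                                    f"no inventory entry; open ports {sorted(ports)}"))
            continue
        entry = inventory[name]
        extra = ports - entry["ports"]
        if extra:
            findings.append(Finding(name, "unexpected_ports",
                                    f"open {sorted(extra)} beyond declared {sorted(entry['ports'])}"))
        if not entry["supported"]:
            findings.append(Finding(name, "unsupported_exposed",
                                    f"marked unsupported but still listening on {sorted(ports)}"))
    return findings


def summarize(findings):
    """Count findings per kind, which is what a weekly report would track over time."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(INVENTORY, OWNED_RANGES, DNS_RECORDS, OBSERVED_PORTS):
        print(f"{f.kind:20} {f.asset:26} {f.detail}")
    print(summarize(reconcile(INVENTORY, OWNED_RANGES, DNS_RECORDS, OBSERVED_PORTS)))
```

Running this against the constructed data produces six findings: the undeclared camera (seen both as a DNS name and as an unknown listening host), SSH open on the VPN host beyond its baseline, the unsupported legacy host still reachable and now also exposing RDP, and one listener outside the owned range that needs an owner assigned. Feeding real zone exports and scan output into the same structure gives the "which verticals to consider" answer the section asks for.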
Identify attack surfaces at a high level
- Identify what you’re trying to protect.
- Identify what you’re trying to protect it from.
In general, identifying attack surfaces can be done by following these seven steps:
Identifying unknown attack surfaces
Looking for the unusual suspects will differ depending on whether you’re looking in information technology (IT) or operational technology (OT) areas. IT areas are typically more hands-on than OT. In IT, people interact directly with hardware and networking software. OT is more representative of the processes or procedures behind things.
The systems and technologies that may be running in the background and are connected to the network are known as shadow IT/OT. Threat actors know they should target shadow IT/OT realms; this could mean HVAC systems, escalators, or elevators that were retrofitted with internet capabilities. It could mean an outdated machine running Windows XP in your environment.
Why is it so difficult to identify attack surfaces?
Checks and balances add overhead. Depending on the main goals of an organization (e.g., time objectives, growth, deadlines, budget), people may choose to skip important steps like documentation and inventory. It takes time to track down the devices that have lapsed updates and are physically hidden away. As time goes on, a network is likely to gather more of these risky devices.
In a recent case, a client bought security cameras for their environment. Not many people know about them and the purchaser didn’t want to go through the proper VPN channel or set up access management, so these cameras were opened up to the Internet. You can find thousands of cameras like these online; no security, with a growing lack of patches and support. Devices like these often become a foot in the door for threat actors.
More challenges identifying attack surfaces in shadow IT/OT areas:
- Very challenging to bridge the IT vs. OT gap
- We are in a period of amazing convergence of IT and OT
- Large variety of OT devices and systems in environment
- Keeping devices inventoried and patched is a big job
- OT systems are replacing many proprietary tools
- Adoption of IT practices, like open protocols and best practices, is slow
- OT “security by obscurity” is lost to more open protocols for securing networks
- OT systems are vulnerable to access from remote users, removable media and email spear phishing
- Physical plant security controlled by IP-enabled devices
The following list provides information about some attack surfaces we recommend reviewing:
There are many devices that are temporary or transitional in an environment (e.g., devices associated with a contractor). You need to ask the right questions to set the right policies: Are these devices up to snuff? How do you handle third-party credentials? Does the device show up on the network? Is it included in the network map?
Enforcement comes down to following these policies. Security measures implemented at the time of installation could be completely undone if employees are not trained to follow policies.
Data storage is evolving: data lakes, data pools, and millions of records being moved into large, searchable systems. These areas show up in data breaches with increasing frequency.
Another example: well-intentioned backups. Say a user is worried about their machine being stolen and wants to make sure all their files are safe, so they copy everything to an external drive. They don’t realize the external drive needs to be encrypted. They wanted to make sure they could continue to work, but it’s easy for things like this to go from a well-intentioned action to something that ends up stepping on a rake.
On the topic of physical storage and security, ask yourself: How are you handling paper records? Is there dumpster diving around your business? What about unclaimed print jobs?
Other data store attack surface concerns:
- More difficult to keep up to date with the latest patches; infrequent firmware updates
- Difficult to find if the device is affected (on the network, then off, then on again)
- Challenging from a data protection and security perspective for threat signatures
- Can use autonomous systems for data management
- User privacy concerns, small scale IoT attacks, Botnets
- Unknown repositories or distributed data stores in your environment
- Shadow IT now becomes shadow storage
- Utilized for persistently storing and managing collections
- Unknown administrative operations on the data stores
- Slightly more challenging to secure
- More than just databases: paper files, recycling bin, simple files, email storage, systems file systems
Some may deem identity and access management (IAM) attack surfaces as low-hanging fruit, but IAM can be difficult to manage. “Ghost account” attacks are showing up more and more. This type of attack happens when an employee is no longer with a company and their user account becomes dormant. Hackers find accounts like these (especially those with admin access) and quietly steal their credentials, move through the network, access data, and install ransomware.
Policies and procedures around IAM will go a long way in preventing Ghost attacks and other IAM attacks. Begin by questioning: If an employee leaves or passes away, how is their account handled? What kind of access did they have in the first place and was it warranted? What other systems is this account tied to?
Securing identity and access management is challenging due to a few reasons:
- Difficult to secure the human element
- Perfect complex storm: Business needs and objectives mean keeping the doors open
- Complexity comes from users wanting simplicity, shared accounts, static posture, authentication strength, environmental variables, budget, and staff
API programming adds in another layer of complexity and security considerations. Some areas to look at include:
- Content Validation: URL validation, varying JSON/XML schemas, signatures, lack of malware scanning
- Identity Enforcement Concerns: Content based access control issues as well as authentication to authorization, OAuth SAML
- SSL Issues: Weak ciphers, no 2-Way authentication, PRNG or weak TLS
- PKI Concerns: Key generation, CSRs, cert-chain validation or CRLs
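The content-validation items in the list above (URL validation, JSON schema enforcement) are the part of the API attack surface a team can close quickly at the request boundary. The following is an added example, not code from the original article or from SecurityMetrics: a strict inbound request check that rejects unknown fields, wrong types, and callback URLs that are not HTTPS, embed credentials, or point outside an allowlist. The schema, the allowlist host, the sample requests and the function names are constructed assumptions for illustration.

```python
"""
Added example (not from the original article): strict content validation for
an inbound API request body. The schema, the callback-host allowlist and the
sample requests are constructed for illustration.
"""
import json
from urllib.parse import urlsplit

# Constructed schema: field -> (expected type, required?). Unknown fields are rejected.
SCHEMA = {
    "order_id": (int, True),
    "callback_url": (str, True),
    "note": (str, False),
}
ALLOWED_CALLBACK_HOSTS = {"hooks.example.test"}   # assumed allowlist
MAX_NOTE_LEN = 200                                 # assumed bound


def validate_url(url):
    """Return a problem string for an unacceptable callback URL, or None if it passes."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "callback_url must use https"
    if parts.username or parts.password:
        return "callback_url must not embed credentials"
    if parts.hostname not in ALLOWED_CALLBACK_HOSTS:
        return f"callback_url host {parts.hostname!r} not in allowlist"
    return None


def validate_request(raw_body):
    """Return a list of problems; an empty list means the request is acceptable."""
    problems = []
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return [f"malformed JSON: {exc.msg}"]
    if not isinstance(body, dict):
        return ["top-level JSON value must be an object"]

    # Structural checks: no unexpected keys, every required key present, types exact.
    for key in body:
        if key not in SCHEMA:
            problems.append(f"unexpected field {key!r}")
    for key, (typ, required) in SCHEMA.items():
        if key not in body:
            if required:
                problems.append(f"missing required field {key!r}")
            continue
        value = body[key]
        # bool is a subclass of int in Python, so reject it explicitly for int fields.
        if not isinstance(value, typ) or (typ is int and isinstance(value, bool)):
            problems.append(f"field {key!r} must be {typ.__name__}")

    # Semantic checks only once the shape is known to be right.
    if not problems:
        if body["order_id"] <= 0:
            problems.append("order_id must be positive")
        if "note" in body and len(body["note"]) > MAX_NOTE_LEN:
            problems.append("note too long")
        err = validate_url(body["callback_url"])
        if err:
            problems.append(err)
    return problems


# Constructed sample requests.
GOOD = json.dumps({"order_id": 42, "callback_url": "https://hooks.example.test/done"})
BAD = json.dumps({"order_id": True, "callback_url": "http://user:pw@evil.test/x", "extra": 1})

if __name__ == "__main__":
    print("GOOD:", validate_request(GOOD) or "accepted")
    print("BAD: ", validate_request(BAD))
```

The allowlist check on the callback host is the piece that matters most for the "URL validation" item: a URL that is syntactically fine can still direct the service to talk to an arbitrary host, so the decision is made on where it points, not on whether it parses. Rejecting unknown fields rather than ignoring them is what keeps "varying JSON schemas" from silently widening what the endpoint accepts.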
If you can’t automate these API processes and keep them up to date, they can cause big problems. For example, TLS certificates are only valid for 90 days. Rather than manually rolling a certificate over, push to make it short-lived and rotated out automatically. Then if it is compromised, it will be rotated out after a set amount of time, reducing the window of compromise.
The third-party attack surface area is massive; it can take decades to get third-party risks under control. Threat actors have even pivoted into an environment through a soda machine.
Many organizations don’t know the number of third parties in their environment. Knowing starts with a clear definition of a third party. This definition drives the requirements for the third party inventory at the service level. Within that definition, a company should come to a generally accepted definition of critical activities as: significant bank functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., information technology).
It is important that irrespective of the control environment, if a service is designated critical, that it receives the greatest amount of oversight provided. And if too many third-party services are classified as “critical,” then it can reduce management’s ability to focus on the services that are truly the most critical.
What can you do to address attack surfaces now?
- Start with education; governing bodies like OWASP, ISO, COBIT are great starting points.
- Decide on a threat model and attack surface analysis plan/tool.
- Develop a strategic and tactical attack surface analysis plan.
- Remember the attack surface is huge, so include in your threat modeling on-premise infrastructure, databases, network devices, cloud, big data, mobile, DevOps, containers, third parties, offsite services, etc.
- Bring on a partner to address attack surfaces.
You have many options for performing an attack surface analysis; be sure you are collecting and analyzing relevant data in your environment. Collecting from as many different relevant verticals is critical:
- Firewall settings
- System services
- System logs
- COM objects
- Network ports
Matt Heffelfinger–"Heff" is preferred–is a Utah-based cybersecurity professional and serves as SecurityMetrics Director of SIEM Operations. His primary wheelhouse includes leading the SecurityMetrics Security Operations Center (SOC) and Threat Intelligence Teams for multiple clients both in the USA and globally. With over 15 years of global cybersecurity experience, his career stops include Caesars Entertainment, TJX, Inc., General Electric, NBC Television and the Las Vegas Sands Corp.