The Attack Surface is Foundational Knowledge

Foundational knowledge is information, or a skillset, generally accepted as essential to understanding more advanced subjects or performing increasingly sophisticated processes. As a simple example, learning basic addition is necessary before taking on multiplication. Familiarity with the fundamentals of TCP/IP is necessary before grasping how ACLs and network firewalls work. And in a tremendous number of IT and information security best practices, efficacy relies on, or is greatly improved by, beginning with a company's attack surface map.

Vulnerability Management / Patch Management: Focuses on identifying and patching vulnerabilities before an adversary identifies and exploits them. An attack surface map is necessary to ensure that every Internet-connected asset is scanned; otherwise vulnerabilities on unscanned assets will be missed and exploited (see the 2017 Equifax breach).

The same rationale is true for penetration testing. The very first thing any expert will do is perform in-depth reconnaissance on the target, typically dedicating a significant amount of their time on the engagement to this process. It's difficult to verify the results of a vulnerability management program or penetration test without evidence that everything was scanned or tested.

TLS Certificate Management: TLS certificate expiration, or certificate errors of any kind, often leads to a kind of self-imposed denial-of-service. A company may also have a policy requiring a minimum TLS key length or protocol version, or a preferred Certificate Authority. The only way to ensure these potential IT fire-drill issues don't occur is by having an attack surface map containing a list of all Internet-connected assets supporting TLS, but also a list of assets that do not support TLS and should.

Mergers & Acquisition: During an M&A process, it’s helpful for the buyer and seller to have an accurate understanding of the IT infrastructure (i.e., attack surface) to estimate value and account for risks to that value. Should one side have more knowledge of the attack surface than the other, it causes a situation of information asymmetry where one side will have an advantage during negotiations.

Due to confidentiality concerns, the IT department and IT security team will often be completely unaware that an M&A process is in the works, perhaps right up until the company-wide announcement. At that point, there will be a rush to figure out what was just acquired, what the [unknown] risks are, if and how IT integration will take place, etc. All of these require fast access to an attack surface map as the first step.

Third-Party Risk Management: Third-party risk management is the process of identifying, assessing and controlling the risks throughout the lifecycle of a business's third-party relationships. Third parties may include hosting providers, software vendors, security service providers, business services vendors, and more. Each of these represents a potential risk to the core business in terms of the data they hold and have access to, as well as system uptime. Before entering a relationship with a third party, it's common to perform a risk assessment on their software or environment. And in doing so, an accurate attack surface map of the third party is the only way to provide risk assurance.

Government Regulation & Company Policy: Varied government regulations and company policies establish controls over the geography of where assets are hosted, the companies to host or not host with, encryption controls (e.g., TLS), authentication controls (e.g., MFA support), the setting of cookies (e.g., GDPR), technology platform and software standardization, branding display, copyright and privacy policy notices, accessibility requirements, and more. All of these first require an attack surface map, and the map must be kept updated to monitor for violations.

Network Segmentation & Endpoint Protection: Network segmentation is an architectural approach that divides a larger network into many smaller, logically separated subnets. For example, there is usually no need to have the public web servers on the same network as the internal corporate office environment. Network segmentation enables finer-grained control over the flow of traffic between subnets to minimize and isolate risk. Endpoint protection is an approach to specifically protect an individual computer or device on the network. Such devices typically include, but are not limited to, servers, laptops, tablets, mobile phones, websites, Internet-of-Things devices, and other wireless devices. Both practices require beginning with an attack surface map; otherwise networks will be missed and endpoints will go undefended.

Threat Modeling: Threat modeling focuses on identifying and prioritizing potential threats to Internet-connected devices, entire networks, and complex systems of software. Once threats are identified, potential security controls can be modeled in to mitigate them. In order to build and use a threat model accurately, it is first necessary to create an attack surface map of the entire system.

Threat Hunting: Threat hunting is defined as proactively searching for undetected threats across a company’s attack surface – threats missed by existing security controls. Obviously, the only way to start threat hunting is to begin with an attack surface map for where the threats might be located.

Attack Surface Reduction: Often the fastest, easiest, most effective, and zero-cost way to dramatically improve security is simply to reduce unnecessary attack surface. An adversary is unable to hack something that doesn't exist. The average company commonly possesses a significant number of Internet-facing development, staging, and QA environments. They may even have hostnames indicating what they're used for. In addition, it's also typical to find long-unused legacy systems, prehistoric marketing promotional websites, forgotten demo deployments, commercial products previously used for something important, and who knows what else. Such Internet-connected assets are frequently not looked after, or even known about, by the security team, yet remain open and attractive for exploitation.

Unless these assets are in active use and need to be exposed to the public Internet, position them behind a perimeter firewall, thereby reducing unnecessary attack surface. And if these assets are found to no longer be in use at all, or should NOT be in use, they can be decommissioned. Press the power button, pull the network cord, remove it from the rack, etc. Doing so has the added benefit of cost savings. The finance department always appreciates eliminating wasteful spending.
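To make the TLS Certificate Management and Attack Surface Reduction points above concrete, here is an added example (not code from the original post) that runs policy checks over an attack surface map. The inventory records, the policy thresholds and the non-production hostname patterns are constructed for illustration; in practice the inventory would be populated by whatever discovery process built the map.

```python
import re
from datetime import date

# Constructed sample attack surface map: one record per Internet-facing asset.
# "tls" is None for assets that listen in the clear and therefore need review.
INVENTORY = [
    {"host": "www.example.com", "port": 443, "tls": {"version": "TLSv1.3", "key_bits": 2048,
        "issuer": "Example Trusted CA", "not_after": "2021-01-10"}},
    {"host": "api.example.com", "port": 443, "tls": {"version": "TLSv1.0", "key_bits": 1024,
        "issuer": "Unknown CA", "not_after": "2022-06-01"}},
    {"host": "staging-billing.example.com", "port": 80, "tls": None},
    {"host": "qa2.example.com", "port": 443, "tls": {"version": "TLSv1.2", "key_bits": 2048,
        "issuer": "Example Trusted CA", "not_after": "2020-12-01"}},
]

# Assumed company policy (illustrative values, not from the post).
POLICY = {
    "min_key_bits": 2048,
    "allowed_versions": {"TLSv1.2", "TLSv1.3"},
    "approved_issuers": {"Example Trusted CA"},
    "expiry_warning_days": 30,
}

# Hostname labels that suggest a dev/staging/QA/demo environment exposed to the Internet.
NON_PROD = re.compile(r"(^|[.-])(dev|staging|stage|qa\d*|test|demo|uat)([.-]|$)", re.I)

# Constructed reference date for the expiry checks (the post's publication date).
AS_OF = date(2020, 12, 30)


def check_asset(asset, policy, today):
    """Return the list of policy findings for one inventory record."""
    findings = []
    tls = asset["tls"]
    if tls is None:
        findings.append("no-tls")            # asset that does not support TLS and should
    else:
        if tls["version"] not in policy["allowed_versions"]:
            findings.append("weak-protocol")
        if tls["key_bits"] < policy["min_key_bits"]:
            findings.append("weak-key")
        if tls["issuer"] not in policy["approved_issuers"]:
            findings.append("unapproved-ca")
        days_left = (date.fromisoformat(tls["not_after"]) - today).days
        if days_left < 0:
            findings.append("expired")       # already a self-imposed denial-of-service
        elif days_left <= policy["expiry_warning_days"]:
            findings.append("expiring-soon")
    if NON_PROD.search(asset["host"]):
        findings.append("non-production-exposed")  # candidate for firewalling or decommissioning
    return findings


def audit(inventory, policy, today=AS_OF):
    """Map every host in the attack surface map to its findings."""
    return {a["host"]: check_asset(a, policy, today) for a in inventory}
```

Assets with an empty findings list pass the policy; everything else is a work item, and a host that is absent from the inventory is never checked at all, which is the point of the map.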


Post by Jeremiah Grossman

December 30, 2020