In the era of digitization and ever-changing business needs, the production environment has become more attractive to attackers. Multiple functions and teams within an organization can ultimately impact the way an attacker sees the organization's assets, or in other words, the external attack surface. This dramatically increases the need to define an exposure management strategy.
To keep up with business needs while effectively assessing and managing cybersecurity risk, there are two primary elements that organizations should consider regarding their external attack surface: its size and its attractiveness to attackers. While organizations are typically focused on accounting for the size of their attack surface, its attractiveness is not typically top of mind, though it may have a significant impact on risk.[1]
There is always a delicate balance between business needs and security. While there are good reasons to expose more assets to the internet (i.e., for user experience, third-party integrations, and software architecture requirements), the price is an increased attack surface. Increased connectivity ultimately means more potential breach points for an adversary.
The bigger the attack surface is, and the more assets available to the adversary's "playground," the more an organization will need to mitigate the risk of exposure. This requires carefully written policies and procedures to monitor the attack surface and protect exposed assets continuously. There are basic measures, such as routinely scanning for software vulnerabilities and patching. However, there are also configuration issues, shadow IT, leaked credentials, and access management aspects to be taken into consideration.
Analyst note: the frequency of testing and validating should at least align with the pace of change of the organization's attack surface. The more an organization makes changes to its environment, the more it needs to assess the attack surface. However, routine tests are still necessary even during periods of minimal change. While the size of the external attack surface is a well-understood indicator of cybersecurity risk, another aspect that is just as critical though more elusive to organizations today is how attractive an attack surface is to potential attackers.
When adversaries look for potential victims, they look for weaknesses. Whether it is the easiest way to compromise a particular targeted organization or the easiest targets to attack to achieve their goals, they will be attracted to indicators of potential security weak spots in external-facing assets and will prioritize their activities accordingly.
When we talk about "attractive" assets, we do not necessarily mean appealing targets, such as personal data, that can be sold on the black market. Attractions are the attributes of an asset that have the potential to be abused by adversaries. These are then marked as a potential starting point to propagate an attack.
An organization's assets may all be patched to the latest and greatest software. However, these assets might still have attractive properties. For instance, a large number of open ports increases the number of protocols that can be leveraged to propagate an attack. It is important to emphasize that attacks are not necessarily tied to a vulnerability but can be an abuse of a well-known service. Also, some specific ports can be more attractive, for example, port 22, which enables SSH access from the outside world.
Another example is a website that allows file uploads. For some organizations, this is a critical service that enables the business, but for attackers, this is a convenient way to get their foot in the door. Organizations are aware of the risk and can address it in different ways, but that doesn't change the attractiveness of this asset and its corresponding risk potential.
The main challenge in dealing with attractions is that they are moving targets. Attractions change in both number and severity with every configuration change. To effectively assess the severity of an attraction, it is essential to understand how easy it is for an adversary to detect it during the enumeration phase and, more importantly, how easy it is to exploit it. For instance, a VPN gateway is easy to detect but difficult to exploit, and as a result, it can be a lower priority in an organization's risk management plan. On the other hand, an online contact form is easy to detect and carries high exposure to attacks such as SQL injection and the exploitation of vulnerabilities like Log4Shell.
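As an added example (not part of the original post), the following Python script turns the detect/exploit reasoning above into a defender-side prioritization model: each attraction gets an assumed (ease of detection, ease of exploitation) weight, exposed assets are ranked by the resulting score with extra weight for many open ports, and two inventory snapshots are compared so that attractions introduced by a configuration change stand out. The weights, the asset names and the port lists are constructed assumptions, not a standard scale or real assets.

```python
from dataclasses import dataclass, field

# Assumed weights per attraction: (ease of detection, ease of exploitation),
# each 1 (hard) to 3 (easy). Illustrative assumptions, not a standard scale.
ATTRACTION_WEIGHTS = {
    "vpn_gateway": (3, 1),   # easy to detect, hard to exploit
    "contact_form": (3, 3),  # easy to detect, frequent injection target
    "file_upload": (2, 3),   # convenient foothold once found
    "ssh_exposed": (3, 2),   # port 22 reachable from the internet
}
PORT_ATTRACTIONS = {22: "ssh_exposed"}  # attractions implied by an open port

@dataclass
class Asset:
    name: str
    open_ports: set = field(default_factory=set)
    features: set = field(default_factory=set)

def attractions(asset):
    """Explicit features plus attractions implied by open ports."""
    found = set(asset.features)
    found.update(PORT_ATTRACTIONS[p] for p in asset.open_ports if p in PORT_ATTRACTIONS)
    return found

def score(asset):
    """detect * exploit per attraction, plus one point per open port beyond two
    (more reachable protocols, more ways to propagate an attack)."""
    weights = (ATTRACTION_WEIGHTS.get(a, (1, 1)) for a in attractions(asset))
    return sum(d * e for d, e in weights) + max(0, len(asset.open_ports) - 2)

def rank(assets):
    """Most attractive first: where mitigation effort should go."""
    return sorted(assets, key=score, reverse=True)

def new_attractions(before, after):
    """Attractions a later snapshot has that the earlier one lacked, per asset."""
    earlier = {a.name: attractions(a) for a in before}
    delta = {a.name: attractions(a) - earlier.get(a.name, set()) for a in after}
    return {name: added for name, added in delta.items() if added}

# Constructed sample inventories (not real assets); snapshot 2 opens extra ports.
SNAPSHOT_1 = [Asset("vpn.example.test", {443}, {"vpn_gateway"}),
              Asset("www.example.test", {80, 443}, {"contact_form"}),
              Asset("files.example.test", {443}, {"file_upload"})]
SNAPSHOT_2 = [Asset("vpn.example.test", {443}, {"vpn_gateway"}),
              Asset("www.example.test", {80, 443, 22, 8080}, {"contact_form"}),
              Asset("files.example.test", {443}, {"file_upload"})]

if __name__ == "__main__":
    print([(score(a), a.name) for a in rank(SNAPSHOT_2)], new_attractions(SNAPSHOT_1, SNAPSHOT_2))
```

Re-running the comparison on each inventory refresh is one way to keep the assessment cadence aligned with the pace of change, as the analyst note above recommends.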
Decreasing the number of attractions reduces an organization's risk, but that is not always possible. As a result, understanding the underlying risk and defining a plan to address it should be the organization's number one priority to control exposures in the external attack surface while delivering on business needs.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://thehackernews.com/2022/12/when-being-attractive-gets-risky-how.html