Attack Surface
The attack surface is the set of all vulnerability points that a malicious threat actor could exploit in an asset, system, or network.
- Minimizing the attack surface means restricting access so that only a few known endpoints, protocols/ports, and services/methods are permitted
- each must be assessed for vulnerabilities and monitored for intrusions
- to evaluate attack surface:
- consider the attributes of threat actors that pose the most risk to your organization
- From a threat actor’s perspective
- each part of the attack surface represents a potential vector for attempting an intrusion
- Minimizing attack surface means reducing the number of attack vectors
- also called hardening
- Several hardening guides are available for secure configurations of systems
- Center for Internet Security (CIS) Benchmarks
- Department of Defense’s Security Technical Implementation Guides (STIGs)
Managing Attack Surface
The overall attack surface is composed of every asset’s attack surface.
- i.e., every on-premises device, cloud resource, external service, external network, etc.
Attack surface management describes the methods used to continuously monitor an environment to quickly identify changes to its attack surface.
- e.g., locate shadow-IT, weak or default passwords, misconfigurations, missing patches, etc.
- means maintaining awareness of exposed services and ensuring they operate securely per organizational policy
- necessitates continuous discovery and evaluation
- most attack-prone area is the the edge
Passive discovery describes the methods used to identify systems, services, and protocols indirectly.
- can reveal information about:
- network-connected hosts
- communications channels
- protocols in use
- and activity patterns
Edge discovery seeks to define the “edge” of the network fully.
- composed of every device with Internet connectivity
Evaluating the Attack Surface
- security controls may not always be working
- modified or disabled during support
- incorrectly configured
- disabled as a result of some other change
- need to test and validate controls
- can perform penetration tests
- adversary emulation mimics the actions of known threat actors
- uses MITRE ATT&CK framework
- provides details on TTPs
- reward responsible disclosure of vulnerabilities
- bug bounties
Penetration Testing and Adversary Emulation
- are techniques used to assess an organization’s attack surface and identify vulnerabilities
Penetration test involves simulating an attack on an organization’s network to identify vulnerabilities and weaknesses
- goal is to:
- identify the most vulnerable components within an organization’s environment
- and determine how an attacker could exploit them
- results are used to
- prioritize risk mitigation efforts
- and reduce the attack surface
Adversary emulation involves simulating a real-world cyber attack by an actual adversary to assess an organizations defenses.
- involves more comprehensive and realistic simulation of a targeted attack
- goal:
- identify gaps and weaknesses in an organizations security infrastructure that a known threat actor typically targets
- helps improve detection and response to specific attacks associated with a threat actor
- vs the generalized attacks used in a pen test
Reducing Attack Surface
- some common methods used:
- Asset inventory
- conduct an inventory of all hardware and software assets and user accounts in the environment
- determine which are essential for business operations and which to remove
- Access control
- limit access to sensitive data and systems
- Patching and updating
- prevents attackers from exploiting known vulnerabilities
- use automated patch management systems
- Network segmentation
- segment large network into smaller subnets
- limits the impact of an attack
- Remove unnecessary components
- remove hardware and software that are not necessary
- Employee training
- raises awareness of potential risks and importance of security measures
- Asset inventory