In today’s digital landscape, understanding your organization’s attack surface is crucial for maintaining robust cybersecurity. To effectively manage and mitigate the cyber-risks hiding in modern attack surfaces, it’s important to adopt an attacker-centric approach.
In this article, we will be diving deeper into a company’s attack surface, what might have been forgotten and overlooked during the day-to-day rush and how cybersecurity professionals can regain the momentum and overview with the help of external attack surface management tools.
What makes up your organization's attack surface?
Security specialists generally define the attack surface as the sum of all possible points in a system or network from which an attack can be launched. In other words, it can be described as the sum of all potential attack vectors. Those responsible for security in companies, on the other hand, need a concept that helps them to defend their networks.
We recommend an approach that starts with the attacker (known attack methods, known or exploited vulnerabilities, etc.) and prioritizes the threats with the highest risk to the company. To make the determination easier and more systematic, you can also divide the elements of your attack surface into suitable categories.
A useful initial subdivision of relevant points of attack – from the perspective of attackers – would be as follows:
- Online accessible points of attack (e.g. weak or compromised passwords, vulnerabilities in software or communication protocols, configuration errors, exploitable servers)
- Points of attack for social engineering (employees with special privileges, permissions or information)
- Starting points for supply chain attacks (e.g. update processes)
- Points of attack that require physical access to hardware (e.g. USB sticks with keyloggers and malware, penetration into unsecured guest Wi-Fi networks).
- Potential cyber risks that were previously unknown or threats that are emerging even before assets associated with the company are affected.
The first area, the totality of online accessible points of attack, is also referred to as the external attack surface. The external attack surface is the most complex part. This is not to say that the other elements are less important; employees in particular are an essential factor in attack surface management. However, the external attack surface is characterized by the fact that its management can be largely automated with the help of AI, Threat Intelligence and data.
Figure 1: Which domains should be managed by you and which could be potential phishing or domain-squatting attempts?
Uncovering and mapping the external attack surface
Now that we have defined the most important elements that make up a company’s (external) threat landscape, we can look at how you can determine your own threat landscape and reduce it in a targeted manner.
However, it is not easy to grasp the external threat landscape as a ‘totality of accessible points of attack online’ because there are numerous areas to consider. Ultimately, this is about all possible external security threats – ranging from stolen credentials to incorrectly configured servers for e-mail, DNS, your website or databases, weak encryption, problematic SSL certificates or misconfigurations in cloud services, to inadequately secured personal data or faulty cookie policies.
The real problem, however, is not that so many areas are affected or that there are so many potential points of attack. No, the main problem is that many IT vulnerabilities in companies are unknown to the security team. Server configurations are not documented, orphaned accounts or websites and services that are no longer used are forgotten, or internal IT processes are not adhered to. Often, it is also not known whether the latest versions of operating systems and applications are really running everywhere and whether relevant security updates have been properly installed. Furthermore, new software vulnerabilities are discovered and exploited every day; without tools, it is virtually impossible to stay up to date and ahead of possible attackers!
Figure 2: Keep an overview of your attack surface!
So-called shadow IT is something to keep in mind as well. This refers to software, SaaS services, servers or hardware that has been procured and connected to the company network without the knowledge or oversight of the IT department. These can then offer unsecured and unmonitored access points to the company network and data.
Last but not least, connected external systems, such as those of suppliers or subsidiaries, should be considered as part of the attack surface these days as well – and hardly any security manager has a complete overview of these.
In short: you can’t protect what you don’t know about!
Mapping and analyzing the attack surface with EASM tools
The first task of attack surface management is to gain a complete overview of your IT landscape, the IT assets it contains, and the potential vulnerabilities connected to them. Nowadays, such an assessment can only be carried out with the help of specialized tools like the Outpost24 EASM platform.
These EASM tools help you identify and assess all the assets associated with your business and their vulnerabilities. To do this, the Outpost24 EASM platform, for example, continuously scans all your company’s IT assets that are connected to the Internet. These IT assets include hardware and software systems, data and services (such as websites, file shares, access points, APIs, login pages, etc.), as well as all information about them that could be important to you or to attackers (such as IP addresses, security headers and DNS records).
When collecting these assets, most platforms follow a so-called ‘zero-knowledge approach’. This means that you do not have to provide any information except for a starting point such as an IP address or domain. The platform will then crawl and passively scan all connected and possibly related assets.
Due to the ‘zero-knowledge approach’ mentioned above, EASM tools do not rely on you having an accurate CMDB or other inventories, which sets them apart from classical vulnerability management solutions. That is why Outpost24 EASM continuously monitors your attack surface, automatically detecting changes and new domains, thus keeping the central asset inventory up to date and your security team one step ahead of possible attackers.
Figure 3: Do you know all the assets connected to your company and how they are connected to each other?
Security analysis of the attack surface
The next EASM stage also resembles how hackers operate: Today’s hackers are highly organized and have powerful tools at their disposal, which they use in the first phase of an attack (the reconnaissance phase) to identify possible vulnerabilities and attack points based on the data collected about a potential victim’s network.
Outpost24 EASM likewise performs an automated security analysis of the asset inventory data for potential vulnerabilities, looking for:
- Software vulnerabilities based on the detected version information
- Unsafe email configuration settings, such as missing or incorrect SPF, DMARC and DKIM settings
- Unencrypted login pages that allow password theft
- Stolen login credentials
- Weak encryption, such as using outdated and insecure SSL/TLS encryption protocols
- Unsecured DNS implementations that don’t support DNSSEC
- Unnecessarily exposed services
- Potentially dangerous remote management protocols (e.g. Telnet, RDP & VNC)
- Unmodified default installations, such as a web server displaying a default page after initial installation
- Error codes, for example 404 and 5xx status codes in HTTP server responses, indicating outdated or misconfigured websites or web servers
- IP blacklisting and reputation issues
- Phishing & cybersquatting websites, i.e. similar websites that misuse your brand
- Whispers and mentions of your company’s assets, brand, data, etc. on the dark web
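The checks listed above can be expressed as simple rules over an asset inventory. The following is an added example, not Outpost24's code and not the platform's actual detection logic: it runs a handful of the listed checks (SPF/DMARC settings, outdated TLS protocols, unencrypted login pages, missing DNSSEC, exposed remote management ports, HTTP error codes and unmodified default pages) over a constructed inventory of two hypothetical hosts and tags each finding with the scoring dimension it belongs to. The inventory data, host names and the check thresholds are all assumptions made for illustration.

```python
"""
Added example: rule-based security analysis of a small asset inventory.
Not Outpost24's code; the inventory below is constructed sample data and
each check is a simplified illustration of the corresponding finding type.
"""
import re
from dataclasses import dataclass

# Constructed sample inventory (hypothetical hosts under the reserved .test TLD).
INVENTORY = [
    {
        "host": "www.example-corp.test",
        "dns_txt": ["v=spf1 include:_spf.example-corp.test -all"],
        "dmarc_txt": "v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.test",
        "dnssec": True,
        "tls_versions": ["TLSv1.2", "TLSv1.3"],
        "open_ports": [443],
        "http_status": 200,
        "login_urls": ["https://www.example-corp.test/login"],
        "page_title": "Example Corp - Customer Portal",
    },
    {
        "host": "legacy.example-corp.test",
        "dns_txt": ["v=spf1 +all"],
        "dmarc_txt": None,
        "dnssec": False,
        "tls_versions": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
        "open_ports": [23, 80, 3389],
        "http_status": 500,
        "login_urls": ["http://legacy.example-corp.test/admin"],
        "page_title": "Apache2 Ubuntu Default Page: It works",
    },
]

INSECURE_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
REMOTE_MGMT_PORTS = {23: "Telnet", 3389: "RDP", 5900: "VNC"}
DEFAULT_PAGE_MARKERS = ("default page", "it works", "welcome to nginx")


@dataclass
class Finding:
    host: str
    dimension: str   # one of the scoring dimensions named in the article
    detail: str


def check_email_auth(asset):
    """SPF/DMARC sanity checks (DKIM needs the selector name, so it is skipped here)."""
    out = []
    spf = [r for r in asset["dns_txt"] if r.startswith("v=spf1")]
    if not spf:
        out.append(Finding(asset["host"], "configuration", "no SPF record"))
    elif any(re.search(r"\s\+all\b", r) for r in spf):
        out.append(Finding(asset["host"], "configuration", "SPF ends in +all (anyone may send)"))
    dmarc = asset.get("dmarc_txt")
    if not dmarc:
        out.append(Finding(asset["host"], "configuration", "no DMARC record"))
    elif re.search(r"p=none", dmarc):
        out.append(Finding(asset["host"], "configuration", "DMARC policy is p=none (monitor only)"))
    return out


def check_encryption(asset):
    """Outdated TLS protocols, plain-HTTP login pages and unsigned DNS zones."""
    out = []
    weak = sorted(INSECURE_TLS & set(asset["tls_versions"]))
    if weak:
        out.append(Finding(asset["host"], "encryption", f"outdated protocols enabled: {', '.join(weak)}"))
    for url in asset["login_urls"]:
        if url.startswith("http://"):
            out.append(Finding(asset["host"], "encryption", f"unencrypted login page {url}"))
    if not asset["dnssec"]:
        out.append(Finding(asset["host"], "configuration", "zone not signed with DNSSEC"))
    return out


def check_exposed_services(asset):
    """Remote management protocols reachable from the Internet."""
    return [Finding(asset["host"], "exposed_services", f"{name} exposed on port {port}")
            for port, name in REMOTE_MGMT_PORTS.items() if port in asset["open_ports"]]


def check_hygiene(asset):
    """Signs of a poorly maintained host: error codes and untouched default pages."""
    out = []
    status = asset["http_status"]
    if status == 404 or 500 <= status < 600:
        out.append(Finding(asset["host"], "hygiene", f"HTTP {status} on front page"))
    if any(marker in asset["page_title"].lower() for marker in DEFAULT_PAGE_MARKERS):
        out.append(Finding(asset["host"], "hygiene", "unmodified default web server page"))
    return out


def analyze(inventory):
    """Run every check over every asset and collect the findings."""
    findings = []
    for asset in inventory:
        for check in (check_email_auth, check_encryption, check_exposed_services, check_hygiene):
            findings.extend(check(asset))
    return findings


if __name__ == "__main__":
    for f in analyze(INVENTORY):
        print(f"{f.host:28} {f.dimension:17} {f.detail}")
```

Run as a script, the block prints nine findings, all against the hypothetical `legacy` host; the well-configured `www` host produces none. In a real deployment the inventory fields would be filled from DNS lookups, TLS handshakes and HTTP responses gathered by the scanner rather than typed in by hand.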
Assessment and Reporting
The larger the IT landscape and thus the potential attack surface, the more confusing the analysis results can be. That’s why EASM platforms offer a range of features for assessing the security posture of your attack surface and, of course, the success of your remediation efforts.
Particularly useful: the ‘attack surface scoring’. Outpost24’s EASM for example uses the attack surface score to calculate a grade (from A to F) for your attack surface, which in turn is derived from scores for seven security areas or ‘dimensions’ (more information: What is your attack surface score?):
1. Vulnerabilities: Are software versions with known security vulnerabilities being used?
2. Configuration: Are all IT resources configured according to security best practices?
3. Exposed services: Are services accessible that should perhaps not be openly accessible?
4. Encryption: Are effective encryption and valid certificates implemented everywhere, or are there gaps?
5. Reputation: Are assets on external spam and block lists? This can affect services and communication measures.
6. Hygiene: Are systems unnecessarily online that could provide attackers with helpful information, for example, by pointing out outdated or poorly maintained systems – such as error codes, outdated year dates or default CMS start pages? In contrast to configuration errors, hygiene issues have a lower priority (do not pose a direct cyber risk) and are given a lower weighting when determining the Attack Surface Score.
7. Threat Intelligence: Is information such as credentials, your company’s confidential information, source code, etc. being traded, sold or discussed on the dark web?
Figure 4: A dark web mention that requires further investigation
The overall and partial scores of the attack surface show you the threat status both of your IT as a whole and of the areas where the greatest need for action exists. An interactive dashboard should be available for this purpose, providing you with a visual overview of your attack surface and serving as an efficient reporting tool. This way, you can use EASM to improve your score step by step, reduce your attack surface and make your company less and less attractive and more resilient to cyber-attacks.
Risk-based prioritization of countermeasures
Knowing your weak points is the first step towards taking effective precautions. However, the number of findings can quickly become overwhelming, especially when the attack surface is extensive. So where do you even begin?
Generally, you should prioritize those countermeasures that reduce existing risks as much as possible with the least amount of effort. The risk associated with a specific successful attack increases with its probability of occurrence and its potential damage. That is why the first thing to do is to eliminate those points of attack that enable direct attacks on critical systems and data, such as exposed services without adequate protection (login protection, encryption), leaked login data, or software vulnerabilities that are already being actively exploited by threat actors, possibly in a campaign that is currently running. At the same time, measures that can be implemented quickly and easily should be higher up on the priority list, for example immediately taking offline any exposed hosts or services that do not need to be online.
The mapping, monitoring and scoring features of EASM platforms provide helpful pointers for this prioritization. The rule of thumb is: the worse the score in a particular area, the more urgent the possible need for action. It also makes sense to combine EASM with risk-based vulnerability management. EASM helps to identify previously unknown assets so that they can be included in more detailed scans as part of your VM process in the future.
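The two ideas in the sections above, the seven-dimension attack surface score with its A to F grade (where hygiene carries a lower weighting) and the risk-based ordering of countermeasures by probability, damage and effort, can be worked through on a small set of findings. The following is an added example and not Outpost24's scoring formula: the dimension weights, the per-finding likelihood, impact and effort ratings, the grade thresholds and the findings themselves (hypothetical hosts, no real identifiers) are all assumptions made for illustration.

```python
"""
Added example: attack-surface scoring and risk-based prioritization over a
constructed findings list. Not Outpost24's code or scoring model; weights,
thresholds and ratings are invented for illustration.
"""
from dataclasses import dataclass

DIMENSIONS = ("vulnerabilities", "configuration", "exposed_services",
              "encryption", "reputation", "hygiene", "threat_intelligence")

# Assumed weights: hygiene counts less, as the article says it carries a lower weighting.
WEIGHTS = {d: 1.0 for d in DIMENSIONS}
WEIGHTS["hygiene"] = 0.4


@dataclass(frozen=True)
class Finding:
    host: str
    dimension: str
    detail: str
    likelihood: int   # 1..5, assumed analyst rating (5 = known to be actively exploited)
    impact: int       # 1..5, assumed damage if the point of attack is used
    effort: int       # 1..5, assumed remediation effort (1 = quick win)


# Constructed findings for hypothetical hosts (reserved .test TLD, no real CVE).
FINDINGS = [
    Finding("vpn.example-corp.test", "vulnerabilities",
            "actively exploited VPN appliance bug (CVE placeholder)", 5, 5, 3),
    Finding("legacy.example-corp.test", "exposed_services", "RDP exposed on 3389", 4, 4, 1),
    Finding("legacy.example-corp.test", "encryption", "login over plain HTTP", 3, 4, 2),
    Finding("mail.example-corp.test", "configuration", "DMARC policy p=none", 3, 3, 2),
    Finding("legacy.example-corp.test", "hygiene", "default Apache page", 1, 1, 1),
    Finding("legacy.example-corp.test", "hygiene", "HTTP 500 on front page", 1, 1, 2),
    Finding("example-corp.test", "threat_intelligence",
            "employee credentials offered on a dump site", 4, 4, 1),
]


def risk(f):
    """Risk grows with probability and damage: likelihood x impact, range 1..25."""
    return f.likelihood * f.impact


def dimension_score(findings, dimension):
    """0..100: start at 100 and subtract each finding's risk in that dimension."""
    score = 100 - sum(risk(f) for f in findings if f.dimension == dimension)
    return max(0, score)


def overall_score(findings):
    """Weighted average of the seven dimension scores, rounded to an integer."""
    total_weight = sum(WEIGHTS.values())
    weighted = sum(dimension_score(findings, d) * WEIGHTS[d] for d in DIMENSIONS)
    return round(weighted / total_weight)


def grade(score):
    """Map a 0..100 score to a letter A-F using assumed thresholds."""
    for letter, floor in (("A", 90), ("B", 80), ("C", 70), ("D", 60)):
        if score >= floor:
            return letter
    return "F"


def prioritize(findings):
    """Highest risk first; among equal risk, the cheaper fix first."""
    return sorted(findings, key=lambda f: (-risk(f), f.effort))


def quick_wins(findings, max_effort=1, min_risk=12):
    """Cheap measures worth doing immediately regardless of their rank."""
    return [f for f in findings if f.effort <= max_effort and risk(f) >= min_risk]


if __name__ == "__main__":
    total = overall_score(FINDINGS)
    print(f"overall score {total} -> grade {grade(total)}")
    for d in DIMENSIONS:
        print(f"  {d:20} {dimension_score(FINDINGS, d)}")
    print("remediation order:")
    for f in prioritize(FINDINGS):
        print(f"  risk={risk(f):2} effort={f.effort}  {f.host:26} {f.detail}")
    print("quick wins:", [f.detail for f in quick_wins(FINDINGS)])
```

With these inputs the exploited VPN bug tops the remediation list even though it takes more effort to fix, while the exposed RDP port and the leaked credentials show up as quick wins because they are both high-risk and cheap to address; the two hygiene findings sit at the bottom and barely move the overall grade.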
Conclusion
Your attack surface is constantly changing – new IT assets are added, configurations change, new vulnerabilities are discovered, and new threats emerge. EASM helps you keep pace with these developments and effectively minimize your attack surface.
Find out how Outpost24 External Attack Surface Management can help your IT security and get an initial free assessment of your attack surface: