Friday, May 13, 2022

An Introduction To External Attack Surface Management

In the past year or two I have been learning a lot about External Attack Surface Management and I wanted to share some of my knowledge. As a short introduction, what is an Attack Surface? Imagine you lived in a house with lots of valuables and you were in a bad neighborhood. You would probably lock your doors and windows at all times, and have additional layers of security like a barbed wire fence and an alarm system. In this scenario, the attack surface would be any point of entry a burglar could use to gain access to your valuables. A clever burglar would find a weakness in the fence, and test all of the doors and windows to find the easiest way inside.

To verify that you are secure, you could test your defenses by trying to break in yourself, or hire a professional to do it for you on a regular basis. What if you had thousands of windows and doors opening and closing regularly, and you were in a neighborhood where all of your neighbors are burglars? This is closer to the reality faced in the internet world.

A house with many doors. Source

An insecure computer plugged directly into the internet with no firewall can be compromised in seconds. So how do you monitor your attack surface? The first step is to inventory everything that is internet facing. Find every IP Address, Root Domain, and Subdomain you own. If you have access to your DNS registrar you can obtain a source of truth list of every configured DNS record. If you don't, you can use the same techniques used by Bug Bounty hunters and use subdomain enumeration tools like Amass, subfinder, and massdns. This inventory of assets will likely change over time, so it would be a good idea to run automation that updates the inventory as new assets are deployed and old ones are decommissioned.

The second step is to do a use your inventory list and run a simple port scan with a tool like nmap, masscan, or naabu to see what ports and services are open to the public internet. For the best results this port scan should be done from a dedicated server. This is like testing to see if your doors and windows are unlocked and what's behind them. The port scan should return some results with fingerprint data that gives you an idea what may be behind each open port.

If it's an SSH, FTP, or Telnet service, try to connect with a client to see if it lets you try to login with a username and password. You can also often see the version of the service running and do an internet search for known vulnerabilities.

If it's a web server, you can try to load it in your browser, or use a tool like httpx to see what information is available. Try to connect using HTTP and HTTPS, and if you can connect using HTTPS take a look at the SSL Certificate to learn more about the service. There are some great command line tools for parsing SSL Certificate data such as SSL Checker and some more mentioned by Jason Haddix in his recent Tool Time video discussing SSL Certificate Parsers. Explore the web server in depth to gain an understanding of what it's used for. Review the HTML and Javascript source code. Does it have any login forms where a username and password could be used? Does it reveal any information that shouldn't be public? Does it have any known vulnerabilities that could be exploited? Can you do Content Discovery to find hidden content?

For other open ports you will need to do some research to better understand what service is listening and what risk that could present by remaining publicly exposed.

As a general rule of thumb, you want to reduce your attack surface to improve your security posture, or in other words, the less doors and windows you have to lock, the less likely you are to lose your valuables. When you find an open port and service, you should ask yourself if you really want that to remain public, or if it should be hidden from public view. If you want to hide it from public view you will need to identify where it is hosted, and change the firewall settings to only allow access from specific management IPs, or close the port entirely. If it's an old and unmaintained asset, consider decommissioning it to save money and reduce your attack surface.

If you discover new assets are regularly deployed in an insecure state, identify who is deploying those assets and get to know more about their needs and processes. They may not know that the new servers they deployed all had a web server with an admin login page exposed on port 8000. Work with them to improve their processes so they are less likely to expose a risk to the environment in the future.

The steps here can all be automated, and depending on your budget, you can build a solution yourself or you can pay a third party to do it for you. Here is a nice list of free and premium solutions.

This is a high level introduction to the world of External Attack Surface Management, or as it is also known, simply "recon". I hope someone has found this information useful, have a great weekend everyone!

No comments:

Post a Comment