In the era of digitization and ever-changing business needs, the production environment has become a living organism. Multiple functions and teams within an organization can ultimately impact the way an attacker sees the organization’s assets, or in other words, the external attack surface. This dramatically increases the need to define an exposure management strategy.
To keep up with business needs while effectively assessing and managing cybersecurity risk, there are two primary elements that organizations should consider regarding their external attack surface: its size and its attractiveness to attackers. While organizations are typically focused on accounting for the size of their attack surface, its attractiveness is not typically top of mind, though it may have a significant impact on risk.
Attack Surface Size
How many assets are accessible from the outside world?
There is a delicate balance between business needs and security. While there are good reasons to expose more assets to the internet (e.g., user experience, third-party integrations, and software architecture requirements), the price is an increased attack surface. Increased connectivity ultimately means more potential breach points for an adversary.
The bigger the attack surface, and the more assets there are in the adversary’s “playground,” the more effort an organization needs to put into mitigating its exposure risk. This requires carefully crafted policies and procedures to continuously monitor the attack surface and protect exposed assets. Of course, there are basic measures, such as routinely scanning for software vulnerabilities and patching. However, configuration issues, shadow IT, leaked credentials, and access management also need to be taken into consideration.
An important note: the frequency of testing and validating should at least align with the pace of change of the organization’s attack surface. The more an organization makes changes to its environment, the more it needs to assess the attack surface. However, routine tests are still necessary even during periods of minimal change.
Attack Surface Attractiveness
While the size of the external attack surface is a well-understood indicator of cybersecurity risk, another aspect that is just as critical – though more elusive to organizations today – is how attractive an attack surface is to potential attackers.
When adversaries look for potential victims, they look for the lowest-hanging fruit. Whether it’s the easiest way to compromise a particular targeted organization or the easiest targets to attack to achieve their goals, they will be attracted to indicators of potential security weak spots in external-facing assets and will prioritize their activities accordingly.
When we talk about “attractive” assets, we don’t necessarily mean appealing targets, such as personal data, that can be sold on the black market. Attractions are the attributes of an asset that have the potential to be abused by adversaries. These are then marked as a potential starting point to propagate an attack.
An organization’s assets may all be patched to the latest and greatest software. However, these assets might still have attractive properties. For instance, a large number of open ports increases the number of protocols that can be leveraged to propagate an attack. It is important to emphasize that attacks are not necessarily tied to a vulnerability but can be an abuse of a well-known service. A good example of that can be found in this blog post from Pentera Labs describing how to abuse the PsExec utility. Also, some specific ports can be more attractive, for example, port 22, which enables SSH access from the outside world.
Another example is a website that allows file uploads. For some organizations, this is a critical service that enables the business, but for attackers, this is a convenient way to get their foot in the door. Organizations are well aware of the risk and can address it in different ways, but that doesn’t change the attractiveness of this asset and its corresponding risk potential.
The main challenge in dealing with attractions is that they are moving targets. With every configuration change, the attractions change both in their number of instances and in their severity.
To effectively assess the severity of an attraction, it is essential to understand how easy it is for an adversary to detect it during the enumeration phase and, more importantly, how easy it is to exploit it. For instance, a VPN endpoint is easy to detect but difficult to exploit, so it can be a lower priority in an organization’s risk management plan. On the other hand, an online contact form is easy to detect and is highly exposed to SQL injection and to vulnerabilities such as Log4Shell.
Decreasing the number of attractions reduces an organization’s risk, but that is not always possible. As a result, understanding the underlying risk and defining a plan to address it should be the organization’s number one priority to control exposures in the external attack surface while delivering on business needs.
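The two questions above (how easy is an attraction to detect, how easy is it to exploit) plus its instance count can be turned into a simple prioritization model. The following is an added example, not Pentera’s scoring method or product code; the ordinal scale, the squared exploitability weight, the `bit_length()` instance factor and the inventory are all constructed assumptions that mirror the assets named in the post (VPN endpoint, contact form, file upload, SSH on port 22, a host with many open ports).

```python
from dataclasses import dataclass, replace
from collections import defaultdict

# Hypothetical ordinal scale for the two questions the post asks about each
# attraction: how easy it is to detect during enumeration, and how easy it is
# to exploit. Added example, not Pentera's scoring model.
LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class Attraction:
    asset: str           # externally reachable host the attraction belongs to
    kind: str            # what the attraction is (open port, upload form, ...)
    detectability: str   # low / medium / high
    exploitability: str  # low / medium / high
    instances: int = 1   # e.g. number of open ports of this kind

    def priority(self) -> int:
        # Exploitability is squared so an easy-to-find but hard-to-abuse
        # service (a VPN endpoint) ranks below an easy-to-abuse one.
        base = LEVEL[self.detectability] * LEVEL[self.exploitability] ** 2
        # bit_length() is a cheap diminishing-returns factor for instance
        # count: 1 -> 1, 2-3 -> 2, 4-7 -> 3, 8-15 -> 4, ...
        return base * self.instances.bit_length()

def rank(attractions):
    """Attractions ordered from most to least attractive to an adversary."""
    return sorted(attractions, key=lambda a: a.priority(), reverse=True)

def asset_totals(attractions):
    """Per-asset sum of attraction priorities: which host to look at first."""
    totals = defaultdict(int)
    for a in attractions:
        totals[a.asset] += a.priority()
    return dict(totals)

def reduce_instances(attractions, asset, kind, new_count):
    """Re-score after removing instances (e.g. closing unused ports)."""
    return [replace(a, instances=new_count) if (a.asset, a.kind) == (asset, kind) else a
            for a in attractions]

# Constructed inventory mirroring the post's examples.
INVENTORY = [
    Attraction("vpn-gw", "vpn endpoint", "high", "low"),
    Attraction("www", "contact form", "high", "high"),
    Attraction("www", "file upload", "medium", "high"),
    Attraction("legacy-host", "ssh (tcp/22)", "high", "medium"),
    Attraction("legacy-host", "open service ports", "high", "medium", instances=12),
]

if __name__ == "__main__":
    for a in rank(INVENTORY):
        print(f"{a.priority():3d}  {a.asset:12s} {a.kind}")
    print(asset_totals(INVENTORY))
```

Re-running `rank()` after `reduce_instances()` shows the moving-target effect: closing most of the legacy host’s ports drops it below the contact form, which is why the scoring has to be repeated at the pace of change rather than once.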