I tend to use a What ↔ Why → How format, a subset of 5W1H approach to focus on WHAT matters & WHY, before getting into the HOW. The hyperlink to this entry & others related to this series are updated @ https://jym.sg/cyber-security-in-7-weeks!
What is Attack Surface?
Every inch of that punching bag is like an Attack Surface. Attackers can “punch” systems with exposed areas (Risk Exposures). The sum of all exposed areas is known as “Attack Surface”. These exposed areas are related to the means (or methods) used by adversaries to deliver attacks. It is a vital attribute to theconditions of attacks related to Threat Accessibility.
ZERO ACCESS CONTROL (free-for-all) to (read) sensitive files that can be listed on a poorly configured web-site.
These examples are skewed towards direct access &/or delivery of attacks. Another form is the use of indirect means (aka Vectors, think of pests spreading germs & diseases) like emails, SMS & malicious web-advertisements to trick or get to victims, instead of targetting directly at system interfaces.
ℹ️
Some definitions of Attack Surface may use the phrase Attack Surface = Sum of all Attack Vectors. But unlike the earlier examples of direct weaknesses (e.g. software flaws, poor configurations…), some of these vectors are actually legit use-cases that can be abused by attackers (e.g. emails & SMS).
Quick digress, is it fair to expect users to figure such things out???
Why Attack Surface Management Matters Most?
Within my 1st part of Cyber-Defense Mental Models, I described Threat Accessibility as the “Oxygen” of attacks. The notion of DIRECT (high probability of attacks because accessible vulnerabilities & exploit-tools released for free to public) vs INDIRECT (it depends on who attacks, e.g. how deceptive the phishing contents are, whether bait taken or not…) matters because there are DIFFERENT priorities (recap Risk Exposure)!
⚡
Attack Surface Management offersquick & direct influence over the probability of attacks!
🤔
Some may ask: isn’t this Vulnerability Management?
This entry leads the reader up to HOW to experience Attack Surface (hands-on exercise) with a SINGLE VECTOR (secure shell service), so that it is easier for new comers. Complex networks have way MORE vectors.
So let’s revisit the attribute of VALUE within the condition of System Susceptibility, valuation of “assets” can be subjective because stake-holders may look at their “Crown-Jewels” to act on first (as priority due to Mental Bias) but attackers will go for low-hanging fruits (may be low priority items in stake-holders’ lists) to get into your networks sooner than you think.
Back to “Isn’t this Vulnerability Management?”, it begs the question:
❓
is having Remote-Admin Access (beyond SSH, could be RDP, Teamviewer or whatever you fancy) on Single-Factor password a “vulnerability”?
Depending on who you ask, some may say NO because it doesn’t have a CVE identifier but can it become a low-hanging fruit if let’s say, admins feel lazy & decided to use a weak password with root accounts? Most probably YES.
YOU as a defender need to DENY attackers from “Beach-Heads” (Initial Infiltration, below is a sand monument “Sands of Remembrance” at Normandy Beach) ASAP, by ZOOMing into ATTACKERS’ Point-of-View!
Back to the earlier examples, in concrete terms:
Limit access (turn on Multi-Factor Authentication) when there’s NO official patch (e.g yet to be announced flaws aka 0-days) or patch sucks (not working) instead of free-for-all access on the Internet
Patch all publicly exposed vulnerable software services first (e.g. MS-Exchange)
Replace all default passwords & remove public access to admin interfaces (not limited to web, which is why I designed the HOW portion of this entry to focus on the LINUX (the “firmware” of Cloud & IoTs) SSH (secure shell remote admin access)!
Scan your own networks for exposures like default passwords, listing & poor configurations… all the low-hanging fruits. Don’t know how? Engage licensed (←click to learn WHY there’s a need for legal frameworks) Pen-testers!
What about Cloud services!? Sorry, you clicked [i agree] to their EULA. Good luck, but you can still learn from OWASP! Kidding, I will cover some architectural approaches later lah, step-by-step leh!
How to Experience Attack Surface?
Experience Attack Surface for free (& safely) like this:
Leverging free services is a good way to make hands-on exercises more accessible, no need special or expensive labs. Adversaries are always doing that, we (as defenders) are stupid if we don’t.
SSH is the de-facto remote admin access to *nix systems. Password is also a common authentication mode. Linux is like the “firmware” of Cloud, Virtualisation, Containerization… & IoT! Hey even Microsoft embrace Linux as BFF!
This exercise will lay provide some basic experience to appreciate intermediate topics like doing away with password authentication.
Find out where are basic audit events stored (logs as in the verb to record, not trees) to observe persistent brute-force SSH authentication attempts (think Threat Capabilities).
There are hands-on exercises for Windows in other posts. To know what is going on, we need relevant data & the know-how to interpret.
How do they (attackers) figure out so quickly that your VM runs SSH?
Prepare you for intermediate topics related to Softwware Defined Perimeters & Zero-Trust Network Access (links soon → telegram group for updates).
Know that changing authentication mode is not the only way to limit access.
Can you use the SSH credentials (id + password) on any terminal that has SSH client before (& after installation of) ZeroTier?
Configure your SSH service to use private IP address allocated by ZeroTier network & review log-events again.
Ensure that your desk or laptop used for this exercise also joins the same private ZeroTier network.
What happens when you use a popular password for SSH?Once SSH service no longer “listens” on a public Internet address, what happens? (Hint: the fire blanket demo earlier)
For attackers to get into your VM with this new configuration, what do they need to do first?
