Why Attack Surface Management matters most?

Why Attack Surface Management matters most?

created time
Nov 19, 2022 01:14 AM
last update
Nov 23, 2022 05:35 AM


I tend to use a What ↔ Why → How format, a subset of 5W1H approach to focus on WHAT matters & WHY, before getting into the HOW. The hyperlink to this entry & others related to this series are updated @ https://www.jym.sg/cyber-security-in-7-weeks!

What is Attack Surface?

notion image
Every inch of that punching bag is like an Attack Surface. Attackers can “punch” systems with exposed areas (Risk Exposures). The sum of all exposed areas is known as “Attack Surface”. These exposed areas are related to the means (or methods) used by adversaries to deliver attacks. It is a vital attribute to the conditions of attacks related to Threat Accessibility.
Examples of exposures:
  • ZERO ACCESS CONTROL (free-for-all) to (read) sensitive files that can be listed on a poorly configured web-site.
These examples are skewed towards direct access &/or delivery of attacks. Another form is the use of indirect means (aka Vectors, think of pests spreading germs & diseases) like emails, SMS & malicious web-advertisements to trick or get to victims, instead of targetting directly at system interfaces.
Some definitions of Attack Surface may use the phrase Attack Surface = Sum of all Attack Vectors. But unlike the earlier examples of direct weaknesses (e.g. software flaws, poor configurations…), some of these vectors are actually legit use-cases that can be abused by attackers (e.g. emails & SMS).
notion image
Quick digress, is it fair to expect users to figure such things out???

Why Attack Surface Management Matters Most?

Within my 1st part of Cyber-Defense Mental Models, I described Threat Accessibility as the “Oxygen” of attacks. The notion of DIRECT (high probability of attacks) vs INDIRECT (it depends on who attacks) matters because there are DIFFERENT priorities (recap Risk Exposure)!
Attack Surface Management offers quick & direct influence over the probability of attacks!
notion image
Some smarty pants may ask: isn’t this Vulnerability Management?
This entry leads the reader up to HOW to experience Attack Surface (hands-on exercise) with a SINGLE VECTOR (secure shell service), so that it is easier for new comers. Complex networks have way MORE vectors.
So let’s revisit the attribute of VALUE within the condition of System Susceptibility, valuation of “assets” can be subjective because stake-holders may look at their “Crown-Jewels” to act on first (as priority due to Mental Bias) but attackers will go for low-hanging fruits (may be low priority items in stake-holders’ lists) to get into your networks sooner than you think.
Back to “Isn’t this Vulnerability Management?”, it begs the question:
is having Remote-Admin Access (beyond SSH, could be RDP, Teamviewer or whatever you fancy) on Single-Factor password a “vulnerability”?
Depending on who you ask, some may say NO because it doesn’t have a CVE identifier but can it become a low-hanging fruit if let’s say, admins feel lazy & decided to use a weak password with root accounts? Most probably YES.
When we look at it that way, Attack Surface Management is more than just a typical Scan-&-Patch exercise that most conveniently label as Vulnerability Management.
YOU as a defender need to DENY attackers from “Beach-Heads” (Initial Infiltration, below is a sand monument “Sands of Remembrance” at Normandy Beach) ASAP, by ZOOMing into ATTACKERS’ Point-of-View!
notion image
Back to the earlier examples, in concrete terms:
  • Limit access (turn on Multi-Factor Authentication) when there’s NO official patch (e.g yet to be announced flaws aka 0-days) or patch sucks (not working) instead of free-for-all access on the Internet
  • Patch all publicly exposed vulnerable software services first (e.g. MS-Exchange)
  • Replace all default passwords & remove public access to admin interfaces (not limited to web, which is why I designed the HOW portion of this entry to focus on the LINUX (the “firmware” of Cloud & IoTs) SSH (secure shell remote admin access)!
  • Scan your own networks for exposures like default passwords, listing & poor configurations… all the low-hanging fruits. Don’t know how? Engage licensed (←click to learn WHY there’s a need for legal frameworks) Pen-testers!
  • What about Cloud services!? Sorry, you clicked [i agree] to their EULA. Good luck, but you can still learn from OWASP! Kidding, I will cover some architectural approaches later lah, step-by-step leh!

How to Experience Attack Surface?

notion image
I do (no try, Yoda sayz) my best to design learning experiences that are accessible to MORE, but at the same time I don’t believe in hand-holding with step-by-step instructionals. Why? Because if I could list it out as step by step commands/codes for you to read, after which copy & paste into console to run, I might as well implement it as Infrastructure-as-Code (or conversely Pen-testing-As-Code) to automate with less human intervention!
To scale up, we need MORE people to learn & contribute reusable commands or codes (along with “blue + red = purple” testing), or compose (or harden) different functionalities with reusable sub-systems.
So the flow of how to experience Attack Surface for free (& safely) is as follows:
Learning Exercise Outline
Rationale & Food-for-Thought
Sign up free cloud-based Virtual Machines running Linux with SSH (secure shell service).
Leverging free services is a good way to make hands-on exercises more accessible, no need special or expensive labs. Adversaries are always doing that, we (as defenders) are stupid if we don’t. SSH is the de-facto remote admin access to *nix systems. Password is also a common authentication mode. Linux is like the “firmware” of Cloud, Virtualisation, Containerization… & IoT! Hey even Microsoft embrace Linux as BFF! This exercise will lay provide some basic experience to appreciate intermediate topics like doing away with password authentication.
Find out where are basic audit events stored (logs as in the verb to record, not trees) to observe persistent brute-force SSH authentication attempts (think Threat Capabilities).
Quick intro to the notion of Observability. There are hands-on exercises for Windows in other posts. To know what is going on, we need relevant data & the know-how to interpret. How do they (attackers) figure out so quickly that your VM runs SSH?
Sign up free ZeroTier Software-Defined Network Overlay.
Prepare you for intermediate topics related to Softwware Defined Perimeters & Zero-Trust Network Access (links soon → telegram group for updates). Know that changing authentication mode is not the only way to limit access. Can you use the SSH credentials (id + password) on any terminal that has SSH client before (& after installation of) ZeroTier?
Configure your SSH service to use private IP address allocated by ZeroTier network & review log-events again. Ensure that your desk or laptop used for this exercise also joins the same private ZeroTier network.
What happens when you use a popular password for SSH? Once SSH service no longer “listens” on a public Internet address, what happens? (Hint: the fire blanket demo earlier) For attackers to get into your VM with this new configuration, what do they need to do first?
I basically ported a section of Part 1 of 3 Cyber Defense Mental Models here. In an event that you get stuck or need some help, please refer to my Intern’s notes: https://jymcheong.notion.site/1d88dce61a7a4e8ba0a7635928dcc8b4?v=a93b2494e76940b9a2593bf43681a3bf