What is Attack Surface Reduction?

Attack Surface Reduction is a powerful tool used to protect and harden environments. It’s a broad term that means many things to different people. In this case, we use the OWASP definition: “attack surface describes all of the different points where an attacker could get into a system, and where they could get data out”. Using this definition, it becomes clear that reducing this surface is imperative. Removal of unnecessary features is a big part of this process. Why? Because features mean code, which means bugs, which means vulnerabilities, which means exploits. Exploitation of vulnerable code is not the only issue; if a feature has credentials associated with it, then good credential hygiene must be applied, otherwise the risk of default, weak or stolen credentials becomes a major problem. It is also a regular occurrence that features end up misconfigured, which can also result in security issues.

When discussing modern IT environments, we typically focus on networked services such as web sites, operating systems and associated applications. However, in the modern era, we also have to deal with cloud and mobile environments. In this blog, we’ll look at how each of these conspires to increase our overall attack surface, while also outlining specific tools and measures that can be used to implement an attack surface reduction program.

Cloud

One of the biggest challenges with reducing the attack surface of cloud deployments is discovering that there is a cloud deployment at all! Often asset inventory systems are not fit for purpose, particularly when it comes to modern cloud features like AWS Lambdas or Azure functions. Development teams need to work with security teams when it comes to spinning up new cloud infrastructure. If API keys are being generated, then they need to be locked down to the minimal set of permissions required to get the job done.

Mobile

Corporate mobile phones need to be enrolled into a Mobile Device Management (MDM) system so that they can be centrally managed for patching, visibility and application of policies. Employee personal devices can be placed into an internet-only Wi-Fi network separated from the corporate IT network. This allows employees to still access personal resources while not compromising the security of the corporate IT network.

Network

The first step for reducing the network attack surface is to disable all services that are unnecessary. However, in order to do even this first step, it is necessary to know which IP addresses you own, which services are necessary for the business, which are available on these IP addresses, and so on. Many networks we see are locked down to only allow ports 80 and 443 through. Nonetheless, it’s worth keeping in mind that admin panels for Content Management Systems (CMS) are often available over these standard HTTP(S) ports and, similarly, configuration panels for network equipment like firewalls, VPNs, load balancers, etc. can be inadvertently exposed in this way too.

In situations where there is a limited number of IP addresses connecting to a particular service like a business-to-business (B2B) service or a Remote Desktop Protocol (RDP) service, then IP whitelisting can be an effective approach to reducing the attack surface. Obviously, this approach does not scale to consumer-to-business (C2B) services such as retail operations, which require open access.
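The first step described above, knowing which of your own addresses expose which services and whether each is approved, can be scripted. This is an added example written for this post, not a Digital Shadows tool; the inventory is constructed sample data using RFC 5737 documentation addresses, and the function name is hypothetical.

```powershell
# Compare what is reachable on IP addresses you own against the services the
# business has signed off on. Constructed sample inventory: owned IP -> approved ports.
$Inventory = @{
  '192.0.2.10' = @(443)          # public web site: HTTPS only
  '192.0.2.20' = @(443, 3389)    # B2B host: RDP approved, but only for known partner IPs
}
# Ports worth probing on every owned address, whether or not they are expected.
$CandidatePorts = @(21, 22, 23, 80, 443, 445, 3389, 8080, 8443)

function Get-ExposedService {
  param([hashtable]$Inventory, [int[]]$Ports)
  foreach ($ip in $Inventory.Keys) {
    foreach ($port in $Ports) {
      # Quiet mode returns $true only when the TCP handshake completes
      $open = Test-NetConnection -ComputerName $ip -Port $port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
      if (-not $open) { continue }
      # Even approved admin/RDP ports should be restricted to known source IPs (whitelisting)
      $note = if ($port -in 3389, 8080, 8443) { 'Restrict to known source IPs' } else { '' }
      [pscustomobject]@{
        Address  = $ip
        Port     = $port
        Approved = ($Inventory[$ip] -contains $port)
        Note     = $note
      }
    }
  }
}

# Unapproved services sort first; each one is a candidate for removal or firewalling.
Get-ExposedService -Inventory $Inventory -Ports $CandidatePorts |
  Sort-Object Approved, Address, Port | Format-Table -AutoSize
```

Run it from a host outside your perimeter so the result reflects what the internet actually sees, and diff the output against the previous run to catch newly exposed services.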

It is worth considering here that although your network may be sufficiently hardened, connections into your environment from third party suppliers or partners can be a concern. The ACSC 2017 Threat Report states that: “As it has become more difficult for adversaries to directly compromise their targets, adversaries have sought secondary or tertiary access into primary targets”. It is, therefore, worth keeping in mind that an organization may be a target for the sole reason of their connectivity into other environments.

Host

For hosts, such as those running the Windows operating system, there are many built-in tools that can be used to reduce the attack surface. The “hardentools” application from Security Without Borders disables many of the risky features that are part of Microsoft Windows and Office.

Figure 1: HardenTools application used to disable risky Microsoft Windows features (Source: Security Without Borders)

The tool can be used as a standalone tool or simply as inspiration for internal Group Policy Object (GPO) or other policies that can be deployed. Some of the key features it disables are:

  • Windows Script Hosting (JavaScript & VBScript), which is often used by attackers to gain code execution in an environment.
  • Macros, OLE, ActiveX and DDE for Microsoft Office, as active content is often abused by attackers.
  • Autorun/autoplay for removable media like USB sticks. Although disabling removable media entirely is preferable, there are often cases where it is the only solution for moving files between machines.
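The same three categories can be audited and enforced with a few registry values, which is the usual starting point for an internal GPO. The script below is an added example written for this post, not hardentools itself; the Office paths assume the “16.0” hive (Office 2016/2019/365) and every path and value should be checked against Microsoft’s documentation before it goes into a policy.

```powershell
# Audit (default) or apply (-Apply) a small host-hardening baseline.
# Registry locations are assumptions for this example; verify before deploying via GPO.
#Requires -RunAsAdministrator
[CmdletBinding()]
param([switch]$Apply)

$Baseline = @(
  # Windows Script Host off: wscript/cscript will refuse to run .js/.vbs files
  @{ Area='WSH';     Path='HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings';             Name='Enabled';            Value=0 }
  # Office macros: 4 = "disable all without notification"
  @{ Area='Macros';  Path='HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security';       Name='VBAWarnings';        Value=4 }
  @{ Area='Macros';  Path='HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security';      Name='VBAWarnings';        Value=4 }
  @{ Area='Macros';  Path='HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security'; Name='VBAWarnings';        Value=4 }
  # OLE packager objects in Word: 2 = block without prompting
  @{ Area='OLE';     Path='HKCU:\Software\Microsoft\Office\16.0\Word\Security';                Name='PackagerPrompt';     Value=2 }
  # DDE: do not auto-update field links when a Word document opens
  @{ Area='DDE';     Path='HKCU:\Software\Microsoft\Office\16.0\Word\Options';                 Name='DontUpdateLinks';    Value=1 }
  # Autorun/autoplay: 0xFF disables it for every drive type
  @{ Area='Autorun'; Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoDriveTypeAutoRun'; Value=255 }
)

function Test-HardeningBaseline {
  foreach ($s in $Baseline) {
    # A missing value reads as $null, which counts as non-compliant
    $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    $ok = ($null -ne $actual) -and ($actual -eq $s.Value)
    if ($Apply -and -not $ok) {
      if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
      New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
      $actual = $s.Value; $ok = $true
    }
    [pscustomobject]@{ Area=$s.Area; Setting=$s.Name; Expected=$s.Value; Actual=$actual; Compliant=$ok }
  }
}

Test-HardeningBaseline | Format-Table -AutoSize
```

Run without switches first to see which settings already comply; HKCU entries apply to the current user only, so for fleet-wide enforcement translate the HKCU rows into the equivalent user-policy GPO settings rather than running the script per user.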

As well as the operating system and office applications, browsers are another key attack surface. Exploit kits and other drive-by download techniques are frequently used by both opportunistic and more targeted, sophisticated groups. Browser attack surface can be reduced by the following measures:

  • Disable unnecessary browser plugins such as Adobe Flash, ActiveX controls, Oracle Java applets and Microsoft Silverlight. Most multimedia is delivered by HTML5 rather than by these other formats.
  • If there is a business requirement for a particular technology or site, then whitelisting the site or technology where appropriate reduces the amount of options that an attacker has.
  • If even this is not possible, then use click-to-play, which Google Chrome – for example – supports, where there has to be explicit user interaction in order for the attacker to gain code execution.

By keeping in mind that unnecessary features are providing more options for attackers to enter an environment, an attack surface reduction program helps to increase attacker costs by denying them the straightforward methods for achieving access. Digital Shadows (now ReliaQuest) customers will be informed by our infrastructure incidents product feature of services listening on potentially risky external ports.

To find out more about protecting and hardening your environments, listen to our recent ShadowTalk podcast: Episode 29: Reducing Your Attack Surface: From a Firehose to a Straw.
