Reducing your attack surface
April 9, 2019
What is an attack surface
According to OWASP, an attack surface “describes all of the different points where an attacker could get into a system, and where they could get data out”. As organizations’ infrastructure grows and becomes more complex, it can be challenging to keep up with their expanding attack surface. Exploitable vulnerabilities exist across your known infrastructure, but they also extend to shadow IT – those projects and software managed outside of the IT department, the existence of which may not be known to the security team.
Only 29% of organizations believe they have sufficient visibility into their attack surface. That’s why, in our new Practical Guide to Reducing Digital Risk, we outline ways to manage and reduce the attack surface and how, by taking an outside-in perspective of the attacker, organizations can identify these untracked IT investments and significantly reduce the attack opportunities presented to an adversary.
Equifax lessons learned
The Equifax breach, which exposed over 140 million customer records, is a good example of why it’s important to get this right. Equifax reported that this breach occurred through an unpatched web application that was vulnerable to an exploit in the Apache Struts framework (CVE-2017-5638). This vulnerability had patches available for two months, and evidence of the exploitation of this weakness was widely known as many attackers had already been observed to have exploited this weakness in campaigns.
Part of the challenge for Equifax (and many other organizations) is knowing what assets exist in the IT estate in the first place. While Equifax may be an extreme example, all companies’ IT departments are playing a constant game of catch-up with their changing organizations and rarely have a complete view of what they are responsible for protecting. Shadow IT has become a very real problem for businesses globally as they grow, merge, and adapt their infrastructures. Even those that have an effective vulnerability management program experience challenges prioritizing the range of work without disrupting IT operations.
Top four types of attack surface risks
When we consider an organization’s internet-facing infrastructure, there are four main aspects of an attack surface to consider.
- Exploited Vulnerabilities. Major vulnerabilities in your infrastructure that have active exploits being used in the real world and allow for remote code execution.
- Open Ports. Exposed ports that indicate services or assets available online, which may offer a route to compromising your network or pose a significant risk simply by being exposed.
- Certificate Issues. Expiring, revoked, insecure or vulnerable SSL certificates and configurations.
- Misconfigured File Services. Misconfigured devices on your infrastructure that are exposing data.
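To make the four categories concrete, the following is an added example (not Digital Shadows or SearchLight code) that takes a handful of constructed scan findings for assets you operate, sorts each into one of the four categories above, and ranks them for remediation. The asset names, the `RISKY_PORTS` allowlist, the scoring weights and the `fetch_peercert` helper are all assumptions chosen for illustration; the certificate expiry parsing uses the standard library's `ssl.cert_time_to_seconds`, which accepts the `notAfter` string that `ssl.SSLSocket.getpeercert()` returns.

```python
"""Triage attack-surface findings into the four risk categories and rank them.

Added example, not Digital Shadows/SearchLight code. The findings below are
constructed sample data; in practice they would come from scans of your own
internet-facing assets.
"""
import socket
import ssl
from datetime import datetime, timezone

# Assumption: services that should rarely be reachable from the internet.
# Tune this allowlist to your own environment.
RISKY_PORTS = {21: "ftp", 23: "telnet", 445: "smb", 1433: "mssql",
               3306: "mysql", 3389: "rdp", 5432: "postgres",
               6379: "redis", 9200: "elasticsearch", 27017: "mongodb"}

# A fixed "now" keeps the example deterministic (constructed value).
NOW = datetime(2019, 4, 9, tzinfo=timezone.utc)

# Constructed sample findings; hostnames and the second CVE are placeholders.
FINDINGS = [
    {"asset": "www.example.com", "type": "vuln", "cve": "CVE-2017-5638",
     "exploited_in_wild": True, "rce": True},
    {"asset": "www.example.com", "type": "vuln", "cve": "CVE-0000-PLACEHOLDER",
     "exploited_in_wild": False, "rce": False},
    {"asset": "db1.example.com", "type": "port", "port": 3306},
    {"asset": "www.example.com", "type": "port", "port": 443},
    {"asset": "www.example.com", "type": "cert",
     "not_after": "Apr 20 00:00:00 2019 GMT", "self_signed": False},
    {"asset": "nas.example.com", "type": "file_service", "service": "smb",
     "anonymous_access": True},
]


def days_until_expiry(not_after, now=NOW):
    """Days until a certificate expires; negative means already expired.

    `not_after` is in the "%b %d %H:%M:%S %Y GMT" form that getpeercert() returns.
    """
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                    tz=timezone.utc)
    return (expiry - now).days


def score(finding):
    """Return (category, score, reason); a higher score means fix it sooner."""
    kind = finding["type"]
    if kind == "vuln":
        cat = "Exploited Vulnerabilities"
        if finding["exploited_in_wild"] and finding["rce"]:
            return cat, 100, f"{finding['cve']}: exploited in the wild, remote code execution"
        if finding["exploited_in_wild"]:
            return cat, 80, f"{finding['cve']}: exploited in the wild"
        return cat, 40, f"{finding['cve']}: no known exploitation, patch on normal cycle"
    if kind == "port":
        port = finding["port"]
        name = RISKY_PORTS.get(port)
        if name:
            return "Open Ports", 70, f"{name} ({port}) reachable from the internet"
        return "Open Ports", 10, f"port {port} open (expected public service)"
    if kind == "cert":
        cat = "Certificate Issues"
        days = days_until_expiry(finding["not_after"])
        if days < 0:
            return cat, 60, f"certificate expired {-days} days ago"
        if finding.get("self_signed"):
            return cat, 50, "self-signed certificate on a public service"
        if days <= 30:
            return cat, 45, f"certificate expires in {days} days"
        return cat, 5, f"certificate valid for {days} more days"
    if kind == "file_service":
        cat = "Misconfigured File Services"
        if finding.get("anonymous_access"):
            return cat, 90, f"{finding['service']} share allows anonymous access"
        return cat, 30, f"{finding['service']} share exposed, authentication required"
    raise ValueError(f"unknown finding type: {kind}")


def triage(findings):
    """Rank findings highest-risk first as (asset, category, score, reason)."""
    rows = [(f["asset"], *score(f)) for f in findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def fetch_peercert(host, port=443, timeout=5):
    """Fetch the TLS certificate of a host you operate (needs network access).

    The returned dict's "notAfter" value can be passed to days_until_expiry().
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for asset, category, points, reason in triage(FINDINGS):
        print(f"{points:3d}  {category:<28} {asset:<18} {reason}")
```

The ordering that falls out of the sample data matches the guide's emphasis: the actively exploited Struts vulnerability and the anonymously readable file share come first, the database port exposed to the internet next, and the routine certificate renewal and unexploited CVE last. The weights are deliberately simple so they can be replaced with your own risk model once the inventory of assets is in place.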
How SearchLight reduces attack surfaces
Digital Shadows SearchLight’s passive data collection has no impact on your network. By aggregating data from open sources, SearchLight gains a broader picture of your network over time. This enables you to prioritize securing your network assets that are most at risk from compromise and exploitation. We provide high priority alerts that relate to genuine threats to your network infrastructure, not a deluge of CVEs (Common Vulnerabilities and Exposures).
Free tools to get started
While nearly 60% of organizations still have no set schedule to address vulnerabilities or do not do vulnerability scans, tools are available for those who wish to start reducing their attack surface. These include:
- Look for misconfigured databases, servers, and devices with Shodan and Censys
- Check for weak or expiring certificates on your infrastructure with Testssl
- Use Paterva’s Maltego community edition, or OSINT frameworks such as Recon-ng
- Build up a view of your attack surface with Michael Bazzell’s Buscador tools
You can download a copy of our Practical Guide to Reducing Digital Risk.
To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.