A while back we talked about the concept of OSINT, and how important it is to the infosec industry.
We've also written about the Top 20 OSINT tools, along with port scanning and general reconnaissance tools. We've shared on these subjects to enlighten those who perform security research to defend company software and servers, as well as penetration testers working within red teams.
A key concept related to OSINT, and part of the reason why web software gets hacked, is the so-called "attack surface."
For this blog post, we'll explore what an attack surface is, and share some valuable attack software analysis tools along with tips to help you reduce the attack surface area of your company.
- What is an attack surface?
- Types of attack surfaces
- How can I reduce the attack surface?
- Attack surface tools
- Final thoughts
What is an attack surface?
What does "attack surface" mean? Here at SecurityTrails we see the attack surface as the entire network and software environment that is exposed to remote or local attacks. For others, it's the sum of compromised points—although that's not really the attack surface, but the attack vectors.
In simple words: an attack surface refers to all the ways your apps can possibly be exploited by attackers. This includes not only software, operating systems, network services and protocols but also domain names and SSL certificates.
A classic example to help illustrate the concept of attack surface is your business's physical office. What's the attack surface of your local office?
The answer is simple: doors, windows, safe boxes, etc. What about your home? Even simpler: front and back door, windows, garage door, climbable trees or tables, etc.
The difference between detecting a breach in your home and a breach in your company's online attack surface can be characterized by the size of the area, and its inclusion of multiple complex areas to explore.
In your home, you'd clearly notice if someone had broken a window, or forced open the door. It's even easier if you have a home alarm system that notifies you immediately.
However, due to the large number of network, software, protocols and services running within an online company, detecting what part of the attack surface was the origin of the breach or intrusion can be difficult, even with a solid IDS in place, application firewalls and notification alerts. Most of the time, it may pass unnoticed.
Types of attack surfaces
There are two main types of attack surfaces that can affect any company:
Digital attack surface
Today, it's easier to hack digitally than to break into a digital fortress like a datacenter by just walking there.
The Internet offers many different ways to crack systems and obtain access to unauthorized areas—the bad guys have been doing this for decades. In the same way, white hat blue teams and red teams use penetration testing against many different attack surface areas.
One of the most popular types of attack surfaces is the digital variety. Every computer connected to the Internet is exposed to remote attacks, and in a similar way, local networks can still leave their own digital attack surfaces exposed even if they aren't connected.
This attack surface, as we mentioned before, includes software applications, networks, ports, operating system services, web and desktop applications and more. In other words, everything running on the digital side of any company.
Physical attack surface
On the other hand, the physical attack surface includes everything related to hardware and physical devices; here we're talking about routers, switches, tower or rack servers, desktop computers, notebooks, tablets and mobile phones, TVs, printers, USB ports, surveillance cameras, etc.
Once the attacker has gained access to the physical device, he'll try to explore the systems and networks where the device is connected, in order to:
- Create a digital map of all the network, ports and services
- Inspect the source code of the running software, if found
- Check the running databases and the information stored there
- Upload virus, malware or backdoors to infect the operating system
- Crack login credentials to gain access to privileged areas
- Copy sensitive information to removable devices or send it to remote servers
While most offices now use such protective measures as biometric access control systems, access control cards and door locking to avoid tailgating and pretexting social techniques, most of the time an attacker doesn't have to be inside the physical place/office to take control of a physical device. The human factor is often the weakest point of any cybersecurity system. This is why social engineering or rogue employees can be the open door to unauthorized access from the outside.
How can I reduce the attack surface?
There are several ways to reduce the attack surface. Let's take a look at some of the more popular methods.
The digital side
The digital attack surface is the easiest to find and explore. Let's explore the best attack surface reduction strategies?
Less code, less software attack surface
When you reduce the code you're running in your desktop, server or cloud instance, you're reducing the number of possibilities for entry points to be discovered and later exploited.
Turn off, disable or remove unnecessary software features, and simplify your code. Fewer codes also means fewer software bugs and vulnerabilities, and at the end of the day, that's equal to fewer security risks overall.
Remove unnecessary OS software and services
Cleaning up the OS includes removing unnecessary functions, applications and system tools.
Do you really need a printing service running if you don't use a printer? What about that MYSQL server running on the 3306 port? Do you really need it if you don't host any databases? And is that Adobe suite required if you don't work with any PDF files?
Remember to install only the applications that are strictly necessary for your employees' daily work, and disable all unused protocols or services. The same advice goes for servers.
Inspect your domain, IPs and DNS zones
Using the SecurityTrails DNS toolkit is one of the easiest ways you can audit all your IP address space, DNS zones and domain name public information.
Our passive DNS database and API can be queried to get a complete report of your DNS records. This is particularly useful for reviewing how much data you're exposing to the Internet.
Our DNS records include not only present DNS information, but also the historical DNS data that is often used to discover hidden areas of your network infrastructure.
Browsing popular historical records such as A, AAAA, MX, NS, SOA and TXT types is easy, as you can see in the following video:
Scan your network ports
Scanning the open ports in your public IP addresses is often the first thing attackers do when performing infosec reconnaissance on any target.
Luckily, there are many ways for you to stay one step ahead of your attackers. And your best bet is to begin auditing your network ports before they do.
While using the Nmap top-ports option is really useful for auditing your port exposure, this activity can be done using different port scanners such as Unicornscan, Angry IP Scanner, or Netcat as well.
Create a subdomain map
In other occasions, our subdomain scanner tools can help you in your subdomain enumeration tasks, as it can make it easier for you to detect and find unused subdomains, old-unpatched software, and even help to detect stale DNS records.
SurfaceBrowser™, our enterprise-grade all in one product, can be really helpful if you need to discover, export and download your entire subdomain map, as you can see in the following video:
Analyze your SSL certificates
People often see SSL certificates as a way to prove a website is secure, but that can be a big mistake..
How hardened are your SSL certificates? Are you keeping your SSL chains complete and well-secured? Are you using strong cipher suites? These are basic questions that all developers, system administrators and technical managers should ask themselves more often. Additional information can be found in our article: Is SSL a really sign of security?
But SSL security doesn't end up in your hardening, chain and overall security score. You also need to consider the data you're exposing to the public.
Have you ever thought about your SSL certificate expiration and validity? Your attack surface includes all your SSL certificates—valid, active and expired ones, too.
Of course, the bad guys can explore such public information. So, keep in mind that while SSL certificates are good for encrypting your information…not having a thorough audit or control over them can lead to some of your worst nightmares.
Segmentate your network
Keeping all your assets within a single network is often one of the biggest mistakes you can make.Splitting and segmenting your network is one of the easiest ways to reduce your attack surface.
This will help increase your network barriers and at the same time help you gain better and more effective server or desktop controls over all machines connected to the network.
Audit your software, network and traffic
Auditing your software is one of the oldest known tactics for keeping your attack surface reduced. This will help detect misconfigurations and outdated software, test the security system, and keep users' activity under control.
Analyzing the network, protocols and OS services, as well as current and past traffic over the network is a great way to detect factors that could expose your attack surface even more.
Log analysis plays a critical role when it comes to reducing your attack surface. Also, running scheduled audits on overlooked services (such as the DNS service) can help keep your exposure under control, as we covered in our previous article: Why should I perform a DNS audit?
The human side
The physical attack surface involves the world we live in, making its biggest component none other than the human being.
As we've said before, company staff is often one of the weakest links in the cybersecurity chain of your online business.
Let's see what can be done to avoid exposing your physical attack surface as much as possible:
Train all your employees to avoid getting tricked by social engineering calls or phishing emails. These are two of the most common ways to sabotage networks, routers and other physical hardware, most of the time allowed by your own human capital.
While nothing can prevent rogue employees from pilfering sensitive information about your company (including email or user logins), human resource and hiring departments do have psychological tests in hand for screening applicants. These tests may reveal the true nature (including many unconscious aspects) of the people in line to work with your team.
Teaching your employees correct policies concerning the use of unknown and unauthorized devices in the office can help reduce baiting attacks as well.
There are more social engineering techniques we'll explore in future posts. Fortunately, all of them rely on following company-based security practices and constant employee education.
Attack surface tools
While some offline and online vulnerability scanning tools are considered by a few infosec professionals as attack surface tools, there are some specific tools built for surface attack analysis:
OWASP Attack Surface Detector: this OWASP tool is a powerful application that can help you not only reveal your true attack surface, but also uncover weak web application endpoints, accepted parameters and type of data accepted. It also provides a useful attack probability calculation against your attack surface, giving you a pretty accurate idea of the amount of exposure your apps are getting. This tool is available in the form of a CLI-based utility, as well as a plugin to the OWASP ZAP and PortSwigger Burp Suite. It allows you to export the results in JSON-like files from the command line interface.
Sandbox Attack Surface Analysis Tools: Google's attack surface tool is a useful utility built for Windows users. It helps Windows-based users unveil the real attack surface of your OS, services and web applications running on the Microsoft platforms. l After performing a deep-level analysis of Windows OS, it will extract as much information as possible for you to evaluate the size of your attack surface. Some of the objects inspected by this tool include files, registry, network stack, ports, running processes, as well as NT system calls and objects.
Today we discovered that we all have an attack surface area exposed to the Internet. So what are you doing to reduce risks on both the digital and the human side?
Are you a security researcher working on a blue or red team? In both cases, we can help you discover the attack surface of any company in the world.
Start researching for penetration testing purposes or to reduce the attack surface of your own company today: Book a SurfaceBrowser™ demo with our sales team to discover our powerful all-in-one passive reconnaissance toolkit.