SecurityTrails Blog · Jul 14 · by Gianni Perez

Guide and Enrich Red Team Operations with Attack Surface Intelligence


One of the many cognitive spaces where cybersecurity practitioners often like to boast of ingenuity lies in the realm of adversarial emulation.

Alas, such suppositions are as endless as our willingness to assert that what we don’t understand can’t possibly take place or, at least, is not likely to. In our defense, there are factors that compound the effect of misplaced attack surface assessment strategies on any resulting security incident, the sheer architectural complexity of modern environments and the nuances of software design being just two of them; there are, however, methods in place to contend with these challenges.

More specifically, red teaming concentrates on the impact that cyber threats may pose to organizations. Red teams are flexible, adaptive groups of attack-oriented individuals, with enough insight into risk verticals, whose purpose is to test and validate existing controls in a manner that is both structured and repeatable. The red teamers’ role in cybersecurity cannot be over-emphasized, as they extend the detection engineering domain well beyond the baked-in protections enforced by any available endpoint solution or even ad-hoc threat hunting. Unapologetically, they transform uncertainty into knowledge.

Over the last few years, certain Attack Surface Intelligence (ASI) strategies have arguably placed red teamers at the forefront of a constant refinement process that seeks to expel ambiguity by leveraging the information readily at hand. In other words, ASI platforms can quickly help shape and guide red team efforts, and even influence entire projects, in the pursuit of identifying, classifying, and monitoring areas of significant exposure that could lead to exploitation.

In this blog post, we’ll explore SecurityTrails’ very own ASI ecosystem as we center on red-team-like approaches to asset discovery and similar practices. In short, we’ll apply baseline operational principles akin to those commonly found in accepted RT-TTPs (Red Teaming Tools, Techniques, and Practices), judiciously chosen to find initial targets of interest without incurring the penalty of time spent on manual tasks that get in the way of proper visibility.

How ASI guides and enriches red team operations

In the world of layered security, asset discovery and vulnerability assessment are two sides of the same coin. Approaches to the former are almost always juxtaposed with pentesting activities that rely on a handful of disparate tools and methodologies to accomplish a rather simple objective: to cover as much “digital ground” as possible in the least amount of time, hopefully gaining enough insight in the process as to translate vulnerabilities into tangible risks.

Enrichment in ASI comes in the form of prescriptive operations that group critical entry points into manageable categories. From a red teamer’s perspective, it is quite intuitive to see what the target topology may look like:

  • Web forms (mainly those that entail some sort of admin interface)
  • Exposed databases and similar transactional engines
  • Files, directories, blobs, and other storage substrata
  • APIs
  • Encryption keys
  • Load-balancing and WAF architectures
  • Security monitoring dashboards and similar portals
  • Open ports

With ASI tools, this process is gracefully reduced. For instance, port scanning, which normally requires Nmap or a similar application, would be a de facto feature of any mature ASI offering. The same goes for service identification, acquisitions and mergers, IP ranges, subnets, certificate information, etc.; at the root of all this is the understanding of what constitutes an attack surface.

Proof of principle

To put things in perspective, let’s reduce the scope of our discussion to ACME Corp; a fictitious entity with sufficient internet presence to allow us to explore many, if not all, of the above conditions.

Adding a new project to ASI is as easy as entering the company name to start populating the summary window with pertinent data:


As a result, you can easily visualize the total number of subdomains and IP addresses, as well as recent activity on assets added to the infrastructure, shown on a day-by-day graphical calendar so you can quickly identify when changes were made.

[Screenshot: ASI summary showing the total number of subdomains]

ASI’s feature-rich summary dashboards also include dev and staging subdomains, and there’s no telling whether they extend the attack surface or not, but chances are they do. Subdomains that belong to such categories are notoriously prone to misconfigurations and overall poor administrative oversight, resulting in a substandard set of system protections (all in the name of agility) that fall outside the purview of many day-to-day security operations.

Another aspect that bears the mark of passive intelligence is the ability to pinpoint network services in the shape of open ports, looking for exposed technologies such as vulnerable web applications, employee portals, or even entire databases, to name a few.

[Screenshot: ASI open-ports view used to pinpoint network services]

Once again, port 3306 (MySQL) shows up in this list, along with additional ports of interest such as 21 (FTP) and 22 (SSH). This allows red teamers to deliberately target these endpoints, as much of the guesswork has already been removed from the mix to begin with.

[Screenshot: ports of interest (3306, 21, 22) listed per endpoint]

Poorly configured VPNs, or VPNs that employ cryptographically weak protocols or scant access management controls, are particularly susceptible to attack and frequently combine to exacerbate privacy concerns. Reportedly, VPNs are a breeding ground for a number of attack vectors and brute-force attempts under certain circumstances: all it takes is the presence of a default login and the rest is history. In ASI, VPN endpoints can be identified like so:

[Screenshot: VPN endpoints identified in ASI]

Broadly speaking, ASI’s time-saving affordances allow red teamers to conduct deeper inspections and contextualize any potential evidence rapidly and effectively. Take last summer’s T-Mobile attack, which involved a vulnerable router leveraged by a malicious actor to gain access to a testing environment and ultimately customer data: red teams understand that the sum of all paths leading to an objective like this begins with proper assessment and discovery, two areas in which ASI applications recognizably excel.

In red team parlance, hopping from one system to the next is only a matter of finding a weak spot anywhere within this conglomerate from which to launch a series of carefully planned attacks, netting sufficient credentials and high-privilege accounts along the way until complete access has been obtained.

Lastly, this is particularly true when legacy systems are involved; the same principle applies to M&A activity, which may encapsulate years’ worth of unattended CVEs and over-exposed technology, the kind responsible for the lion’s share of breach scenarios over the years.

[Screenshot: legacy systems surfaced through M&A activity]

ASI makes this a seamless task by providing a one-of-a-kind view into the Risks associated with any of your digital assets. Viewed collectively using our most popular feature, Risk Rules, it is now entirely possible to put the kibosh on attackers seeking to exploit areas of unintended exposure, by leveraging a complete view of risk factors broken down by severity level and score.

[Screenshot: Risk Rules view broken down by severity]

As seen below, individual hosts with the highest collective risk scores are prioritized and displayed in order to spur immediate action; this is proactive attack surface monitoring at its best, and it makes the remediation work that follows altogether simpler and more effective:

[Screenshot: individual hosts prioritized by collective risk score]
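To make the prioritization idea concrete, here is an added example (not SecurityTrails’ code and not how the Risk Rules feature is implemented) of the mechanics behind a per-host risk score: each discovered asset is checked against a small set of rules drawn from the exposures discussed above (MySQL on 3306, FTP on 21, SSH on 22, dev/staging hosts, a legacy VPN protocol), each finding carries a severity weight, and hosts are ranked by their collective score. The inventory, the acme-corp.example hostnames, the rule set and the weights are all constructed for the illustration.

```python
"""Rank discovered hosts by aggregate exposure score (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Asset:
    """One internet-facing host as an ASI-style discovery tool would report it."""
    host: str
    open_ports: set[int]
    tags: set[str] = field(default_factory=set)


# Constructed sample inventory for the fictitious ACME Corp (hostnames are hypothetical).
INVENTORY = [
    Asset("www.acme-corp.example", {80, 443}),
    Asset("dev-api.acme-corp.example", {22, 80, 3306}, {"dev"}),
    Asset("staging.acme-corp.example", {21, 22, 443}, {"staging"}),
    Asset("vpn.acme-corp.example", {443, 1723}, {"vpn"}),
    Asset("db01.acme-corp.example", {3306}),
]

# Severity weights are an assumption chosen for this example, not ASI's scoring.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}

# Each rule: (finding name, severity, predicate over an Asset).
RULES: list[tuple[str, str, Callable[[Asset], bool]]] = [
    ("Database port exposed (MySQL 3306)", "critical", lambda a: 3306 in a.open_ports),
    ("Cleartext FTP exposed (21)", "high", lambda a: 21 in a.open_ports),
    # PPTP (TCP 1723) is a legacy VPN protocol with known cryptographic weaknesses.
    ("Legacy VPN protocol exposed (PPTP 1723)", "high", lambda a: 1723 in a.open_ports),
    ("SSH exposed (22)", "medium", lambda a: 22 in a.open_ports),
    ("Non-production host internet-facing", "medium",
     lambda a: bool(a.tags & {"dev", "staging"})),
    ("HTTP without TLS", "low",
     lambda a: 80 in a.open_ports and 443 not in a.open_ports),
]


def evaluate(asset: Asset) -> list[tuple[str, str]]:
    """Return the (finding, severity) pairs whose rule matches this asset."""
    return [(name, sev) for name, sev, pred in RULES if pred(asset)]


def score(asset: Asset) -> int:
    """Collective risk score: sum of severity weights over all matching rules."""
    return sum(SEVERITY_WEIGHT[sev] for _, sev in evaluate(asset))


def rank(inventory: list[Asset]) -> list[tuple[str, int]]:
    """Hosts ordered from highest to lowest score; ties broken by hostname."""
    scored = [(a.host, score(a)) for a in inventory]
    return sorted(scored, key=lambda hs: (-hs[1], hs[0]))


if __name__ == "__main__":
    # Prints the prioritized list a remediation owner would act on first.
    for host, total in rank(INVENTORY):
        findings = ", ".join(f"{n} [{s}]" for n, s in evaluate(next(a for a in INVENTORY if a.host == host)))
        print(f"{total:3d}  {host}  {findings or '-'}")
```

On this inventory the dev API host lands on top (exposed MySQL, SSH, a non-production tag and plain HTTP), ahead of the staging host and the bare database server; the rule table is the part a defender would keep extending as new exposure classes are discovered.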

Closing thoughts

By now, the execution of red-teaming activities should be a prevailing endeavor in your organization. Red teams, by their capacity to understand and replicate adversarial behavior, can uncover a passel of exposures well beyond those envisaged by any pentesting framework. When it comes to the infrastructure under scrutiny, this can effectively disclose enhanced detection opportunities for blue teamers and network defenders in general who are seeking to identify a wider assortment of systemic exposures.

As more and more businesses establish or relocate critical assets to the cloud, it is self-evident that greater awareness is needed to understand the expanding scope. Modeling a complex adversary, however, is no easy feat: from the recon stage to final analysis, the task is always laden with evolving complexities.

That is why tools like ASI can simplify aspects like target provisioning without the need for alternate forms of scanning. Other compelling capabilities include the identification of data and functions whose disclosure may result in severe privacy implications.

GIANNI PEREZ

Gianni is a technical writer at SecurityTrails and an adjunct college cybersecurity instructor with over two decades of infosec experience. He knows firsthand the demands security professionals face, and draws upon his knowledge of IT systems, from administration and software development to automation, to provide valuable security insights that make a real difference.