Attack Surface Mapping and Risk Assessment: how do you look from outside?


Your attack surface is hard to pin down, and scanning your network for vulnerabilities is only a small part of assessing its risk. It is a mistake to think that your network is the total of your attack surface.

When considering where your organization is vulnerable to attack and where you are likely to be attacked from, your physical network is only one of the battlegrounds. A quick assessment may reveal a number of easy, open avenues for attackers that you hadn’t considered. Let’s consider this from an outsider’s perspective.

There are many ways to see your environment from the outside, but we will focus on a limited point of view for simplicity.

Known Assets: If an attacker looks up your domains and the associated IPs, nameservers, TXT records etc., they will get a quick view of the surface you expect them to see as an outsider. Keeping an eye on this and on what changes happen to it is step 1 of monitoring your attack surface. You can monitor your domains for NS changes, IP changes etc. If you have your own name servers, you can monitor them for new additions on a daily basis. Has someone registered a domain you didn’t know about? What is it for?

CNAMEs: The moment you include CNAMEs in your monitoring you will discover that your domain is pointing at other people’s infrastructure, which may or may not be under your control. This is a very risky area and is home to some very serious vulnerabilities, for example ‘dangling DNS records’, where the host your CNAME points at is no longer under your control. An example is someone setting up some infrastructure on Azure or AWS and pointing a subdomain at it using a CNAME record. This can lead to subdomain takeovers, and we will go into this in a later dedicated blog post.

Shadow IT: One of the things you can quickly discover with Attack Surface Mapping is services you weren’t aware someone had signed up for. One example could be someone signing up to a SaaS service like Trello or Miro that could potentially leave some data exposed if misconfigured. These will commonly look like This is also very useful for attackers performing reconnaissance on your organization, as it will show many of the third-party services you are using.

Rogue Assets: This is a misleading name, as they are not your assets at all. It refers to malicious actors impersonating you. This could be phishing pages, or just email domains for invoice fraud. This could also be impersonations of your supply chain partners, so it is a broad area to cover. In reality you need to pick which of your supply chain partners are the highest risk. However, make no mistake, this is a very important area to cover. Business Email Compromise is one of the biggest sources of financial loss for companies today, and we see more and more innovation from the cybercrime industry in new ways to carry out these types of scams.

So we have now shown different types of digital assets that need to be kept track of on an ongoing basis.
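The change monitoring described under Known Assets and CNAMEs above, as an added example that is not part of the original post: it compares two DNS inventory snapshots, reports NS, IP and host changes, and lists CNAMEs that point outside zones you control. The snapshot format, the owned-zone list and every hostname and address are constructed for illustration; how the snapshots are collected is left as an assumption.

```python
# Added example: diff two DNS inventory snapshots. All names and data are constructed.
OWNED_ZONES = ("example.com",)  # assumption: zones the organisation controls

# Snapshot format (assumed): {hostname: {record_type: set_of_values}}
YESTERDAY = {
    "example.com": {"NS": {"ns1.example.com", "ns2.example.com"}, "A": {"192.0.2.10"}},
    "www.example.com": {"A": {"192.0.2.10"}},
    "shop.example.com": {"CNAME": {"shop-prod.cloudhost.example"}},
}
TODAY = {
    "example.com": {"NS": {"ns1.example.com", "ns9.other-dns.example"}, "A": {"192.0.2.10"}},
    "www.example.com": {"A": {"192.0.2.10"}},
    "shop.example.com": {"CNAME": {"shop-prod.cloudhost.example"}},
    "boards.example.com": {"CNAME": {"acme.saas-vendor.example"}},
}

def is_owned(name, zones=OWNED_ZONES):
    """True if name is inside a zone we control (match on a label boundary)."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)

def diff_snapshots(old, new):
    """Return (event, host, value) tuples for everything that changed."""
    findings = []
    for host in sorted(set(old) | set(new)):
        before, after = old.get(host, {}), new.get(host, {})
        if host not in old:
            findings.append(("NEW_HOST", host, ""))
        elif host not in new:
            findings.append(("REMOVED_HOST", host, ""))
        for rtype in sorted(set(before) | set(after)):
            was, now = before.get(rtype, set()), after.get(rtype, set())
            findings += [(f"{rtype}_ADDED", host, v) for v in sorted(now - was)]
            findings += [(f"{rtype}_REMOVED", host, v) for v in sorted(was - now)]
    return findings

def external_cnames(snapshot):
    """CNAMEs whose target is outside our zones: each needs a known owner."""
    return sorted((host, target) for host, recs in snapshot.items()
                  for target in recs.get("CNAME", set()) if not is_owned(target))

if __name__ == "__main__":
    for event, host, value in diff_snapshots(YESTERDAY, TODAY):
        print(f"{event:14} {host:22} {value}")
    for host, target in external_cnames(TODAY):
        print(f"EXTERNAL_CNAME {host:22} -> {target}")
```

An external CNAME is not a finding by itself; it is the list to reconcile against the third-party resources you can prove you still hold.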

That sounds like a lot of information

Passive and active DNS services provide the historical links between IPs and domains. Internet scanning services like Censys and Shodan provide information about SSL certificates or IP scans. To do this properly, someone has to combine all of that information themselves. We collect all of this data ourselves and provide it in our Extended Threat Intelligence Platform.

We provide access to this information for free in our community version at . Feel free to go over there and apply for access; you can also use the API to create an automated monitoring service yourself. If you need to actually monitor your infrastructure, shadow IT, rogue infrastructure and CNAMEs vulnerable to takeover, and also access all of our threat feeds, Cobalt Strike IPs and domains etc., then you need to try our Enterprise product.