Vulnerability management best practice is focused on addressing specific vulnerabilities through CVEs. Public exposure calls for attack surface reduction.
Spending time outside in -26 degrees centigrade is an experience that makes
you acutely aware of exposure to the elements. Even more so when you are standing
on the bank of the Kemijoki river with your camera gear in tow: the moisture
rising from the flowing water is freezing over your face and gear, and the
bitter cold is biting into your core despite your gazillion layers of clothing.
I remember struggling to steady my hands in order to secure my camera on a
tripod and trying to find the mental fortitude to take my time in framing the
exposures properly. Through my pictures of the scene, I wanted to convey the
harsh reality of the wintry landscape in front of me.
What can the Arctic teach us about external attack surface management?
Looking at the Jätkänkynttilä bridge, I could not but marvel at the solidity of
its structure, which since 1989 has stood the test of time and the harsh elements
in this city situated at the Arctic Circle in Finland.
In Finland, exposure to the elements places special importance on building solid
structures, as they need to survive freezing temperatures, wind, moisture,
being covered in heavy snow and whatever else Mother Nature keeps throwing at us
all year round.
For us, exposure to the elements is a concrete thing you can measure with your
senses. If a structure is well built, it will not crumble away within a couple
of years of its completion. In addition, a lack of maintenance means that even a
solid structure will meet its end well before its allotted
Vulnerabilities, Weaknesses and Exposures
The Internet is a harsh environment in its own right. Anything exposed to it
must be ready to withstand whatever the miscreants happen to throw at it.
Exposing a port or a service to the Internet means public exposure of that
service. The automated scanners of the Internet, both malicious and benign,
will find it and what follows will depend on how well you have planned ahead
for the test of time.
Moreover, maintenance matters here just as much as it does for the physical
structures in a harsh natural environment I described above. Once a weakness
or a vulnerability is discovered, it will be exploited for money,
information, access or control. The Internet will not care if you didn’t know
Vulnerability Management Best Practice
Even if vulnerability management best practice advises us to patch our systems
regularly, configuration management is an equally important topic and often an
overlooked one – at least when it comes to knowing your external attack
In other words, vulnerability management focuses heavily on patching known
vulnerabilities, while bad configurations are harder to spot, especially since
spotting them often falls to the firewall or security team. Bad configurations
rarely merit CVEs either, even if the E stands for Exposures.
What is Common Weakness Enumeration?
If CVEs detail vulnerabilities in specific software, CWEs approach the problem
from a functional perspective. In other words, CWEs enumerate common weaknesses
found in implementations, be they in hardware or software. The main shortcoming
of this approach, however, is that it lacks context: there is no open catalog
that would map a specific exposure to a functional weakness.
Consequently, what would be needed is a project that:
systematically references these exposures against the CWE
names the affected products and configurations
gives advice on how to validate them
and ultimately how to fix them.
The above is of course mere conjecture, since no such public project exists, but
the point I am driving at is that looking only at CVEs in vulnerability
management will leave you half-blind to your public exposure as a whole.
Alternatively, the CVE project could start referencing exposures with CVEs as
well. I know it is easier said than done, but the need is there.
External Attack Surface Discovery
External attack surface discovery is a broad topic that looks at public
exposure from the attacker’s point of view. Any system or service that you
have not deployed with the needs of the Internet in mind is going to increase
your external attack surface, be it a web service or an application in a mobile
In other words, your attack surface increases when your organization places
systems or services on the Internet that:
lack good basic security controls
or were never intended to be Internet-facing frontend services in the first place.
Below, I present a couple of examples of public exposure in practice, which
also illustrate the need for external attack surface management.
Exhibit #1: Publicly Exposed MySQL Backends
If you have a MySQL database directly exposed to the Internet, the easy fix is
to let the database service communicate only with the frontend rather than with
the whole Internet at large.
This sounds like a no-brainer, but in reality at any given time there are
roughly three million publicly exposed MySQL database backends on
They cannot all be test servers, right?
Exhibit #2: Poor RDP Management as a Ransomware Precursor
A practical example of a ransomware precursor service is the Remote Desktop
Protocol (RDP), which especially during the pandemic has been a handy way to
access your desktop remotely. Even if you think you’re safe because you have
kept your machine up to date and no known vulnerabilities affect the exposed RDP
service itself, ransomware gangs are finding it an easy entry vector through
leaked user credentials or by conducting brute-force attacks.
Slightly north of three million seems to be the magic number for publicly
exposed RDP services as well.
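To make the preceding points concrete, here is an added example (my own code, not the post’s) that does for a small asset inventory what the proposed project above would do for the Internet at large: it parses listening sockets, flags the MySQL and RDP backends from Exhibits #1 and #2 that are bound to an address reachable from outside, references each exposure against real CWE entries (CWE-1327, CWE-668 and CWE-307), and attaches validation and remediation advice. The inventory format (host, bind address:port, service) is a constructed stand-in for an internal asset list, and the CWE mapping and advice text are this example’s own choices rather than an official catalog.

```python
"""Exposure audit mapping listening services to CWE weaknesses.

Added example, not code from the original post. The inventory format
(host bind-address:port service) is a constructed stand-in for an
internal asset list; the CWE mapping and remediation text are this
example's own choices, not an official catalogue.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample inventory, one listening socket per line.
SAMPLE_INVENTORY = """\
web01  0.0.0.0:443      nginx
web01  127.0.0.1:3306   mysqld
db01   0.0.0.0:3306     mysqld
db02   10.20.0.5:3306   mysqld
db03   [::]:3306        mysqld
jump01 0.0.0.0:3389     termsrv
app01  10.20.0.9:3389   termsrv
"""

# Ports whose public exposure the post calls out, each referenced against
# real CWE entries: CWE-1327 Binding to an Unrestricted IP Address,
# CWE-668 Exposure of Resource to Wrong Sphere, CWE-307 Improper
# Restriction of Excessive Authentication Attempts (RDP brute force).
EXPOSURE_RULES = {
    3306: {
        "name": "MySQL backend",
        "cwes": ("CWE-1327", "CWE-668"),
        "validate": "from outside the perimeter, confirm TCP/3306 is unreachable; "
                    "on the host, confirm bind-address is the frontend-facing interface",
        "fix": "bind MySQL to the frontend-facing address and drop 3306 at the firewall",
    },
    3389: {
        "name": "RDP",
        "cwes": ("CWE-1327", "CWE-668", "CWE-307"),
        "validate": "confirm TCP/3389 is reachable only via VPN or a gateway with MFA "
                    "and that an account lockout policy is enforced",
        "fix": "remove the public NAT/firewall rule; front RDP with a VPN or gateway",
    },
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(\S+)$")


@dataclass
class Finding:
    host: str
    bind: str
    port: int
    service: str
    cwes: tuple
    validate: str
    fix: str


def is_public_bind(addr: str) -> bool:
    """True when the socket can be reached from beyond the host's own networks.

    Wildcard binds (0.0.0.0, ::) expose the service on every interface,
    including any Internet-facing one; loopback and RFC 1918 addresses do not.
    """
    if addr in ("0.0.0.0", "*", "::", "[::]"):
        return True
    try:
        ip = ipaddress.ip_address(addr.strip("[]"))
    except ValueError:
        return True  # unparseable address: fail closed and report it
    return ip.is_global


def audit(inventory: str) -> list:
    """Parse the inventory and return one Finding per publicly bound precursor service."""
    findings = []
    for raw in inventory.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines rather than guess
        host, addr, port, service = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        rule = EXPOSURE_RULES.get(port)
        if rule and is_public_bind(addr):
            findings.append(Finding(host, addr, port, service,
                                    rule["cwes"], rule["validate"], rule["fix"]))
    return findings


def by_cwe(findings: list) -> dict:
    """Group exposures under each CWE so the weakness, not just the port, is tracked."""
    grouped = {}
    for f in findings:
        for cwe in f.cwes:
            grouped.setdefault(cwe, []).append(f"{f.host}:{f.port}")
    return {cwe: sorted(hosts) for cwe, hosts in grouped.items()}


if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.host} {f.bind}:{f.port} ({f.service}) -> {', '.join(f.cwes)}")
        print(f"  validate: {f.validate}")
        print(f"  fix:      {f.fix}")
    print(by_cwe(results))
```

Run against the constructed inventory, the audit reports db01, db03 and jump01 and leaves the loopback and RFC 1918 binds alone; the point of the by_cwe grouping is that the same weakness (an unrestricted bind) is tracked across both the database and the RDP exposure, which is exactly the context the post says a CVE-only view lacks.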
Exhibit #3: Solarwinds Orion Supply Chain Attack
Earlier, I’ve written about external attack surface analysis using
Solarwinds, the company, as an example. In that post I focused on looking at the
external attack surface of the company itself, since they were in the headlines
for serving as a supply chain attack vector through the software they sell to
This example, in turn, looks at the publicly exposed Solarwinds Orion servers
themselves over time. What still surprises me is that the numbers have not gone
down, even after all the public exposure the supply chain attack and its
consequences have had in the news. In a sense, it highlights what I stated
above about the need for CVEs that reference exposures, or the lack thereof.
Be that as it may, a cool thousand seems to be the steady number of publicly
exposed Solarwinds Orion servers on a monthly basis.
From Public Exposure to Attack Surface Reduction
If there is one takeaway from this post, it is that we need to move away from
being passive targets to actively reducing our attack surface.
Most people recognize vulnerability and configuration management as important
topics, but it seems the topics need more emphasis in practice – as exhibited
by my research data above.
Offensive or Defensive Cyber Security?
For a long time, the industry has paid a lot of attention to offensive cyber
security, which is somehow viewed as more valuable than steadily maintaining
robust services in the harsh environment called the Internet.
Attack surface reduction does depend on the attacker mindset, but instead of
glorifying the exploit, we must be more focused on understanding and defusing the
What I’m driving at, is that discovery mostly helps the attacker unless
vulnerability disclosure and remediation is handled responsibly, systematically
Protection Against Ransomware
In a sense, ransomware is a good indicator of how well an organization’s
investment in cybersecurity is working out in practice. Threat actors do not
need to spend big bucks on zero-days if they can just buy access to your RDP
service and take it from there.
Strictly speaking, the best protection against ransomware is to minimize your
external attack surface, so that the attackers go elsewhere.
Quoting Jim Butcher:
You don’t have to run faster than the bear to get away. You just have to run
faster than the guy next to you.
In closing, I hope you enjoyed this brief tour on public exposure, which serves
as the inaugural post for this blog about defensive cyber security.
Short Author Bio
Lari Huttunen is a polyglot linguist with an avid interest in defensive cyber
security. He has been working in the field since the late 1990s and in his
current role since 2007 (Codenomicon - Synopsys - Arctic Security). On social
media, you will find him on Twitter.