What can the Arctic teach us about external attack surface management?
Spending time outside at -26 degrees Celsius is an experience that makes you observant of exposure to the elements. Even more so when you are standing on the bank of the Kemijoki river with your camera gear in tow and:
- the moisture rising from the flowing water is freezing over your face, gear and clothes
- the bitter cold is biting into your core despite your gazillion layers of clothing.
I remember struggling to steady my hands in order to secure my camera on a tripod and trying to find the mental fortitude to take my time in framing the exposures properly. Through my pictures of the scene, I wanted to convey the harsh reality of the wintry landscape in front of me.
Looking at the Jätkänkynttilä bridge, I could not help but marvel at the solidity of its structure, which since 1989 has stood the test of time and the harsh elements in this city on the Arctic Circle in Finland. In Finland, exposure to the elements places special importance on building solid structures, as they need to survive freezing temperatures, wind, moisture, being covered in heavy snow and whatever else mother nature throws at us all year round. For us, exposure to the elements is a concrete thing you can measure with your senses. If a structure is well built, it will not crumble away within a couple of years of its completion. In addition, a lack of maintenance will mean that even a solid structure meets its end well before its allotted time.
Vulnerabilities, Weaknesses and Exposures
The Internet is a harsh environment in its own right. Anything exposed to it must be ready to withstand whatever the miscreants happen to throw at it. Exposing a port or a service to the Internet means public exposure of that service. The automated scanners of the Internet, both malicious and benign, will find it, and what follows will depend on how well you have planned ahead for the test of time. Moreover, maintenance matters as much here as it does for the physical structures in a harsh natural environment described above. Once a weakness or a vulnerability is discovered, it will be exploited for money, information, access or control. The Internet will not care that you did not know about it.
Vulnerability Management Best Practice
Vulnerability management best practice advises us to patch our systems regularly, but configuration management is an equally important and often overlooked topic, at least when it comes to knowing your external attack surface. Vulnerability management is very focused on patching known vulnerabilities, whereas bad configurations are harder to spot: no advisory announces them, and finding them usually falls to the firewall or security team. Bad configurations rarely merit CVEs either, even if the E stands for Exposures.
What is common weakness enumeration?
If CVEs detail vulnerabilities in specific software, CWEs approach the problem from a functional perspective: the CWE list enumerates common weakness types found in implementations, be they hardware or software. The main shortcoming of this approach, however, is that it lacks context, and there is no open catalog that maps a specific exposure, such as a database listener reachable from the Internet, to a functional weakness.
Consequently, what would be needed is a project that:
- systematically references these exposures against the CWE
- names the affected products and configurations
- gives advice on how to validate them
- and ultimately how to fix them.
The above is of course mere conjecture, since no such public project exists, but the point I am driving at is that looking only at CVEs in vulnerability management will leave you half-blind to your public exposure as a whole. Alternatively, the CVE project could start referencing exposures as well. I know it is easier said than done, but the need is there.
External Attack Surface Discovery
External attack surface discovery is a broad topic that looks at public exposure from the attacker's point of view. Any system or service you have not deployed with the realities of the Internet in mind is going to increase your external attack surface, be it a web service or an application in a mobile app store.
In other words, your attack surface increases when your organization places systems or services on the Internet, which:
- lack good basic security controls
- or are not intended to be Internet facing frontend services in the first place.
Below are a few examples of public exposure in practice, which also illustrate the need for external attack surface management.
Exhibit #1: Publicly Exposed MySQL Backends
If you have a MySQL database directly exposed to the Internet, the easy fix is to make the database service listen only for the frontend and not for the whole Internet at large. This sounds like a no-brainer, but in reality, at any given time, there are roughly three million publicly exposed MySQL database backends on the Internet.
They cannot all be test servers, right?
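As an added example that is not part of the original post, the following script turns the discovery idea above into a check you can run against your own address ranges: it parses an nmap grepable scan of the public range and lists every open port that is not in the inventory of services meant to be Internet-facing, calling out the MySQL and RDP cases from the exhibits. The scan text, hostnames, address range and allow-list are constructed for the demo.

```python
"""Diff observed external exposure against the intended Internet-facing inventory.

This is an added example, not code from the original post. It parses nmap's
grepable (-oG) output for the organization's own public address range and
flags every open port that is not on an allow-list of services that are
meant to face the Internet. The scan text is constructed sample data in the
documentation range 203.0.113.0/24; the hostnames, the allow-list and the
"precursor" port notes are assumptions made for the demo.
"""
import re
from collections import defaultdict

# Assumed inventory of what is meant to be reachable from the Internet:
# (host, port) -> purpose. Any other open port is unintended exposure.
INTENDED = {
    ("203.0.113.10", 80): "redirect to HTTPS",
    ("203.0.113.10", 443): "public web frontend",
}

# Ports that are frequent initial-access vectors get an explicit triage note.
PRECURSORS = {
    3306: "MySQL backend reachable from the Internet; bind it to the frontend network",
    3389: "RDP exposed: brute-force and leaked-credential target",
    445: "SMB exposed to the Internet",
    1433: "MSSQL backend reachable from the Internet",
    5900: "VNC exposed to the Internet",
}

# Constructed nmap -oG output for the demo (tabs separate the fields).
SAMPLE_SCAN = """\
# Nmap 7.93 scan initiated as: nmap -sS -p- -oG - 203.0.113.0/28
Host: 203.0.113.10 (www.example.com)\tStatus: Up
Host: 203.0.113.10 (www.example.com)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (65533)
Host: 203.0.113.11 (db1.example.com)\tStatus: Up
Host: 203.0.113.11 (db1.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.4/, 3306/open/tcp//mysql///\tIgnored State: closed (65533)
Host: 203.0.113.12 ()\tStatus: Up
Host: 203.0.113.12 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65534)
# Nmap done
"""

# One -oG port entry reads: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Return {ip: [(port, proto, service), ...]} for every port reported open."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        for port, state, proto, service, _version in PORT_RE.findall(fields["Ports"]):
            if state == "open":
                hosts[ip].append((int(port), proto, service))
    return dict(hosts)


def unintended_exposure(observed, intended=INTENDED):
    """Every open (host, port) absent from the allow-list, with a triage note."""
    findings = []
    for host, ports in observed.items():
        for port, proto, service in ports:
            if (host, port) in intended:
                continue
            note = PRECURSORS.get(port, "not in the Internet-facing inventory; review or firewall it")
            findings.append((host, port, service, note))
    return sorted(findings)


if __name__ == "__main__":
    observed = parse_grepable(SAMPLE_SCAN)
    for host, port, service, note in unintended_exposure(observed):
        print(f"{host}:{port}/{service:<14} {note}")
```

Run the scan yourself with something like `nmap -sS -p- -oG scan.gnmap <your public range>` and feed the file contents to `parse_grepable`. For the MySQL finding the remediation is the one described above: set the server's `bind-address` to the interface the frontend reaches it on and firewall port 3306 so that only the frontend can connect; a rescan should then report the port filtered.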
Exhibit #2: Poor RDP Management as a Ransomware Precursor
A practical example of a ransomware precursor service is Remote Desktop Protocol (RDP), which especially during the pandemic has been a handy way to access your desktop remotely. Even if you think you are safe because you have kept your machine up to date and no known vulnerabilities affect the exposed RDP service itself, ransomware gangs find it an easy entry vector through leaked user credentials or brute-force attacks. Slightly north of three million seems to be the magic number for publicly exposed RDP services as well.
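Exposure is only half of the RDP story; the other half is noticing when someone works through a password list against the service. As an added example (not code from the original post), the detector below runs over constructed Windows Security events in JSON lines form and raises an alert when one source IP produces five or more failed RDP logons within ten minutes, escalating it when the same source then logs on successfully, which is the pattern the exhibit describes. The threshold, window and event values are assumptions.

```python
"""Detect RDP brute force and success-after-failures in Windows Security events.

This is an added example, not code from the original post. The input is a
constructed batch of Security log records as JSON lines, in the shape a log
shipper would forward: EventID 4625 is a failed logon, 4624 a successful one,
and LogonType 10 (RemoteInteractive) marks RDP. Threshold and window are
assumptions; tune them to your environment.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failed RDP logons from one source IP ...
WINDOW = timedelta(minutes=10)  # ... within this sliding window raise an alert

# Constructed sample events: a password spray from 198.51.100.7 that ends in a
# successful logon, one legitimate typo from 192.0.2.25, and slow, below-threshold
# guessing from 198.51.100.9 (plus one non-RDP failure that must be ignored).
SAMPLE_LOG = """\
{"TimeCreated": "2021-03-14T02:00:05Z", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "198.51.100.7"}
{"TimeCreated": "2021-03-14T02:00:41Z", "EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "198.51.100.7"}
{"TimeCreated": "2021-03-14T02:01:17Z", "EventID": 4625, "LogonType": 10, "TargetUserName": "backup-admin", "IpAddress": "198.51.100.7"}
{"TimeCreated": "2021-03-14T02:01:52Z", "EventID": 4625, "LogonType": 10, "TargetUserName": "helpdesk", "IpAddress": "198.51.100.7"}
{"TimeCreated": "2021-03-14T02:02:30Z", "EventID": 4625, "LogonType": 10, "TargetUserName": "sqlsvc", "IpAddress": "198.51.100.7"}
{"TimeCreated": "2021-03-14T02:03:40Z", "EventID": 4625, "LogonType": 10, "TargetUserName": "backup-admin", "IpAddress": "198.51.100.7"}
{"TimeCreated": "2021-03-14T02:04:10Z", "EventID": 4624, "LogonType": 10, "TargetUserName": "backup-admin", "IpAddress": "198.51.100.7"}
{"TimeCreated": "2021-03-14T07:58:12Z", "EventID": 4625, "LogonType": 10, "TargetUserName": "j.koskinen", "IpAddress": "192.0.2.25"}
{"TimeCreated": "2021-03-14T07:58:30Z", "EventID": 4624, "LogonType": 10, "TargetUserName": "j.koskinen", "IpAddress": "192.0.2.25"}
{"TimeCreated": "2021-03-14T09:15:00Z", "EventID": 4625, "LogonType": 3, "TargetUserName": "administrator", "IpAddress": "198.51.100.9"}
{"TimeCreated": "2021-03-14T09:15:00Z", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "198.51.100.9"}
{"TimeCreated": "2021-03-14T10:05:00Z", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "198.51.100.9"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with TimeCreated as a datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["TimeCreated"] = datetime.strptime(e["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["TimeCreated"])


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """One alert per source IP whose RDP failures cross the threshold inside the
    window; escalated to critical if the same source then logs on successfully."""
    recent = defaultdict(list)   # ip -> 4625 timestamps still inside the window
    accounts = defaultdict(set)  # ip -> account names tried from that source
    alerts = {}
    for e in events:
        if e.get("LogonType") != 10:  # only RemoteInteractive (RDP) logons
            continue
        ip, t = e["IpAddress"], e["TimeCreated"]
        if e["EventID"] == 4625:
            q = recent[ip]
            q.append(t)
            while t - q[0] > window:  # slide: drop failures older than the window
                q.pop(0)
            accounts[ip].add(e["TargetUserName"])
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"ip": ip, "severity": "high", "success_as": None})
                a.update(failures=len(q), accounts=sorted(accounts[ip]), first=q[0], last=t)
        elif e["EventID"] == 4624 and ip in alerts:
            # A success from a source that was just spraying passwords is the real
            # signal: the guessing worked, so treat it as a likely compromise.
            alerts[ip]["severity"] = "critical"
            alerts[ip]["success_as"] = e["TargetUserName"]
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        tail = f", then logged on as {a['success_as']}" if a["success_as"] else ""
        print(f"[{a['severity'].upper()}] {a['ip']}: {a['failures']} failed RDP logons against "
              f"{len(a['accounts'])} accounts between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}{tail}")
```

Event ID 4625 with LogonType 10 is the RDP failure signature and the IpAddress field is the remote client. If the service is reachable from the whole Internet, this alert will fire more or less continuously, which is itself the argument for taking RDP off the public surface and reaching it through a VPN or a remote desktop gateway instead.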
Exhibit #3: Solarwinds Orion Supply Chain Attack
Earlier, I wrote about external attack surface analysis using Solarwinds, the company, as an example. In that post I focused on the external attack surface of the company itself, since it was in the headlines for serving as a supply chain attack vector through the software it sells to its customers. This example, in turn, looks at the publicly exposed Solarwinds Orion servers themselves over time. What still surprises me is that the numbers have not gone down, even after all the publicity the supply chain attack and its consequences have received. In a sense, it highlights what I stated above about the need for CVEs that reference exposures, or the lack thereof. Be that as it may, a cool thousand seems to be the steady monthly count of publicly exposed Solarwinds Orion servers.
From Public Exposure to Attack Surface Reduction
If there is one takeaway from this post, it is that we need to move from being passive targets to actively reducing our attack surface. Most people recognize vulnerability and configuration management as important topics, but it seems they need more emphasis in practice, as exhibited by my research data above.
Offensive or Defensive Cyber Security?
For a long time, the industry has paid a lot of attention to offensive cyber security, and it is somehow viewed as more valuable than steadily maintaining robust services in the harsh environment called the Internet. Attack surface reduction does depend on the attacker mindset, but instead of glorifying the exploit, we must focus more on understanding and defusing the findings. What I am driving at is that discovery mostly helps the attacker unless vulnerability disclosure and remediation are handled responsibly, systematically and professionally.
Protection Against Ransomware
In a sense, ransomware is a good indicator of how well an organization's investment in cyber security is working out in practice. Threat actors do not need to spend big bucks on zero-days if they can just buy access to your RDP service and take it from there. Put simply, the best protection against ransomware is to minimize your external attack surface, so that the attackers go elsewhere.
Quoting Jim Butcher:
You don’t have to run faster than the bear to get away. You just have to run faster than the guy next to you.
In closing, I hope you enjoyed this brief tour on public exposure, which serves as the inaugural post for this blog about defensive cyber security.