
My Attack Surface is How Big? (BSides Ottawa 2022)


Wait… my attack surface is how big?

I’ve heard this question - or some variation - over and over throughout my career. With the ubiquity of cloud platforms, as well as legacy (sometimes forgotten) servers, we can sometimes lose track of our areas for entry. Let’s not forget remote workers and shadow IT! When we don’t know what we need to protect, how successful can our information security programs, practices, and people possibly be? Some of the naughty (and completely unknown) findings we’ve provided to customers tell us “not very”. With an ever-expanding attack surface due to experiments, mergers and acquisitions, and misconfiguration, how can we possibly know what we don’t know?

As a supplement to this presentation, we are also working on the Attack Surface Management Saga at our blog: https://blog.theblueteam.io

Steve Bowers

January 10, 2023

Transcript

1. Who am I?
   - Geek.
   - Roughly 15 years in the InfoSec space
   - Worked in various roles… from analyst, to manager, to architect, to SE
   - Just happy to be a part of it.
   - Like most of us, I’ve seen things. Scary things.
   © 2022, Blue Team Cyber
2. “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” - Sun Tzu
   - What if we know our enemy, but we do not know ourselves? That’s our challenge, and the one we’re going to examine today.
   - How can we truly know the enemy if we do not know ourselves?
   - One of the problems I see often – whether in engagements or just in general – is our perception that we know our enemy via threat intelligence reports that include threat actor profiles and what-not, but we do not necessarily understand how that enemy is our enemy.
   - The best way to start figuring this out is by understanding ourselves.
3. How Well Do You Know Yourself?
   CMDB: “For 60% of my assets, I can see every asset.”
   Some organizations I’ve worked with have placed a scope on asset discovery and vulnerability scanning. The bad guys generally don’t follow a scope when it comes to discovery/recon; they take the scatter-gun approach until they find something that interests them.
4. Factors Impacting Attack Surface
   - Cloud adoption
   - Shadow IT
   - Mergers and Acquisitions
   - Lack of asset management/CMDB
   - Technical debt
   - Supply chain
   - Viewing security as an add-on process to the business
   - Unbridled passion for experimentation
   - Lack of automation
   - OT/IT convergence
5. Let’s Play “Identify the Attack Surface”!
   Attack Surface
   - Unpatched systems
     - Laptops
     - Desktops
     - Servers
     - Network gear
   - Vulnerable configuration
     - Even “zoned” networks can be flat
     - Active Directory…
     - Unapproved software
     - Overly permissive access controls
   - The things you can’t control…
     - BYOD phones
     - Personal systems accessing resources via VPN
6. Managing Attack Surface
   1. Maintain a CMDB (Yes, even Excel.)
   2. Update your CMDB!
   3. Perform some sort of regular or continuous info gathering.
   4. Automate Steps 1-3.
   5. Set up (automated) notifications for detected changes.
   6. Run a test environment for patching (automated).
   7. (Automatically) prioritize your vulnerabilities.
   8. Include your network and security gear in assessments and remediation!
   9. Assess your AD configuration. Yes, automate this.
   10. Automation and continuous visibility is key*.
   *There are some caveats: if you’re not remediating in real time, you don’t need to be scanning for vulns in real time. Also, you probably shouldn’t automate remediation straight into production, because that can be bad. A lab is the best place for building and testing automated patches before rolling them out to prod.
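Steps 1-5 above (a CMDB, continuous discovery, and notifications on change) come down to one loop: scan, reconcile against the inventory, diff against last run. The script below is an added example of that loop and is not code from the talk or from Blue Team Cyber: the CMDB rows and the nmap "grepable" (-oG) scan output are constructed samples, and the finding types ("unknown-host", "unexpected-port", "no-owner", "not-seen") are names chosen for this illustration.

```python
"""Reconcile a CMDB against a discovery scan and diff the result against the
previous run. Added example, not from the talk: CMDB rows and the nmap -oG
("grepable") scan output below are constructed samples."""
import json
import re

# Constructed CMDB export (stand-in for the Excel sheet the slide mentions):
# what we believe we own, who owns it, and which ports it is expected to expose.
CMDB = [
    {"ip": "10.0.0.5",  "name": "web01",   "owner": "webteam", "ports": [22, 443]},
    {"ip": "10.0.0.9",  "name": "db01",    "owner": "dba",     "ports": [22, 5432]},
    {"ip": "10.0.0.12", "name": "old-ftp", "owner": "unknown", "ports": [21]},
]

# Constructed scan output in nmap grepable format (nmap -oG -). A real run
# would read the file nmap wrote; the tab-separated layout is nmap's own.
SCAN = """\
# Nmap 7.93 scan initiated (constructed sample)
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.0.0.9 (db01)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///\tIgnored State: closed (998)
Host: 10.0.0.77 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
"""

# One "Host:" line per scanned host; the Ports field runs up to the next tab.
_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\tPorts:\s+([^\t\n]+)", re.M)


def parse_grepable(text):
    """Return {ip: {port: service}} for every open port in nmap -oG output."""
    hosts = {}
    for m in _HOST_RE.finditer(text):
        ip, port_field = m.group(1), m.group(3)
        open_ports = {}
        for entry in port_field.split(","):
            # Each entry is port/state/proto/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) >= 5 and fields[1] == "open":
                open_ports[int(fields[0])] = fields[4] or "?"
        hosts[ip] = open_ports
    return hosts


def reconcile(cmdb, scanned):
    """Compare what discovery saw with what the CMDB says we own."""
    known = {row["ip"]: row for row in cmdb}
    findings = []
    for ip, ports in scanned.items():
        if ip not in known:
            # Live host the CMDB has never heard of: shadow IT, a forgotten box,
            # or an M&A leftover. Usually the most interesting finding.
            findings.append({"ip": ip, "type": "unknown-host", "detail": sorted(ports)})
            continue
        extra = sorted(set(ports) - set(known[ip]["ports"]))
        if extra:
            findings.append({"ip": ip, "type": "unexpected-port", "detail": extra})
    for ip, row in known.items():
        if row["owner"] == "unknown":
            findings.append({"ip": ip, "type": "no-owner", "detail": row["name"]})
        if ip not in scanned:
            # In the CMDB but not on the wire: decommissioned, down, or the
            # scan scope is narrower than the inventory.
            findings.append({"ip": ip, "type": "not-seen", "detail": row["name"]})
    return sorted(findings, key=lambda f: (f["ip"], f["type"]))


def diff_findings(previous, current):
    """Split findings into (new, resolved) relative to the last run; the 'new'
    list is what an automated change notification should carry."""
    def key(f):
        return (f["ip"], f["type"], json.dumps(f["detail"]))
    prev = {key(f): f for f in previous}
    cur = {key(f): f for f in current}
    new = [f for k, f in cur.items() if k not in prev]
    resolved = [f for k, f in prev.items() if k not in cur]
    return new, resolved


if __name__ == "__main__":
    current = reconcile(CMDB, parse_grepable(SCAN))
    # A real run would load the previous findings from disk; an empty list
    # makes every finding "new" on the first run.
    new, resolved = diff_findings([], current)
    for f in new:
        print(f"NEW      {f['ip']:<12} {f['type']:<16} {f['detail']}")
    for f in resolved:
        print(f"RESOLVED {f['ip']:<12} {f['type']:<16} {f['detail']}")
```

On the sample data this reports 10.0.0.77 as an unknown host, 8080 on web01 as an unexpected port, and old-ftp as both ownerless and absent from the scan. The point of the diff step is that the notification only fires on the delta, so a weekly scan against an unchanged estate produces silence rather than the same report again.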
7. The Attack Surface Has Evolved
   Attack Surface
   - Unpatched systems
     - IF you lift and shift IaaS
   - Vulnerable configuration
     - Identity management
     - Permissive access control
     - Forgotten services
     - Infrastructure as Code
     - Default creds!
   - Multi-cloud interoperability
     - Those you do and do not own
     - Hybrid environments
   Notes:
   - Traditional lift-and-shift lands VMs and network zones like-for-like (almost) into the cloud environment.
   - There are a plethora of cloud-native services that you can leverage to avoid having to patch servers forklifted into the cloud.
   - But you still need to ensure that they are configured correctly AND SECURELY!
   - Feeling the need for redundancy? Maybe you’re using multiple clouds, and connecting them via VPN.
8. Managing Attack Surface
   1. Invest in a properly configured CSPM platform
   2. Scan your IaC
   3. Leverage SAST/DAST/SCA/SBOM to identify vulnerabilities
   4. Perform some sort of regular or continuous recon.
   5. Set up (automated) notifications for detected changes.
   6. Run a test environment for patching (automated).
   7. (Automatically) prioritize your vulnerabilities.
   8. Leverage cloud-native services
   9. If you lift and shift, the previous slide’s top 10 applies as well
   10. Automation and continuous visibility is key*.
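Step 2 ("Scan your IaC") is where the "default creds", "permissive access control" and "forgotten services" items from the previous slide can be caught before anything is deployed. The script below is an added example of such a scan, not code from the talk or from any CSPM or IaC product: it walks a Terraform plan in the JSON shape that `terraform show -json` produces and applies four illustrative policies. The plan itself is constructed, the resource addresses (aws_security_group.web, aws_db_instance.main, module.db_net) are made up, and the severity labels are this example’s own.

```python
"""Policy checks over a Terraform plan exported with `terraform show -json`.
Added example, not from the talk: the plan below is constructed, and the
four checks are illustrative rather than a full IaC scanner."""
import ipaddress
import json

# Constructed plan in the shape `terraform show -json tfplan` produces:
# planned_values.root_module.resources[], with nested child_modules[].
PLAN_JSON = json.dumps({
    "format_version": "1.1",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_security_group.web", "type": "aws_security_group",
             "name": "web", "values": {"ingress": [
                 {"from_port": 443, "to_port": 443, "protocol": "tcp",
                  "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": ["::/0"]},
                 {"from_port": 22, "to_port": 22, "protocol": "tcp",
                  "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
            {"address": "aws_db_instance.main", "type": "aws_db_instance",
             "name": "main", "values": {"engine": "postgres",
                                        "publicly_accessible": True,
                                        "password": "ChangeMe123"}},
            {"address": "aws_s3_bucket_public_access_block.logs",
             "type": "aws_s3_bucket_public_access_block", "name": "logs",
             "values": {"block_public_acls": True, "block_public_policy": False,
                        "ignore_public_acls": True, "restrict_public_buckets": False}},
        ],
        "child_modules": [{"address": "module.db_net", "resources": [
            {"address": "module.db_net.aws_security_group.db",
             "type": "aws_security_group", "name": "db", "values": {"ingress": [
                 {"from_port": 5432, "to_port": 5432, "protocol": "tcp",
                  "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []}]}},
        ]}],
    }},
})

# Admin/database ports that should never face the whole internet.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}
PUBLIC_ACCESS_FLAGS = ("block_public_acls", "block_public_policy",
                       "ignore_public_acls", "restrict_public_buckets")


def iter_resources(module):
    """Walk the root module and nested child modules (where findings hide)."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def world_open(cidrs):
    """True if any CIDR is 0.0.0.0/0 or ::/0 (prefix length zero)."""
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def check_plan(plan_text):
    """Return (resource address, severity, message) for every policy hit."""
    plan = json.loads(plan_text)
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        addr, rtype, v = res["address"], res["type"], res.get("values", {})
        if rtype == "aws_security_group":
            for rule in v.get("ingress", []):
                if not world_open(rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])):
                    continue
                lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
                # protocol "-1" (all) or a 0-65535 range means everything is exposed.
                if rule.get("protocol") == "-1" or (lo == 0 and hi == 65535):
                    findings.append((addr, "HIGH", "all ports open to the world"))
                    continue
                for port, name in SENSITIVE_PORTS.items():
                    if lo <= port <= hi:
                        findings.append((addr, "HIGH", f"{name} ({port}) open to the world"))
        elif rtype == "aws_db_instance" and v.get("publicly_accessible"):
            findings.append((addr, "HIGH", "database publicly accessible"))
        elif rtype == "aws_s3_bucket_public_access_block":
            off = [f for f in PUBLIC_ACCESS_FLAGS if not v.get(f)]
            if off:
                findings.append((addr, "MEDIUM", "public access block disabled: " + ", ".join(off)))
        # "Default creds" from the slide: a literal password in the plan is a
        # credential sitting in version control, whatever its value.
        for key, val in v.items():
            if isinstance(val, str) and val and ("password" in key or "secret" in key):
                findings.append((addr, "HIGH", f"literal {key} committed in IaC"))
    return findings


if __name__ == "__main__":
    for addr, sev, msg in check_plan(PLAN_JSON):
        print(f"{sev:<6} {addr}: {msg}")
```

The sample plan yields four findings: SSH open to the world on the web security group, a publicly accessible database, a literal password on that database, and two of the four S3 public-access-block flags turned off. The database security group inside module.db_net is clean because its source range is 10.0.0.0/8, which is why the walk has to descend into child modules: a root-only check would have missed it if it had been the bad one.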
9. External Attack Surface Management
   - EASM is a new addition for Buzzword Bingo!
   - How many domain names do you own?
     - And does someone else maybe use them?
   - Do you or someone you know have any compromised credentials?
   - How many of your websites have expired certificates?
   - Do you know which platforms (e.g. WordPress) you’re running?
     - Is it vulnerable?
   - Have any of your URLs made it to a blacklist?
   - What has that recent M&A left you with?
   What does your organization look like from the outside? What can the attackers see even without access to internal resources? Where do you maybe have some weaknesses that you are not actively monitoring? These are some of the questions that EASM can help you answer. Personally, I’ve seen some things that I didn’t expect whilst performing external attack surface analysis over the years. One of my biggest takeaways was that even though you may own a domain just for the sake of keeping people from using it, it can still be hijacked for nefarious purposes. The ability to monitor for and discover threats and vulnerabilities in your external attack surface is invaluable (to say the least).
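Of the EASM questions above, "how many of your websites have expired certificates?" is the one you can answer yourself in a few lines, and the same check catches a second problem the slide hints at under M&A: a hostname you own answering with a certificate issued for somebody else’s name. The script below is an added example and is not code from the talk or from any EASM product. The three inventory records are constructed in the dictionary shape Python’s `ssl` module returns from `getpeercert()`, the hostnames (*.example.test, api.old-acquisition.test) are made up, and the fixed "now" of 10 January 2023 is chosen so the results are reproducible offline; `fetch_peer_cert` is the network path you would use to gather real records and is not exercised by the offline demo.

```python
"""External attack surface checks over TLS certificates. The offline part
works on dicts shaped like ssl.SSLSocket.getpeercert(); the constructed samples
below stand in for real hosts. Added example, not from the talk."""
import datetime as dt
import socket
import ssl

# Constructed getpeercert()-shaped records, as if gathered by fetch_peer_cert().
# notAfter uses the "%b %d %H:%M:%S %Y GMT" layout the ssl module emits.
INVENTORY = {
    "www.example.test": {
        "subject": ((("commonName", "www.example.test"),),),
        "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
        "notAfter": "Mar 10 12:00:00 2023 GMT",
    },
    "legacy.example.test": {  # wildcard cert, renewal due soon
        "subject": ((("commonName", "*.example.test"),),),
        "subjectAltName": (("DNS", "*.example.test"),),
        "notAfter": "Jan 20 00:00:00 2023 GMT",
    },
    "api.old-acquisition.test": {  # M&A leftover still serving the old company's cert
        "subject": ((("commonName", "api.legacycorp.test"),),),
        "subjectAltName": (("DNS", "api.legacycorp.test"),),
        "notAfter": "Dec 31 00:00:00 2022 GMT",
    },
}


def hostname_matches(host, cert):
    """RFC 6125-style match: SAN DNS names (CN only if no SAN), one leading
    wildcard label allowed, no partial-label wildcards."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy certs with no SAN fall back to the CN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host_labels = host.lower().split(".")
    for name in names:
        labels = name.lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if labels == host_labels:
            return True
        if labels[0] == "*" and labels[1:] == host_labels[1:]:
            return True
    return False


def assess(host, cert, now, warn_days=30):
    """Return a list of finding strings for one host/certificate pair."""
    findings = []
    expires = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), dt.timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left <= warn_days:
        findings.append(f"certificate expires in {days_left} days")
    if not hostname_matches(host, cert):
        findings.append("certificate does not cover this hostname")
    return findings


def assess_inventory(inventory, now, warn_days=30):
    """Run assess() over every record; hosts with no findings are omitted."""
    report = {}
    for host, cert in inventory.items():
        findings = assess(host, cert, now, warn_days)
        if findings:
            report[host] = findings
    return report


def fetch_peer_cert(host, port=443, timeout=5):
    """Network helper (not used by the offline demo): (cert_dict, error).
    A cert that is expired, mismatched or untrusted fails verification here,
    and that failure message is itself an external-attack-surface finding."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as e:
        return None, getattr(e, "verify_message", str(e))
    except OSError as e:
        return None, str(e)


if __name__ == "__main__":
    NOW = dt.datetime(2023, 1, 10, tzinfo=dt.timezone.utc)  # fixed for the demo
    for host, findings in assess_inventory(INVENTORY, NOW).items():
        for finding in findings:
            print(f"{host}: {finding}")
```

Against the fixed date, www.example.test is clean, legacy.example.test is flagged as expiring in 10 days, and the acquired API host is both expired and serving a certificate for a name you do not own. Pointing `fetch_peer_cert` at the domain list from your own inventory (or from a certificate-transparency search of your names) turns this into the recurring external check the slide is asking for.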
10. Managing Attack Surface
   1. Understand how your business depends on its external assets!
   2. Maintain a CMDB (Yes, even Excel.)
   3. Update your CMDB!
   4. Perform some sort of regular or continuous info gathering.
   5. Automate Steps 2-4.
   6. Set up (automated) notifications for detected changes.
   7. Build processes and procedures for decommissioning legacy (or “heritage”) assets
   8. Perform cleanup activities regularly
   9. (Automatically) prioritize your vulnerabilities.
   10. Automation and continuous visibility is key.
   Note how many of the steps in managing attack surface, regardless of location or platform, are similar. If you’re interested in learning more about attack surface management, follow along with us at https://blog.theblueteam.io, where Steve is currently working on the Attack Surface Management Saga.