
In a world that is increasingly shaped by technology and digitalization, attackers have a playground: the attack surface of companies. For a hacker, this is like a labyrinth full of potential entry points, vulnerabilities and valuable data. In this article, we delve into the mind of a hacker, explore why a company's attack surface is so fascinating, how it can be spied on remotely and what challenges arise in the current security situation.
Why is a company’s attack surface so fascinating?
An organization's attack surface is like a map that shows attackers where potential vulnerabilities and entry points into an organization's systems are. This digital map covers various areas, including websites and web applications, email servers, remote access systems, cloud services, and external interfaces.
Attackers can remotely create a map of points and targets that could potentially be of interest.
To name just a few, the following points are included:
All DNS records
All associated IP addresses
WHOIS or DNS registration information
Geolocations of assets
Hosting providers responsible for the assets
All open ports
All SSL/TLS certificates used and their details
Email systems
DNS systems
Applications such as websites, emails, VPN dial-in, time tracking
Software versions used in the discovered assets and applications
Login pages
Often a company also has assets that are unknown to the IT department or to those responsible for security. This happens especially with cloud structures: assets are made available in the cloud and have access to the internal network, but have not been secured accordingly.
For a hacker, a company's attack surface is extremely fascinating. It's like a labyrinth full of opportunities and potential targets. Each area offers new challenges and potential prey. Websites and web applications can have vulnerabilities that allow a skilled hacker to steal sensitive data.
How can you remotely spy on the attack surface?
Remotely spying on the attack surface often requires nothing more than a computer and an internet connection. By searching on Google and querying the right databases, attackers can find out a lot of important information about a company - all with freely accessible data and information. Using this information and techniques such as social engineering, phishing, and exploit kits, hackers can try to gain access to sensitive information or exploit vulnerabilities in a company's security architecture. Most of the information can also be found in "well-known" search engines such as Shodan, and a lot of information can also be obtained with the "right" search queries in Google - so the attacker does not have to be a highly trained hacker.
There are also dedicated tools and methods for conducting OSINT. This is not to say that finding an asset is generally bad - but it does allow the attacker to define the targets more precisely and identify vulnerabilities and configuration problems from a distance and "put their finger on the sore spot". No initial access to the internal network is necessary.
The current security situation
In a world driven by digitalization, companies and organizations are facing ever greater and more complex challenges in the area of information security. Those responsible for the company's security are faced with an ever-growing risk potential from cyber attacks. As business areas, production facilities and business models become increasingly interconnected, the attack surface for potential attackers is growing rapidly.
In addition to the official IT infrastructure, shadow IT instances often arise in companies that are outside the control of the IT department. Silo thinking in the departments leads to parallel solution landscapes that no one has a proper overview of. This complexity was further exacerbated by the pandemic and the associated wave of home office work. External resources and access points have increased rapidly, and many OT service providers also want their own remote access to the production facilities - which represents further, unmanaged access to the network. In most of the analyses I carried out, I also found some systems and instances that should actually have been switched off - but were not.
When evaluating data from a Shodan search, we find 32,534,118 open ports, 4,854 industrial controllers and 2,606 open databases in Germany alone.
In response to economic developments, especially during the coronavirus pandemic, companies have invested heavily in cloud-based solutions, which provide on-demand access to servers, storage and applications via the Internet. This progress also has drawbacks: in some cases these services do not have the same level of protection as self-hosted services, or the changed attack surface of these assets is unknown. At the same time, the familiar, known attack surfaces apply to these assets as well.
Wouldn't a vulnerability scanner find that too?
In the corporate environment, classic vulnerability management is often practiced, which focuses on known IT assets and their security vulnerabilities. This management follows established standards such as ISO 17799 and ISO 27001 to assess, prioritize and resolve newly discovered vulnerabilities. Rating systems such as the Common Vulnerability Scoring System (CVSS) are often used to determine the criticality of the security vulnerabilities. The primary goal is to close highly critical security vulnerabilities, while medium-level threats can often go unnoticed despite their potential to be exploited by hackers.
In contrast, attack surface management takes a more comprehensive and proactive approach. It analyzes and monitors all of a company's network-connected assets, including unknown ones. This approach involves simulating normal Internet traffic and using DNS information to identify vulnerabilities not only in the company's own network, but also in connected third parties, the supply chain, and subsidiaries.
The difference between these two approaches is significant: While vulnerability management is limited to patching known vulnerabilities on known hosts, attack surface management aims to identify and secure the entire spectrum of possible attack points in order to minimize the risk of a successful cyber attack.
In the context of the attack surface, it is important to understand that not all identified aspects necessarily represent critical security vulnerabilities. Often, this includes identifying areas that do not have immediate vulnerabilities but could still appear attractive to an attacker. Such areas could be a "finger in the sore spot" - that is, they could provide attackers with clues or entry points that, while not directly leading to a critical security incident, offer the opportunity to find further vulnerabilities and possible points of attack.
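The "known versus unknown" comparison described above, as an added example that is not part of the original article: it takes the kind of data a remote discovery returns (hosts, open ports, certificate details, login pages, software versions, as in the list earlier in the article) and reconciles it against the IT department's own inventory, flagging shadow IT and the non-critical but attractive items a pure CVSS-driven scan would skip. The domain, inventory, dates and end-of-life table are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set
# Constructed inventory of hosts the IT department knows about (assumption).
KNOWN_ASSETS = {"www.example.com", "mail.example.com", "vpn.example.com"}
# Ports expected on an internet-facing asset; anything else is worth a look.
EXPECTED_PORTS = {25, 80, 443, 587, 993}
# Constructed end-of-life table keyed by (product, major version).
EOL_SOFTWARE = {("php", "5"), ("openssl", "1")}

@dataclass
class DiscoveredAsset:
    host: str
    ip: str
    ports: Set[int]
    cert_expiry: Optional[date] = None          # None if no TLS certificate was seen
    login_pages: List[str] = field(default_factory=list)
    software: Dict[str, str] = field(default_factory=dict)  # product -> version

# Constructed sample of what a remote discovery (DNS plus a Shodan-style scan) returned.
DISCOVERED = [
    DiscoveredAsset("www.example.com", "203.0.113.10", {80, 443}, date(2025, 6, 1)),
    DiscoveredAsset("vpn.example.com", "203.0.113.20", {443, 8443}, date(2024, 1, 15), ["/admin"]),
    DiscoveredAsset("timetrack-test.example.com", "198.51.100.7", {80, 3306},
                    None, ["/login"], {"php": "5.6"}),
]

def assess(assets, known, today, cert_warn_days=30):
    """Map host -> list of findings; hosts with nothing to report are omitted."""
    findings = {}
    for a in assets:
        notes = []
        if a.host not in known:                      # the "unknown" the article warns about
            notes.append("unknown asset (shadow IT?)")
        for port in sorted(a.ports - EXPECTED_PORTS):
            notes.append(f"unexpected open port {port}")
        if a.cert_expiry is not None and (a.cert_expiry - today).days < cert_warn_days:
            notes.append(f"certificate expires {a.cert_expiry.isoformat()}")
        for page in a.login_pages:                   # attractive, even without a CVE
            notes.append(f"externally reachable login page {page}")
        for product, version in a.software.items():
            if (product, version.split(".")[0]) in EOL_SOFTWARE:
                notes.append(f"end-of-life software {product} {version}")
        if notes:
            findings[a.host] = notes
    return findings

def run_sample():
    # Evaluate the constructed discovery as of a fixed date so results are reproducible.
    return assess(DISCOVERED, KNOWN_ASSETS, date(2024, 1, 1))
```

Only the two hosts with something to report come back; the fully inventoried, correctly configured web server produces no finding at all.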
Conclusion
In a world that is increasingly connected and digitalized, it is becoming increasingly clear that the unknown often holds the greatest risk. The differences between vulnerability management and attack surface management are significant, with the latter primarily exploring the unknown areas of a network. The real dilemma lies not only in the weaknesses that we know and can fix, but rather in those that go unnoticed.
Comprehensive attack surface management that also considers unknown aspects is crucial because "what we don't know, we can't protect." Companies must therefore focus not only on securing known vulnerabilities, but also on detecting and analyzing the unknown components of their digital infrastructure. What is particularly noteworthy is that these attacker "investigations" are carried out remotely and without direct intervention, allowing hackers to operate unnoticed. Proactively identifying and securing these unknown and remotely accessible areas is key to maintaining security and integrity in the digital era.