This blog focuses heavily on digital footprints and the myriad ways threat actors can exploit those footprints. This article focuses more on those exploits and on developing countermeasures, to ensure ample attention is devoted to every attack surface a threat actor may choose to target.
Digital Footprints and Attack Surfaces
An attack surface is anything a threat actor can target during the various stages of his attempts to compromise a victim and its systems. Importantly, this includes not only internet-facing systems, but the very people who comprise an organization.
Anything on the Internet can be attacked in one way or another, be it by denial-of-service, malware, or simply reputation trashing. This does not necessarily mean that the attack must breach a system or network to succeed. Depending on your organization’s definition of what constitutes an attack, the attack surface can be quite broad.
The threat actor’s goal may be to exfiltrate sensitive data, implant ransomware, or simply extort an organization. More often than not, that actor can only achieve such goals by first compromising a human being. Nowadays, researchers and developers have created countermeasures for most types of software compromise activity, making it exceedingly difficult for threat actors to engage in a head-on battle with those systems. Therefore, any discussion of attack surfaces must involve all aspects of a potential attack.
For example, a threat actor seeking to cripple an organization by sullying its leadership can do significant damage by organizing campaigns with social media alone. Small businesses and those organizations who are highly leader-centric are generally more susceptible to this type of attack, but large organizations can suffer from unplanned leadership turnover as well.
Therefore, it is important for any security team to be aware of all potential attack surfaces, as well as how threat actors may exploit them, both before and during an “attack”. There are several categories of surfaces:
- Digital surfaces, which include any IT and webapp infrastructure
- Physical surfaces, which include physical assets, be they server farms or office buildings, as well as the organization’s personnel
- Hybrid surfaces – (generally) digital infrastructure, such as social media, through which physical assets are targeted
Thinking Like an Attacker, Analyzing the Attack Surface
Generally speaking, attack surfaces exist in public. How so? Well, any internet-facing infrastructure by nature of being internet-facing will freely give out certain information in order to communicate with other devices and services around the internet. The end user who visits a website may not be aware of the TCP handshake, the HTTP headers, response codes, cookies, or other information transferred when visiting a website, but that information comprises the mechanisms which allow those connections to occur.
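The information a server hands to every visitor is easy to see for yourself. The following is an added example, not code from the original post or from DigitalStakeout: it parses a raw HTTP response (a constructed sample, not a real server's output) and reports which headers advertise software versions, which common hardening headers are absent, and which cookies lack the Secure and HttpOnly attributes. The header lists and the cookie checks are common practice and are assumptions of this example, not something the post specifies.

```python
# Added example (not code from the original post): audit the information an
# HTTP response hands to every visitor. The raw response below is constructed
# for illustration; the header names checked are common practice, not taken
# from the post.
from typing import Dict, List, Tuple

# Constructed sample response, as a browser or scanner would receive it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Headers that advertise server-side software and version information.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "via")

# Hardening headers a well-configured deployment is expected to send.
EXPECTED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
)


def parse_response(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP/1.x response into its status line and a header map.

    Header names are lower-cased; repeated headers (e.g. Set-Cookie) are kept
    as a list. The body after the blank line is ignored.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0]
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line or ":" not in line:
            continue  # tolerate empty or malformed header lines
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers


def audit_headers(headers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return findings grouped by category.

    'disclosed': headers that reveal server-side software/version details
    'missing'  : hardening headers that are absent
    'cookies'  : Set-Cookie values lacking the Secure or HttpOnly attributes
    """
    findings: Dict[str, List[str]] = {"disclosed": [], "missing": [], "cookies": []}
    for name in DISCLOSURE_HEADERS:
        for value in headers.get(name, []):
            findings["disclosed"].append(f"{name}: {value}")
    for name in EXPECTED_HEADERS:
        if name not in headers:
            findings["missing"].append(name)
    for cookie in headers.get("set-cookie", []):
        # Attributes follow the first ';' (e.g. Path, Secure, HttpOnly).
        attrs = {part.strip().lower() for part in cookie.split(";")[1:]}
        lacking = [a for a in ("secure", "httponly") if a not in attrs]
        if lacking:
            cookie_name = cookie.split("=", 1)[0].strip()
            findings["cookies"].append(f"{cookie_name} lacks {', '.join(lacking)}")
    return findings


def audit_raw_response(raw: str) -> Dict[str, List[str]]:
    """Convenience wrapper: parse a raw response, then audit its headers."""
    _status, headers = parse_response(raw)
    return audit_headers(headers)


if __name__ == "__main__":
    report = audit_raw_response(SAMPLE_RESPONSE)
    for category, items in report.items():
        print(f"{category}:")
        for item in items:
            print(f"  - {item}")
```

Running this against the constructed response flags the Server and X-Powered-By headers, all four hardening headers as missing, and the session cookie as lacking both attributes. Pointed at your own servers, the same pass shows what your infrastructure volunteers to anyone who connects, which is the starting point for deciding what to suppress.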
By the same token, people, for better or worse, love to share information about themselves in online fora. Whether they merely list their resume on LinkedIn, post pictures of their children (as well as their children’s hobbies) on Facebook, or engage in opinionated discussions on Twitter, the information still exists in public, and a skilled investigator can learn deeply personal information about a person just by paying attention and making a few educated deductions.
In the case of internet-facing infrastructure, most of the time that infrastructure can record detailed logs of who visits and what actions they perform. With this information, a threat hunter may be able to deduce that a threat actor is performing reconnaissance against the system, though such a deduction would likely require more data (and patience) than a single individual would have at any one time.
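The deduction described above can be partly automated. As an added example, not code from the original post or from DigitalStakeout, the script below reads web server access-log lines in the common "combined" format (the lines are constructed for illustration; the addresses are from documentation ranges), aggregates per-client statistics, and scores each client on three weak signals of reconnaissance: mostly requesting paths that do not exist, never arriving via a link on the site, and using a scripted client. The thresholds and the list of scripted user agents are assumptions for this example and would need tuning against a real site's traffic.

```python
# Added example (not code from the original post): score per-client activity
# in a web access log for reconnaissance-like behaviour. The log lines and
# the thresholds are constructed for illustration.
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed sample log in Apache/nginx "combined" format. 203.0.113.7 walks
# through paths that do not exist with a scripted client; 198.51.100.4 is an
# ordinary visitor following links on the site.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "python-requests/2.31.0"
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /login HTTP/1.1" 404 153 "-" "python-requests/2.31.0"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /config HTTP/1.1" 404 153 "-" "python-requests/2.31.0"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /backup HTTP/1.1" 404 153 "-" "python-requests/2.31.0"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /old HTTP/1.1" 404 153 "-" "python-requests/2.31.0"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /robots.txt HTTP/1.1" 200 61 "-" "python-requests/2.31.0"
198.51.100.4 - - [01/Jan/2024:10:01:10 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jan/2024:10:01:11 +0000] "GET /static/app.css HTTP/1.1" 200 2048 "https://example.com/" "Mozilla/5.0"
198.51.100.4 - - [01/Jan/2024:10:01:12 +0000] "GET /about HTTP/1.1" 200 3001 "https://example.com/" "Mozilla/5.0"
198.51.100.4 - - [01/Jan/2024:10:01:30 +0000] "GET /contact HTTP/1.1" 200 2890 "https://example.com/about" "Mozilla/5.0"
198.51.100.4 - - [01/Jan/2024:10:01:31 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "https://example.com/" "Mozilla/5.0"
"""

# One "combined" log line: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-agent prefixes of common scripted HTTP clients (assumption for this example).
SCRIPTED_UA_PREFIXES = ("python-requests", "curl", "go-http-client", "wget")


@dataclass
class ClientStats:
    requests: int = 0
    not_found: int = 0                      # responses with status 404
    with_referer: int = 0                   # requests that arrived via a link
    paths: Set[str] = field(default_factory=set)
    user_agents: Set[str] = field(default_factory=set)


def parse_log(text: str) -> Dict[str, ClientStats]:
    """Aggregate per-client statistics; lines that do not match are skipped."""
    stats: Dict[str, ClientStats] = defaultdict(ClientStats)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        s = stats[m["ip"]]
        s.requests += 1
        s.paths.add(m["path"])
        s.user_agents.add(m["ua"])
        if m["status"] == "404":
            s.not_found += 1
        if m["referer"] != "-":
            s.with_referer += 1
    return dict(stats)


def recon_score(s: ClientStats, min_requests: int = 5) -> int:
    """Return 0..3: one point per weak reconnaissance signal present.

    Volume-based signals are only counted once a client has made enough
    requests to make a ratio meaningful.
    """
    score = 0
    if s.requests >= min_requests and s.not_found / s.requests >= 0.5:
        score += 1  # mostly guessing paths that do not exist
    if s.requests >= min_requests and s.with_referer == 0:
        score += 1  # never followed a link on the site: not browsing
    if any(ua.lower().startswith(SCRIPTED_UA_PREFIXES) for ua in s.user_agents):
        score += 1  # scripted client rather than a browser
    return score


def flag_recon(text: str, threshold: int = 2) -> Dict[str, int]:
    """Return {client_ip: score} for clients at or above the threshold."""
    flagged = {}
    for ip, s in parse_log(text).items():
        score = recon_score(s)
        if score >= threshold:
            flagged[ip] = score
    return flagged


if __name__ == "__main__":
    for ip, score in flag_recon(SAMPLE_LOG).items():
        print(f"{ip}: reconnaissance score {score}/3")
```

On the constructed sample, 203.0.113.7 scores 3 and the ordinary visitor scores 0. The caveat in the text still applies: a single 404 ratio or a scripted user agent proves nothing on its own (monitoring tools and crawlers trip the same signals), so scores like these are a triage aid that points an analyst at sessions worth reading, not a verdict.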
More often than not, though, security teams have little to no way of knowing if a threat actor is conducting reconnaissance. As outlined in the MITRE PRE-ATT&CK framework, most pre-attack operations can be performed without any way for the security team to find out. This includes digital reconnaissance (probing), OSINT targeting personnel, and attacker infrastructure development.
Thus, security teams must find a way to be prepared for such occurrences. First, active monitoring of potentially adversarial infrastructure to identify its creation will assist in understanding when and if an attack may occur. Second, understanding the information posted online by organization personnel helps identify whom a threat actor may target and how. Third, understanding the organization itself can help to identify who may want to attack the organization and for what purpose. Finally, user education will prepare non-security personnel to deal with potentially compromising circumstances, such as identifying phishing and malicious documents.
Knowing the Surface Inside Out, Outside In
In order to identify when potentially adversarial infrastructure appears, security teams must first understand their own network spaces from the outside in. Understanding the network’s architecture from the DMZ, through the proxies and firewalls, to the routers, the mail servers, and finally end workstation endpoints will enable the development of detailed attack and response plans, starting with robust attack tree diagrams, all the way to remediation policies to guide organizations in the event of a significant incident.
However, knowing the network, and how users interact with the network both inside the organization and on the open Internet, may be just as, if not more, important. For example, understanding where information flows from a workstation to a destination across the Internet can help determine if and when a workstation becomes infected, assuming that the organization has kept up with the latest threat intelligence.
Establishing Threat Models to Organize Attack Surface Defense
The easiest way to identify attack surfaces and subsequently build defenses is to develop robust threat models that answer tough questions about the network and the organization. With this knowledge base, tools such as DigitalStakeout’s Scout and Footprint will assist in developing robust monitoring capabilities to understand your network’s public spaces and potential adversary infrastructure, as well as the digital atmosphere surrounding your organization, where you can identify reputation trends and targeted threats.