Your New Attack Surface

WHITE PAPER

YOUR NEW ATTACK SURFACE: Discover, Track, and Manage the Assets That Attackers Target

WHITE PAPER | YOUR NEW ATTACK SURFACE

TABLE OF CONTENTS

Security Starts With Knowing What to Protect (page 3)
What Is Your Internet Presence? (page 3)
Back to Basics: The Biggest Cause of Breaches (page 5)
Discovery, Prioritization, and Risk Management (page 6)
Discovering and Mapping Your Attack Surface (page 6)
Where Are My Assets? The Importance of Global Coverage (page 6)
Types of Networked Systems (page 7)
Monitoring Your Attack Surface (page 9)
You Need Global and Independent Data (page 9)
Reducing Your Attack Surface (page 10)
Remote Ransomware: The RDP Problem (page 10)
99 Problems and They’re All in the Cloud (page 10)
Don’t Talk to Strangers: Testing Geo-IP Based Blacklisting (page 11)
Conclusion (page 12)


SECURITY STARTS WITH KNOWING WHAT TO PROTECT

Bad actors are constantly looking for ways to hack into organizations. They hunt for vulnerabilities on websites, exposed data servers in the cloud, and systems that are connected directly to the Internet with little or no protection. Organizations need to understand their attack surface, meaning all of the ways that their infrastructure is exposed and vulnerable to attack, and prioritize activities that can help make that attack surface smaller. The risks presented by exposures on your attack surface are real:

- Dozens of organizations have experienced breaches from database servers in the cloud (275 million Indian nationals, 3.4 million Panama nationals, and 600,000 Alaskan voters)¹
- WannaCry and NotPetya caused hundreds of millions of dollars in damages by exploiting public-facing SMB services (which should never be public-facing)
- An RDP attack against LabCorp resulted in 7,000 systems and 1,900 servers infected²

In this white paper, we’ll explore what makes up an organization’s attack surface, the major risk drivers and critical exposures, and how to regain control of your attack surface should you suffer an attack.

WHAT IS YOUR INTERNET PRESENCE?

Organizations have a lot of information posted online. Their Internet presence can include websites, networking equipment, mobile apps, LinkedIn data, or even Glassdoor reviews. Attackers scour the Internet for this data and leverage it in attacks. The classes of data fall into a few different buckets, some of which may not actually belong to the organization itself:

Attack Surface: This consists of the directly attackable parts of your network, like websites, networking equipment, and exposed user workstations. It can also include your larger cyber ecosystem, such as supplier or subsidiary networks that might be targeted for an attack.

¹ https://securitydiscovery.com/database-with-millions-of-indian-personal-records-exposed-and-hijacked/
  https://securitydiscovery.com/panama-citizens-massive-data-breach/
  https://www.alaskapublic.org/2017/09/20/unsecured-database-discovered-with-information-from-about-600000-alaska-voters/

² https://www.csoonline.com/article/3291617/samsam-infected-thousands-of-labcorp-systems-via-brute-force-rdp.html


Brand Protection: Malicious apps, domain squatting to phish your employees or customers, and counterfeit services.

Threat Intel: A broad category of data, some of which is directly discoverable. Hackers discussing imminent attacks on dark web forums, your employees’ PII for sale, or even details about your executive’s administrative assistant, who can then be targeted.

All three of these are often lumped together, but each serves a distinct purpose and comes with a different level of importance. For example, learning that hackers are talking about targeting your organization on an underground forum is only useful if you can actually do something about it, like adding extra security staff to support an incident response or sending a warning email asking employees to be extra diligent about incoming emails. In the same way, learning that your data has already been exposed can be useful, but everyone would prefer to prevent a breach in the first place rather than merely have excellent detection capabilities.

Brand protection is also very difficult to do well. Many organizations register thousands of domains defensively, purposefully owning misspellings and typo domains to make it harder for attackers to scoop these up. But with so many possible domain combinations, it’s nearly impossible to cover them all. Phishing attacks are usually launched extremely rapidly, with the gap between domain registration and the first emails sent being as short as minutes, while the detection, alert, and action cycle can be much longer.³ Another common brand protection strategy is to look for logo images, but the false positive rate can make this an unrealistic endeavor. Fraudulent mobile apps and social media attacks can cause harm, but they require much more effort from attackers and impact victims one by one (as opposed to a central data breach). Any exposed network services, on the other hand, are ticking time bombs just waiting to be found.

By far, the cheapest and most successful attack against organizations is simply scouring a perimeter until an unsecured device is found. Given the limited resources available to any security team, it’s essential to focus on the biggest risk factors when securing your organization. The data show that for many organizations, a lack of basic perimeter security and hygiene causes the largest number of data breaches and the biggest impact to the bottom line.⁴

³ Recent data suggest that a significant proportion of domains are used days, weeks, or months later, but dynamic learning and blocking of suspicious inbound emails is likely a more effective strategy. https://docs.apwg.org/reports/APWG_Global_Phishing_Report_2015-2016.pdf

⁴ Organizations should independently determine their biggest attack vector. Public data can be complicated to interpret. One of the most well-known studies is the Verizon Data Breach Investigations Report. This includes a wide range of cyber incidents, including hacking, phishing, denial of service, and other ‘threat actions’.

BACK TO BASICS: THE BIGGEST CAUSE OF BREACHES

With all of the advanced technologies that have been developed over the past decade, it’s easy to lose sight of some of the basic tenets of security. Knowing your network and the devices on it is the number-one control listed by SANS/CIS, yet most organizations haven’t conducted an IP list audit in years.

The Privacy Rights Clearinghouse maintains a public ledger of data breaches. The data convincingly show that “hacks” (which include both perimeter attacks and phishing) are by far the most frequent and costly form of data breach.⁵ A privately maintained database of incidents recorded 10 times more hacking incidents than phishing incidents.⁶ And individual organizations that have been analyzed also show perimeter incidents occurring at three to four times the frequency and impact of email phishing.⁷

The figure below shows the combined perimeter exposures for a sample of a dozen Fortune 100 organizations. Cumulatively, they have over 700 certificate hygiene issues and the occasional Telnet or SNMP exposure on registered ranges alone. When looking across the cloud, the counts become even worse, with some organizations having dozens of RDP instances publicly exposed.

[Figure: Perimeter Security is Not Improving. Bar chart of the cumulative number of exposures (y-axis, 0 to 2,000), one bar per month from June 2017 to April 2018, broken down by exposure type: certs_expired, certs_insecure_algo, certs_self-signed, certs_short_key, certs_wildcard, ftp, internal_ip_leak, mssql, mysql, netbios, rdp, sip, smb, snmp, telnet, unencrypted_login. Source: Expanse.]

This graph shows the cumulative number of perimeter exposures for a sample of Fortune 100 organizations. Each bar represents one month. If perimeter misconfigurations were going down, we would expect to see a downward trend in the total number of exposures. Instead, the total number of perimeter exposures is remaining constant or even getting worse, showing that organizations are not prioritizing basic hygiene of public-facing devices.

⁵ Hofmann, Annette, Spencer Wheatley, and Didier Sornette. "Heavy-Tailed Data Breaches in the Nat-Cat Framework & the Challenge of Insuring Cyber Risks."

⁶ Romanosky, Sasha. "Examining the costs and causes of cyber incidents." Journal of Cybersecurity 2.2 (2016): 121-135.

⁷ Kuypers, Marshall A., Thomas Maillart, and Elisabeth Pate-Cornell. "An empirical analysis of cyber security incidents at a large organization."


Attackers don’t even need to resort to phishing or other attack techniques when so many misconfigured devices are sitting around. They can simply find open exposures to figure out how to access sensitive assets and data. Leaving these assets accessible from the public Internet is like putting your servers out on the sidewalk.

DISCOVERY, PRIORITIZATION, AND RISK MANAGEMENT

How can an organization begin to claw back its attack surface? How can an organization reduce the parts of its Internet presence that actually cause breaches? It all starts with discovering what your attack surface really is.

DISCOVERING AND MAPPING YOUR ATTACK SURFACE

The attack surface area of an organization has never been more distributed than it is today. Organizations have to track more asset types across different locations than ever before. Any discovery and mapping program should start with the basics.

General requirements:

- Coverage across the entire public Internet, including all major cloud providers and commercial ISP space (not just known registered ranges)
- Comprehensive indexing, spanning all major port/protocol pairs (i.e. not limited to the old perspective of only tracking HTTP and HTTPS websites)
- Leveraging multiple data sources for attribution (i.e. not just registration and DNS data)
- No reliance on agents (which can’t find unknown assets)
- Continuous updating (i.e. not a two-week refresh rate)

WHERE ARE MY ASSETS? THE IMPORTANCE OF GLOBAL COVERAGE

In the past, the majority of an organization’s attack surface was based on static ranges that were registered to that organization. Today, organizations need to search for their assets across the entire Internet.


- Core IP space: Core ranges are table stakes. Organizations need to rapidly monitor known ranges for inadvertent misconfigurations or device exposures. Any exposures on these ranges are highly attributable and are likely to be targeted quickly.
- Subsidiary and acquisition networks: Attackers look for entry points anywhere they can, including nested subsidiaries and historical acquisitions. Often, Expanse identifies ranges that were orphaned during an M&A event and are left unmonitored. Organizations should take care to search for abandoned assets that may have been overlooked in the past.
- Cloud environments: Organizations are moving to the cloud, and it has never been easier for an employee to spin up a device outside of normal IT processes. Organizations should have focused discovery of assets pointed at all cloud environments, including AWS, Azure, Google, Oracle, Rackspace, and other cloud hosting providers.
- Commercial ISP space: A mobile workforce has created new classes of risk that haven’t existed before. Traveling employees may have misconfigured workstations that expose their laptops to the world on Remote Desktop Protocol. These exposures are highly ephemeral because they move as the employee travels from home to a coffee shop to a hotel.
- Strategic suppliers: Suppliers are more connected than ever. It’s often impossible to do business without sharing sensitive data or permitting network access to critical business partners. Exposures on these fringe segments of your network can lead to data loss or network intrusions on your corporate enclave.

Overall, these different locations add up to the entire global Internet. Organizations have networks that are so widely distributed that they need to monitor the entire Internet to accurately track their Internet-facing presence.

TYPES OF NETWORKED SYSTEMS

Fifteen years ago, most organizations’ public Internet presence consisted of websites. Today, many other device types are exposed, increasing risk by creating new entry points into a network. At Expanse, we conducted an experiment to see what attackers are looking for across the Internet. We stood up some honeypot listeners and watched what traffic came in. The graph below shows the number of unique scanners and the number of unique scan attempts to our honeypots by port.

“If you have a vulnerable asset on the public Internet, an attacker is almost certainly going to find it and find it quickly.”


Ports that are closer to the upper left corner are scanned more often by more people. There are four TCP ports that are scanned more than web ports. Attackers are constantly looking for Telnet, SSH, SMB, and RDP, even more so than websites. Database servers and teleconferencing devices are popular targets as well. If you leave any of these exposed, an attacker is almost certain to find them, and they’ll find them quickly.

[Figure: scatter plot of each open honeypot port by distinct port scan sources and connection attempts, both on a log scale (1 to 2,000 and 1 to 10,000). Labelled ports include 21, 22, 23, 80, 81, 85, 88, 139, 443, 445, 646, 1433, 1900, 2323, 2433, 3128, 3389, 5083, 8000, 8088, 8545, 8890, 8900, 28015, 42852, and 50802. Axis label: Distinct Port Scan Sources and Connection Attempts (Log Scale).]

This graph shows the number of connection attempts and the distinct sources for various open ports. Ports in the upper right of the graph are hit by many scanners, and scanned very frequently. Any port in the upper right is going to be found quickly by attackers. Ports in the lower left corner are not scanned as frequently, and not scanned by many distinct individuals.

Some engineers think they are being clever by hiding services on non-standard ports (e.g. port 2323 for Telnet, or port 8000 for HTTP). Our data show that attackers are already looking for devices on common, non-standard ports and will quickly find those assets as well. Your attack surface area doesn’t consist of only web servers, but rather many other types of devices like:

Port   Protocol   Common Device
80     HTTP       Web Servers
443    HTTPS      Web Servers
23     Telnet     Network Infrastructure
3389   RDP        Workstations, Servers
1433   SQL        Database Servers
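The honeypot experiment above ranks ports by two measures: how many distinct sources probe a port and how many connection attempts it receives. The script below is an added example, not Expanse’s code or data, that computes both measures from a connection log so a team can run the same analysis on its own honeypot or firewall logs. The log format (ISO timestamp, source IP, destination port) and the sample lines are constructed; the ports listed are the ones this paper discusses, including the non-standard Telnet and HTTP ports attackers already probe.

```python
"""Rank honeypot-observed ports by distinct scan sources and total attempts,
the two measures behind the paper's scatter plot. Added example; not
Expanse's code or data. The log format (timestamp, source IP, destination
port) and the sample lines are constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed honeypot log: ISO timestamp, source IP, destination TCP port.
SAMPLE_LOG = """\
2018-03-01T00:00:01Z 198.51.100.7 23
2018-03-01T00:00:03Z 198.51.100.7 23
2018-03-01T00:00:04Z 203.0.113.9 23
2018-03-01T00:00:05Z 203.0.113.9 2323
2018-03-01T00:00:06Z 192.0.2.44 3389
2018-03-01T00:00:07Z 192.0.2.44 3389
2018-03-01T00:00:08Z 198.51.100.7 3389
2018-03-01T00:00:09Z 203.0.113.9 445
2018-03-01T00:00:10Z 192.0.2.44 80
2018-03-01T00:00:11Z 192.0.2.44 8000
this line is malformed and must be skipped
"""

# Service names for the ports the paper singles out, including the
# "hidden" non-standard ones that attackers already probe.
PORT_NAMES = {22: "ssh", 23: "telnet", 2323: "telnet (non-standard)",
              80: "http", 8000: "http (non-standard)", 443: "https",
              445: "smb", 3389: "rdp", 1433: "mssql"}

PortStats = Dict[int, Tuple[int, int]]  # port -> (distinct sources, attempts)


def parse_log(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Return (source_ip, dst_port) pairs, skipping lines that do not parse."""
    pairs = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        port = int(parts[2])
        if not 0 < port < 65536:
            continue
        pairs.append((parts[1], port))
    return pairs


def port_stats(pairs: Iterable[Tuple[str, int]]) -> PortStats:
    """Count distinct scanning sources and total attempts per port."""
    sources = defaultdict(set)
    attempts = defaultdict(int)
    for src, port in pairs:
        sources[port].add(src)
        attempts[port] += 1
    return {port: (len(sources[port]), attempts[port]) for port in attempts}


def rank_ports(stats: PortStats) -> List[Tuple[int, Tuple[int, int]]]:
    """Most-scanned first: by distinct sources, then attempts, then lower port."""
    return sorted(stats.items(),
                  key=lambda kv: (kv[1][0], kv[1][1], -kv[0]), reverse=True)


def report(stats: PortStats) -> List[str]:
    """Human-readable ranking lines, e.g. '23 telnet: 2 sources, 3 attempts'."""
    return [f"{port} {PORT_NAMES.get(port, 'tcp')}: {n_src} sources, {n_att} attempts"
            for port, (n_src, n_att) in rank_ports(stats)]


if __name__ == "__main__":
    for line in report(port_stats(parse_log(SAMPLE_LOG.splitlines()))):
        print(line)
```

Ports at the top of the ranking are the ones that will be found first if they are ever exposed; in the constructed sample, Telnet and RDP tie for the top spot while the non-standard Telnet and HTTP ports still receive probes, which is the point the paper makes about hiding services on unusual ports.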


MONITORING YOUR ATTACK SURFACE

Discovering and mapping your attack surface is just the first step. Ongoing monitoring is essential to remaining secure. Critical capabilities include:

- Continuous monitoring
- Implementing processes around updating/changing your network (i.e. new cloud providers, new network ranges)
- Conducting periodic audits
- Monitoring the entire attack surface for strange and risky communications going to and from the network, not just exposed services
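The discovery requirements listed earlier and the monitoring capabilities above come down to one recurring task: turn each scan of the perimeter into a list of exposures, then compare that list with the previous one to see what appeared, what was fixed, and whether the total is trending the way the earlier chart asks about. The script below is an added example, not Expanse’s code, that does exactly that over two constructed snapshots. The observation schema, the certificate fields, and the list of services that should never be public-facing are assumptions; the exposure labels are taken from the figure legend in this paper.

```python
"""Classify Internet-facing observations into exposure types and compare two
monthly snapshots, so an attack surface program can see whether hygiene is
improving. Added example; not Expanse's code. The observation fields and
the label names (taken from the paper's figure legend) are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Any, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Observation:
    """One service seen on one IP/port during a scan (assumed schema)."""
    ip: str
    port: int
    protocol: str                        # e.g. "rdp", "https", "telnet"
    cert_expiry: Optional[date] = None   # TLS certificate fields, if any
    cert_self_signed: bool = False
    cert_key_bits: Optional[int] = None


# Services that have no business being reachable from the public Internet.
RISKY_SERVICES = {"telnet", "rdp", "smb", "snmp", "ftp", "netbios", "sip",
                  "mssql", "mysql", "mongodb", "elasticsearch", "memcached"}

Exposure = Tuple[str, int, str]  # (ip, port, label)


def classify(obs: Observation, as_of: date) -> Set[str]:
    """Return every exposure label that applies to a single observation."""
    labels: Set[str] = set()
    if obs.protocol in RISKY_SERVICES:
        labels.add(obs.protocol)
    if obs.protocol == "https":
        if obs.cert_expiry is not None and obs.cert_expiry < as_of:
            labels.add("certs_expired")
        if obs.cert_self_signed:
            labels.add("certs_self-signed")
        if obs.cert_key_bits is not None and obs.cert_key_bits < 2048:
            labels.add("certs_short_key")
    return labels


def snapshot_exposures(observations: List[Observation], as_of: date) -> Set[Exposure]:
    """Flatten one snapshot into a set of (ip, port, label) exposures."""
    return {(o.ip, o.port, label)
            for o in observations for label in classify(o, as_of)}


def compare(prev: List[Observation], prev_date: date,
            curr: List[Observation], curr_date: date) -> Dict[str, Any]:
    """Diff two snapshots: what appeared, what was fixed, and the totals."""
    before = snapshot_exposures(prev, prev_date)
    after = snapshot_exposures(curr, curr_date)
    return {"new": sorted(after - before), "resolved": sorted(before - after),
            "total_prev": len(before), "total_curr": len(after)}


def trend(result: Dict[str, Any]) -> str:
    """Direction of the exposure count, the question the paper's chart asks."""
    if result["total_curr"] < result["total_prev"]:
        return "improving"
    if result["total_curr"] == result["total_prev"]:
        return "flat"
    return "worsening"


# Constructed snapshots: a registered range (203.0.113.0/24) plus one cloud host.
PREV_DATE, CURR_DATE = date(2017, 6, 1), date(2018, 4, 1)
PREV = [
    Observation("203.0.113.10", 443, "https", cert_expiry=date(2017, 5, 1)),
    Observation("203.0.113.11", 3389, "rdp"),
    Observation("203.0.113.12", 23, "telnet"),
    Observation("203.0.113.13", 80, "http"),
]
CURR = [
    Observation("203.0.113.10", 443, "https", cert_expiry=date(2019, 5, 1)),  # renewed
    Observation("203.0.113.11", 3389, "rdp"),                                 # still open
    Observation("198.51.100.5", 3389, "rdp"),                   # new: RDP on a cloud host
    Observation("203.0.113.14", 443, "https", cert_self_signed=True, cert_key_bits=1024),
    Observation("203.0.113.13", 80, "http"),
]

if __name__ == "__main__":
    result = compare(PREV, PREV_DATE, CURR, CURR_DATE)
    print("new exposures:     ", result["new"])
    print("resolved exposures:", result["resolved"])
    print("trend:", trend(result))
```

In the constructed data the expired certificate and the Telnet listener were fixed between snapshots, but an RDP listener appeared on a cloud host outside the registered range and a new HTTPS host has a self-signed, short-key certificate, so the total still rises. Running the diff on every scan, rather than on a two-week refresh, is what turns a one-off audit into continuous monitoring.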

YOU NEED GLOBAL AND INDEPENDENT DATA

When a tax professional audits your taxes, they don’t just check your math. Instead, they verify your filing status and deductions, and ask you questions like ‘Did you move last year?’ to ensure that you haven’t overlooked a part of the tax law. Similarly, when you get a home inspection, the inspector doesn’t just use the pictures on Zillow to see if the foundation has cracks, but rather they visit the house. The Mars Curiosity rover used six independent radars to measure its speed as it approached for landing. In high-tech and high-value situations, independent data become even more important.

In security, there is still a tendency to use the same data to manage and audit a system. Audits will look at vulnerability scan outputs to confirm that all critical vulnerabilities have been patched. But what about the systems that aren’t being scanned because they reside outside of the network? Or what about the alerts that have been muted because they have waivers in place to allow an insecure machine to be public facing for a critical business project? Audits that don’t use independent data won’t catch these.

A better strategy for auditing your systems is to obtain independent and global data. Independent data avoids your bias, exceptions, and errors. Global data gives you the best chance of finding unknowns and anchors the analysis in ground truth instead of focusing in on where you happen to have the best visibility.


REDUCING YOUR ATTACK SURFACE

When you have a global and comprehensive program for discovering, monitoring, and managing your attack surface, you can avoid some of the most common risks facing organizations today. These risks include:

REMOTE RANSOMWARE: THE RDP PROBLEM

RDP recently became a top entry point for ransomware attacks. A workstation with RDP exposed on the public Internet is the equivalent of leaving a laptop open to its login screen sitting on the street, where anyone can try a username and password. Most organizations think that they’re blocking RDP across their networks and devices, but Expanse regularly detects RDP instances for large organizations on the public Internet, including a majority of the Fortune 100.

The most common attack against RDP starts out with a brute force password-guessing attempt. If the password isn’t complex enough or if there is no account lockout after failed attempts, then attackers can compromise a device. Once this happens, ransomware is typically installed, which can spread throughout the organization causing significant business interruption incidents. Data may be encrypted or destroyed, leaving organizations with a crippled network caused by an unknown exposure that occurred in IP space that they were not monitoring. These exposures are especially difficult to track because they often occur outside of places regularly monitored by the organization’s IT and security staff.

Without the complete, current, and accurate indexing of the entire Internet provided by Expanse, organizations don’t have a way of tracking these findings themselves. By indexing the global Internet multiple times per day, Expanse helps customers detect exposures like RDP before they are targeted, not weeks after the exposures have occurred and been found and exploited by attackers.

99 PROBLEMS AND THEY’RE ALL IN THE CLOUD

A number of the data breach stories of 2018 weren’t typical hacks, but rather were caused by an employee who initialized a database server in the cloud without telling the security team. Developers often use production data instead of fake data for testing, and if these databases become inadvertently exposed, it’s just a matter of time before they are found. IT and security teams aren’t informed and can’t see them because they exist outside of policy.


These exposures occur easily and can expose sensitive data to malicious actors with virtually no effort on their end required. Organizations need to remain diligent by looking for common database misconfigurations (SQL, Elasticsearch, MongoDB, Memcached) and not just on their core IP space, but across cloud environments too.

DON’T TALK TO STRANGERS: TESTING GEO-IP BASED BLACKLISTING

Many organizations restrict communications to countries that they shouldn’t be doing business with. Financial institutions are legally barred from doing business with certain countries put on a list by the Office of Foreign Assets Control (OFAC). Communications to or from Iran, Syria, or Belarus are unlikely to be legitimate traffic. Most financial institutions have already implemented blacklisting to prevent communications with unapproved countries.

Expanse’s Behavior database contains sampled netflow traffic from across the globe. Netflow is basically metadata about a communication. You can see the source and destination IP and port, but you can’t see any of the actual content of the message. These data are both independent and global, giving a ground-truth validation of whether geoblocking has been implemented correctly. Expanse almost always finds traffic to or from blacklisted countries, even though most organizations think that they’ve implemented geoblocking. Upon investigating the flows, the security team usually realizes that they only have visibility into the main Internet connections. Traffic can be leaking out of the network in many other places where the security team doesn’t have visibility.

By accessing global and independent data, the security team isn’t limited to what they know about. Instead, they can actually test to see if their geoblocking policy works by watching data on the global Internet, even for parts of their network where they have no local traffic sensor.
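The validation described above needs only three inputs: flow records (source and destination IP and port), a way to map an IP to a country, and the organization’s own ranges so that each flow can be split into a corporate side and a remote side. The script below is an added example, not Expanse’s Behavior data or code. The flow format, the prefix-to-country table (a real check would query a GeoIP database), the corporate and cloud ranges, and the blocked-country codes are all constructed; XA and XB are placeholder codes standing in for whatever countries appear on the organization’s blocklist, not real countries.

```python
"""Validate a geoblocking policy against sampled netflow records.

Added example; not Expanse's Behavior data or code. The flow format, the
prefix-to-country table, the corporate ranges and the blocked-country codes
(XA/XB are placeholders, not real countries) are all constructed."""
import ipaddress
from typing import Any, Dict, List

IPNet = ipaddress.IPv4Network

# Constructed prefix -> country table; a real check would use a GeoIP database.
GEO_TABLE = {
    IPNet("203.0.113.0/24"): "US",
    IPNet("198.51.100.0/24"): "US",
    IPNet("192.0.2.0/25"): "DE",
    IPNet("192.0.2.128/26"): "XA",  # placeholder code for a blocked country
    IPNet("192.0.2.192/26"): "XB",  # placeholder code for a blocked country
}
# Ranges attributed to our organization: registered space plus a cloud range.
OUR_NETWORKS = [IPNet("203.0.113.0/24"), IPNet("198.51.100.0/24")]
BLOCKED_COUNTRIES = {"XA", "XB"}

# Constructed netflow sample: src_ip,src_port,dst_ip,dst_port,bytes
SAMPLE_FLOWS = """\
203.0.113.10,51234,192.0.2.10,443,1200
192.0.2.130,44321,203.0.113.25,3389,840
203.0.113.40,40000,192.0.2.200,443,5000
198.51.100.7,33000,192.0.2.130,22,300
192.0.2.5,55000,203.0.113.10,443,200
not,a,valid,flow
"""


def country_of(ip: str) -> str:
    """Longest-prefix match of an address in GEO_TABLE; '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in GEO_TABLE.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else "??"


def is_ours(ip: str) -> bool:
    """True when the address falls in one of the organization's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_NETWORKS)


def parse_flows(text: str) -> List[Dict[str, Any]]:
    """Parse CSV flow lines, dropping anything that is not a well-formed record."""
    flows = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) != 5:
            continue
        try:
            ipaddress.ip_address(parts[0])
            ipaddress.ip_address(parts[2])
            flows.append({"src": parts[0], "sport": int(parts[1]),
                          "dst": parts[2], "dport": int(parts[3]),
                          "bytes": int(parts[4])})
        except ValueError:
            continue
    return flows


def policy_violations(flows: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Flows whose non-corporate side is in a blocked country."""
    findings = []
    for f in flows:
        src_ours, dst_ours = is_ours(f["src"]), is_ours(f["dst"])
        if src_ours == dst_ours:
            continue  # internal, or not ours at all: nothing to attribute
        our_ip, remote_ip = (f["src"], f["dst"]) if src_ours else (f["dst"], f["src"])
        cc = country_of(remote_ip)
        if cc in BLOCKED_COUNTRIES:
            findings.append({"direction": "outbound" if src_ours else "inbound",
                             "our_ip": our_ip, "remote_ip": remote_ip,
                             "country": cc, "dport": f["dport"]})
    return findings


def summarize(findings: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count violations by direction; any non-zero count means geoblocking leaks."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["direction"]] = counts.get(f["direction"], 0) + 1
    return counts


if __name__ == "__main__":
    found = policy_violations(parse_flows(SAMPLE_FLOWS))
    print(summarize(found))
    for f in found:
        print(f)
```

Each finding names the corporate address involved, which is the useful part for the investigation the paper describes: an address in a range that the main Internet connection’s sensors never see is exactly the place where traffic is leaking out around the geoblocking policy.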


CONCLUSION

Fifteen years ago, the Internet was a large place. If you exposed a device accidentally, it might go unnoticed for months or even years. Things are different today. Attackers can find every device on the Internet in 45 minutes. Any misconfiguration or accidental exposure is likely to be discovered very quickly. Internet-scale attacks like WannaCry and NotPetya demonstrate how a new wave of attacks doesn’t target specific companies, but rather seeks out and attacks vulnerabilities across the entire globe.

The attack surface has grown to include the cloud and even commercial ISP space, creating new challenges for organizations trying to reduce entry points into their networks. Expanse specializes in identifying high-risk asset types that occur outside of known IP space, especially in cloud environments and commercial ISP space. With Expanse, you can discover your attack surface and take steps to minimize it, resulting in a more secure organization.

Expanse continuously discovers and monitors the dynamic global Internet attack surface for the world’s largest organizations.

WP-Your_New_Attack_Surface_V01_062419