The underrated threat of domain takeover and hacking a firm’s internal and external attack surface can enable malicious actors to circumvent many advanced website protection mechanisms. However, Detectify Crowdsource hacker Jasmin Landry says that deploying an external attack surface management (EASM) system can help beef up your security before a malicious hacker wreaks havoc on your company.
A common aphorism in cybersecurity is that there’s no such thing as perfect security. Implementing a proper security programme goes beyond vulnerability scanning and monitoring. A strong digital infrastructure is similar to that of a concrete cube with no windows or doors, where a hacker might have to bring out the jackhammer.
Understanding Attack Surface 101
To make one’s digital infrastructure impenetrable or at least difficult to get access to, it’s important to understand the meaning of an attack surface and the risks it entails. Essentially, it refers to the total number of entry points through which an attacker could try to penetrate an environment. The attack surface goes beyond your website and includes all web assets such as your IPs, domains and subdomains, third-party providers and SaaS softwares, company acquisitions, social media accounts, and mobile apps. An attacker’s entry point is often the server that nobody knew existed, an application that was missing a patch, the port that was left open, or weak passwords. It’s easy to see why guidance by the Security and Exchange Commission highlights the need to inventory hardware and software so the organization knows where its assets “are located, and how they are protected.”
When hunting for bugs out in the wild, Detectify Crowdsource hacker Jasmin Landry found that, more often than not, you have dozens or even hundreds of subdomains within your network. Furthermore, not all assets are equal in an IT environment. A hacker with that data could bypass firewalls and access your product development information, financial records and even your patent-protected data. Confident that they’ve gone undetected, nefarious actors could place malware into your network where spyware could follow your employees, recording each keystroke. Before you know it, a ticking time bomb of regulatory and reputational destruction could await the next decision.
Despite the escalating risks of an exposed external attack surface, organisations still have significant gaps in what they understand about their digital environment. The result is a weakened cyber security posture leading to a potential breach. What’s more – cybercriminals have turned their craft into a means for global warfare which could cost the world $10.5tln per year by 2025, according to a report by Cybersecurity Ventures. Landry adds, “We’ve seen so many breaches in the past few years and a lot of these were simply because they didn’t have proper web attack surface management in place. It could be by mistakenly exposing a server, web application, S3 bucket, credentials in GitHub, etc.”
Where External Attack Surface Management (EASM) comes in
There are several ways that security leaders are implementing attack surface monitoring to make sure nothing goes unnoticed. Some of these ways include detection by providing complete visibility into all components in a system so as to monitor attack surfaces as attackable points for both known and zero-day vulnerabilities. Complete visibility to attack surfaces usually requires the implementation of attack surface detection tools such as security information and event management (SIEM), network access control lists etc. Other attack surface detection methods include monitoring by taking advantage of data flow, map out the attack surface and potential attack vectors and continuous penetration testing through black box and white box methods.
EASM is different from other methods of scanning since you’re not necessarily looking for vulnerabilities. Landry explains, “You’re scanning for web assets that shouldn’t be externally accessible or that are not properly configured and expose sensitive data. A good example of this is monitoring your S3 buckets, with EASM you’d check to make sure your buckets aren’t publicly accessible for all on the Internet.”
Image: List of subdomains connected to the apex domain being monitored by Detectify
What hackers see when looking into your cloud
Looking into the clouds, Landry details from his experience that he often finds outdated hardware and software which – in the hands of an attacker – could compromise sensitive data, disrupt business operations, or otherwise put the organisation at risk. For instance, PCI or HIPAA data i.e protected health information or payment details of cardholders, can be easily accessed and exposed and “if companies holding sensitive information get breached by not having proper attack surface management in place, it can be really bad,” Landry says.
In addition, companies transitioning to the cloud must prioritise to protect their attack surface as there are more opportunities to misconfigure and expose critical services. For instance, with respect to AWS, you need to make sure that EC2 instances, API Gateway endpoints, S3 buckets, Lambda functions, Elastic Beanstalk web applications aren’t misconfigured and exposing any sensitive information on the Internet, Landry explains. “It’s critically important to have IAM properly configured and making sure that you’re respecting the least privileged principle,” he adds. Indeed, companies need to make sure that each account or role has access to only what it needs and nothing more.
With big companies and corporations, the biggest pitfall is having multiple development teams deploying code and servers on their own without advising other teams or the security team. Landry details, “I’ve seen on many occasions development teams deploying EC2 instances in AWS without making sure they were properly secured. This resulted in many vulnerabilities and customer PII exposures as those servers weren’t supposed to be public in the first place.”
When third-parties enter the room
In Landry’s experience, it becomes increasingly complicated to protect a company hosting various third-party domains as it could get too late. He says, “If a misconfiguration or exposure is found, we can’t react to it right away, we need to get in touch with the third-party company to have them fix the problem.” Tellingly, this can take a while so there’s a big risk that the vulnerability could be exploited by cyber criminals. As a result, organizations should continuously look for new attack surfaces through third-party penetration testing. For a deeper dive into protecting third party domains and assets, stay tuned.
Hackers know more about your attack surface than you do
EASM has evolved quite a bit during the past few years because of bug bounty programmes. With bug bounty, hackers monitor your web assets on a daily basis. As Landry put it, “They’ll think of looking at stuff you didn’t even know you had so we have to think like them when working with EASM.” For some, monitoring subdomains is their go-to trick. As soon as a new subdomain pops up, they get alerted right away and try to find bugs on it through crawling or fuzzing. With proper attack surface management in place, companies would be able to detect new subdomains. Detectify customers are already ahead in the game with the help of its crowdsource network of ethical hackers. Detectify collaborates with over 350 hackers including Landry who help secure hundreds of websites with automation and 237,000 vulnerabilities have been found until now.
Given that security professionals tend to focus more on defending attack surfaces within their organisations, attackable points that are not monitored remain unsecured and attackers eventually find those attack surfaces to exploit. With the help of the Crowdsource community, “you’d know whether a subdomain is intended or not and react on it right away,” Landry continues. “Or even better, have measures in place that prevent a subdomain from going public if it’s not supposed to.”
Attack surfaces are constantly evolving as new attack vectors are introduced and old attack vectors grow in significance. To keep up with this changeable nature of attack surfaces, the cool kids in tech and their security leaders are ahead of the curve and 43.8% of companies have teams dedicated to DevOps. In addition, firms such as Spotify, Apple, Microsoft among others are continuously engaging with ethical hackers throughout the security development and monitoring lifecycle.
Is EASM the silver bullet in security?
Web attack surface awareness is not a security panacea, but understanding how a network’s exposure relates to its risk of being breached gives enough valuable context when protecting one’s digital assets.
Finally, by considering a company’s potential attack surface, CISOs as well as CTOs can easily delve into – how secure the network probably was (or wasn’t) to begin with, how many ways in there would have been for an attacker, and how likely a successful breach would be overall. In conclusion, it only takes one small misconfiguration or mistake for the damage to be enormous. By continuously monitoring external assets, EASM would potentially be able to prevent breaches and leaks and keep your data safe. Landry says, “EASM is already a big part of the security sector at the moment, but of course it’ll be even bigger in the near future.”
How Detectify customers are more in control of their web attack surface
Detectify helps you analyze your attack surface to see which kind of assets are publicly viewable on the Internet and cause breaches with automated hacking methods such as taking over forgotten subdomains. What makes Detectify’s EASM tool different is that it can monitor more than just web application vulnerabilities. It can look for misconfigured cloud providers and DNS records that could be vulnerable to subdomain takeovers, content delivery networks or web application firewalls. “EASM is not just about what you code and build but also what you host, making it increasingly challenging to monitor,” Landry says.
About Detectify
A challenger to conventional application security, Detectify automates the latest security knowledge from leading ethical hackers and brings it into the hands of security defenders and web application teams. Powered by a network of handpicked ethical hackers, Detectify’s web vulnerability scanner checks your application beyond the OWASP Top 10 and helps you stay on top of threats in the cloud.
What will Detectify find in your web apps? Start a free 2-week trial of Detectify today.