Note: This is part 3 of a 5-part series in which we examine a smarter approach to attack surface management. Catch up on last week’s post first.

Inventory management, the precursor to attack surface management, operated on the assumption that you knew where your network started and stopped. With the move to the cloud, and COVID-19’s acceleration of digital transformation, every organization should now assume their network is potentially “everywhere.” That’s Step 1.

As discussed in last week’s blog, Step 2 is taking action using solutions that help reduce unknown attack surface, and prioritize high-risk assets. While the reasons for attack surface drift are often due to normal business processes like digital transformation and M&A, the rate at which these activities now occur has hardly been anticipated by the inventory discovery and tracking solutions in-market today. Bugcrowd Attack Surface Management fills the gaps left by traditional solutions by delivering human ingenuity at the speed of business, for a prioritized assemblage of previously unknown or unprioritized assets. But regardless of how you build your own attack surface map, there are several options for then securing it.

In this week’s blog, we’ll focus on Step 3: what to do with your prioritized list of assets.

Translating your Asset Risk Outcomes to Business Value

1. Eliminate Assets (Including those you assumed were already gone)

Asset Risk delivers a full attack surface assessment, with an inventory of connected assets (to us, assets are fully qualified domain names and/or IP addresses) prioritized by potential business risk. The next step for most organizations is to then eliminate those deemed irrelevant to current operations. Many customers have been surprised to see assets they believed were decommissioned years ago show up in this report. But as asset inventory is often tracked manually via spreadsheet, it’s not uncommon for accounting errors or ownership shuffles to disrupt offboarding flows, leaving now-“invisible” assets connected to the network.

E.g. Subdomain Configuration: Do you remember that marketing campaign you ran 3 years ago, for just under a month? You had an intern spin it up, but they never actually logged that activity anywhere beyond the tools they used. This can come back to haunt you in a few different ways. Sometimes it’s in the form of URLs that don’t resolve, which are now ripe for subdomain takeovers. If you don’t want hackers posting their content on your domain, we recommend shutting it down altogether.
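The check behind that recommendation, as an added example rather than Bugcrowd’s own tooling: it walks a constructed snapshot of a zone’s records, the kind of export an inventory scan hands back, and reports every name whose CNAME chain never reaches an address record (the target was NXDOMAIN during the scan, has no A/AAAA record, or loops), which is exactly the state to shut down before someone else claims the target. The zone, the record values and the `FindDanglingCNAMEs` function are assumptions for illustration, not real infrastructure.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Record is one DNS record observed for a name during an inventory scan.
type Record struct {
	Type  string // "A", "AAAA", "CNAME", "TXT", ...
	Value string
}

// Finding is a name we own whose CNAME chain never reaches an address record.
type Finding struct {
	Name   string // the name in our zone
	Target string // the last hop that could not be resolved
	Reason string
}

// normalize lowercases a name and strips the trailing dot so lookups match.
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// FindDanglingCNAMEs inspects every CNAME in the snapshot and reports those
// whose chain ends at a name with no A/AAAA record or loops back on itself.
// Snapshot keys are expected to be normalized (lowercase, no trailing dot).
func FindDanglingCNAMEs(snapshot map[string][]Record) []Finding {
	var findings []Finding
	for name, recs := range snapshot {
		for _, r := range recs {
			if r.Type != "CNAME" {
				continue
			}
			if target, reason := followChain(snapshot, normalize(r.Value)); reason != "" {
				findings = append(findings, Finding{Name: name, Target: target, Reason: reason})
			}
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Name < findings[j].Name })
	return findings
}

// followChain walks CNAME hops starting at target. It returns ("", "") when an
// address record is reached, otherwise the last hop and why it is dangling.
func followChain(snapshot map[string][]Record, target string) (string, string) {
	seen := map[string]bool{}
	for {
		if seen[target] {
			return target, "CNAME loop"
		}
		seen[target] = true
		recs, ok := snapshot[target]
		if !ok {
			return target, "target did not resolve (NXDOMAIN during scan)"
		}
		next := ""
		for _, r := range recs {
			switch r.Type {
			case "A", "AAAA":
				return "", ""
			case "CNAME":
				next = normalize(r.Value)
			}
		}
		if next == "" {
			return target, "target has no address record"
		}
		target = next
	}
}

// SampleSnapshot is a constructed zone export for example.com; none of these
// names or addresses are real infrastructure.
func SampleSnapshot() map[string][]Record {
	return map[string][]Record{
		"www.example.com":       {{"A", "203.0.113.10"}},
		"blog.example.com":      {{"CNAME", "www.example.com."}},                       // healthy alias
		"promo2021.example.com": {{"CNAME", "promo-site.pages.example-hosting.net."}}, // provider page deleted
		"cdn.example.com":       {{"CNAME", "cdn-edge.example.com"}},
		"cdn-edge.example.com":  {{"TXT", "v=spf1 -all"}}, // no address record left
		"old.example.com":       {{"CNAME", "older.example.com"}},
		"older.example.com":     {{"CNAME", "old.example.com"}}, // misconfigured loop
	}
}

func main() {
	for _, f := range FindDanglingCNAMEs(SampleSnapshot()) {
		fmt.Printf("%-24s -> %-40s %s\n", f.Name, f.Target, f.Reason)
	}
}
```

On a real export the snapshot would come from the scan's resolver results; the walk itself is the same, and the findings list is what gets handed to whoever owns the zone for removal.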

2. Remediate High Indicators of Risk

Once you’ve eliminated the things that aren’t important, take a look at those that contain clear indicators of risk. Asset Risk assigns risk rankings based on some combination of the following IoRs (Indicators of Risk): 

  • CVEs
  • Configuration
  • Unsecure Auth
  • Possible User Enumeration
  • Reflected XSS
  • Subdomain Configuration
  • Invalid Certs
  • SSL score
  • Login over HTTP

Some of these are easily remedied, though they can cause extreme damage if left unattended.

E.g. CVEs & Configuration: Some common configuration problems include many open ports, ports like 22 or 23 that are not encrypted, leaked passwords, or even standard passwords on systems. All of these issues are easily resolved, but if chained together by a malicious attacker who finds them first, they can result in something more serious.

Certificate Issues: While expired certs can again be resolved quickly, they indicate a larger opportunity for hackers who find them: patterns of neglect. Hackers may use these systems to test more intrusive techniques and begin fingerprinting/profiling without worrying that their activity will be detected. Common cert errors your attackers are looking for include:

  • CERT_HAS_EXPIRED
  • ERR_TLS_CERT_ALTNAME_INVALID
  • UNABLE_TO_VERIFY_LEAF_SIGNATURE
  • DEPTH_ZERO_SELF_SIGNED_CERT
  • Low SSL Scores

Fixing certificate errors is usually pretty simple and well documented. While you resolve those issues, it’s also in your best interest to improve your cert score at the same time. This can be done by using SHA256 for the signature algorithm, and only using trusted certificate authorities. 
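What those labels mean in practice, as an added example that is not Bugcrowd’s tooling, written in Go against the standard library: it issues constructed certificates under a private test root (a healthy leaf, an expired leaf presented for the wrong name, a self-signed dev cert, and a leaf issued by a root outside the trust store) and reports which of the listed conditions each one triggers. The label names follow the list above; the root names, hostnames, the fixed clock and the `CheckCert`/`SampleReport` functions are assumptions for illustration, and mapping Go’s UnknownAuthorityError onto UNABLE_TO_VERIFY_LEAF_SIGNATURE is an approximation of the OpenSSL error.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Labels mirror the error strings listed in the post.
const (
	CertHasExpired      = "CERT_HAS_EXPIRED"
	AltNameInvalid      = "ERR_TLS_CERT_ALTNAME_INVALID"
	UnableToVerifyLeaf  = "UNABLE_TO_VERIFY_LEAF_SIGNATURE"
	DepthZeroSelfSigned = "DEPTH_ZERO_SELF_SIGNED_CERT"
)

// CheckCert runs every check independently on one leaf, so a single cert can
// carry several labels (a lone Verify call would stop at the first error).
func CheckCert(cert *x509.Certificate, hostname string, roots *x509.CertPool, now time.Time) []string {
	var issues []string
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		issues = append(issues, CertHasExpired)
	}
	if cert.VerifyHostname(hostname) != nil {
		issues = append(issues, AltNameInvalid)
	}
	// Depth-zero self-signed: issuer equals subject and its own key validates it.
	if bytes.Equal(cert.RawSubject, cert.RawIssuer) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		issues = append(issues, DepthZeroSelfSigned)
	} else {
		// Chain building only: clock pinned inside the validity window, no DNSName,
		// because expiry and name mismatch were already reported above.
		_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: cert.NotBefore.Add(time.Second)})
		var unknown x509.UnknownAuthorityError
		if errors.As(err, &unknown) { // closest Go analogue of the OpenSSL leaf error
			issues = append(issues, UnableToVerifyLeaf)
		}
	}
	return issues
}

// issue signs tmpl under parent with parentKey (self-signed when parent is nil)
// and returns the parsed certificate together with its fresh P-256 key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SampleReport builds constructed certificates (no real CA or host): a private
// root, a healthy leaf, an expired leaf presented for the wrong name, a
// self-signed dev cert, and a leaf issued by a root outside our trust store.
func SampleReport() map[string][]string {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC) // constructed clock
	day, year := 24*time.Hour, 365*24*time.Hour
	tmpl := func(serial int64, name string, from, to time.Time, isCA bool) *x509.Certificate {
		c := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
			NotBefore: from, NotAfter: to, IsCA: isCA, BasicConstraintsValid: isCA}
		if isCA {
			c.KeyUsage = x509.KeyUsageCertSign
		} else {
			c.DNSNames = []string{name}
		}
		return c
	}
	ca, caKey := issue(tmpl(1, "Example Internal Root", now.Add(-4*year), now.Add(10*year), true), nil, nil)
	otherCA, otherKey := issue(tmpl(2, "Untrusted Root", now.Add(-4*year), now.Add(10*year), true), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	good, _ := issue(tmpl(3, "www.example.com", now.Add(-30*day), now.Add(year), false), ca, caKey)
	expired, _ := issue(tmpl(4, "promo2021.example.com", now.Add(-3*year), now.Add(-3*year+30*day), false), ca, caKey)
	selfSigned, _ := issue(tmpl(5, "dev.example.com", now.Add(-year), now.Add(year), false), nil, nil)
	untrusted, _ := issue(tmpl(6, "partner.example.com", now.Add(-year), now.Add(year), false), otherCA, otherKey)
	return map[string][]string{
		"www.example.com":       CheckCert(good, "www.example.com", roots, now),
		"promo2021.example.com": CheckCert(expired, "promo.example.com", roots, now),
		"dev.example.com":       CheckCert(selfSigned, "dev.example.com", roots, now),
		"partner.example.com":   CheckCert(untrusted, "partner.example.com", roots, now),
	}
}

func main() { fmt.Println(SampleReport()) }
```

Running each check separately is the point: a TLS client stops at the first failure, but an inventory wants the full list per host so that an expired cert on a forgotten name is recorded as both a neglect signal and a name mismatch rather than just one of the two.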

As the focus of Asset Risk is to go “wide,” not “deep,” it should be clarified that IoRs like these typically represent a larger problem with the asset at hand. For those assets which have high business value, we recommend additional discovery and monitoring, per the next section.

3. Dig Deeper & Keep It Secure

Depending on the asset’s business criticality and associated risk level, you may want to consider adding it to an active testing program like Bugcrowd Bug Bounty, or Next Gen Pen Test. These programs motivate highly skilled security researchers to “dig deep” within a given target, rewarding them by vulnerability volume and severity. Both are offered on-demand or continuously; the continuous option can reduce risk without added operational overhead, making these programs ideal for things like web apps and APIs that undergo frequent code changes.

4. Build a Repeatable Framework

While Asset Inventory runs continuously, flagging risks and changes to monitored assets, and adding new ones all the time, Asset Risk engagements are performed in 4-5 week windows, typically after significant business change, or roughly every 9 months – 1 year on average. If your organization is experiencing significant changes, initiating deeper assessments like these every 3 – 6 months may be advised. Regardless of frequency, it’s always important to work with your internal security and development teams to remediate issues quickly, and to create a plan for securing and tracking newly discovered assets.

Bugcrowd’s Attack Surface Management portfolio contains a powerful combination of asset discovery, management, and prioritization solutions which, when deployed together, can help organizations regain and maintain control over a dynamic attack surface. For more on how human ingenuity plays a crucial role in staying ahead of malicious attackers, stay tuned for next week’s blog, or contact us today!