Codifying Digital Attack Surface

Digital attack surface is a central theme in modern information security. Understanding the full scope of what a system exposes enables a more complete threat model, which in turn allows more accurate and effective mitigations (if you're a network defender) or reveals weaknesses and opportunities (if you're a network attacker).

There are a host of excellent resources on the internet that codify attacker techniques, or the 'shape' of an attack. These are mature and well-designed references, but they are focused on understanding the attacker or on identifying methods to halt their progress. Defenders can do better: proactively identifying and eliminating attack surface rather than simply reacting more quickly to known patterns.

In this article (and likely several follow-ups), I'll discuss my framework for thinking about attack surface as a network defender. Instead of thinking first about what an attacker might have, I focus on what *I* have, what *I* expose to attack, and most importantly, effective strategies to mitigate that exposure. Credit where it's due: I drew inspiration from this article, and added a few dimensions of my own.

Physical attack surface

People - Insiders and outsiders. This category is first, for good reason: it's where your draconian policies meet their toughest foe, your users. Security should not only enable good behaviour, but strive to make it the obvious and easiest choice. Conversely, outsider threats like spam, vishing, and other cons are smart, and attackers have productized the weaknesses of their fellow man.

Places - Your real estate. Buildings should have locks, and server rooms should have access control. Remote locations, say, your hilltop radio tower, may need alarms or cameras, depending on your threat model.

Things - The devices that attach to your network. There's a bit of overlap here with the 'infrastructure' category below, but for physical attack purposes: what happens if your CEO loses their phone, or their access keyfob? Or if someone steals your shiny prototype at a trade show? Is your loss limited to the value of the hardware, or does it extend to the value of the data on that hardware?

Logical attack surface

Physical Layer - Not the same as 'physical attack surface', but related. Physical-layer attack surface concerns the fundamental mechanisms that move data through your information systems. The preeminent source of physical-layer attack surface is wireless networking: wireless coverage area equals attack surface. If I can sniff your wireless, I can perform network reconnaissance, deny service, or exploit your devices. Less obvious sources: baseband processors, ages-old firmware, and the physical conveyances between buildings, campuses, and data centers. This is also the layer where protection provides the most value, because a compromise here undermines every layer above it.

Infrastructure Layer - The systems that are necessary to support your business' function: routers, switches, smart thermostats, access control systems, cloud infrastructure, and so on. Inventory is a critical first step in reducing this attack surface; segmentation and access control can't begin until you know what is on the network and what it is for. Recent attacks exploiting vulnerabilities in some F5 Networks products are a good example of the importance of this attack surface.

This also includes the protocols, algorithms, and services that run on these systems: your 256-bit encryption provides zero protection if you also allow cleartext FTP access to the same data.
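As an added example (not code from the article), here is the kind of inventory check the two paragraphs above call for: take a list of listening services, as you would get from parsing a scan or a firewall export, and flag the ones that add attack surface for no good reason: cleartext protocols, management services reachable from the wrong network, and services nobody has claimed. The hosts, zones and owners below are constructed for illustration; the port numbers are the standard assignments for the named protocols.

```python
"""Exposed-service inventory check.

Added example, not from the original article. The inventory below is
constructed to look like a parsed scan result; host names, zones and
owners are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Protocols that carry credentials or data in the clear. Exposing one
# of these undoes whatever encryption protects the same data elsewhere.
CLEARTEXT_PROTOCOLS = {"ftp", "telnet", "http", "rlogin", "tftp"}

# Management services that belong on a dedicated management network.
MANAGEMENT_PROTOCOLS = {"ssh", "rdp", "snmp", "ipmi", "winrm"}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str   # service name as a scanner would report it
    zone: str    # network the service is reachable from: internet, corp or mgmt
    owner: str   # empty string means nobody has claimed the service


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    severity: str
    reason: str


def classify_exposure(services):
    """Return findings for each service, worst first.

    Severity depends on where the service is reachable from: anything
    visible from the internet is high, the same thing inside the
    corporate network is medium. An unowned service is a low-severity
    finding on its own, because nobody can say whether it is needed.
    """
    findings = []
    for s in services:
        sev = "high" if s.zone == "internet" else "medium"
        if s.proto in CLEARTEXT_PROTOCOLS:
            findings.append(Finding(s.host, s.port, sev,
                f"cleartext protocol {s.proto} reachable from {s.zone}"))
        if s.proto in MANAGEMENT_PROTOCOLS and s.zone != "mgmt":
            findings.append(Finding(s.host, s.port, sev,
                f"management service {s.proto} reachable from {s.zone}"))
        if not s.owner:
            findings.append(Finding(s.host, s.port, "low",
                "no owner recorded; unowned services are candidates for removal"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.host, f.port))


def summarize(findings):
    """Count findings by severity, e.g. {'high': 2, 'medium': 3, 'low': 2}."""
    return dict(Counter(f.severity for f in findings))


# Constructed inventory (assumed hosts, zones and owners).
INVENTORY = [
    Service("web-01", 443, "https", "internet", "web team"),
    Service("web-01", 80, "http", "internet", "web team"),
    Service("files-02", 21, "ftp", "corp", ""),
    Service("switch-07", 23, "telnet", "corp", "netops"),
    Service("switch-07", 161, "snmp", "mgmt", "netops"),
    Service("bastion", 22, "ssh", "internet", "secops"),
    Service("hvac-ctrl", 80, "http", "corp", ""),
]

if __name__ == "__main__":
    results = classify_exposure(INVENTORY)
    for f in results:
        print(f"{f.severity:6} {f.host}:{f.port:<5} {f.reason}")
    print(summarize(results))
```

The zone is the point of the check: the same FTP daemon is a different finding on the internet, on the corporate LAN, or on an isolated management network, which is exactly the use-case understanding that has to precede segmentation. Feeding it real data means writing the one parser for your scanner's output; the classification logic does not change.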

Application Layer - The software your business exposes to the world, or to your data. Apps, browsers, office software, operating systems, development tools, accounting or personnel management tools, the third-party collaboration software you can't seem to upgrade... the list goes on. This category already gets a lot of attention: software supply chain attacks and the 'software bill of materials' (SBOM) are topics du jour, as supply chain compromise was the major vector in the SolarWinds hack. But defenders (who have a seat at the table when new software is acquired, right?) can meaningfully contribute to protection before purchase, or at least plan for it during integration.

It goes without saying (a significant percentage of the cyberdefense industry is focused on it), but your web-facing services are part, and only part, of your application layer attack surface.
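As an added example (not from the article), this is one concrete thing a defender can do with an SBOM before purchase or during integration: walk its dependency graph and separate the components the application actually reaches from the ones that merely ship with it, and list the components you could not pin or verify even if you wanted to. The SBOM below is a constructed CycloneDX-style document (the format's `components`, `bom-ref` and `dependencies` fields); the application, library names, versions and digests are placeholders, not real packages.

```python
"""Reachability and verifiability check over an SBOM.

Added example, not from the original article. SBOM is a constructed
CycloneDX-style document for an assumed application; component names,
versions and hashes are placeholders, not real packages.
"""
import hashlib
from collections import deque


def _placeholder_hash(name):
    # Stand-in for a real artifact digest, so the structure is realistic.
    return hashlib.sha256(name.encode()).hexdigest()


SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "billing-portal",
                               "version": "2.3.0", "bom-ref": "app"}},
    "components": [
        {"type": "library", "name": "web-framework", "version": "4.1.2", "bom-ref": "lib-web",
         "hashes": [{"alg": "SHA-256", "content": _placeholder_hash("web-framework")}]},
        # versioned but no digest: nothing to check a download against
        {"type": "library", "name": "http-client", "version": "0.9.0", "bom-ref": "lib-http"},
        # digest but no version: cannot be matched to an advisory
        {"type": "library", "name": "pdf-render", "bom-ref": "lib-pdf",
         "hashes": [{"alg": "SHA-256", "content": _placeholder_hash("pdf-render")}]},
        {"type": "library", "name": "image-codec", "version": "1.0.5", "bom-ref": "lib-image",
         "hashes": [{"alg": "SHA-256", "content": _placeholder_hash("image-codec")}]},
        # declared, shipped, but nothing depends on it
        {"type": "library", "name": "legacy-ldap", "version": "2.2.0", "bom-ref": "lib-ldap",
         "hashes": [{"alg": "SHA-256", "content": _placeholder_hash("legacy-ldap")}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-web", "lib-pdf"]},
        {"ref": "lib-web", "dependsOn": ["lib-http"]},
        {"ref": "lib-pdf", "dependsOn": ["lib-image"]},
        {"ref": "lib-http", "dependsOn": []},
        {"ref": "lib-image", "dependsOn": []},
        {"ref": "lib-ldap", "dependsOn": []},
    ],
}


def dependency_graph(sbom):
    """Map each bom-ref to the refs it depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def reachable_from(sbom, root):
    """bom-refs reachable from root via the dependency graph, root excluded.

    Breadth-first with a visited set, so cycles in the graph terminate.
    """
    graph = dependency_graph(sbom)
    seen, queue = set(), deque([root])
    while queue:
        ref = queue.popleft()
        for dep in graph.get(ref, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    seen.discard(root)
    return seen


def shipped_but_unreachable(sbom):
    """Components declared in the SBOM that the application never reaches."""
    root = sbom["metadata"]["component"]["bom-ref"]
    declared = {c["bom-ref"] for c in sbom["components"]}
    return sorted(declared - reachable_from(sbom, root))


def unverifiable(sbom):
    """Components you cannot pin: no version, or no digest to verify against."""
    return sorted(c["bom-ref"] for c in sbom["components"]
                  if not c.get("version") or not c.get("hashes"))


def attack_surface_report(sbom):
    root = sbom["metadata"]["component"]["bom-ref"]
    return {
        "reachable": sorted(reachable_from(sbom, root)),
        "unreachable": shipped_but_unreachable(sbom),
        "unverifiable": unverifiable(sbom),
    }


if __name__ == "__main__":
    for key, refs in attack_surface_report(SBOM).items():
        print(f"{key:12} {refs}")
```

Unreachable components are attack surface you carry for nothing, and the easiest to ask a vendor to drop; unverifiable ones are the questions to raise before the purchase order is signed, because once the software is integrated you have no way to tell a tampered artifact from a legitimate one.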

More to come!

As a quick summary to this article: understanding attack surface precedes eliminating attack surface, and eliminating attack surface is one of the strongest tools in a defender's arsenal. This six-part model is how I think about it, but like every other infosec practitioner out there, I'm still learning, still trying to drink from the firehose of information, to make sense of it and make use of it. I'd love to hear your insights and input, how you'd change the model, and most importantly, suggestions for a catchy acronym for this model.

The contents of this article are copyright 2021 Rampart Communications. Reproduction only with permission.

More articles by Keith Palmisano