TL;DR: Attackers and defenders (security professionals) often look at an attack surface from completely different perspectives. The gap between those two perspectives is where vulnerabilities are likely to pop up. Crowdsource hacker Luke “hakluke” Stephens writes about how companies can close the gap and secure the ever-expanding attack surface.
The rapid proliferation of data, the growing number of domains and subdomains, and the rise of third-party software have made a robust security program an urgent need. As the web-facing attack surface grows, existing security practices are falling behind. Traditional vulnerability management will become less relevant as companies see an increased need to protect the attack surface as a whole – especially as more employees have access to internal systems and applications at all times.
Imagine a physical brick wall, too high to climb over without a ladder. Stick with me here because it will all make sense later on. There are two people looking at the wall, from opposite sides. They are looking at the same wall, but the things they are seeing are completely different. One does not know what the other can see, or even if the other person exists. Here’s an overhead view. The orange is the wall and the green is their field of vision.
The one with the black hat is the attacker, who wants to somehow get to the other side of the wall. The one without a hat is the defender, trying to make sure that nobody gets to their side of the wall. Currently, it looks like the defender is winning – but if we zoom out a bit, we see a different story.
Is that a gap in the wall? Just outside of the defender’s vision? And over on the right, there appears to be a ladder that the attacker could use to scale the wall.
Even if we widen the defender’s field of vision, they’ll still never see the ladder, because it’s on the wrong side.
The defender cannot defend effectively without a wide view of what is happening on both sides of the (fire)wall. This concept also applies to defending an organization’s attack surface. To map out an organization’s attack surface as extensively as possible, we need to look at the organization both from an internal perspective and from an attacker’s (external) perspective.
Attackers start at a disadvantage because they lack internal knowledge of the organization’s infrastructure, technologies, security processes and so on, but they can quickly gain the advantage because they only need to find one gap in the wall to bring an organization to its knees. Attackers have realized this, which is why they have developed a stack of crafty reconnaissance methods aimed at uncovering forgotten assets and shadow IT.
To make things even more interesting, the attack surface is constantly changing as new environments are spun up and down, new technologies implemented, new libraries utilized, etc. In other words, the brick wall moves constantly, and gaps can open up anywhere at any time.
The good news is that defenders can gain back an advantage by simply borrowing attacker recon methods to identify their own attack surface, augmenting their own field of vision, and beating the attackers at their own game.
Actually, there’s a term for this concept: “External Attack Surface Management”, or EASM for short. Implementing an EASM program is like having a security camera on the other side of the fence, one that would be able to see the ladder.
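To make the idea concrete, here is an added example (my own illustration, not code from the post or from Detectify) of the simplest comparison an EASM program performs: the defender’s internal asset inventory against the set of hostnames an outsider can observe. Everything in one set but not the other is the gap in the wall. All hostnames, addresses and DNS answers below are constructed for the example; in practice the external set would come from sources such as Certificate Transparency logs or passive DNS, and the “target still resolves” flag from live lookups.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed sample data for the example (not real assets or DNS answers).
# Internal view: the hostnames the defender's team believes it exposes.
INTERNAL_INVENTORY: Set[str] = {
    "www.example.com",
    "api.example.com",
    "vpn.example.com",
    "blog.example.com",
}

# External view: hostnames an outsider could enumerate (e.g. from Certificate
# Transparency logs or passive DNS). Two of them never made it into the inventory.
EXTERNALLY_OBSERVED: Set[str] = {
    "www.example.com",
    "api.example.com",
    "vpn.example.com",
    "blog.example.com",
    "staging-api.example.com",    # forgotten test environment
    "old-marketing.example.com",  # shadow IT left over from a campaign
}

# Constructed DNS snapshot: host -> (record type, target, target still resolves?).
DNS_SNAPSHOT: Dict[str, Tuple[str, str, bool]] = {
    "www.example.com": ("A", "203.0.113.10", True),
    "api.example.com": ("A", "203.0.113.11", True),
    "vpn.example.com": ("A", "203.0.113.12", True),
    # CNAME to a third-party host that has since been deleted: a takeover candidate.
    "blog.example.com": ("CNAME", "example-blog.pages.invalid", False),
    "staging-api.example.com": ("A", "203.0.113.50", True),
    "old-marketing.example.com": ("CNAME", "campaign.hosting.invalid", True),
}


@dataclass
class GapReport:
    """What the defender cannot see from inside the wall."""
    unknown_to_defender: Set[str] = field(default_factory=set)  # outside-only assets
    dangling_cnames: Set[str] = field(default_factory=set)      # subdomain takeover risk
    newly_appeared: Set[str] = field(default_factory=set)       # since the last snapshot
    disappeared: Set[str] = field(default_factory=set)          # since the last snapshot


def find_gaps(internal: Set[str], external: Set[str],
              dns: Dict[str, Tuple[str, str, bool]],
              previous_external: Optional[Set[str]] = None) -> GapReport:
    report = GapReport()
    # Assets an attacker can find but the inventory does not list.
    report.unknown_to_defender = set(external) - set(internal)
    # CNAMEs whose target no longer resolves: the precondition for a subdomain takeover.
    for host in set(internal) | set(external):
        record = dns.get(host)
        if record is not None and record[0] == "CNAME" and not record[2]:
            report.dangling_cnames.add(host)
    # The wall moves: compare with the previous external snapshot when one exists.
    if previous_external is not None:
        report.newly_appeared = set(external) - set(previous_external)
        report.disappeared = set(previous_external) - set(external)
    return report


if __name__ == "__main__":
    # Pretend the previous run did not yet see the marketing host.
    previous = EXTERNALLY_OBSERVED - {"old-marketing.example.com"}
    report = find_gaps(INTERNAL_INVENTORY, EXTERNALLY_OBSERVED, DNS_SNAPSHOT, previous)
    print("Outside the defender's view:", sorted(report.unknown_to_defender))
    print("Dangling CNAMEs (takeover risk):", sorted(report.dangling_cnames))
    print("New since last snapshot:", sorted(report.newly_appeared))
```

The point of keeping the previous snapshot is the “moving wall” above: a one-off comparison finds today’s forgotten assets, but only a repeated diff catches the staging environment that gets spun up next week.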
It is becoming increasingly difficult to keep track of what you’re exposing online and where your organization’s weaknesses lie. Hackers have long been monitoring the web to find vulnerabilities in places where organizations aren’t looking, or don’t even know exist. They have eyes and ears where companies don’t, and that’s where Detectify comes in.
Detectify is your security camera.
Powered by a community of 400 handpicked ethical hackers, Detectify helps security defenders stay on top of web security and thrive in the digital landscape. It captures the latest active attack vectors from those hackers and scales and automates testing for them within your daily development processes. Detectify maps out your growing attack surface and runs vulnerability tests to find exploitable anomalies across it. It goes beyond the OWASP Top 10 and looks for unknown assets such as subdomains to prevent subdomain takeovers, alongside third-party software risks. With your attack surface under control, you’ll be able to make more informed security decisions and prioritize your scarce security resources. Hacking yourself is the best way to protect your attack surface. Go hack yourself!
Luke Stephens a.k.a. hakluke. Currently living on the Sunshine Coast, in Australia, I recently resigned from my role as the Manager of Training and Quality Assurance for Bugcrowd to start my own consultancy, Haksec. I do a lot of penetration testing and bug bounties and create content for hackers. Check out my YouTube channel.
More about Detectify
There is no silver bullet when it comes to protecting your external attack surface or your web applications. You need a modern security toolbox that leverages crowdsourced security to continuously monitor and scan your assets for anomalies. Automated vulnerability scanning tools like Detectify complement bug bounty programs and manual pentesting by maintaining a constant level of automated security testing. See what Detectify will find in your attack surface with a free 2-week trial.