ThreatNG Security


What is the Technical Attack Surface?

What is the Technical Attack Surface? To answer this question, we first need to understand Digital Presence and Attack Surface.

How we as individuals, organizations, products, and services appear online is our digital presence. That presence can be found on the open web, the deep web, the dark web, information repositories, archives, directories, and social networks.

In our practice, an Attack Surface consists of a Business Attack Surface and a Technical Attack Surface. The Business Attack Surface encompasses everything that is revelatory about an organization’s strategic initiatives, operations, and financials. The Technical Attack Surface (currently popularized as the External Attack Surface) refers to all publicly available data that is revelatory about an organization's IT infrastructure, services, and applications. Each of these “surfaces” (Business and Technical) provides equal value in empowering an adversary with information useful in planning, executing, and continually attacking any organization.

Unpatched vulnerabilities, coding inconsistencies, and application misconfigurations at the Technical Attack Surface present opportunities for adversaries to gain access, evade defenses, and escalate privileges within an organization, and to attack its ecosystem of partners, customers, and supply chain.

When security professionals assess an organization's Technical Attack Surface, application vulnerabilities and the mismanagement of domains, HTTP headers, certificates, and online forms are typically highlighted (and, in our opinion, should always be in scope of a continuous security sweep). We want to further highlight the following four areas of investigation that security teams most often overlook:

Search Engine Exploits and Archived Web Pages

Search Engine Exploits (ranked #4 in our OSINT Top Ten) are search queries crafted to uncover anything and everything about an organization. These queries, commonly known as "dorks," can reveal infrastructure technologies, applications, services, confidential/proprietary/sensitive data, and even IoT entities associated with your organization.

Archived Web Pages (ranked #8 in our OSINT Top Ten) are cached records of your web pages that remain available online over the lifespan of your domain. Mismanaging or turning a blind eye to this vital part of an organization's digital presence can lead to brand damage, data leaks, or even persistent/ongoing attacks against existing live assets.

Search Engine Exploits and Archived Web Pages are two of the most robust capabilities and resources available to an adversary for gaining intelligence about a target organization.

As previously covered in our open-source intelligence top ten threat arena (OSINT Top Ten) posts, adversaries can easily uncover all of the following through targeted search engine queries (Search Engine Exploits) and investigating cached records of an organization’s web pages (Archived Web Pages):

  • IoT Entities
  • Network Information
    • Revealing Error Messages
  • Servers
    • Web and Application Servers
    • Footholds into Servers
    • Server Vulnerabilities
  • Folders
    • Containing Sensitive Information
  • Files
    • Sensitive Files
    • Network, Firewall, Honeypot, and Intrusion Detection Logs
  • Email Addresses
  • Sensitive Information
    • Passwords
    • Usernames
    • Customer and Supplier Data
    • Orders and Credit Card Data
  • Application Portals and Login Pages

Cloud Resources and SaaS Applications

An organization needs knowledge and awareness of its cloud footprint in order to manage its Cloud Exposure (ranked #5 in our OSINT Top Ten). Tracking protected, open, sanctioned, unsanctioned, and look-alike cloud resources linked to the organization is crucial, and keeping stock of its SaaS resources and SaaS applications footprint is equally important.

Software as a Service (SaaS) applications come with their own slew of configuration settings, permission assignments, and integrations. An organization must know which SaaS applications it has, understand how they are used and who uses them, and determine whether they are used at all.

Lack of oversight and misconfiguration in SaaS has been (and will continue to be) the leading cause of significant cloud security incidents. Many SaaS applications, for example, facilitate information sharing between organizations and their users; these rich repositories of data are exactly what adversaries may use to gain access, escalate privileges, or pursue other attack avenues such as phishing.

Domain Information

Domain Information (ranked #1 in our OSINT Top Ten) includes all Domains, Subdomains, Certificates, and Emails (Company Names, Domains, and Emails). This area of investigation covers the most critical internet-facing assets of your organization. It is essential to inventory and monitor everything on this front to properly manage attack surfaces, online brand integrity, and service delivery, and to get ahead of any possible threats, risks, or exposures to customers and partners.

Under the umbrella of Domain Information, organizations should continuously research and test look-alike domains, also known as Domain Name Permutations, that adversaries can use to attack them.

Maintaining a list of look-alike domains or domain name permutations is a valuable source of targeted threat intelligence. It is essential in getting ahead of typosquatting, phishing attacks, fraud, and brand impersonation.
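One way to build and maintain that list, as an added example (not ThreatNG's tooling): generate the common permutation classes (character omission, adjacent transposition, homoglyph substitution, hyphen removal, TLD swap) for your own domain, then check which candidates currently resolve. The domain `example-corp.com`, the homoglyph table and the TLD list are constructed assumptions.

```python
"""Enumerate look-alike permutations of an organization's own domain and flag
the ones that currently resolve, as a feed of targeted threat intelligence."""
import socket

# Constructed: visually similar replacements an impersonator commonly uses.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn"}
# Constructed: alternative TLDs worth watching for the same label.
TLDS = ["com", "net", "org", "co"]


def split_domain(domain: str):
    """Return (label, tld) for a two-part domain such as 'example-corp.com'."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def permutations(domain: str) -> set:
    """Omission, transposition, homoglyph, hyphen-removal and TLD-swap variants."""
    label, tld = split_domain(domain)
    labels = set()
    for i in range(len(label)):                       # omission: drop one character
        labels.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                   # transposition: swap neighbours
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i, ch in enumerate(label):                    # homoglyph: one look-alike char
        if ch in HOMOGLYPHS:
            labels.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    if "-" in label:                                  # example-corp -> examplecorp
        labels.add(label.replace("-", ""))
    # Drop empty labels and labels that would start or end with a hyphen.
    variants = {f"{v}.{tld}" for v in labels if v and v[0] != "-" and v[-1] != "-"}
    variants |= {f"{label}.{t}" for t in TLDS if t != tld}   # same label, other TLD
    variants.discard(domain.lower())
    return variants


def resolves(name: str) -> bool:
    """True if the candidate currently resolves; a registered look-alike is worth tracking."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    for candidate in sorted(permutations("example-corp.com")):
        print(candidate, "RESOLVES" if resolves(candidate) else "-")
```

Re-run the script on a schedule and diff the set of resolving candidates; a newly resolving permutation is the signal to investigate for typosquatting or phishing infrastructure.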

Another tactic to be aware of is Keyword and Term Manipulation. This tactic involves harvesting and analyzing online words and terms associated with an organization. Adversaries use this information to develop attack opportunities, such as building candidate password lists to gain access and escalate privileges. Understanding how vulnerable your organization is on this front is imperative. Proactively taking an inventory of all the keywords and terms broadcast online (especially those associated with your domain and your partner organizations) can help you prepare for, or even prevent, a possible attack.
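The defensive counterpart to that inventory, as an added example (not ThreatNG's code): screen candidate passwords against the organization's own broadcast keywords, undoing the case changes, digit padding and character substitutions that would otherwise let "Ex4mple2024!" slip past a plain substring check. The keyword list and the substitution table are constructed assumptions.

```python
"""Reject passwords built from the organization's publicly known terms."""
from itertools import product
from typing import Optional

# Constructed: terms harvested from the org's own site, domain and partner names.
ORG_KEYWORDS = ["examplecorp", "example", "acme", "widget", "boston", "partnerco"]

# Constructed: characters people substitute for letters; each string lists the
# letters the character may stand for (e.g. "1" may be "l" or "i").
LEET = {"0": "o", "1": "li", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}


def expansions(password: str, limit: int = 512) -> set:
    """All plausible letter-only readings of the password, lower-cased.

    Letters are kept, substitution characters expand to each letter they may
    stand for (or are dropped), and everything else is dropped. The limit caps
    the combinatorial blow-up on long, digit-heavy passwords."""
    alternatives = []
    for ch in password.lower():
        if ch.isalpha():
            alternatives.append([ch])
        elif ch in LEET:
            alternatives.append(list(LEET[ch]) + [""])
        else:
            alternatives.append([""])
    readings = set()
    for combo in product(*alternatives):
        readings.add("".join(combo))
        if len(readings) >= limit:
            break
    return readings


def matches_org_term(password: str, keywords=ORG_KEYWORDS, min_len: int = 4) -> Optional[str]:
    """Return the organization keyword the password is built from, or None."""
    for reading in expansions(password):
        for kw in keywords:
            if len(kw) >= min_len and kw in reading:
                return kw
    return None


if __name__ == "__main__":
    for pw in ["Ex4mple2024!", "W1dg3t$", "correct horse battery"]:
        print(pw, "->", matches_org_term(pw) or "ok")
```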

The areas mentioned above provide essential reconnaissance information for an adversary seeking to gain access and escalate privileges into an organization's IT infrastructure, services, and applications. We strongly feel security teams need to continuously monitor these additional areas of investigation for their organization. Let us know your thoughts in the comments below.