Hunt the Shadows: Attack Surfaces and Entry Points!

So before I start, I would like to say thanks to the organizers to give you this opportunity and a big thanks to all of you to take your time and attending this session so everyone can hear me clearly. Is it everything is set there?

Yeah, we can hear you. We can hear you well. Okay. Okay.

Okay, perfect. So again, thanks for the organizers to give this opportunity and thanks for all of you to take in your time and attend this session. So before I start the topic, let me quickly tell you who's this guy speaking? I msla. At the moment I'm acting as executive director for the EC Council Global Services, which is a consultancy division of the EC council for both proactive and reactive cyber security practices. 20 years in the IT 16 dedicated to the information security and cyber security.

I'm a public speaker with a recording the DEFCON besides Nasscom and here No, and I'm a mentor for the bull team village and one of the contributors for the Mitre different projects. I would be more than happy to connect to you via the LinkedIn. I'm super active there. And if you'd like to learn more about cybersecurity and take the technical side of the threat hunting from the scratch, I have a series currently at my YouTube channel at nothing cyber.

So for for the next 20 minutes, I'm going to quickly discuss the challenges that we have in the cybersecurity, why we can't have a hundred percent security no matter what we do. And then we talk about the unknowns, the, those are one of the main reasons actually behind every cyber attacks these days. And then we gonna talk about how being proactive help us to address the issues in a better way. So I always start this kind of presentations with my tagline. There is no a hundred percent security.

It doesn't matter how much we are spent on the technology, how much we train our people, how much we try to work around the multi-layer defense. Still there are issue in the cybersecurity. So based on the IBM and mandate, which is one of the two biggest players, only 80% of the cyber attacks could be detected by automated solutions. So tier one and tier two still 20% remains undetected and a few of those 20% can remain in our environment for up to 280 days, which is quite enough for the hacker to do to hacker to do whatever they want.

I like the second report by Mandiant when they go and check the efficiency of the current technology, regardless of what technology they use as a AI base machine learning base or all these big data or big names, they were not that super duper effective against the sophisticated cyber attacks. So based on that report actually around 91% of the attack did not generate any alerts. So if you are wondering why this is how, this is where I'm going to discuss about three main and big challenges in the cybersecurity, why we can't have hundred percent security.

So the first one is familiar for all of you. I don't want to spend so much time on that. Is that that magic triangle, the security cost and functionality where we should always sacrifice one or two or or the behalf, behalf of the others. All of not aware of that, okay, we have to put this metric like the zero trust multilayer, but they are not that necessarily cost effective, not user friendly. So in reality we should always sacrifice one on the behalf behalf of the other. So I prefer to spend more time on the other two factor which is comes with the Swiss cheese model.

So the Swiss cheese model is exactly aligned with the multi-layered cybersecurity. So we place multilayer of the defense in the different layer of our organizations to make sure we take care of security in every aspect. But like the tiny holes in the delicious, a slice of the cheese in the Swiss cheese, if there is a very tiny issue or any mistakes in each layer, it could give a way to the hackers to walk into our digital environments. And if by chance those holes in each layer of the defense align to each other, the damage would be more severe.

So this damage cannot be easily avoided because they are in the wide variety of categories. It could be just a system failure, the human error, poor fine tuning, emerging technology hackers with no day off and many important one blind spots. This is what we are going to discuss today and this is what I call it a scope X. So in cybersecurity, almost every projects, every practice, even technical or non-technical either is AGRC or compliance or penetration testing or digital forensic threat hunting, start with something that that, that we call in a scope.

So there are a certain domain of our environment for whatever reason we think it's important and we should only limit it our test on that particular ip, that particular web application, that particular department or technology. So we put everything in the scope and we either do the in-house or we hire the third party vendors to do it for us. Whatever. For whatever reason we think is not important, we put them out of the scope. So we know they are exist but we think they may not be that important to as, which is not necessarily a a current current point of view.

We I, I have many clients here that engage us for the penetration testing and we did a ate penetration testing for them compared risk assessment, everything set, everything aligned, still they got hacked and then when they get get back to us, we explain to them that's why the first day we insist you should play around with your scope because hackers may think differently from us, whatever we think important and we put it in the scope, the hackers may use those we put out of the scope. But either in scope or out of the scope, both of them have something in common.

They are known, at least we know they are exist. At least we know I have a set of the IP set of departments set up the devices I want to test them or not, but I know they are exist. The problem become more sophisticated when we have assets in other organizations and we are not even aware of their existence. This is what we call it a scope X. All unregistered are attendant and unknown assets in our environment. I'm not only talking about shadow it, shadow, IT is just a part of what we call a scope X. Actually S opex is more holistic.

It could be any issue in your process, it could be any issue in your people. So let me give you a very challenging example of when we migrate to the cloud, the SLA. So when we move to the cloud, we only think about operations.

So yeah, operation wise it's a big help Reduce the cost, no operation burden on us until the incident happened. When the incident happened. When we go and negotiate with the service provider to give us access to the certain amount of the data or certain type of the digital evidences to do the root cause analysis, then the opex issue will bring up. So based on the SLA, you don't pay for that log based on the SLA, you don't pay to have access to that set of informations. So in summary, the unknowns are the main root cause of many issues these days.

This is what I call it, the dark side of the moon and the dangerous of the unknowns. So everything starts with the digital transformation, which is a very good movement. AC actually I don't want to talk about the the benefits. Everyone know efficiency and productivity, flexibility, customer engagement of course more communication and collaboration especially these days with the culture of the remote working. But the problem is that during the pandemic, I don't want to talk about a classic way of the whole, the pandemic affects cybersecurity.

No, I just want to highlight the fact that during the pandemic digital transformation was a matter of survival, not something that we add on on other business. We have to go digital to survive. That's why the things is rapidly accelerated in the very, I mean crazy way. So based on the McKenzie report that I have read a few I think last year, so something that's supposed to be digitalized in like seven years in the global and 10 years in the SE Pacific just done within a year. So this is truly called rapid development, rapid digital transformation. So every rapid growth could bring some risk.

So rapid DevOps and unattended issue, lack of readiness, lack of visibility and many important one new attack surfaces. So when things happen super fast, we actually expand our attack surfaces. We don't a proper evaluation of the risk with the proper evaluation and identification of the attack vectors. So no wonder the back road release a report at 2021 40% is average amount of the unknown attack surfaces per organizations. So in our organization, 40% of attack attack surface, they are unknown. So one out of three attacks conducted against unknown on unauthorized assets.

So these are because we rapidly move to the the, to the digital environment we the properties. So let me give you a very simple example yet challenging and to be surprised the larger and the oldest is a company, this is the biggest challenge. So my question to the audience, you no need to answer, no, just find, answer yourself. How many sub-domains do you have in your digital wonderland at the moment? So I ask many people here face-to-face and almost everyone said we are not sure.

So subdomains is one of the most mysterious example of a scope X unknown and a preferred attack surface for the attackers. Because we have a hundred and thousand subdomains for the main domain, they are not necessarily well maintained. They are not inheritant, the security controls, the parent security controls and they are not even under our monitoring. So in many cases I can guarantee you just after this session tonight or tomorrow, just use any available tools to the sound domains in your organizations.

And then you hear how many supplements you can see with the staging, with the dev, with the test. These are the things that technically our development bring it up, activate a service behind them to check some things and they forgot to deactivate it, not on their radar, not known a perfect entry point for cyber criminals. So this is one of the best example of the the unknown attack surface and and COP X. So what to do, let's discover them before the attacker discover and use it against us. Be proactive. I'm actually a big fan and, and and advocator of the proactive cybersecurity.

So reactive cybersecurity is an integral part of every strategy beyond question. So we set up our technology, we keep monitoring and in case something happen we go and add and address that. But this is what I call it a popcorn security. We can have just technology on the place and enjoy our popcorn and wait until something happened. The damage will be higher if we just rely on the technology and do not go and proactively check the security issues and try to address them.

So when it comes to the attack surface management, discovering these assets help us to better understand our environment, identify the unknowns as much as possible and that may help us effectively to reduce our attack surface. We have two simple approach in, in a combination they work better. One is active, one is a passive. There are plenty of even free and open source scanners out there that can help us to periodically monitor the internal view and the external.

So we do internal scanning to see what we can see and definitely we need the external scanning to look at other environment from the eyes of the adversaries to see okay this is what the hackers may see from the old side. So in the active scanning we can just use any scanner to look for the assets that are still active and they are some who related to our organization or we can do it the passive video direct interaction by just collecting the logs and then network traffic and then try to identify the assets from that. Definitely the threat, intelligent and dark web monitoring.

Add more insight and context in this in this process because initially back to those days when we talk about attack surface, we mainly focus on only servers like web applications, APIs, IP addresses. But nowadays in the era of the technology era of the data, we can't just limit our attack surface only or those digital IT assets. Just like hackers. Hackers never never limit the scope to the specific, the threat, sorry, their attacks to the specific scope. Never. So as a threat hunter, as a cybersecurity defender we should do the same. We should not limit our scope to just limited technology.

So when we, when it comes to the attack surface management in the modern day we talk about the the digital attack surfaces like those that we just give a i I just gave an example like the IP addresses, like a web application, anything digital, anything that operate in other environment use the language of the zero and one and process the data or keep the data. It could be a physical attack surface that giveaway for the attackers to walk into our building. And the main important one, human attackers attack surface.

I'm not only talk about a phishing or social engineering, the amount of the information that the human left in the live in the internet intentionally or unintentionally. This should be part of our monitoring for attack surface because every a small piece of information can give away to the attackers to walk into the system. So maybe want to talk about how to manage the attack surface in the very compact version. It needs a continuous discovery because technology evolving day by day. Some settings works today a zero day attack come and other settings may be required.

So this is not a one day job so we should start having the inventory of our assets I know is not easy. But the logic is that as much as possible, as much as we can, maybe at the beginning we are in, we are not in the point of hundred but as still better do not stay in the 0.0. So being somewhere in better than do nothing definitely for each asset we need a risk assessment and prioritize the asset to understand which one is more important. We should comfy with some mitigation and remediation that help to reduce the attack surface, give less entry point to the attackers.

And of course all of this need continuous monitoring. But one thing that I would like to highlight here in the attack surface management, in the risk assessment and especially in the proactive threat hunting, we are mainly focusing on high value assets. I highly recommend beside the high value assets, we consider the high risk users as well. So everyone know behind or beside every high value asset, there is a user who has access to that assets or work with the data on that assets.

So adversaries is not necessarily only attacking technology, especially these days, technology is major enough back to days in the earlier version of the operating system, it just a matter of the few click with the some tools that we download from nowhere and we may able to get access. Nowadays things are a little bit mature in term of the os. That's why a lot of attackers move toward the technology to the process and to the people.

So when we want to go for the attack surface management, threat hunting and risk assessment, beside the high value assets, we should focus on the high risk users because those are the very effective entry point for the attackers as well. So the main question now is that okay, consider we do all of these things.

No, we know our assets, we know the attack surfaces and we find a bunch of the entry points. What would be next? So the main things that we should do, identify known vulnerabilities, known issue, and known gaps within those attack surfaces. So when it comes to the particular vulnerability, the CVSS, I'm pretty sure you are familiar with the common vulnerability scoring system. So I suggest to consider a new metric just recently introduced the EPSS exploit prediction and scoring system.

So the CVSS tell us how server is the vulnerability and EPSS explain how is possible for that particular vulnerability to get exploit in the real world and real practices. So when we deal with the new vulnerabilities, sorry, with the non vulnerabilities are gaps, at least we can deal with something that known and we save time to deal with the unknowns. But when it comes to the attack surface management only, vulnerability management alone is not enough because sophisticated attack is a combination of the few vulnerabilities, few issues, few security gaps.

That's why we should go one step ahead and focus on the attack vectors. So the attack vectors is a technique than the attacker used to walk into our systems and for that particular attack vectors it may be a different entry point in our holistic attack surface. So it's more, it's so important not only focus on the vulnerability and issues because normally traditionally we just said okay, let me discover the assets, find the attack surface. I do the patch management and vulnerability management. Done I'm safe.

No, nowadays attacks are more sophisticated than that. We should go in depth for the attack vectors and and TTPs. So miter framework for example, is one of the one of the best and the first thing that we could start with to understand what is going on. So apart from knowledge about vulnerabilities, attack vectors and TTPs, we still should think like a hacker. So a simple and high level thread modeling will be a big help in this case. For example, talking about a server, I have a sensitive server somewhere connected to my network, it was unknown.

I just discover it and know it's part of my radar. So I want to analyze the the, the case of the unauthorized access. What is the potential way that the attackers can access to that particular server? So the the simple attack three can easily help us. It could be for example, the remote access could be physical access via the VIC passport explode actually in the reality it's more advanced than what I showcase as a example here. So this is give us a better idea.

Okay, I have this entry point but I have this vulnerability there. So the known one I deal with or remediated. But is there any other ways that the attacker could misuse any issue in different layer of my attack surface and walk into to have more holistic view about that? So considering know we identify everything, we do the risk assessment, we deal with the all known things in our system. What would be next? I highly suggest a proactive threat hunt. So this is where we can handle those 20% of the attackers that can remain undetected and stay in our environment for a longer time.

And the longer they stay, the more severe that the damage they can cause. So in this approach we always assume the breach means okay it regardless of what we did so far makes the breach maybe happen. Yes. I'm sorry to interrupt you. I think we are running out of time a little bit so maybe we could, Yeah, this is my last slide actually Quickly and I suggest you show us, give us your contact information so if anyone has any Sure questions they could reach you directly. Thank you very much.

Okay, sure. So just the last message for this section, automate what you know, spending and finding what you don't know. So here is my contact information. So you can just find me via my name in the LinkedIn or just connect me via the YouTube. Nothing cyber. Hope you enjoy the talk.