Recall that a vulnerability is a weakness in a system or its design that could be exploited by a threat. An attack surface is the sum of all the vulnerabilities in a given system that are reachable by an attacker. The attack surface can consist of open ports on servers or hosts, software that runs on internet-facing servers, wireless network protocols, and even users. This article talks about the attack surface in network security.
The attack surface is continuing to expand, as shown in the figure. More devices are connecting to networks through the Internet of Things (IoT) and Bring Your Own Device (BYOD). Much network traffic now flows between devices and some location in the cloud. Mobile device use continues to increase. All of these trends contribute to a prediction that global IP traffic will nearly triple over the next five years.
The SANS Institute describes three components of the attack surface:
- Network Attack Surface – The attack exploits vulnerabilities in networks. This can include conventional wired and wireless network protocols, as well as other wireless protocols used by smartphones or IoT devices. Network attacks also exploit vulnerabilities at the network and transport layers.
- Software Attack Surface – The attack is delivered through the exploitation of vulnerabilities in web, cloud, or host-based software applications.
- Human Attack Surface – The attack exploits weaknesses in user behaviour. Such attacks include social engineering, malicious behaviour by trusted insiders, and user error.
The figure shows a circled building with textboxes around it, each with an arrow pointing toward the building. The textboxes read: IoT – connected devices projected to double to 30 billion by 2020. Cloud – by 2020, 92% of data centre workloads will be processed by cloud data centres. Mobility – 20% of total IP traffic will be from mobile devices by 2021. Global operations – global IP traffic will increase nearly threefold over the next five years. BYOD – Gartner predicts that 70% of professionals will conduct work on their own smart devices by 2018.
An Expanding Attack Surface
Application Blacklisting and Whitelisting
One way of decreasing the attack surface is to control which applications are permitted to run by maintaining lists of prohibited applications. This is known as blacklisting.
Application blacklists dictate which user applications are not permitted to run on a computer. Similarly, whitelists specify which programs are allowed to run, as shown in the figure; anything not on the list is blocked. In this way, applications with known vulnerabilities can be kept off network hosts, where they could otherwise be exploited.
Whitelists are created in accordance with a security baseline that has been established by the organization. The baseline defines the accepted level of risk and the environmental components that contribute to that level of risk. Software that is not on the whitelist can violate the established security baseline by increasing risk.
The figure shows a PC with two clouds below it, labelled "whitelist apps" and "blacklist apps". An arrow from the whitelist cloud points to the PC with the label "allow only"; an arrow from the blacklist cloud points to the PC with the label "prevent only".
Application Blacklisting and Whitelisting
The figure shows the Windows Local Group Policy Editor blacklisting and whitelisting settings.
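The "allow only" and "prevent only" semantics in the figure are easiest to see side by side. The following Python script is an added example, not code from the original article or from any Cisco or Windows product: it implements both policies as SHA-256 hash checks against a constructed baseline (the file names, file contents and the hash sets are made up for the example) and runs the same set of files through each. Note how an executable that was never seen before, or an approved executable that has been modified by a single byte, is blocked under the whitelist but slips past the blacklist; that asymmetry is why whitelisting is the stronger way to shrink the software attack surface, and also why a hash-based whitelist must be refreshed every time approved software is updated.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ApplicationControl:
    """Hash-based application control with the two policies from the figure.

    whitelist: "allow only"  - default deny, only listed hashes may run.
    blacklist: "prevent only" - default allow, only listed hashes are blocked.
    """

    def __init__(self, mode, allowed=(), denied=()):
        if mode not in ("whitelist", "blacklist"):
            raise ValueError("mode must be 'whitelist' or 'blacklist'")
        self.mode = mode
        self.allowed = set(allowed)
        self.denied = set(denied)

    def decide(self, digest):
        if self.mode == "whitelist":
            return "allow" if digest in self.allowed else "deny"
        return "deny" if digest in self.denied else "allow"

    def decide_file(self, path):
        return self.decide(sha256_of_file(path))


def demo():
    """Build a constructed baseline and run the same files through both policies."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-ins for executables; the contents are arbitrary bytes,
        # not real programs. "approved_tampered" differs from "approved" by a few bytes.
        files = {
            "approved":          b"MZ approved-tool v1.0",
            "forbidden":         b"MZ known-bad-tool",
            "unknown":           b"MZ never-seen-before",
            "approved_tampered": b"MZ approved-tool v1.0 + extra bytes",
        }
        paths = {}
        for name, content in files.items():
            paths[name] = os.path.join(d, name + ".exe")
            with open(paths[name], "wb") as f:
                f.write(content)

        # The security baseline: one approved hash, one known-bad hash (constructed).
        baseline_allow = {sha256_of_file(paths["approved"])}
        baseline_deny = {sha256_of_file(paths["forbidden"])}
        policies = {
            "whitelist": ApplicationControl("whitelist", allowed=baseline_allow),
            "blacklist": ApplicationControl("blacklist", denied=baseline_deny),
        }
        return {mode: {name: pol.decide_file(p) for name, p in paths.items()}
                for mode, pol in policies.items()}


if __name__ == "__main__":
    for mode, decisions in demo().items():
        print(mode, decisions)
```

Running it shows the whitelist denying "unknown" and "approved_tampered" while the blacklist allows both; only "forbidden" is stopped by the blacklist. A production whitelist would normally key on a code-signing certificate or publisher rather than a raw hash so that routine updates do not break the baseline, but the default-deny logic is the same.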
Websites can also be whitelisted and blacklisted. Such blacklists can be created manually or obtained from security services, which update them continuously and distribute them to the firewalls and other security systems that consume them. Cisco's Firepower security management system, for example, can access the Cisco Talos security intelligence service to obtain blacklists, which can then be distributed to security devices within an enterprise network.
Search the internet for The Spamhaus Project, which is an example of a free blacklist service.
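To show what a security device does with a distributed blacklist, here is an added Python example (not code from the article, from Spamhaus or from Cisco). It parses a feed in the plain-text layout the Spamhaus DROP list uses, one CIDR prefix per line followed by a semicolon and an SBL reference, builds an in-memory blocklist that can be refreshed when a newer copy of the feed arrives, and applies it to a set of connections. The feed contents are constructed: the prefixes are the RFC 5737 and RFC 3849 documentation ranges and the SBL numbers are made up, so nothing here reflects the real list.

```python
import ipaddress

# Constructed sample in the text layout of the Spamhaus DROP list: one CIDR per
# line followed by " ; " and an SBL reference; a line starting with ';' is a comment.
# The prefixes are documentation ranges and the SBL numbers are invented.
SAMPLE_DROP_FEED = """\
; Spamhaus DROP List (constructed sample, not a real download)
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
2001:db8:bad::/48 ; SBL000003
not-an-address ; SBL000004
"""


def parse_drop_feed(text):
    """Return the ip_network objects in a DROP-style feed, skipping bad lines."""
    networks = []
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].strip()   # drop the comment / SBL reference
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # One malformed entry must not cause the whole feed to be rejected,
            # or a single bad line in an update would leave the device unprotected.
            continue
    return networks


class IPBlocklist:
    """Blocklist that can be refreshed in place as the feed is re-downloaded."""

    def __init__(self, networks=()):
        self.refresh(networks)

    def refresh(self, networks):
        # Keep the two address families apart so each lookup only walks
        # networks that could actually contain the address.
        self.v4 = [n for n in networks if n.version == 4]
        self.v6 = [n for n in networks if n.version == 6]

    def match(self, ip):
        """Return the listed network containing ip, or None if it is not listed."""
        addr = ipaddress.ip_address(ip)
        for net in (self.v4 if addr.version == 4 else self.v6):
            if addr in net:
                return net
        return None


def filter_connections(blocklist, connections):
    """connections: (src, dst) pairs. Returns (src, dst, action, matched_prefix)."""
    results = []
    for src, dst in connections:
        hit = blocklist.match(dst) or blocklist.match(src)
        if hit:
            results.append((src, dst, "drop", str(hit)))
        else:
            results.append((src, dst, "pass", ""))
    return results


if __name__ == "__main__":
    blocklist = IPBlocklist(parse_drop_feed(SAMPLE_DROP_FEED))
    # Constructed connection attempts from internal hosts.
    sample = [("10.0.0.5", "192.0.2.77"),
              ("10.0.0.6", "198.51.100.200"),
              ("10.0.0.7", "2001:db8:bad::1")]
    for row in filter_connections(blocklist, sample):
        print(row)
```

The second connection passes because 198.51.100.0/25 only covers .0 to .127; prefix-based feeds are exact, so off-by-one reading of the mask is a common cause of both false blocks and missed blocks. The feed above is small enough for a linear scan; a firewall that holds tens of thousands of prefixes would use a radix tree or longest-prefix-match structure, which is exactly what the security services do before pushing the list to devices.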
Sandboxing is a technique that allows suspicious files to be executed and analyzed in a safe environment. Automated malware analysis sandboxes offer tools that analyze malware behaviour. These tools observe the effects of running unknown malware so that features of malware behaviour can be determined and then used to create defences against it.
As mentioned previously, polymorphic malware changes frequently and new malware appears regularly. Malware will enter the network despite the most robust perimeter and host-based security systems. HIDS and other detection systems can create alerts on suspected malware that may have entered the network and executed on a host.
Systems such as Cisco AMP can track the trajectory of a file through the network and can "roll back" network events to obtain a copy of the downloaded file. This file can then be executed in a sandbox, such as Cisco Threat Grid Glovebox, and the activities of the file documented by the system. This information can then be used to create signatures that prevent the file from entering the network again. The information can also be used to create detection rules and automated playbooks that identify other systems that have already been infected.
Cuckoo Sandbox is a popular free malware analysis system sandbox. It can be run locally and have malware samples submitted to it for analysis. A number of other online public sandboxes exist. These services allow malware samples to be uploaded for analysis. Some of these services are VirusTotal, Joe Sandbox, and CrowdStrike Falcon Sandbox.
An interesting online tool is ANY.RUN, which is shown in the figure. It offers the ability to upload a malware sample for analysis like any online sandbox. However, it also offers very rich interactive reporting that is full of details regarding the malware sample.
ANY.RUN runs the malware and captures a series of screenshots of the malware if it has interactive elements that display on the sandbox computer screen. You can view public samples that have been submitted by ANY.RUN users to investigate information about newly discovered malware or malware that is currently circulating on the internet. Reports include network and internet activity of the malware, including HTTP requests and DNS queries. Files that are executed as part of the malware process are shown and rated for threat.
Details are available for the files including multiple hash values, hexadecimal and ASCII views of the file contents, and the system changes made by the files. In addition, identifying indicators of compromise, such as the malware file hashes, DNS requests, and the IP connections that are made by the malware are also shown. Finally, the tactics taken by the malware are mapped to the MITRE ATT&CK Matrix with each tactic linked to details on the MITRE website.
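The last step in the workflow above, turning a sandbox report into indicators of compromise and then using them to find other infected hosts, is worth seeing in code. The following Python script is an added example and is not code from the article, from ANY.RUN, Cuckoo or Cisco. The report structure is a simplified, hypothetical layout of the fields the article lists (hashes, DNS queries, IP connections, dropped files, ATT&CK techniques), not any product's real schema, and the hashes, domains, addresses and log lines are all constructed. It extracts IOCs while excluding shared infrastructure an analyst has marked benign, emits one Snort-style rule per command-and-control address, and hunts through key=value log lines from other hosts to list which of them show the same indicators.

```python
import hashlib
import json
import re
from collections import defaultdict


def _fake_sha256(label):
    """Constructed, clearly non-real hashes for the example."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed sandbox report (hypothetical field layout, not a real product schema).
SANDBOX_REPORT = json.dumps({
    "sample": {"name": "invoice.exe", "sha256": _fake_sha256("sample")},
    "dns_queries": ["update.example-cdn.invalid", "time.windows.com"],
    "connections": [{"ip": "203.0.113.7", "port": 443},
                    {"ip": "8.8.8.8", "port": 53}],
    "dropped_files": [{"name": "svchost32.exe", "sha256": _fake_sha256("dropper")}],
    "mitre_attack": ["T1059.003", "T1071.001"],
})

# Analyst-maintained exclusions so shared infrastructure does not become an IOC.
BENIGN_DOMAINS = {"time.windows.com"}
BENIGN_IPS = {"8.8.8.8"}


def extract_iocs(report_json, benign_domains=BENIGN_DOMAINS, benign_ips=BENIGN_IPS):
    """Pull hashes, domains and IPs out of the report, minus known-benign entries."""
    r = json.loads(report_json)
    return {
        "sha256": {r["sample"]["sha256"]} | {f["sha256"] for f in r["dropped_files"]},
        "domain": set(r["dns_queries"]) - benign_domains,
        "ip": {c["ip"] for c in r["connections"]} - benign_ips,
    }


def snort_rules(iocs, base_sid=1000001):
    """Emit one Snort-style alert rule per C2 address; sids start at base_sid."""
    rules = []
    for i, ip in enumerate(sorted(iocs["ip"])):
        rules.append(f'alert tcp $HOME_NET any -> {ip} any '
                     f'(msg:"Sandbox IOC: connection to {ip}"; sid:{base_sid + i}; rev:1;)')
    return rules


_KV = re.compile(r"(\w+)=(\S+)")


def hunt(iocs, log_text):
    """Scan key=value log lines; return {host: set of matched IOC strings}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(_KV.findall(line))
        host = fields.get("host")
        if not host:
            continue
        dst_ip = fields.get("dst", "").split(":")[0]   # strip the port
        if dst_ip in iocs["ip"]:
            hits[host].add("ip:" + dst_ip)
        if fields.get("query") in iocs["domain"]:
            hits[host].add("domain:" + fields["query"])
        if fields.get("sha256") in iocs["sha256"]:
            hits[host].add("sha256:" + fields["sha256"][:12])
    return dict(hits)


# Constructed DNS, proxy and endpoint log lines from other hosts on the network.
LOGS = f"""\
2024-05-01T09:59:58Z log=dns host=ws-017 query=update.example-cdn.invalid
2024-05-01T10:00:01Z log=proxy host=ws-017 dst=203.0.113.7:443
2024-05-01T10:00:05Z log=proxy host=ws-042 dst=93.184.216.34:443
2024-05-01T10:00:09Z log=dns host=ws-042 query=time.windows.com
2024-05-01T10:01:10Z log=dns host=ws-103 query=update.example-cdn.invalid
2024-05-01T10:02:30Z log=edr host=ws-088 file=svchost32.exe sha256={_fake_sha256("dropper")}
"""

if __name__ == "__main__":
    iocs = extract_iocs(SANDBOX_REPORT)
    for rule in snort_rules(iocs):
        print(rule)
    for host, matched in sorted(hunt(iocs, LOGS).items()):
        print(host, sorted(matched))
```

ws-042 is not reported even though it resolved time.windows.com, because that domain was excluded before the hunt; without such exclusions every host on the network would match and the "automated play" would be useless. ws-088 never contacted the command-and-control address but carries the dropped file's hash, which is the kind of second-stage infection a network-only signature would miss and the reason hash IOCs from the sandbox report are fed to host-based detection as well.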
I know you might agree with some of the points that I have raised in this article, and you might not agree with some of the issues raised. Let me know your views about the topic discussed. We would appreciate it if you could drop a comment. Thanks in anticipation.