Enumerating Enterprise Attack Surface
2 likes874 views
The document outlines the importance of understanding and enumerating an organization's software attack surface to effectively manage security vulnerabilities. It emphasizes the need for a software security program that encompasses people, processes, and tools, while also addressing challenges such as resource allocation and organizational resistance. The strategy involves identifying, categorizing, and continuously monitoring applications based on their significance to prioritize security efforts.
![© 2019 Denim Group – All Rights Reserved
[Translation]
Find out what applications you
have in your organization
Decide the relative importance of
applications and treat them
differently based on this
6](https://image.slidesharecdn.com/enumeratingenterpriseattacksurfacev3houseccon-190410211821/85/Enumerating-Enterprise-Attack-Surface-7-320.jpg)
![© 2019 Denim Group – All Rights Reserved
[Translation]
Find out what applications you
have in your organization
Decide the relative importance of
applications and treat them
differently based on this
42](https://image.slidesharecdn.com/enumeratingenterpriseattacksurfacev3houseccon-190410211821/85/Enumerating-Enterprise-Attack-Surface-43-320.jpg)
Enumerating Enterprise Attack Surface
- 1. © 2019 Denim Group – All Rights Reserved Building a world where technology is trusted. Enumerating Enterprise Attack Surface Dan Cornell | CTO
- 2. © 2019 Denim Group – All Rights Reserved Dan Cornell • Founder and CTO of Denim Group • Software developer by background • OWASP San Antonio co-leader • 20 years experience in software architecture, development, and security
- 3. © 2019 Denim Group – All Rights Reserved 2 Advisory Services Assessment Services Remediation Services Vulnerability Resolution Platform Building a world where technology is trusted How we can help: Denim Group is solely focused on helping build resilient software that will withstand attacks. • Since 2001, helping secure software • Development background • Tools + services model
- 4. © 2019 Denim Group – All Rights Reserved So You Want To Roll Out a Software Security Program? • Great! • What a software security program ISN’T • Question: “What are you doing to address software security concerns?” • Answer: “We bought scanner XYZ” • What a software security program IS • People, process, tools (naturally) • Set of activities intended to repeatedly produce appropriately-secure software 3
- 5. © 2019 Denim Group – All Rights Reserved Challenges Rolling Out Software Security Programs • Resources • Raw budget and cost issues • Level of effort issues • Resistance: requires organizational change • Apparently people hate this • Open source tools • Can help with raw budget issues • May exacerbate problems with level of effort • View the rollout as a multi-stage process • Not one magical effort • Use short-term successes and gains to fuel further change 4
- 6. © 2019 Denim Group – All Rights Reserved 5 You can’t defend unknown attack surface If everything is important then nothing is important
- 7. © 2019 Denim Group – All Rights Reserved [Translation] Find out what applications you have in your organization Decide the relative importance of applications and treat them differently based on this 6
- 8. © 2019 Denim Group – All Rights Reserved What Is Your Software Attack Surface? 7 Software You Currently Know About Why? • Lots of value flows through it • Auditors hassle you about it • Formal SLAs with customers mention it • Bad guys found it and caused an incident (oops) What? • Critical legacy systems • Notable web applications
- 9. © 2019 Denim Group – All Rights Reserved What Is Your Software Attack Surface? 8 Add In the Rest of the Web Applications You Actually Develop and Maintain Why Did You Miss Them? • Forgot it was there • Line of business procured through non- standard channels • Picked it up through a merger / acquisition What? • Line of business applications • Event-specific applications
- 10. © 2019 Denim Group – All Rights Reserved What Is Your Software Attack Surface? 9 Add In the Software You Bought from Somewhere Why Did You Miss Them? • Most scanner only really work on web applications so no vendors pester you about your non-web applications • Assume the application vendor is handling security What? • More line of business applications • Support applications • Infrastructure applications
- 11. © 2019 Denim Group – All Rights Reserved What Is Your Software Attack Surface? 10 MOBILE! THE CLOUD! Why Did You Miss Them? • Any jerk with a credit card and the ability to submit an expense report is now runs their own private procurement office What? • Support for line of business functions • Marketing and promotion
- 12. © 2019 Denim Group – All Rights Reserved Attack Surface: The Security Officer’s Journey • Two Dimensions: • Perception of Software Attack Surface • Insight into Exposed Assets 11 Perception Insight
- 13. © 2019 Denim Group – All Rights Reserved Attack Surface: The Security Officer’s Journey • As perception of the problem of attack surface widens the scope of the problem increases 12 Perception Insight Web Applications
- 14. © 2019 Denim Group – All Rights Reserved Attack Surface: The Security Officer’s Journey • As perception of the problem of attack surface widens the scope of the problem increases 13 Perception Insight Web Applications Client-Server Applications
- 15. © 2019 Denim Group – All Rights Reserved Attack Surface: The Security Officer’s Journey • As perception of the problem of attack surface widens the scope of the problem increases 14 Perception Insight Web Applications Client-Server Applications Desktop Applications
- 16. © 2019 Denim Group – All Rights Reserved Attack Surface: The Security Officer’s Journey • As perception of the problem of attack surface widens the scope of the problem increases 15 Perception Insight Web Applications Client-Server Applications Desktop Applications Cloud Applications and Services
- 17. © 2019 Denim Group – All Rights Reserved Attack Surface: The Security Officer’s Journey • As perception of the problem of attack surface widens the scope of the problem increases 16 Perception Insight Web Applications Client-Server Applications Desktop Applications Cloud Applications and Services Mobile Applications
- 18. © 2019 Denim Group – All Rights Reserved Attack Surface: The Security Officer’s Journey • Discovery activities increase insight 17 Perception Insight Web Applications
- 19. © 2019 Denim Group – All Rights Reserved Attack Surface: The Security Officer’s Journey • Discovery activities increase insight 18 Perception Insight Web Applications
- 20. © 2019 Denim Group – All Rights Reserved Attack Surface: The Security Officer’s Journey • Discovery activities increase insight 19 Perception Insight Web Applications
- 21. © 2019 Denim Group – All Rights Reserved Attack Surface: The Security Officer’s Journey • Over time you end up with a progression 20 Perception Insight Web Applications
- 22. © 2019 Denim Group – All Rights Reserved Attack Surface: The Security Officer’s Journey • Over time you end up with a progression 21 Perception Insight Web Applications Client-Server Applications
- 23. © 2019 Denim Group – All Rights Reserved Desktop Applications Client-Server Applications Attack Surface: The Security Officer’s Journey • Over time you end up with a progression 22 Perception Insight Web Applications
- 24. © 2019 Denim Group – All Rights Reserved Desktop Applications Client-Server Applications Attack Surface: The Security Officer’s Journey • Over time you end up with a progression 23 Perception Insight Web Applications Cloud Applications and Services
- 25. © 2019 Denim Group – All Rights Reserved Desktop Applications Client-Server Applications Attack Surface: The Security Officer’s Journey • Over time you end up with a progression 24 Perception Insight Web Applications Cloud Applications and Services Mobile Applications
- 26. © 2019 Denim Group – All Rights Reserved Attack Surface: The Security Officer’s Journey • When you reach this point it is called “enlightenment” • You won’t reach this point 25 Perception Insight Web Applications Client-Server Applications Desktop Applications Cloud Applications and Services Mobile Applications
- 27. © 2019 Denim Group – All Rights Reserved First Decision • What is considered to be in scope? • Depends on how you want to manage vulnerabilities and manage risk 26
- 28. © 2019 Denim Group – All Rights Reserved Process • Identify Application “Homes” • Enumerate Applications • Collect Metadata • Repeat as Needed 27
- 29. © 2019 Denim Group – All Rights Reserved So Where Are These Applications? • Your Datacenters • 3rd Party Datacenters • Cloud Providers 28
- 30. © 2019 Denim Group – All Rights Reserved Enumerating Applications • Technical • Network inspection • DNS and other registry inspection • Non-technical • Interviews • Other research 29
- 31. © 2019 Denim Group – All Rights Reserved IP Range Detection • IPOsint: https://github.com/j3ssie/IPOsint • ip-osint.py –t CompanyName • Data sources: • Whois • Ripe • Arin • Hurricane • Censys • securitytrails 30
- 32. © 2019 Denim Group – All Rights Reserved Network Inspection • nmap: https://nmap.org/ • Look for common web server ports: • 80, 443, 8000, 8008, 8080, 8443 • Others depending on your environment • nmap -sS -p 80,443,8000,8008,8080,8443 x.y.z.0/24 • Great for dense environments you control • Largely datacenters https://www.denimgroup.com/resources/blog/2016/03/threadfix-in-action-discovering-your-organizations-software-attack-surface-web-app-edition/ 31
- 33. © 2019 Denim Group – All Rights Reserved DNS Inspection • SubFinder: https://github.com/subfinder/subfinder • docker run -it subfinder -d target.org • Can get even more data with service-specific API keys • OWASP Amass: https://github.com/OWASP/Amass • sudo docker run amass --passive -d target.org 32
- 34. © 2019 Denim Group – All Rights Reserved Mobile Application Identification • Scumbler: https://github.com/Netflix-Skunkworks/Scumblr • Purpose of tool evolved over time • Not currently maintained – looking for maintainers 33
- 35. © 2019 Denim Group – All Rights Reserved Interviews • Line-of-business representatives • Will need to translate their definition of “application” to your definition • Think in terms of business processes and these can map to multiple applications and microservices • Tech leads • More familiar with the deployed infrastructure and other assets 34
- 36. © 2019 Denim Group – All Rights Reserved Other Research • Disaster recover plans • Accounting • Find cloud providers 35
- 37. © 2019 Denim Group – All Rights Reserved What is an ”Application” • What assets do we have? • IP addresses • Host names • Mobile apps • Business view of “applications” • Challenge: Create a consolidated view • Challenge: Correlate applications and the supporting infrastructure 36
- 38. © 2019 Denim Group – All Rights Reserved Collect Metadata • Technical: Language, Scale • Architectural: Web, Mobile • Exposure: Public, Partner, Internal • Regulatory: PCI, HIPAA, GDPR 37
- 39. © 2019 Denim Group – All Rights Reserved Value and Risk Are Not Equally Distributed • Some Applications Matter More Than Others • Value and character of data being managed • Value of the transactions being processed • Cost of downtime and breaches • Therefore All Applications Should Not Be Treated the Same • Allocate different levels of resources to assurance • Select different assurance activities • Also must often address compliance and regulatory requirements 38
- 40. © 2019 Denim Group – All Rights Reserved Do Not Treat All Applications the Same • Allocate Different Levels of Resources to Assurance • Select Different Assurance Activities • Also Must Often Address Compliance and Regulatory Requirements 39
- 41. © 2019 Denim Group – All Rights Reserved Rinse and Repeat • This list will change over time • Metadata will change • This is especially true in a world of microservices 40
- 42. © 2019 Denim Group – All Rights Reserved 41 You can’t defend unknown attack surface If everything is important then nothing is important
- 43. © 2019 Denim Group – All Rights Reserved [Translation] Find out what applications you have in your organization Decide the relative importance of applications and treat them differently based on this 42
- 44. © 2019 Denim Group – All Rights Reserved Questions 43
- 45. © 2019 Denim Group – All Rights Reserved Building a world where technology is trusted. @denimgroup www.denimgroup.com 44 [email protected]