AoC 2022 Day 22: Attack Surface

Attack Vectors

An attack vector is a tool, technique, or method used to attack a computer system or network. If we map attack vectors to the physical world, they would be the weapons an adversary uses, like swords, arrows, hammers, etc. A non-exhaustive list of examples of attack vectors in cybersecurity includes the following:

  • Phishing emails: deceptive emails, often impersonating someone, that ask the victim to perform an action that compromises their security.
  • Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks: sending so many requests to a website or web application that it reaches its limits and can no longer serve legitimate requests.
  • Web drive-by attacks: flaws in web browsers that compromise the security of the victim merely by their visiting a website.
  • Unpatched vulnerability exploitation: a flaw in the internet-facing infrastructure, such as the web server or the network interface, that is exploited to take control of the infrastructure.

Attack Surface

The attack surface is the surface area of the victim that an attack vector can reach and damage. Continuing our example from the physical world, the attack surface would include the unarmoured body of a soldier, which a blow from a sword, an arrow, or a hammer can damage. In cybersecurity, the attack surface will generally contain the following:

  • An email server that is used for sending and receiving emails.
  • An internet-facing web server that serves a website to visitors.
  • End-user machines that people use to connect to the network.
  • Humans, who can be manipulated and tricked into giving an attacker control of the network through social engineering.

Attack Surface Reduction

As we might notice, the attack surface cannot be eliminated short of running away from the battlefield. It can only be reduced. However, armour reduces the attack surface only against the weapons of its time; it does nothing to reduce the attack surface against modern weapons.

In cybersecurity, the most secure computer is the one that is shut down and its cables removed. However, that is not feasible for running critical operations dependent on computers. Therefore, cybersecurity leaders aim to keep the operations running with the lowest possible attack surface. We can consider the goal as creating the digital equivalent of the Greek Phalanx.

Examples of Attack Surface Reduction

Close the ranks:
Santa’s website was defaced earlier. When investigating that attack, McSkidy found that an SSH port was open on the server hosting the website. This led to the attacker using that open port to gain entry. McSkidy closed this port.

Put up the shields:
Although the open SSH port was protected by a password, the password was not strong enough to resist a brute-forcing attempt. McSkidy implemented a stronger password policy to make brute-forcing difficult. Moreover, a timeout would lock a user out after five incorrect password attempts, making brute-force attacks more expensive and less feasible.
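The two controls described above, a stronger password policy and a lockout after five failed attempts, can be expressed as a small policy checker and an attempt counter. The following is an added example written for this write-up, not code from the TryHackMe room or from McSkidy's server; the minimum length of 12 characters and the 15-minute lockout window are assumed values chosen for illustration, while the five-attempt threshold comes from the text.

```python
"""Added example (not part of the original write-up): a password-policy
check and a five-strikes lockout counter of the kind the text describes.
MIN_LENGTH and LOCKOUT_SECONDS are assumed values; MAX_FAILURES is the
"five incorrect password attempts" from the text."""
import hmac
import time
from collections import defaultdict

MIN_LENGTH = 12             # assumed policy value
MAX_FAILURES = 5            # from the text: lock after five failures
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window


def password_meets_policy(password: str) -> bool:
    """Require MIN_LENGTH and at least three of four character classes."""
    if len(password) < MIN_LENGTH:
        return False
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


class LockoutTracker:
    """Counts consecutive failures per user and locks the account once
    MAX_FAILURES is reached. The clock is injectable so the behaviour
    can be exercised without sleeping."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, user: str) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout window has expired: clear it and reset the counter.
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def attempt(self, user: str, password: str, expected: str) -> str:
        """Return 'locked', 'ok' or 'fail' for one login attempt.

        A real service compares against a salted hash rather than the
        plaintext; compare_digest is used here to avoid a timing leak."""
        if self.is_locked(user):
            return "locked"
        if hmac.compare_digest(password.encode(), expected.encode()):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = self.clock() + LOCKOUT_SECONDS
        return "fail"


if __name__ == "__main__":
    tracker = LockoutTracker()
    for guess in ["a", "b", "c", "d", "e", "f"]:
        print(guess, tracker.attempt("elf", guess, "Correct-Horse-42"))
```

Every attempt after the fifth failure returns `locked` without evaluating the password at all, which is what makes brute-forcing expensive: the attacker gets five guesses per lockout window instead of as many as the server can process.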

Control the flow of information:
McSkidy was informed by her team about the GitHub repository that contained sensitive information, including some credentials. This information could be an attack vector to target Santa’s infrastructure. This information was made private to block this attack vector. Moreover, best practices were established to ensure credentials and other sensitive information are not committed to GitHub repositories.
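One of the best practices mentioned above is to catch credentials before they are committed. The following is an added example, not code from the TryHackMe room or from Santa's team: a pre-commit style scan over a unified diff that flags likely secrets on added lines only, so that a commit which removes a leaked credential is not itself blocked. The regular expressions and the sample diff are constructed for this illustration; real tools such as gitleaks ship far larger rule sets.

```python
"""Added example (not part of the original write-up): scan staged changes
for likely credentials before they reach a repository. Patterns and the
sample diff below are constructed for illustration."""
import re
import sys

# (label, regex) pairs. These are assumptions, not an exhaustive rule set.
SECRET_PATTERNS = [
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hard-coded password",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?[^\s'\"]{6,}")),
    ("generic api token",
     re.compile(r"(?i)(?:api[_-]?key|token|secret)\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{20,}")),
]

# Constructed sample: a diff that would be produced by `git diff --cached`.
# The AWS key id is the well-known documentation example value.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "n0rthp0le-elves-2022"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
"""


def scan_diff(diff_text: str) -> list:
    """Return a list of findings for added lines in a unified diff.

    Only lines starting with a single '+' are examined; '---'/'+++' file
    headers, context lines and removed lines are skipped."""
    findings = []
    current_file = None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")
            continue
        if not raw.startswith("+") or raw.startswith("+++"):
            continue
        line = raw[1:]
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append({"file": current_file, "rule": label,
                                 "line": line.strip()})
    return findings


def should_block_commit(diff_text: str) -> bool:
    """Pre-commit verdict: block when any finding is present."""
    return bool(scan_diff(diff_text))


if __name__ == "__main__":
    # Usage as a hook: git diff --cached | python scan_secrets.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    for f in scan_diff(text):
        print(f"{f['file']}: {f['rule']}: {f['line']}")
    sys.exit(1 if should_block_commit(text) else 0)
```

Wired into `.git/hooks/pre-commit`, a non-zero exit stops the commit, which is the point at which a credential is still cheap to remove; once it is pushed, the only safe remedy is rotation, whether the repository is private or not.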

Beware of deception:
Another attack vector used to intrude into Santa’s network was phishing emails. McSkidy identified that no phishing protection was enabled, which led to all such emails landing in the inbox of Santa’s employees. McSkidy enabled phishing protection on Santa’s email server to filter out spoofed and phishing emails. All emails identified as phishing or spoofed were dropped and didn’t reach the inbox of Santa’s employees.
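A mail server's phishing protection makes exactly the kind of decision described above: deliver or drop, based on whether the sender authenticates and whether the visible From address is being impersonated. The following is an added example, not code from the TryHackMe room or from Santa's mail server: a gateway-style filter that reads the Authentication-Results header a real MTA would have written after checking SPF and DKIM. The domain `northpole.example`, the four sample messages and the header values are all constructed for this illustration.

```python
"""Added example (not part of the original write-up): a simple
deliver-or-drop filter for spoofed and phishing mail. It trusts the
Authentication-Results header written by the receiving MTA rather than
performing SPF/DKIM lookups itself. PROTECTED_DOMAIN and the sample
messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

PROTECTED_DOMAIN = "northpole.example"   # assumed name for Santa's domain

# Constructed sample messages (headers only matter for the filter).
SAMPLE_MESSAGES = {
    "internal_ok": (
        "From: Santa <santa@northpole.example>\n"
        "Authentication-Results: mx.northpole.example; spf=pass "
        "smtp.mailfrom=northpole.example; dkim=pass header.d=northpole.example\n"
        "Subject: Sleigh schedule\n\nSee attached.\n"
    ),
    "spoofed_internal": (
        "From: Santa <santa@northpole.example>\n"
        "Authentication-Results: mx.northpole.example; spf=fail "
        "smtp.mailfrom=evil.example; dkim=none\n"
        "Subject: Urgent: open the attached document\n\nPlease enable macros.\n"
    ),
    "missing_auth": (
        "From: Santa <santa@northpole.example>\n"
        "Subject: No authentication results at all\n\nHello.\n"
    ),
    "display_name_spoof": (
        'From: "santa@northpole.example" <newsletter@evil.example>\n'
        "Authentication-Results: mx.northpole.example; spf=pass "
        "smtp.mailfrom=evil.example; dkim=pass header.d=evil.example\n"
        "Subject: Password reset\n\nClick here.\n"
    ),
    "external_ok": (
        "From: Supplier <orders@toys.example>\n"
        "Authentication-Results: mx.northpole.example; spf=pass "
        "smtp.mailfrom=toys.example; dkim=pass header.d=toys.example\n"
        "Subject: Invoice\n\nAttached.\n"
    ),
}


def auth_results(msg) -> dict:
    """Extract 'spf=pass' / 'dkim=fail' style results from every
    Authentication-Results header as a {method: result} mapping."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for part in hdr.split(";"):
            words = part.strip().split()
            if words and "=" in words[0]:
                method, result = words[0].split("=", 1)
                results[method.lower()] = result.lower()
    return results


def classify(raw: str) -> tuple:
    """Return ('deliver' | 'drop', reason) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    auth = auth_results(msg)

    # 1. The MTA's own checks failed: the envelope sender is not who it claims.
    if auth.get("spf") == "fail" or auth.get("dkim") == "fail":
        return "drop", "SPF/DKIM authentication failed"
    # 2. Mail claiming to come from our own domain must pass SPF to be trusted.
    if from_domain == PROTECTED_DOMAIN and auth.get("spf") != "pass":
        return "drop", "claims internal sender without passing SPF"
    # 3. Display name that looks like an address at a different domain.
    if "@" in display_name and display_name.rpartition("@")[2].lower() != from_domain:
        return "drop", "display name impersonates another address"
    return "deliver", "sender authenticated"


def filter_inbox(messages: dict) -> dict:
    """Apply classify() to a {name: raw_message} mapping."""
    return {name: classify(raw) for name, raw in messages.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in filter_inbox(SAMPLE_MESSAGES).items():
        print(f"{name:20} {verdict:8} {reason}")
```

Rule 2 is the one that matters most for the scenario in the text: a message whose From header claims `santa@northpole.example` but arrives from an outside server never passes SPF for that domain, so it is dropped before it reaches an employee's inbox, while genuine external senders that authenticate correctly are still delivered.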

Prepare for countering human error:
The phishing email that targeted Santa’s employees contained a document with malicious macros. To mitigate the risk of macro-based documents compromising Santa’s infrastructure, McSkidy disabled macros on the end-user machines used by Santa’s employees.

Strengthen every soldier:
McSkidy wanted the attack surface reduced from every endpoint’s point of view. So far, she had taken steps to strengthen the network as a whole. For strengthening each endpoint, she took help from Microsoft’s Attack Surface Reduction rules. Though these rules were built into the Microsoft Defender for Endpoint product, she took help from these rules and created a similar set of rules for her own EDR platform.

Make the defense invulnerable:
To further strengthen the infrastructure, McSkidy carried out a vulnerability scan, which highlighted some vulnerabilities in the internet-facing infrastructure. McSkidy patched these vulnerabilities on Santa’s internet-facing infrastructure to prevent their exploitation.

~ Source: Tryhackme.

Challenge Solution