Data breaches, ransomware attacks and intrusions continue to cause disruption and financial and reputational damage to companies and organizations. The root cause of these incidents varies from vulnerable web-facing applications; to misconfigurations; to forgotten, unpatched services.
Often, these errors are visible to malicious actors from the outside. There are a variety of public resources, tools and methods for discovering information about a target, which can be a domain name, IP address, email address, web content, social media handles, transport layer security (TLS) certificate data, web content and more. Attackers use this information to find internet-facing assets and services, which may offer opportunities for them to exploit. For example, attackers often run internet-wide scans looking for specific types of software with unpatched vulnerabilities. They scan for programs or operating system features such as remote desktop protocol (RDP), which can provide a potential initial access vector for threat actors if left exposed to the internet. They might look for email addresses of a company’s employees, which can then be leveraged for phishing attacks. They might hunt for access keys or other secrets that have been mistakenly published on an organization’s GitHub, a public software repository. They might find long-forgotten servers or virtual machines on third-party hosting providers, which could offer a way to get into a network.
These kinds of avenues comprise what’s known as an organization’s attack surface. An attack surface must be regularly assessed and managed to harden defenses from attackers. However, now an organization’s attack surface extends beyond their own network, strategies to mitigate threats must ensure they are based on a full picture of their attack surface. Gathering information through open source intelligence (OSINT) tools provides one avenue of doing this; organizations are often unaware of how much information they have exposed on the surface for an attacker to exploit.
But using OSINT tools one at a time is time consuming and inefficient. What is more, exclusively using OSINT tools can only ever provide half the picture: a hidden class of threats are being primed on the cyber underground ready to undermine operations. A modern attack surface management system must ensure they are assessing threats to their attack from the cyber underground as well, seeing themselves as an attacker would. Intel 471’s Attack Surface Protection is the answer.
Attack Surface Protection: Attack surface management re-imagined
In November 2022, Intel 471 acquired SpiderFoot – an automated reconnaissance, attack surface management and digital investigations platform. It consolidates hundreds of OSINT tools, data sources and analysis techniques into a fast, software-as-a-service (SaaS) web application that returns deep information about a target starting with just a sliver of data. Today, SpiderFoot forms the foundations of our newest product: Intel 471 Attack Surface Protection.
Attack Surface Protection is a suite of three solutions - Attack Surface Discovery, Attack Surface Management, and Attack Surface Intelligence. These solutions combine the breadth of SpiderFoot’s OSINT functionality with the depth of Intel 471’s Cyber Threat Intelligence (CTI) to proactively manage their attack surface.
Map out your attack surface with Attack Surface Discovery
Attack Surface Discovery is the base solution in the Attack Surface Protection suite, from which all other solutions extend from. It gives users the ability to map their attack surface at a single point in time, uncovering exposed assets they may not even know existed. Penetration testers or consultants can use findings as part of their engagements to pinpoint possible opportunities for exploitation, allowing an organization to improve their overall security posture.
Attack Surface Discovery maps assets by pulling data from over 200 modules, each of which is a component that collects and analyzes information. A query starts with a target, which can be pieces of information such an IP address, email address, name, domain, host name, subnet, phone number or Bitcoin address. The modules research the target and feed off each other’s findings to uncover relationships, hidden data, security problems and more.
Content analysis modules specialize in extracting data from a target, such as email addresses, cryptocurrency addresses and metadata from images. The crawling and scanning modules can look for Amazon Simple Storage Service (S3) buckets associated with a target, gather information about TLS certificates and even scan for vulnerabilities on a site. The domain name system (DNS) modules deliver a comprehensive profile of a domain, including DNS records and top-level domain (TLD) data, which can help organizations identify typosquatting or other domains on other TLDs that may have the same names as the target.
Attack Surface Discovery’s power comes from analysis modules that feed off data discovered by other modules. By taking the natural next step when data is discovered, Attack Surface Discovery returns a deep digital footprint of the target. For example, if a user inputs their business domain for a scan, a module for Hunter.io will begin searching for email addresses related to the inputted business domain. If email addresses are found, the module for Have I Been Pwned will then search if any have turned up in a data breach. Another module can take an email address and check it against reputational lists to see if it has been used in scams. In another example, if its fast port scanner module identifies an open port, a module will grab the port’s banner, which is the metadata that identifies an application running on the port. If a scan turns up a GitHub repository belonging to the target, a module will automatically begin searching the repository for sensitive data, such as secrets or keys. The amount of data that is returned from rich targets can be voluminous, but Attack Suface Protection can display the results visually and provides a correlation engine to surface risky findings from the data collected. Modules also can be turned off to limit results.
Additionally, Attack Surface Discovery has modules for some of the top third-party OSINT sources. There are modules for Have I Been Pwned, which indexes breached email addresses; DNSDB, Farsight’s database of historical and passive DNS records; Shodan, the search engine for internet-connected devices; Whoisology for reverse Whois lookups; VirusTotal for malware research; and AlienVault’s Open Threat Exchange for other threat research. Other integrated open source tools include Nmap for operating system fingerprinting and Nuclei for external vulnerability scanning.
Take action with Attack Surface Management
The ever changing nature of an organization’s internet facing assets and exposures, means a single snapshot of their digital footprint is limiting for a robust cyber security defense. Intel 471’s Attack Surface Management solution extends the functionality of the Attack Surface Discovery to provide ongoing monitoring of an attack surface.
It facilitates automated, regular scans of an organization’s attack surface. Regular scanning enables defenders to get alerts of potential security issues, such as exposed Amazon S3 or DigitalOcean storage buckets. Scanning can also pick up if attackers may be trying to digitally impersonate an organization. Scanning through the social media module will also spot accounts that have been set up using an organization’s name. If a significant change is identified, an alert will immediately be sent - crucial when organizations should waste no time in re-securing their assets from threat actors.
Results of past scans are also saved so that organizations can compare scans to track changes in their attack surface over time. It’s always enlightening to see where new fixes have taken hold, or where more resources need to be directed to hinder a repeated influx of new issues.Crucially, organizations are equipped with the tools to manage their attack surface, rather than simply monitor it.
Attack Surface Management also contains an application programming interface (API) which facilitates automation of remediation efforts, also known as orchestration. Using orchestration through the API, security operations can run more efficiently by integration with selected apps and automating processes to rapidly reduce the amount of time the attack surface is exposed.
Monitor beyond the horizon with Attack Surface Intelligence
Of course, exclusively using OSINT tools to protect an organization’s attack surface means you’re only monitoring up to the horizon, and not what is beyond it. There’s a whole, hidden, class of threats that can only be identified by looking for signs on the cyber underground. Often, these signs can be the only indicator that a problem is afoot. Using CTI experts to interpret these signs can be the difference between tackling a full-blown security crisis or securing a vulnerability before it could ever be leveraged by a threat actor.
Attack Surface Intelligence is the most extensive offering in the Attack Surface Protection suite. It augments attack surface management with CTI by extending monitoring of an organization’s digital footprint into the cyber underground. Users will have access to Intel 471’s comprehensive intelligence covering the cybercriminal underground, including breaches, malware, threat actors and vulnerabilities. They will be able to see detailed cybercrime and threat intelligence reports that are directly relevant to issues found about their attack surfaces. As an example, if Attack Surface Intelligence discovers that a domain or application has a vulnerability, it can pull more underground data about that vulnerability, such as if it is being actively targeted. If a researcher is investigating a domain name, the Intel 471 module may return information such as if it has been mentioned on cybercriminal forums and if stolen credentials have been offered for sale.
The Intel 471 intelligence reports are carefully curated by Intel 471 intelligence analysts and researchers: experts in the cyber underground and the threat actors that operate there. Their unparalleled intelligence allows defenders to see themselves as attackers do, clarifying exactly where to direct their resources and which patches to prioritize so they can stay one step ahead of the threat actors.
Attack Surface Intelligence gives unmatched power to the defense of your digital footprint. It draws a cohesive link between an organization’s attack surface and how it squares with relevant underground activity. Only by acting on this link, can organizations build a truly proactive cyber security defense.
INTEL 471 ATTACK SURFACE PROTECTION WAS LAUNCHED ON FEBRUARY 6, 2023.
To begin protecting your organization from threats beyond the horizon, visit the Attack Surface Protection section of our website.