One of the most widespread problems in cybersecurity today is the difficulty of discovering and monitoring an organization’s attack surface. A big part of the problem is that the average organization’s attack surface has expanded dramatically in recent years. To plan an organization’s cyber defense properly, it is paramount that the organization is fully aware of its attack surface, but this rarely happens. That gap leaves a plethora of options open to malicious hackers seeking to expose an organization’s sensitive data or gain access to its internal networks.
Let’s break down some of the assets that may comprise a company’s attack surface.
Personal Computing Devices
Every computing device owned by an organization is a potential entry point for an attacker: every laptop, workstation and mobile device that has access to your networks or stores information that is valuable to your organization. If employees’ personal devices are allowed to connect to the organization’s network or to store any sensitive data relating to the organization (email, chat apps, documents, credentials, etc.), those devices are part of the attack surface too.
Servers
Servers may be internal or external, cloud-hosted or on-premises. They can host any number of data stores and services, including web applications, mail servers, databases, document storage, VPNs and APIs.
Applications and APIs
Most organizations use applications, external or internal, bespoke or third-party. These may take the form of client portals, employee payroll systems, webmail, the organization’s website(s), SSO systems, CRMs, banking applications, invoicing applications, file storage applications, and so on.
Subdomains
One of the first steps an attacker may take when targeting an organization is to enumerate its subdomains. An organization may have thousands of subdomains, and each of them is another opportunity for an attacker to reach the organization’s sensitive data or gain a foothold on its protected networks.
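One passive way attackers (and defenders) enumerate subdomains is to harvest them from certificate transparency logs: every publicly trusted certificate issued for a name under the domain is logged, including names for hosts that were never meant to be advertised. The script below is an added example, not SpiderFoot code; it is modelled on the JSON feed that crt.sh returns for a domain query (a list of records whose `name_value` field holds the certificate’s names, newline-separated). The sample response is constructed so the script runs offline, and the scope check and hostname pattern are assumptions for this illustration.

```python
"""Passive subdomain discovery from certificate transparency (CT) log data.

Added example, not SpiderFoot code. The sample below is constructed in the shape
of a crt.sh JSON response for "example.com"; no network access is used.
"""
import json
import re

# Constructed sample: what a CT log search for %.example.com might return.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=DigiCert Inc",
     "name_value": "*.dev.example.com\nstaging.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "VPN.Example.COM"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "legacy-api.example.com\nlegacy-api.example.com.evil.test"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "mail.examplecorp.com"},
])

# Conservative hostname syntax check (assumption for this example).
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def in_scope(name: str, root: str) -> bool:
    """True only if name is root or a subdomain of root.

    A label-aware suffix check, so look-alikes such as 'examplecorp.com'
    and 'legacy-api.example.com.evil.test' are rejected.
    """
    return name == root or name.endswith("." + root)


def subdomains_from_ct(ct_json: str, root: str) -> dict[str, set[str]]:
    """Return {'hosts': in-scope names, 'wildcards': zones with wildcard certs}.

    Wildcard entries are kept separately: '*.dev.example.com' tells you the
    dev.example.com zone issues certificates for arbitrary hosts (worth
    brute-forcing later), but the literal '*' name never resolves.
    """
    root = root.lower().rstrip(".")
    hosts, wildcards = set(), set()
    for record in json.loads(ct_json):
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                base = name[2:]
                if in_scope(base, root) and HOSTNAME_RE.match(base):
                    wildcards.add(base)
                continue
            if in_scope(name, root) and HOSTNAME_RE.match(name):
                hosts.add(name)
    return {"hosts": hosts, "wildcards": wildcards}


if __name__ == "__main__":
    result = subdomains_from_ct(SAMPLE_CT_JSON, "example.com")
    for host in sorted(result["hosts"]):
        print(host)
    print("wildcard zones:", sorted(result["wildcards"]))
```

The scope check matters: a naive `"example.com" in name` test would pull `legacy-api.example.com.evil.test` and `examplecorp.com` into the target list, which is exactly how an attacker-registered look-alike domain ends up being scanned as if it were yours.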
Social Media
An often-underestimated aspect of an organization’s security is social media, both the employees’ accounts and the organization’s own. Attackers may use platforms like LinkedIn to identify who works for an organization, then use more personal sites like Facebook or Instagram to learn about those employees’ personal lives. That information is then used to craft convincing phishing emails or phone calls that trick employees into performing an action that exposes their credentials or otherwise jeopardizes the organization.
Public Code Repositories
Code repository platforms such as GitHub and GitLab are great for sharing code and collaborating on projects, but they also have the potential to become a security nightmare. Whenever developers commit code to these repositories there is a chance that they will accidentally leak information that is important to an organization. This may include usernames, passwords, IP addresses, access keys and subdomain names. A study by North Carolina State University revealed that over 100,000 repositories on GitHub had leaked API or cryptographic keys.
Another common tactic is to identify developers who work for an organization and then find their personal GitHub or GitLab accounts. It is not uncommon to find bespoke code from an employer uploaded to a developer’s personal account, and that code may include sensitive API keys or credentials.
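The leaks described in the two paragraphs above are found by the same mechanism whether an attacker is trawling public repositories or a defender is checking a commit before it is pushed: pattern-match the known shapes of credentials, then fall back to an entropy heuristic for tokens that have no fixed prefix. The scanner below is an added example; it is not SpiderFoot code and not the tooling from the NCSU study. The regexes reflect well-known credential formats (AWS access key IDs, GitHub tokens, PEM private key headers, Slack tokens, password assignments), the entropy threshold is an assumption, and every sample file is constructed (the AWS key is the placeholder value used in AWS documentation).

```python
"""Scan repository content for leaked credentials.

Added example, not SpiderFoot code nor the NCSU study's tooling. Fixed-format
patterns cover a few well-known credential shapes; the Shannon-entropy check is
a heuristic for tokens without a fixed prefix. Sample files are constructed.
"""
import math
import re
from collections import Counter

# Fixed-format patterns; the secret itself is capture group 1.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "github_token": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,})\b"),
    "private_key_block": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
    "slack_token": re.compile(r"\b(xox[baprs]-[A-Za-z0-9-]{10,})\b"),
    # password assignments in config or source, e.g. DB_PASSWORD = "..."
    "password_assignment": re.compile(r"""(?i)pass(?:word|wd)?\s*[:=]\s*["']?([^\s"']{6,})"""),
}

# Candidate for the entropy heuristic: a long run of base64/hex-like characters.
GENERIC_TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")


def shannon_entropy(s: str) -> float:
    """Bits per character. Random tokens score high; identifiers and words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, path: str, entropy_threshold: float = 4.0) -> list[dict]:
    """Return one finding per secret-like match in text (threshold is an assumption)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        claimed = []  # spans already reported by a fixed pattern
        for label, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append({"path": path, "line": lineno, "type": label, "secret": m.group(1)})
                claimed.append(m.span(1))
        for m in GENERIC_TOKEN_RE.finditer(line):
            if any(m.start() < b and m.end() > a for a, b in claimed):
                continue  # already reported under a more specific type
            if shannon_entropy(m.group(0)) >= entropy_threshold:
                findings.append({"path": path, "line": lineno,
                                 "type": "high_entropy_string", "secret": m.group(0)})
    return findings


def scan_repo(files: dict[str, str]) -> list[dict]:
    """Scan a {path: content} mapping, e.g. the tree of a commit about to be pushed."""
    return [f for path, content in sorted(files.items()) for f in scan_text(content, path)]


# Constructed sample repository contents.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "DB_PASSWORD = \"S3cr3t-Passw0rd!\"\n"
        "SIGNING_KEY = \"q7Vb2nXk9pLm4RtY8wZs3HdF6gJc1Ae0\"\n"
        "ALLOWED_HOSTS = ['api.example.com']\n"
    ),
    "scripts/release.sh": "export GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij\n",
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n",
    "README.md": "Run `make build`, then push to GitHub.\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['type']}: {f['secret'][:12]}...")
```

Two caveats worth keeping in mind: the entropy heuristic will flag legitimate random-looking strings (hashes, fixture data) and needs an allowlist in practice, and a scanner run after the fact only tells you what to rotate; once a key has been pushed to a public repository it must be treated as compromised regardless of how quickly the commit is removed.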
Third Parties
Does the organization use any third party for IT maintenance, cybersecurity, physical security, development, accounting, legal services, or anything else? There is a good chance that the attack surfaces of those outsourced organizations are now part of this organization’s attack surface too, because they interact with the organization’s networks, systems and sensitive information.
Shadow IT
Employees in departments other than IT often spin up their own systems to get a task done. The IT department may not be aware of such systems, but they are still part of the attack surface. These systems are commonly referred to as “Shadow IT”.
Monitoring Assets Over Time
It is important that organizations not only scan their attack surface at a single point in time, but scan and monitor their assets continuously to stay on top of changes to the attack surface, which can arise at any time. This gives organizations the ability to respond when something critical or unexpected appears on their attack surface before attackers take advantage of it.
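Continuous monitoring in practice means keeping each scan’s results and diffing the new snapshot against the previous one, so that alerting is driven by what changed rather than by re-reading the whole inventory. The code below is an added example of that comparison step, not SpiderFoot HX code: a snapshot is modelled as a mapping of hostname to resolved IPs and open ports (how it is collected is out of scope here), the high-risk port list and severity rules are assumptions for the illustration, and both snapshots are constructed using documentation IP ranges.

```python
"""Detect changes between two attack-surface scan snapshots.

Added example, not SpiderFoot HX code. A snapshot is modelled as
{hostname: {"ips": set_of_ips, "ports": set_of_open_ports}}. Both snapshots
below are constructed; the port list and severity rules are assumptions.
"""
from dataclasses import dataclass

# Services an attacker would go after first if they appeared unexpectedly.
HIGH_RISK_PORTS = {21, 23, 445, 3389, 5900, 6379, 27017}


@dataclass
class Change:
    host: str
    kind: str      # new_host, removed_host, new_port, closed_port, ip_changed
    detail: str
    severity: str  # "alert" (page someone) or "info" (log it)


def diff_snapshots(old: dict, new: dict) -> list[Change]:
    """Compare two snapshots and return the list of changes, ordered by host."""
    changes = []
    for host in sorted(set(old) | set(new)):
        if host not in old:
            ports = new[host]["ports"]
            sev = "alert" if ports & HIGH_RISK_PORTS else "info"
            changes.append(Change(host, "new_host", f"ports {sorted(ports)}", sev))
            continue
        if host not in new:
            # A host that disappeared may simply be decommissioned, but confirm
            # its DNS record went with it: a record left pointing at a released
            # IP or cloud service is a takeover candidate.
            changes.append(Change(host, "removed_host", "", "info"))
            continue
        o, n = old[host], new[host]
        for p in sorted(n["ports"] - o["ports"]):
            sev = "alert" if p in HIGH_RISK_PORTS else "info"
            changes.append(Change(host, "new_port", str(p), sev))
        for p in sorted(o["ports"] - n["ports"]):
            changes.append(Change(host, "closed_port", str(p), "info"))
        if o["ips"] != n["ips"]:
            # A name that now resolves elsewhere may have moved to an unmanaged
            # host or a third-party service; worth a human look.
            changes.append(Change(host, "ip_changed",
                                  f"{sorted(o['ips'])} -> {sorted(n['ips'])}", "alert"))
    return changes


def alerts(changes: list[Change]) -> list[Change]:
    """The subset of changes that should page someone rather than just be logged."""
    return [c for c in changes if c.severity == "alert"]


# Constructed snapshots from two scans a week apart (documentation IP ranges).
OLD_SNAPSHOT = {
    "www.example.com": {"ips": {"203.0.113.10"}, "ports": {80, 443}},
    "vpn.example.com": {"ips": {"203.0.113.20"}, "ports": {443}},
    "old-cms.example.com": {"ips": {"203.0.113.30"}, "ports": {80}},
}
NEW_SNAPSHOT = {
    "www.example.com": {"ips": {"203.0.113.10"}, "ports": {80, 443}},
    "vpn.example.com": {"ips": {"203.0.113.20"}, "ports": {443, 3389}},
    "staging-db.example.com": {"ips": {"198.51.100.5"}, "ports": {27017}},
}

if __name__ == "__main__":
    for c in diff_snapshots(OLD_SNAPSHOT, NEW_SNAPSHOT):
        print(f"[{c.severity}] {c.host}: {c.kind} {c.detail}")
```

On the constructed data this raises two alerts (a new host exposing MongoDB, and RDP newly open on the VPN gateway) and logs the removed CMS host. The point of the severity split is that a weekly scan of a few thousand assets produces a steady trickle of harmless changes; if every one of them pages someone, the unexpected database exposure gets ignored along with the rest.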
SpiderFoot Can Help
Users of the open source SpiderFoot will know how effective it can be at mapping out an organization’s attack surface. SpiderFoot HX builds on that to offer an automated solution for monitoring your attack surface through periodic scanning and alerting when changes are identified. To read more about how SpiderFoot’s attack surface monitoring works, click here.