Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Keeping Track of Your Attack Surface for Cheap - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Keeping Track of Your Attack Surface for Cheap

Various commercial services that promise to keep track of your "attack surface" are sprouting like tulips in the spring (yes... for you up north: Spring is near). But what options are there in particular for smaller companies to track your attack surface "on the cheap"?

Let's first define "attack surface" for the purpose of this post: The attack surface is composed of exposed services that if vulnerable could be used by attackers to breach your network. We will not consider client issues (for example Microsoft's excellent attack surface reduction tools focus on that). But instead, we will consider anything from network storage devices to cat feeders that may be exposed to the internet either intentionally or by mistake (still trying to find the telnet password for my cat feeder before the cat locks it down.. different diary for a different day).

So what are some of the tools that are available:

Zeek

I mention Zeek first because if Zeek works for you, you are done. Zeek is excellent at identifying new services. It offers a number of logs to help (e.g. known_services, known_hosts, software, known_certs ...). Out of the box, it does pretty much everything you need and it is pretty straightforward to collect the logs in a console like ELK.

So why continue reading? Well, Zeek may not cover everything. You may have hosts in the cloud, or even in home networks, that are not covered by your Zeek setup. 

Nmap

Nmap, the granddaddy of port scanning tools is easily scripted to periodically scan networks for open ports (= exposed services). It even got pretty good tools to identify services. The issue with Nmap is that you will only get a snapshot in time, and some services may only be exposed occasionally. It may also be a bit tricky to scan various networks you do not directly control. For example, how to deal with employee home networks? At the very least, you should get permission to scan the home network of employees (may not be a bad idea if this is a work-from-home setup). But there are several technical and ethical issues. Do not forget that Nmap can be a bit aggressive at times, and low-end home routers may crash if scanned. This will require some careful testing and probably a legal review.

DNS

DNS isn't a specific tool. But you should occasionally review which IP addresses your various hostnames point to. This will get you a list of IPs to scan with nmap to make sure you do not forget anything. But DNS is a classic first-stop for your attackers, so you should try it too.

Shodan / Onyphe

Now I am starting with various services that scan the internet for you. Shodan isn't 100% free, in particular, if you search for IP addresses, but with occasional sales, it is close enough to free. Shodan essentially runs the nmap scan for you and even has some alerting and custom scan functions (again: if you pay)

Onyphe.io is a service very similar to Shodan with some paid/free services. 

Censys

Censys has a commercial "attack surface management" service. But it's simple (free) search may be all you need for occasional checks. 

RiskIQ

RiskIQ does collect data from various databases like Whois, DNS, and others, and will inform you of any changes. They do have a limited free service as part of their Passivetotal acquisition. 

Internet Storm Center :)

Can't hurt to search here for your IP address. While we do not track exposed services, you will see your footprint in our sensor network.

Bug Bounties

Why not get the reports from people who already scan you. Make sure your security.txt file is in order to allow for easy reporting of any vulnerable exposed services.

Anything else I forgot?

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS Cyber Defence Japan August 2022

Johannes

4515 Posts
ISC Handler
Feb 3rd 2022
When I worked at SGI, I used OpenVAS. It was nice because I could have multiple nodes, both so I could spread out my vulnerability scans and so I could scan from inside or from outside a firewall. And, of course, in addition to just mapping out the attack surfaces (from various points of view), it also did some vulnerability scanning, and would give differential reports.

One of my routines was to scan a network, resolve any issues that were found, then 30 days later, perform another scan and look at the differential - what CHANGED on that network, new hosts, new services, new vulnerabilities, whatever. If built from source, it was a little fiddly to get setup and working with multiple servers to issue scans/test from, but it was a really slick tool!

(edited)... Hmph... I'm logged in so I don't know why this reply is posted as anonymous... Go figure. :-)
Brent

133 Posts
thanks, Zeek solved my problem nicely :)
its a neat program.
Anonymous
You mentioned "Microsoft's excellent attack surface reduction tools". What exactly are we talking about here: Microsoft Defender?
AAInfoSec

51 Posts

Sign Up for Free or Log In to start participating in the conversation!