Attack Surface, How To Defend It: The NIST Cybersecurity Framework Approach
Attack Surface: Our cybersecurity journey continues… but without leaving the hacker’s mind! Have you ever wondered how cybercriminals identify and exploit system flaws to carry out their attacks?
In the previous episodes we looked at the different types of hackers and at the motivation behind their actions: no longer vanity and reputation, but money, directly. In such a context it is natural to ask: how do we defend the attack surface, and where do we start? The approach we strongly recommend is to start from the attack surface itself, that is, the “portion” of the network that can be exposed to access and/or modification by unauthorized users.
What Is The Attack Surface?
The attack surface in IT is the set of exposed systems in a network: the points of entry and the vulnerabilities that a potential attacker could exploit. A company’s attack surface is therefore nothing more than the sum of its servers, workstations, connected devices and IT infrastructure, plus the users, contractors and suppliers who have access to the company network. It is essential to know and classify every company asset, identify the vulnerabilities of each one, and then close them through careful planning.
As history teaches, already at the time of Caesar, almost two thousand years ago, the Roman military commanders had understood that the defense improved considerably if the formations remained compact. Applying the same principle to modern IT infrastructures, the goal is to minimize the size of the attack surface: the smaller the exposed scope, the less chance an attacker, hacker or cyber threat has of finding an entry point and breaching our data.
Cybercriminals Study Their Target Carefully And In Great Detail.
Silently and patiently, they examine the assets that make up the victim’s IT infrastructure and look for a way to exploit even the smallest weakness in order to enter the system. Having gained access, they continue their information-gathering activity to understand whether any further defensive or recovery tools (backups, endpoint protection, monitoring) need to be neutralized. Only when they have mapped their victim’s entire infrastructure is the actual attack launched, such as encryption or data theft.
In this context, it becomes essential to know in detail the company’s attack surface and to implement the necessary measures to defend it, applying the ancient principle of the Roman legions: compactness.
Where Can We Start? Attack Surface, How To Defend It
The methodological approach we adopt is that of the NIST Cybersecurity Framework, whose first function is IDENTIFY: the detailed mapping of the corporate attack surface by identifying and classifying the assets that compose it. It starts with a Security Assessment, which identifies and classifies company systems with respect to the attack kill chain. With a top-down approach, we collect the information needed to identify the systems and the main risk areas, and then validate the correct adoption of the main reference best practices in Security Design, relating them to the attack kill chain of the Security Zones involved.
Both interviews and documentation collection are foreseen, as well as precise configuration and test verification activities, carried out by internal resources such as Qualified Consultants, Certified Systems Engineers and recognized Ethical Hackers. Through systemic and instrumental activities, the probability that adverse events may occur and the extent of the damage that could derive from them are put into context. With a consultative, strategic and structured approach, our Red Team emulates the attacker, analyzing the company and its infrastructure using the techniques and tools typically used by cybercriminals.
These activities aim to complete the mapping of the attack surface and to measure the exposure of confidential information, so as to provide a real measure of the risk factor, useful for estimating the potential direct damage that an attack could cause. The main planned activities are the Vulnerability Assessment, the Penetration Test and the Threat Assessment, which produce different reports:
- a report of the vulnerabilities found, the attack techniques applied and the resulting “resilience” of the infrastructure, with details of the confidential information exfiltrated
- a Remediation Plan accompanied by an Executive and a Technical Report, which put the proposed countermeasures and the reasons behind them into context.
Defending the attack surface: what assets is it made of?
Users, Internal Or External Collaborators, Or Suppliers, Can Become Attack Vectors And Expand The Surface.
In 2021, for the third consecutive year, reports from leading market analysts confirmed that over 99% of attacks require human interaction to succeed. Phishing and malware campaigns sent in “spray and pray” mode are constantly increasing. In particular, targeted attacks that use URLs to phish credentials are growing exponentially. Unfortunately, users often do not understand the fundamentals of these threats, much less the impact their behavior can have on the company’s exposure.
To ensure a targeted approach to raising security awareness, training must be adequate, timely, complete and fully customizable to the actual needs of the various audiences (Security Awareness), with engaging and stimulating content developed on proven pedagogical principles, so as to guarantee optimal results. We support companies in implementing dynamic Security Awareness training plans intended to increase user awareness, identify risks, change behaviors and thus reduce exposure. In this way users become a solid last line of defense against attacks.
How the attack surface changes
The attack surface mutates in step with the evolution of the IT infrastructure. For this reason it is important to proactively monitor systems in order to protect data, safeguard intellectual property and avoid disruption of daily activities, effectively detecting possible threats and responding quickly. The tool that collects information centrally and analyzes it in real time is the Security Information and Event Management (SIEM) system. We use the most advanced SIEM technologies on the market to identify, prevent and investigate threats across the entire estate of computers, servers, applications, devices and users, regardless of whether the assets are located in the Customer’s offices, in local (on-premise) data centers or in the Cloud.
The SIEM technology we make available differs from other tools on the market in its maturity, design, pricing, collaboration with third-party suppliers in the normalization of information, and the use of Artificial Intelligence (AI) and Machine Learning (ML) for event correlation. The large volume of information collected from the attack surface is transformed into a real threat intelligence database. With the support of machine learning, the collected data is further analyzed and correlated to detect internal or external cyber threats in real time, allowing the IT security team to intervene promptly to protect corporate assets.
Furthermore, Log management is essential to achieve compliance objectives with the main security regulations (GDPR, PCI DSS, etc.). SIEM is also the centralized collection and storage point of the IT infrastructure logs and must ensure the integrity, confidentiality and availability of the collected data.
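The integrity requirement above is the one most often left to the storage layer alone. As an added example (not code from the original article or from any SIEM product), the block below shows one concrete way a log collector can make its store tamper-evident: each stored entry carries an HMAC over the previous entry’s MAC and the record, so editing, reordering or deleting an entry breaks every MAC after it. The record schema, the key, the helper names (`append_record`, `verify_chain`, `head`) and the sample log lines are all constructed for the example; a real collector would keep the key off the monitored hosts and periodically copy `head()` to write-once storage.

```python
"""Tamper-evident log storage: an HMAC hash chain over collected log records.

Every stored entry carries an HMAC over (previous entry's MAC || record), so
modifying, reordering or deleting an entry breaks every later MAC. The key is
held by the log collector, not by the systems that ship logs. Record format,
key, helper names and sample lines are constructed for this example.
"""
import copy
import hashlib
import hmac
import json
from typing import Optional

GENESIS = b"\x00" * 32  # chain anchor before the first record


def _mac(key: bytes, prev: bytes, record: dict) -> bytes:
    # Canonical JSON so that the same record always hashes the same way.
    payload = prev + json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).digest()


def append_record(chain: list, key: bytes, record: dict) -> list:
    """Append one record, chaining its MAC to the previous entry."""
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"record": record, "mac": _mac(key, prev, record)})
    return chain


def head(chain: list) -> bytes:
    """The latest MAC; ship this value to write-once storage periodically."""
    return chain[-1]["mac"] if chain else GENESIS


def verify_chain(chain: list, key: bytes, anchor: Optional[bytes] = None):
    """Return (True, None) if intact, else (False, index of the first bad entry).

    `anchor` is a previously recorded head(). Without it, silently dropping the
    newest entries (truncation) is undetectable: the remaining prefix is still
    a valid chain, so the check reports the mismatch at index len(chain).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(_mac(key, prev, entry["record"]), entry["mac"]):
            return False, i
        prev = entry["mac"]
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return False, len(chain)
    return True, None


# Constructed sample log lines (not real telemetry).
SAMPLE_RECORDS = [
    {"ts": "2024-03-01T21:00:30Z", "host": "DC01", "msg": "logon success user=svc_backup src=WS-17"},
    {"ts": "2024-03-01T21:04:00Z", "host": "FILESRV", "msg": "logon success user=svc_backup src=WS-17"},
    {"ts": "2024-03-01T21:09:00Z", "host": "WS-22", "msg": "logon success user=svc_backup src=WS-17"},
    {"ts": "2024-03-01T21:12:00Z", "host": "WS-22", "msg": "service installed name=remote-svc"},
]


def build_sample_chain(key: bytes) -> list:
    chain = []
    for rec in SAMPLE_RECORDS:
        append_record(chain, key, rec)
    return chain


# Attacker actions against a stored chain; each returns a modified copy.
def edit_record(chain: list, i: int, new_msg: str) -> list:
    out = copy.deepcopy(chain)
    out[i]["record"]["msg"] = new_msg
    return out


def drop_record(chain: list, i: int) -> list:
    out = copy.deepcopy(chain)
    del out[i]
    return out


if __name__ == "__main__":
    key = b"collector-key-kept-off-the-monitored-hosts"  # constructed
    chain = build_sample_chain(key)
    saved_head = head(chain)
    print("intact:", verify_chain(chain, key))
    print("edited entry 2:", verify_chain(edit_record(chain, 2, "logon failure"), key))
    print("dropped entry 1:", verify_chain(drop_record(chain, 1), key))
    print("truncated, no anchor:", verify_chain(chain[:-1], key))
    print("truncated, with anchor:", verify_chain(chain[:-1], key, anchor=saved_head))
```

The chain alone proves nothing about the newest entries: an attacker who gets write access to the store can simply delete the tail, which is exactly the window in which their own activity was logged. That is why the verification takes an external anchor, and why the integrity property of a SIEM depends on where the latest MAC is kept, not only on the hashing.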
How To Detect A Breach On Our Attack Surface?
It is important to keep an eye on the state of the attack surface at all times. As we said previously, once the first corporate defenses have been violated and access to the IT infrastructure is obtained, cybercriminals do not immediately launch the attack but continue the activity of gathering information (information gathering), to identify and subsequently deactivate all company defenses. Hackers move cautiously, like thieves in the physical world, trying not to generate noise.
For this reason, their stay in companies can be very long, sometimes even several weeks.
Hackers move from one system to another, looking for further vulnerabilities that allow them to obtain accesses or credentials with elevated permissions: the so-called lateral movements.
Based on the incident responses of recent years, the dwell time, the “residence time” of attackers inside a company, has become significantly shorter than it was a few years ago. Timely recognition of any trace is therefore essential and, to detect activity attributable to lateral movement, it is important to know and monitor the elements involved in the techniques that attackers use.
The four types of business assets involved in lateral movement are host, user, file and network, both on-premise and in the cloud. The technology underlying Incident Detection & Response is XDR, a platform that makes it possible to prevent, detect, diagnose and repel a wide range of attack vectors. The XDR platform must be able to autonomously and automatically diagnose alerts concerning hosts, files, users and the network, revealing their cause and extent and applying the necessary corrective measures. The platform can also suggest and implement automated, highly customizable corrective actions to handle threats according to your preferences.
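The passages above (the SIEM correlating events across host, user and network, and the lateral-movement pattern of one account hopping from system to system) describe detection in general terms. The block below is an added example, not code from the article or from any SIEM/XDR product: two correlation rules run over a constructed set of authentication events, one for a brute force that ends in a success and one for an account fanning out over network logons to several hosts in a short window. The event schema, thresholds, rule names and every sample row are assumptions made for the example; a real pipeline would feed normalized events such as Windows 4624/4625 or SSH authentication logs.

```python
"""SIEM-style correlation over authentication events for two lateral-movement
precursors: a brute force that ends in a success, and one account fanning out
over network logons to several hosts in a short window.

Event schema, thresholds and all sample rows are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    user: str
    src: str
    dst: str
    logon_type: int  # 2 = interactive, 3 = network (SMB, WinRM, ...)
    outcome: str     # "success" | "failure"


# Constructed sample rows: (timestamp, user, source host, destination host, logon type, outcome)
SAMPLE_ROWS = [
    ("2024-03-01T09:00:00", "alice", "WS-01", "FILESRV", 3, "success"),
    ("2024-03-01T09:05:00", "alice", "WS-01", "PRINT01", 3, "success"),
    ("2024-03-01T10:00:00", "bob", "WS-02", "WS-02", 2, "failure"),
    ("2024-03-01T10:00:30", "bob", "WS-02", "WS-02", 2, "failure"),
    ("2024-03-01T10:01:00", "bob", "WS-02", "WS-02", 2, "success"),
    ("2024-03-01T12:00:00", "alice", "WS-01", "FILESRV", 3, "success"),
    ("2024-03-01T21:00:00", "svc_backup", "WS-17", "DC01", 3, "failure"),
    ("2024-03-01T21:00:05", "svc_backup", "WS-17", "DC01", 3, "failure"),
    ("2024-03-01T21:00:10", "svc_backup", "WS-17", "DC01", 3, "failure"),
    ("2024-03-01T21:00:15", "svc_backup", "WS-17", "DC01", 3, "failure"),
    ("2024-03-01T21:00:20", "svc_backup", "WS-17", "DC01", 3, "failure"),
    ("2024-03-01T21:00:30", "svc_backup", "WS-17", "DC01", 3, "success"),
    ("2024-03-01T21:04:00", "svc_backup", "WS-17", "FILESRV", 3, "success"),
    ("2024-03-01T21:09:00", "svc_backup", "WS-17", "WS-22", 3, "success"),
]


def parse(rows) -> list:
    """Normalize raw rows into time-ordered Event tuples."""
    events = [Event(datetime.fromisoformat(t), u, s, d, lt, o) for t, u, s, d, lt, o in rows]
    return sorted(events, key=lambda e: e.ts)


def brute_force_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Alert when a (user, source) pair accumulates >= min_failures failed logons
    inside `window` and the next attempt from that pair succeeds."""
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for e in events:
        q = failures[(e.user, e.src)]
        while q and e.ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if e.outcome == "failure":
            q.append(e.ts)
        elif e.outcome == "success" and len(q) >= min_failures:
            alerts.append({"rule": "brute_force_then_success", "user": e.user,
                           "src": e.src, "dst": e.dst, "failures": len(q),
                           "ts": e.ts.isoformat()})
            q.clear()
    return alerts


def fan_out(events, min_hosts=3, window=timedelta(minutes=30)):
    """Alert the first time one account completes network logons (type 3) to
    >= min_hosts distinct destinations inside `window`."""
    recent = defaultdict(deque)  # user -> (ts, dst) of recent network successes
    alerts, fired = [], set()
    for e in events:
        if e.logon_type != 3 or e.outcome != "success":
            continue
        q = recent[e.user]
        q.append((e.ts, e.dst))
        while q and e.ts - q[0][0] > window:  # keep only the last `window`
            q.popleft()
        hosts = sorted({d for _, d in q})
        if len(hosts) >= min_hosts and e.user not in fired:
            fired.add(e.user)
            alerts.append({"rule": "fan_out", "user": e.user, "src": e.src,
                           "hosts": hosts, "ts": e.ts.isoformat()})
    return alerts


def correlate(rows) -> list:
    """Run both rules and return the alerts in time order."""
    events = parse(rows)
    return sorted(brute_force_then_success(events) + fan_out(events), key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in correlate(SAMPLE_ROWS):
        print(alert)
```

In the sample data, alice’s normal file-server and printer use and bob’s two typos stay below both thresholds, while svc_backup trips the first rule at 21:00:30 and the second at 21:09:00 from the same source workstation. The two alerts share a user and a source host, which is the join an analyst (or the XDR platform’s automated diagnosis) would use to treat them as one intrusion rather than two unrelated events; the thresholds and windows are tuning knobs that a real deployment sets from its own baseline of legitimate behaviour.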
The XDR Platform Alone Is Not Enough
In cybersecurity, human intervention is essential: skills and timeliness count. Companies need to run a SOC (Security Operation Center), either with internal resources or by relying on technology partners specialized in cybersecurity. Our Cyber SOC provides organizations with a team of certified professionals and highly specialized IT security experts dedicated to monitoring the entire company, detecting (Detection) and investigating (Analysis) threats, and defining the actions taken in response (Response). Depending on specific needs, the remediation of threats can be performed independently by the Cyber SOC Team or in collaboration with the internal IT staff. Our Cyber Security Team therefore assists organizations in monitoring the attack surface, constantly analyzing its composition, the infrastructure it relies on, the network environment and the various technologies involved, in order to prevent both the first breach and lateral movement.