A solid attack surface management (ASM) program can improve resiliency, instill trust, and reduce exposures by providing security operations teams with a continuous and ongoing assessment of their attack surface. Driven by an external perspective of what’s exposed, ASM provides continuous gap identification and validation of how effective a security team’s asset management, vulnerability management, and configuration management processes are working.
While 86% of organizations believe they follow best practices for IT Hygiene and security posture management, few have effective monitoring programs in place to know for sure. This is the gap external attack surface management platforms like Randori Recon fill.
When done well, ASM can provide much needed validation of the hard work and long hours security teams put into designing and implementing effective processes.
One of the most powerful and frequently-used features of Randori Recon is the ability for users to quickly create and share Saved Views of their environments. With Saved Views, users can now save frequently used Filters and Sorts to get to frequently accessed data. In this blog, we’ll highlight 5 of our favorite Saved Views developed by us and our customers that we feel every attack surface management user should have at their fingertips.
There is not a business right now that is not concerned about ransomware. Your attack surface is your first line of defense, with the majority of ransomware attacks starting with internet-facing assets. Being able to quickly track, monitor and report on your exposure to the most common ransomware attack vectors is a key requirement for any external attack surface management program. At the top of that list are RDP exposures.
It’s estimated that a majority of ransomware attacks now start when attackers log into exposed RDP instances using stolen or brute-forced credentials. While RDP itself is not often exploitable, when it is poorly configured and monitored it provides attackers with an open door into an organization. Being able to accurately and continuously understand where and how your organization is exposing RDP to the internet is an essential capability – which is why at Randori, we make RDP exposures a default Saved View for every customer.
Ports – Non Standard Exposures
With the decentralization of IT, security teams must contend with a new range of developers, users and third parties empowered to stand-up and configure infrastructure for the company. One of the most common areas which security teams struggle to monitor is the unknown exposure or incorrect configuration of internet-facing assets. This is increasingly challenging for cloud assets, which can easily be stood up.
As a result, one of the most popular Saved Views by Randori customers is to monitor for the exposure of non-standard ports. While Randori will provide a list of ports not commonly exposed to the internet (20, 21, 139, 445, 1433, etc), most customers leverage Randori policies to adjust this view to match a standard server image or configuration set-up that is defined by company policy.
Easy to set up and continuously monitored, this Saved View makes it easy for organizations to quickly identify assets likely to be poorly managed or that were set up out of policy. The most advanced users leverage Randori’s policy engine and integrations to reduce mean time to remediation (MTTR) by automatically creating tickets when select open ports are detected on an internet-exposed asset.
Cloud – Unauthorized IaaS
Organizations of all sizes are moving to the cloud and while cloud transformation projects will typically see organizations seeking to standardize on one or two public cloud providers, reality is often different. As cloud adoption increases, one of the most popular Saved Views used by IT & security teams is to monitor for assets running on unauthorized IaaS providers.
Using this Saved View, organizations have found assets serving from both AWS and Digital Ocean that were outside acceptable policies, unreleased marketing campaigns exposed by an advertising agency, and subdomains that had been hijacked to host NSFW content.
Set-up is easy: simply define which cloud providers are approved, and Randori will show you any identified cloud assets not running inside those approved providers.
Legacy – Infrastructure
As organizations decommission data centers and acquire new companies, legacy infrastructure often gets left behind. Either forgotten or believed to have been decommissioned, these zombie systems continue to run exposed and vulnerable to attack. Using Randori’s Saved View capabilities, organizations can automatically monitor for any legacy infrastructure that may have been forgotten. Out of the box, Randori’s EOL characteristic identifies any end-of-life software Randori has found; with Saved Views, users can additionally monitor decommissioned networks or domains for systems that are still exposed.
Using this Saved View, organizations have found decade-old UNIX servers, supposedly decommissioned years ago, still running and online; clusters of acquired assets unknown to IT or security; abandoned search appliances and VPNs; and hijacked assets.
It’s no secret that hackers will monitor certificate transparency logs and other OSINT sources for intriguing test/dev and other hostnames that may point them to interesting targets. Often temporary, poorly configured and lacking the full armament of security controls placed on production systems, these interesting hostnames are often used for gaining initial access.
Common examples of interesting hostnames include:
As an attack surface management professional, being able to quickly see the hostnames of interest to an attacker can be invaluable. Using this Saved View, organizations have found directory listings, database exposures, S3 bucket exposures, pre-release binaries, and internal employee portals and resource pages.
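The five Saved Views above (RDP exposures, non-standard ports, unauthorized IaaS, legacy infrastructure, and hostnames of interest) are all reusable filters over an external asset inventory. The following added example models them that way in Python so that a team can see how a default view, a company-policy override, and a decommissioned-network check fit together. It is illustration code written for this page, not Randori Recon's data model or API: the `Asset` class, the inventory (which uses documentation IP ranges), the cloud provider labels, the policy values, and the hostname token list built around the post's "test/dev" examples are all constructed assumptions. The default uncommon-port list is the one quoted in the post.

```python
"""Saved Views modelled as reusable filters over an external asset inventory.

Hypothetical example: the Asset model, the inventory, the provider labels and
the policy values are constructed for illustration and are not Randori
Recon's data model or API.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re

# Providers treated as IaaS for the "unauthorized IaaS" view (assumed labels).
CLOUD_PROVIDERS = frozenset({"aws", "azure", "gcp", "digitalocean"})

# Default list of ports not commonly exposed to the internet (the post's list).
DEFAULT_UNCOMMON_PORTS = frozenset({20, 21, 139, 445, 1433})

# Hostname tokens that tend to mark temporary or non-production systems
# (assumed list, built around the post's "test/dev" examples).
INTERESTING_HOSTNAME_RE = re.compile(
    r"(^|[.-])(dev|test|staging|uat|qa|old|backup|tmp)([.-]|$)", re.IGNORECASE
)


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    provider: str          # hosting attribution, e.g. "aws" or "on-prem"
    open_ports: frozenset  # TCP ports observed open from the internet
    eol: bool = False      # software identified as end-of-life


# Constructed inventory using documentation address ranges; no real hosts.
INVENTORY = [
    Asset("www.example.com", "203.0.113.10", "aws", frozenset({80, 443})),
    Asset("jump.example.com", "203.0.113.11", "aws", frozenset({443, 3389})),
    Asset("files.example.com", "203.0.113.12", "digitalocean", frozenset({21, 445})),
    Asset("staging-api.example.com", "203.0.113.13", "azure", frozenset({443, 8080})),
    Asset("unix01.example.com", "198.51.100.5", "on-prem", frozenset({22, 23}), eol=True),
    Asset("mail.example.com", "203.0.113.14", "aws", frozenset({25, 587})),
]


def rdp_exposures(assets):
    """Assets answering on TCP 3389 from the internet."""
    return [a for a in assets if 3389 in a.open_ports]


def non_standard_ports(assets, allowed_ports=None):
    """Assets exposing ports outside policy, with the offending ports.

    Without a policy the view flags any port on the default uncommon list;
    with an allow-list (the company's standard image) it flags everything else.
    """
    flagged = []
    for a in assets:
        if allowed_ports is None:
            bad = a.open_ports & DEFAULT_UNCOMMON_PORTS
        else:
            bad = a.open_ports - frozenset(allowed_ports)
        if bad:
            flagged.append((a, sorted(bad)))
    return flagged


def unauthorized_iaas(assets, approved_providers):
    """Cloud-hosted assets whose provider is not on the approved list."""
    approved = {p.lower() for p in approved_providers}
    return [a for a in assets
            if a.provider.lower() in CLOUD_PROVIDERS and a.provider.lower() not in approved]


def legacy_infrastructure(assets, decommissioned_networks=()):
    """EOL software, or anything still answering from a network believed decommissioned."""
    nets = [ip_network(n) for n in decommissioned_networks]
    return [a for a in assets
            if a.eol or any(ip_address(a.ip) in n for n in nets)]


def interesting_hostnames(assets):
    """Hostnames that suggest test, dev or otherwise non-production systems."""
    return [a for a in assets if INTERESTING_HOSTNAME_RE.search(a.hostname)]


def run_saved_views(assets, policy):
    """Evaluate every view against the inventory; returns view name -> sorted hostnames."""
    return {
        "rdp_exposures": sorted(a.hostname for a in rdp_exposures(assets)),
        "non_standard_ports": sorted(
            a.hostname for a, _ in non_standard_ports(assets, policy.get("allowed_ports"))),
        "unauthorized_iaas": sorted(
            a.hostname for a in unauthorized_iaas(assets, policy["approved_providers"])),
        "legacy_infrastructure": sorted(
            a.hostname for a in legacy_infrastructure(
                assets, policy.get("decommissioned_networks", ()))),
        "interesting_hostnames": sorted(a.hostname for a in interesting_hostnames(assets)),
    }


if __name__ == "__main__":
    policy = {
        "allowed_ports": {25, 80, 443, 587},          # standard image: mail and web only
        "approved_providers": ["aws", "azure"],
        "decommissioned_networks": ["198.51.100.0/24"],
    }
    for view, hosts in run_saved_views(INVENTORY, policy).items():
        print(f"{view}: {hosts}")
```

The policy dictionary is where the post's "adjust this view to match a standard server image" happens: with no `allowed_ports` the non-standard-ports view only flags the default uncommon list, while an allow-list turns it into a strict deviation report. Each view returns the matching assets rather than printing them, so the same result can feed a ticketing integration for the MTTR use case the post describes.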
Get your hands on these 5 Saved Views and more today with Randori Recon.