At Randori, we recommend assessing risk by evaluating your attack surface the same way an attacker would. But, what does that actually mean, and how does an attacker’s perspective differ from a traditional defenders’ approach?
Viewing your company like an attacker means understanding intentions, capabilities, and opportunities—in other words, what are they after, how will they do it, and where across your attack surface are they most likely to strike. From this foundation, you can build a defensible framework to prioritize investment across prevention, detection, and response.
In this post, let’s talk about what makes a target tempting to an attacker. By understanding why certain targets are more appealing than others, you can extend beyond traditional vulnerability scoring (e.g. CVSS) to a prioritization model that minimizes company risk and best protects what’s most important to your business.
Looking from the Outside In
Most security teams understand the crown jewels they need to protect, and frequently scan their internal network for vulnerabilities. In addition, malicious activity is simulated via penetration tests that test security controls and highlight areas of improvement.
Vulnerability management & penetration testing help reduce risk, but fall short for three reasons:
- Limited Scope: Security tools and testing are only as good as their scope. Shadow IT, forgotten systems, and process failures introduce unknown, unmonitored risk. If these systems aren’t known to IT, it’s highly likely they will emerge as an interesting target to the attacker.
- Incomplete Coverage: Consistent patching alone isn’t enough. Misconfigurations (see Enumerability below) and credentials, whether default, weak, or stolen, also can grant attackers unauthorized access without the need for exploitation. Undisclosed exploits are also a problem against tougher adversaries.
- Point-in-time: As pen tests are usually delivered as service engagements, results quickly age as your attack surface changes or new attacker techniques are introduced. Company changes, such as cloud migration, mergers & acquisitions, or new software deployed on your perimeter present fresh opportunities for patient adversaries monitoring your attack surface.
Based on our experiences breaching orgs, we recommend the following strategy:
- Identify all of your internet-facing assets and services.
- Prioritize your assets and services by how tempting they are to an attacker.
- Test your defenses to confirm risk and improve incident response.
- Monitor your attack surface for change; train threat detection & response.
Breaking Down Target Temptation
We suggest six factors that should weigh into your prioritization process for remediation. These factors drive our patented Target Temptation engine, which scores and ranks each discoverable instance of software according to its attractiveness to an adversary—we define these instances of software as Targets.
Now let’s share why, we as attackers, think about these six target temptation factors:
Enumerability: How much information can we gather about the service?
Can we see the service’s exact version, or even better, gather configuration information? Enumerability is all about “peeking from the outside”: depending on the service and its deployment, a webserver target could show anything from “Apache Unknown” to “Apache 2.4.33,” or perhaps no server information could be discerned at all. If we understand the exact version of the service and glean insights into its configuration, we can be precise with the exploits and attacks we run, making the least amount of noise.
Weakness: How can it be attacked?
Are there public vulnerability disclosures or known weaknesses for this service? Are there exploits available? Weakness should consider vulnerability weighting criteria, but must also consider the next steps for the attacker. For example, initial exploits for BlueKeep were valid, but blue-screened the target. Therefore, there’s value for denial of service, but not Remote Code Execution (RCE). As the research progressed, RCE was achieved. Scoring must be predictive and dynamic.
Of course, if there’s a public exploit for a particular vulnerability (e.g. Metasploit module, code repository, or sometimes even a pastebin snippet), that greatly lowers the barrier to entry for attacks. Weakness scoring should also consider available exploits in non-public circles (e.g. Canvas, Zerodium).
As an example, Apache Struts version 2.3.31 has a critical vulnerability with reliable exploits: we rank it 5/5 for Public & Private Weakness. These are patched in version 2.4.18 (shown below), where it’s currently ranked 2/5.
Applicability: How common is this service in the wild?
If we develop tooling or a custom exploit, can we use it to get value from multiple targets?
This factor measures the likely utility of exploiting a service and takes into account ongoing research and markets for vulnerabilities. Common services include Exim SMTPd, Nginx, and Apache, which, for particular versions, we all rank as their Applicability as a 5/5 due to their broad prevalence.
Research Potential: How well researched is the service?
Is the software extremely esoteric or hard to obtain? Is there a history of weaknesses, or do no prior research findings exist? Redis, PHP, and Cisco-IOS are examples of well-researched services with disclosed vulnerabilities. As a result, it’s important to monitor these services as they will continue to be studied by white and black hats alike.
Post Exploitation Potential: What do we do after gaining control?
Is the post exploitation environment known? Does attack tooling exist? Are defenses typically present? This factor should consider capability, difficulty, and risk (e.g. EDR agent) associated with the post exploitation environment. For example, Dropbear 2018.76 (SSH client) is only used on POSIX platforms and is rarely used outside of embedded devices. Defenses are extremely unlikely and advanced tooling is available: we rate it 5/5 for post exploitation potential.
On the flip side, identifying an HTTP server, Google Load Balancer, or web server services reveals little information about the post exploitation environment, and we rate them 0-1 out of 5.
For anything that typically installs on Windows, Mac, or Linux, we weigh the high availability of persistence tooling against the need to circumvent a deployed EDR product to take next steps: a rating of 3 is standard.
Criticality: Does this get us closer to crown jewels?
Does this target represent a security boundary? VPN and Firewall services are very tempting targets because they guard important security boundaries. In most cases, it’s difficult to answer “where can I go from here?” from the outside-in. This is where attack emulation helps the most—it shows what an adversary would encounter, and directly highlight the risks of a bypassed security boundary.
Cisco IOS, Cisco ASA VPN, Apigee Router, and SAP NetWeaver App Server are examples of services with high criticality, as successfully attacking these services means bypassing a defined security boundary.
The Art of Attack
By prioritizing based off target temptation, you get a more accurate view into your true risk and what to do next. For example, this could reveal a need for better network segmentation, or monitoring on critical security boundaries. Combined with attack emulation to confirm hypotheses and true levels of risk, you can make a compelling case for broader teams to take action.
If you’d like to see what your company looks like to an attacker, sign up for a free trial of Recon, our check out our demo webinar. Just like true adversaries, you don’t need to install or configure anything. From just an email address, our black-box discovery will surveil your internet-connected assets, use Target Temptation to prioritize risk, and alert you on important changes to your attack surface.