What’s in a Modern Attack Surface?

To keep up with the breakneck speed of modern business, organizations are moving customer and partner interactions online along with the critical infrastructure required to support it.

Unfortunately, increased risk of cyber attack and the associated consequences like data theft, operational disruption, brand erosion, and employee and customer compromise have become a natural side effect of this digital transformation.

Risk is present today, right now.. You are not going understand the magnitude until you fully discover, map and manage your complete attack surface.

With the boundaries between what’s inside the firewall and what’s outside becoming less and less discernible, an organization’s attack surface — everything it needs to worry about defending — now begins inside the corporate network and extends all the way to the outer reaches of the internet.

Simply stated, if you are online, you have an Attack Surface! Internet visitors taking advantage of all these new digital touchpoints available to engage with brands are also in the crosshairs of hackers, who view their clicks, traffic, credentials, and computers as commodities to be harvested and traded and often use the brands they love as bait.

For security teams, the sheer depth and breadth of what they need to defend may seem daunting, but thinking about the Internet from an attacker’s perspective — a collection of digital assets that are discoverable by hackers as they research their next campaigns — can put the massive scope of their organization’s attack surface into perspective.

Here are five areas that I feel will help us all to better frame the challenges faced in keeping the Internet a safe environment, all of which underline a need to broaden awareness of the potential risks involved to foster a more informed approach to cyber defense.

1. The Global Attack Surface is much bigger than you think and growing every day.

How do I know this? Through my employer, RiskIQ, I have the ability to leverage a super cool, global web-crawling infrastructure. Each day, it analyzes more than 2 billion HTTP requests, takes in terabytes of passive DNS data, collects millions of SSL Certificates, and monitors millions of mobile apps, to map the scope of this attack surface over two weeks.

• We observed 3,495,267 new domains (a whopping 249,662 per day) and 77,252,098 new hosts (or.. 5,518,007 per day) across the internet over a two week period, each representing a possible target for threat actors.

Modern websites are made up of many different elements — the underlying operating system, frameworks, third-party applications, plug-ins, trackers, etc., all designed to deliver a user experience that people have come to expect, as well as reduce the time to market and derive maximum value from user interactions.

As in the PC environment, this commonality of approach is attractive to malicious actors as a successful exploit written for a vulnerability or exposure on one site can be reused across a large number of sites.

As the attack surface grows — so does your risk. Move from a state where you are uninformed, to actively managing it. Simply deploying a perimeter is insufficient and ignores the issue!

As an example, Content Management Systems (CMS) are popular amongst web developers for creating dynamic sites that are easy to maintain and update. Their ubiquity makes them a popular target for hackers as we’ve seen many times in the past.

Over a two week period my research team found:

• 13,297 WordPress plugins in the Alexa top 10,000 (most visited websites)
• 12,536 CMS instances in the Alexa top 10,000
• 1,713,556 WordPress plugins overall
• 1,814,997 CMS instances overall

Common Vulnerabilities and Exposures (CVE’s) are classified by severity on a scale of 1 to 10 using the Common Vulnerability Scoring System (CVSS), where 7 to 8.9 represent high vulnerabilities and 9 to 10 represent critical vulnerabilities.

Focusing on these high and critical vulnerabilities, our research showed:

• 3,390 of the Alexa top 10,000 domains were running at least one potentially vulnerable web component.
• 6,303 potentially vulnerable web components in total were found in the Alexa top 10,000
• 1,036,657 potentially vulnerable web components were found overall

While some of these instances will have patches or other mitigating controls to prevent the identified vulnerabilities and exposures from being exploited, many will not, so beware, and ponder what risks may lie hidden in your “unknown or forgotten” infrastructure.

2. Often, hackers know more about your attack surface than you do

It’s a scary thought, but most organizations lack a complete view of their Internet assets. In my dealings with new customers, I typically find 30 percent more assets than they thought they had, and these are sophisticated security teams with endless resources at their disposal. There are two contributors to this lack of visibility many organizations don’t think about; shadow IT and mergers and acquisitions (M&A).

Where IT can’t keep pace with business requirements, the business looks elsewhere for support in the development and deployment of new web assets. The security team is frequently in the dark with regards to these shadow IT activities and as a result, cannot bring the created assets within the scope of their security program.

Unmanaged over time, orphaned assets form an Achilles heel of an organization’s attack surface. They are not regularly patched or security tested and the operating systems, frameworks, and third-party applications of which they are comprised can quickly age and become vulnerable to common hacking tools. When you merge with another company, their vulnerabilities become your vulnerabilities.

Mergers and acquisitions often bring with them incomplete and inaccurate lists of public facing digital assets that further exacerbate the problem. Digital assets can be broken down into many different types, each with associated risks that must be understood and managed. Some of the key asset types are hosts, domains, websites, certificates, third-party applications, and third-party components.

To highlight the scope of the challenge large organizations face in defending their digital assets, we conducted research on the FT30 basket of companies.

Summarizing the results, on average each organization has:

• 5,322 hosts
• 9,896 dormant websites (parked, defensively registered, etc.)
• 3,846 live websites, 3,201 of which are currently serving content
• 596 live websites hosted on Amazon, 67 hosted on Azure (20 percent of total)
• 38 mail servers
• 1,766 registered domains
• 616 web pages collecting PII, 35 percent doing so insecurely
• 4 websites with expired certificates and 3 websites using old, untrusted encryption algorithms
• Content Management Systems (CMS’s) — 96 instances of WordPress and 56 instances of Drupal
• 120 websites with a potential critical score CVE (CVSS score 9–10)
• 228 websites with a potential high score CVE (CVSS score 8–9)
• 123 test sites. Some of these should be exposed on the Internet but in our experience, many should not.

These assets comprise a large and complex attack surface that needs to be understood and actively managed to reduce the low-hanging fruit available for cybercriminals to exploit.

3. The hidden attack surface: Hackers don’t have to compromise your assets to attack your organization or your customers

Social engineering through impersonation remains a top tactic for threat actors. Impersonating domains, subdomains, landing pages, websites, mobile apps, and social media profiles are all used, many times in combination, to trick consumers and employees into giving up credentials and other personal information or installing malware.

• Last year, our team identified 26,671 phishing domains impersonating 299 unique brands, 40 percent of which were financial services brands
• Phishing tactics have become increasingly sophisticated, often leveraging multiple digital elements (link has more information about the “MyEtherWallet” phish).

Apart from their own assets, organizations must be on the lookout for impersonating or affiliating assets created to target their customers and employees. Early detection and takedown of infringing assets are one of the most effective ways of disrupting targeted campaigns.

4. The mobile attack surface: You have much more to worry about than just the Apple and Google Play mobile app stores

The general perception is that there are a small number of mobile app stores but the reality is somewhat different. There are a large number of secondary and affiliate stores primarily serving the Android market which provide an opportunity for malicious actors to compromise legitimate apps and launch fake apps while hiding in the vastness of the app store ecosystem.

Q3 2018 mobile app research revealed:

• 169,138 blacklisted mobile apps across 120 mobile app stores and the open internet. This equates to 3% of all new apps detected. 76,095 of those were detected in the Google Play store.
• 52 percent (18,692) of all feral apps (mobile apps not hosted in a store) were blacklisted. Users are often directed to these apps through mobile and social phishing campaigns
• A large percentage of apps blacklisted claimed the READ_SMS permission, which allows the app to read messages and can be used for any number of nefarious purposes, including circumventing two-factor authentication

Organizations must do more to monitor the app store ecosystem for stores hosting their apps without permission and for apps impersonating their brand(s). Users should stick to the primary app stores where possible and be vigilant in researching apps they wish to download. They should question whether the developer looks legitimate, whether the user reviews indicate anything concerning, and whether the permissions being asked for seem excessive for the functionality the app needs to provide its service.

5. Cryptocurrency Miners are the latest attack surface compromise

While spyware, ransomware and other forms of malware still proliferate, cybercriminals are augmenting their activities by stealing computer resources rather than information. With the exponential growth in the value of cryptocurrencies, crypto mining is now a lucrative pursuit.

The primary challenge facing cryptocurrency prospectors is that mining requires an extreme level of computing power, which can be prohibitively expensive — Fundstrat reported that the cost of mining a single Bitcoin reached about $8,038, and the cost of mining other coins are not far behind.

To get around it, actors are siphoning computing resource from unwitting users across the internet; hosting crypto mining scripts on the websites of highly visited sites which then execute in the web browsers of visitors to those sites.

My team’s research found:

• 50,000+ websites have been observed running Coinhive in the past year
• An average of 495 new hosts running cryptocurrency miners each week over the past 26 weeks.
• 326 Drupal injections on hosts running Coinhive, suggesting that this is one of the ways sites are being infected.
• Across the websites belonging to the FT30, we found 11 instances of cryptocurrency miners

Some of the crypto mining scripts we found have been active for over 160 days, suggesting that organizations are failing to detect them.

Final Thoughts

Traditionally, the security strategy of most organizations has been a defense-in-depth approach starting at the perimeter and layering back to the assets that should be protected. However, there are disconnects between that kind of strategy and the attack surface as presented in this report. In today’s world of digital engagement, users sit outside the perimeter along with an increasing number of exposed corporate digital assets — and the majority of the malicious actors. As such, companies need to adopt security strategies that encompass this change. Remember, if you are online — who isn’t these days? — You have an attack surface, and someone is already watching it, looking for a way in. Consider my 5 tips and how you may be at risk. I’d love to hear from you if you want to further discuss or explore what the risks may mean for you, your team or your business.