1. © 2019 Denim Group – All Rights Reserved
Building a world where technology is trusted.
Enumerating Enterprise Attack Surface
Dan Cornell | CTO
2. Dan Cornell
• Founder and CTO of Denim Group
• Software developer by background
• OWASP San Antonio co-leader
• 20 years experience in software architecture, development, and security
3. How We Can Help
Advisory Services | Assessment Services | Remediation Services | Vulnerability Resolution Platform
Building a world where technology is trusted
Denim Group is solely focused on helping build resilient software that will withstand attacks.
• Since 2001, helping secure software
• Development background
• Tools + services model
4. Attack Surface
5. Attack Surface?
6. Attack Surface
• For the purposes of this presentation…talking about application attack surface
  • Web applications
  • Web services
  • Mobile applications
  • And so on…
7. Other Materials
• Application Attack Surface: https://www.slideshare.net/denimgroup/monitoring-application-attack-surface-to-integrate-security-into-devops-pipelines
• Reducing Attack Surface: https://www.slideshare.net/denimgroup/reducing-attack-surface-in-budget-constrained-environments
8. So You Want To Roll Out a Software Security Program?
• Great!
• What a software security program ISN’T
  • Question: “What are you doing to address software security concerns?”
  • Answer: “We bought scanner XYZ”
• What a software security program IS
  • People, process, tools (naturally)
  • Set of activities intended to repeatedly produce appropriately-secure software
9. Challenges Rolling Out Software Security Programs
• Resources
  • Raw budget and cost issues
  • Level of effort issues
• Resistance: requires organizational change
  • Apparently people hate this
• Open source tools
  • Can help with raw budget issues
  • May exacerbate problems with level of effort
• View the rollout as a multi-stage process
  • Not one magical effort
  • Use short-term successes and gains to fuel further change
10. But for many organizations, the first challenge they need to overcome is the reality that…
11. You can’t defend unknown attack surface
If everything is important then nothing is important
12. [Translation]
Find out what applications you have in your organization
Decide the relative importance of applications and treat them differently based on this
13. What Is Your Software Attack Surface?
Software You Currently Know About
Why?
• Lots of value flows through it
• Auditors hassle you about it
• Formal SLAs with customers mention it
• Bad guys found it and caused an incident (oops)
What?
• Critical legacy systems
• Notable web applications
14. What Is Your Software Attack Surface?
Add In the Rest of the Web Applications You Actually Develop and Maintain
Why Did You Miss Them?
• Forgot it was there
• Line of business procured through non-standard channels
• Picked it up through a merger / acquisition
What?
• Line of business applications
• Event-specific applications
15. What Is Your Software Attack Surface?
Add In the Software You Bought from Somewhere
Why Did You Miss Them?
• Most scanners only really work on web applications, so no vendors pester you about your non-web applications
• Assume the application vendor is handling security
What?
• More line of business applications
• Support applications
• Infrastructure applications
16. What Is Your Software Attack Surface?
MOBILE! THE CLOUD!
Why Did You Miss Them?
• Any jerk with a credit card and the ability to submit an expense report now runs their own private procurement office
What?
• Support for line of business functions
• Marketing and promotion
17. Attack Surface: The Security Officer’s Journey
• Two Dimensions:
  • Perception of Software Attack Surface
  • Insight into Exposed Assets
[Chart: Perception vs. Insight]
18-22. Attack Surface: The Security Officer’s Journey
• As perception of the problem of attack surface widens, the scope of the problem increases
[Chart: Perception vs. Insight; successive slide builds add Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, and Mobile Applications along the Perception axis]
23-25. Attack Surface: The Security Officer’s Journey
• Discovery activities increase insight
[Chart: Perception vs. Insight; successive slide builds move Web Applications up the Insight axis]
26-30. Attack Surface: The Security Officer’s Journey
• Over time you end up with a progression
[Chart: Perception vs. Insight; successive slide builds add Client-Server Applications, Desktop Applications, Cloud Applications and Services, and Mobile Applications after Web Applications, each gaining insight in turn]
31. Attack Surface: The Security Officer’s Journey
• When you reach this point it is called “enlightenment”
• You won’t reach this point
[Chart: Perception vs. Insight, with Web Applications, Client-Server Applications, Desktop Applications, Cloud Applications and Services, and Mobile Applications all perceived and all with full insight]
32. First Decision
• What is considered to be in scope?
  • Depends on how you want to manage vulnerabilities and manage risk
33. Process
• Identify Application “Homes”
• Enumerate Applications
• Collect Metadata
• Repeat as Needed
34. So Where Are These Applications?
• Your Datacenters
• 3rd Party Datacenters
• Cloud Providers
35. Enumerating Applications
• Technical
  • Network inspection
  • DNS and other registry inspection
• Non-technical
  • Interviews
  • Other research
36. IP Range Detection
• IPOsint: https://github.com/j3ssie/IPOsint
  • ip-osint.py -t CompanyName
  • Data sources:
    • Whois
    • Ripe
    • Arin
    • Hurricane
    • Censys
    • securitytrails
37. Network Inspection
• nmap: https://nmap.org/
• Look for common web server ports:
  • 80, 443, 8000, 8008, 8080, 8443
  • Others depending on your environment
• nmap -sS -p 80,443,8000,8008,8080,8443 x.y.z.0/24
• Great for dense environments you control
  • Largely datacenters
https://www.denimgroup.com/resources/blog/2016/03/threadfix-in-action-discovering-your-organizations-software-attack-surface-web-app-edition/
38. DNS Inspection
• SubFinder: https://github.com/subfinder/subfinder
  • docker run -it subfinder -d target.org
  • Can get even more data with service-specific API keys
• OWASP Amass: https://github.com/OWASP/Amass
  • sudo docker run amass --passive -d target.org
39. Mobile Application Identification
• Scumblr: https://github.com/Netflix-Skunkworks/Scumblr
  • Purpose of tool evolved over time
  • Not currently maintained – looking for maintainers
40. Interviews
• Line-of-business representatives
  • Will need to translate their definition of “application” to your definition
  • Think in terms of business processes; these can map to multiple applications and microservices
• Tech leads
  • More familiar with the deployed infrastructure and other assets
41. Other Research
• Disaster recovery plans
  • If someone wants to make sure it is up, you probably want to make sure it is secure
• Accounting
  • Find cloud providers via billing records
42. What is an “Application”?
• What assets do we have?
  • IP addresses
  • Host names
  • Mobile apps
• Business view of “applications”
• Challenge: Create a consolidated view
• Challenge: Correlate applications and the supporting infrastructure
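As an added example (not code from the deck or from the tools it names), this shows how the nmap and DNS inspection results from the earlier slides can be correlated into the consolidated asset view this slide asks for. The nmap grepable output and the resolved subdomains are constructed sample data, and labelling an IP "Internal" when it falls in RFC 1918 space is a simplifying assumption for the Exposure metadata.

```python
import ipaddress
import re

# Web server ports the slides suggest scanning for, and the RFC 1918 ranges used to
# label an IP "Internal" vs "Public" (a simple first cut at the Exposure metadata).
WEB_PORTS = {80, 443, 8000, 8008, 8080, 8443}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_RE = re.compile(r"(\d+)/(\w+)/tcp")

# Constructed sample of nmap grepable (-oG) output; not real scan data.
NMAP_GREPABLE = """\
# Nmap 7.80 scan initiated as: nmap -sS -p 80,443,8000,8008,8080,8443 -oG - 10.0.1.0/24
Host: 10.0.1.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8080/closed/tcp//http-proxy///
Host: 10.0.1.23 ()\tPorts: 8443/open/tcp//https-alt///, 8000/filtered/tcp//http-alt///
Host: 203.0.113.7 ()\tPorts: 443/open/tcp//https///
"""

# Constructed DNS discovery result: names a subfinder/amass run would print, mapped to
# the A record each resolved to. Resolution is hard-coded so the example runs offline.
RESOLVED = {"www.target.org": "203.0.113.7", "portal.target.org": "203.0.113.7",
            "intranet.target.org": "10.0.1.10", "old-promo.target.org": "198.51.100.9"}

def parse_grepable(text):
    """Return {ip: sorted open web ports} from nmap -oG output."""
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skip comment lines and hosts with no port data
        ip = line.split()[1]
        for port, state in PORT_RE.findall(line.split("Ports:", 1)[1]):
            if state == "open" and int(port) in WEB_PORTS:
                open_ports.setdefault(ip, set()).add(int(port))
    return {ip: sorted(ports) for ip, ports in open_ports.items()}

def exposure(ip):
    addr = ipaddress.ip_address(ip)
    return "Internal" if any(addr in net for net in RFC1918) else "Public"

def build_inventory(nmap_text, resolved):
    """Correlate scanned IPs with DNS names into one asset record per IP."""
    inventory = {ip: {"hostnames": [], "open_web_ports": ports}
                 for ip, ports in parse_grepable(nmap_text).items()}
    for name, ip in resolved.items():
        # A name that resolves to an IP the scan never covered is still attack surface:
        # keep it, with no port data, so it shows up for follow-up rather than being lost.
        inventory.setdefault(ip, {"hostnames": [], "open_web_ports": []})["hostnames"].append(name)
    for ip, entry in inventory.items():
        entry["exposure"] = exposure(ip)
    return inventory
```

Hosts with open web ports but no DNS name (10.0.1.23 above) and names pointing outside the scanned ranges (old-promo.target.org) are exactly the gaps the interviews and billing-record research on the next slides are meant to close.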
43. Collect Metadata
• Technical: Language, Scale
• Architectural: Web, Mobile
• Exposure: Public, Partner, Internal
• Regulatory: PCI, HIPAA, GDPR
44. Value and Risk Are Not Equally Distributed
• Some Applications Matter More Than Others
  • Value and character of data being managed
  • Value of the transactions being processed
  • Cost of downtime and breaches
• Therefore All Applications Should Not Be Treated the Same
  • Allocate different levels of resources to assurance
  • Select different assurance activities
  • Also must often address compliance and regulatory requirements
45. Do Not Treat All Applications the Same
• Allocate Different Levels of Resources to Assurance
• Select Different Assurance Activities
• Also Must Often Address Compliance and Regulatory Requirements
46. Rinse and Repeat
• This list will change over time
• Metadata will change
• This is especially true in a world of microservices
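An added example, not part of the deck, of putting the metadata from slides 43 to 46 to work: tier each application from its exposure, regulatory and data-value metadata, pick assurance activities per tier, and diff two enumeration passes so the rinse-and-repeat step reports what is new, gone, or re-tiered. The applications, the scoring thresholds and the activity lists are constructed assumptions, not Denim Group's scheme.

```python
# Two constructed inventory snapshots (hypothetical applications) carrying the metadata
# the slides list: architecture, exposure, regulatory regimes, and a 1-3 data-value rating.
SNAPSHOT_Q1 = {
    "payments-portal": {"arch": "Web", "exposure": "Public", "regulatory": ["PCI"], "data_value": 3},
    "hr-intranet":     {"arch": "Web", "exposure": "Internal", "regulatory": ["GDPR"], "data_value": 2},
    "promo-2018":      {"arch": "Web", "exposure": "Public", "regulatory": [], "data_value": 1},
}
SNAPSHOT_Q2 = {
    "payments-portal": {"arch": "Web", "exposure": "Public", "regulatory": ["PCI"], "data_value": 3},
    "hr-intranet":     {"arch": "Web", "exposure": "Public", "regulatory": ["GDPR"], "data_value": 2},
    "field-app":       {"arch": "Mobile", "exposure": "Public", "regulatory": ["HIPAA"], "data_value": 3},
}

EXPOSURE_SCORE = {"Internal": 0, "Partner": 1, "Public": 2}
# Assumed assurance activities per tier: the top tier gets the most resources and
# the heaviest activities; the bottom tier gets the cheapest automated coverage only.
ACTIVITIES = {
    1: ["threat model", "manual pen test", "SAST", "DAST", "SCA"],
    2: ["DAST", "SCA"],
    3: ["SCA"],
}

def tier(meta):
    """Map an application's metadata to an assurance tier (1 = most critical). Thresholds are assumed."""
    score = meta["data_value"] + EXPOSURE_SCORE[meta["exposure"]]
    if meta["regulatory"]:
        score += 1  # compliance obligations raise the bar regardless of business value
    if score >= 5 or "PCI" in meta["regulatory"]:
        return 1  # cardholder data forces the top tier even for a low-value app
    return 2 if score >= 3 else 3

def assign_activities(inventory):
    """Select the assurance activities each application gets, by tier."""
    return {app: {"tier": tier(m), "activities": ACTIVITIES[tier(m)]} for app, m in inventory.items()}

def diff_snapshots(previous, current):
    """Report what changed between two enumeration passes: new, removed and re-tiered apps."""
    new = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    retiered = {app: (tier(previous[app]), tier(current[app]))
                for app in sorted(set(previous) & set(current))
                if tier(previous[app]) != tier(current[app])}
    return {"new": new, "removed": removed, "retiered": retiered}
```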
47. You can’t defend unknown attack surface
If everything is important then nothing is important
48. [Translation]
Find out what applications you have in your organization
Decide the relative importance of applications and treat them differently based on this
50. Building a world where technology is trusted.
@denimgroup
www.denimgroup.com
dan@denimgroup.com