Connecting the Dots
It is no longer news that external attack surfaces are growing, and growing fast. Even before the pandemic drove cloud-based work-from-home strategies, increased digitization was becoming apparent across industries.
From online banking to restaurant ordering apps and automated sensors in manufacturing, attack surfaces have expanded everywhere. In fact, on average, 30-40% of a company’s attack surface consists of assets that are unknown to it. These unknown assets increase the risk of supply chain attacks and more.
Significantly, company assets don’t exist in a vacuum. They are connected to each other, and a risk in one asset can trigger a risk in another. A strong attack surface management tool needs to take cross-asset testing into account. For many the answer is graph-based visuals, which allow users to see connections between assets and group related assets together.
What is graph-based visualization and how does it contextualize assets?
Visual graph-based strategies were originally designed to map the attack paths cybercriminals could take to exploit a risk. These paths were often visualized using strike lines that connected assets, grouping together assets that could be reached through similar methods. The goal of these maps was to aid in identifying vulnerabilities in a company’s IT infrastructure by making it easier to understand how an attacker moved between them.
Before graph-based mapping, assets had to be listed and categorized in tables. Tables did provide an accurate overview of company assets. However, tables made it harder to see how assets linked together.
In a table, the user had to open each individual asset and click through for additional information, such as associated IP addresses and ports. Such a process made it harder to visualize the paths and connections between assets.
Graph-based visualization allows connections across assets to be clearly understood and thus easier to continuously monitor. A graph does not only list assets but shows the relations between them. For instance, strike lines between assets can show how one open port gives access to a variety of IP addresses. Effectively, a user searching for all insecure ports should have the assets connected to those ports highlighted as well. The identified asset does not exist in a vacuum but is given context in relation to its external function and the broader network.
Why is an asset's context important to ASM?
- More accurate representation of multi-stage attacks used by cybercriminals
- Insightful risk prioritization that takes into consideration links between vulnerable assets
- Holistic insights to aid defense team security strategy
More accurate representation of multi-stage attacks used by cybercriminals
Visualizing how assets link together helps to understand the multi-stage attacks a malicious hacker might perform. Attackers that take advantage of misconfigurations in one asset often don’t stop there, and will go on to launch attacks from the new access point.
For instance, a misconfigured static source, such as an AWS S3 bucket, could be the foundation for XSS attacks. XSS attacks are a type of injection which uses malicious scripts to compromise user interaction with a vulnerable application. In this case, the misconfigured S3 bucket acts as the launch point.
Hackers can abuse compromised external sources such as AWS S3 buckets if these external sources are imported by the site. Attackers can inject malicious JavaScript code into the external source and possibly circumvent well-defined Content Security Policies that are used to protect documents and sites.
A more basic attack on an S3 bucket could involve an attacker adding a simple pixel that lets them compromise an external source loaded by the website and log user traffic, if the browser and web server’s policies allow it.
It often happens that a company intends an application to be internal-only, or takes it offline, in a way that still leaves it reachable by attackers. Usually this happens due to misconfigurations in which the virtual host can still be found within the attack surface, or due to a lack of overview of where services are located.
Understanding paths and connections between assets is important to accurately categorize risk, and defend against attackers. Vulnerability scanners which consider these paths are more effective attack surface monitoring tools.
Insightful risk prioritization that takes into consideration links between vulnerable assets
Contextualizing assets in relation to a broader network can improve risk prioritization and security operations. Two low-risk vulnerabilities might have a higher criticality when viewed in conjunction. For instance, an environment that contains company credentials is a low-risk vulnerability on its own. However, if an attacker were also to find that the database those credentials authenticate to was accessible from the internet, a data breach could be imminent.
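The two ideas above, a port search that also lights up the assets linked to that port, and two low-severity findings that become critical once they sit in the same connected part of the graph, can both be shown on a small asset graph. The following is an added example written for this article, not Hadrian's code; the hostnames, addresses, bucket name and findings are constructed placeholders, and the combination rule encodes the credentials-plus-exposed-database case from the paragraph above.

```python
from collections import defaultdict, deque

# Constructed sample inventory; these hostnames, addresses and bucket names are
# placeholders, not real assets. Each edge reads "left is linked to right": a name
# resolves to an address, an address exposes a port, a site loads a script, a
# config host references a database host.
EDGES = [
    ("www.example.test", "203.0.113.10"),
    ("203.0.113.10", "203.0.113.10:443"),
    ("203.0.113.10", "203.0.113.10:21"),
    ("www.example.test", "s3://static-assets-bucket"),
    ("s3://static-assets-bucket", "share-counter.js"),
    ("config.example.test", "203.0.113.11"),
    ("203.0.113.11", "203.0.113.11:8080"),
    ("config.example.test", "db.example.test"),
    ("db.example.test", "198.51.100.7"),
    ("198.51.100.7", "198.51.100.7:5432"),
    ("legacy.example.test", "192.0.2.9"),  # isolated: nothing else links here
]

# Constructed findings: asset -> (finding type, severity when viewed on its own).
FINDINGS = {
    "203.0.113.10:21": ("cleartext-ftp", "low"),
    "config.example.test": ("credentials-exposed", "low"),
    "198.51.100.7:5432": ("db-port-internet-facing", "low"),
    "s3://static-assets-bucket": ("bucket-world-writable", "medium"),
    "legacy.example.test": ("credentials-exposed", "low"),
}

# Combination rule (assumed for this example): when both finding types occur in
# the same connected part of the graph, both are raised to the given severity.
COMBINATION_RULES = [
    ("credentials-exposed", "db-port-internet-facing", "critical"),
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def build_graph(edges):
    """Undirected adjacency map: a link is usable in either direction."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def reachable(graph, start):
    """Every asset connected to `start` through any number of links (BFS)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def highlight(graph, findings, finding_type):
    """Assets carrying `finding_type`, each with the assets directly linked to it,
    so a search for insecure ports also shows the hosts behind those ports."""
    return {
        asset: sorted(graph[asset])
        for asset, (ftype, _) in findings.items()
        if ftype == finding_type
    }


def prioritize(graph, findings, rules):
    """Start from standalone severities, then raise them wherever two linked
    findings match a combination rule. Returns asset -> final severity."""
    result = {asset: sev for asset, (_, sev) in findings.items()}
    by_type = defaultdict(list)
    for asset, (ftype, _) in findings.items():
        by_type[ftype].append(asset)
    for type_a, type_b, elevated in rules:
        for a in by_type[type_a]:
            linked = reachable(graph, a)
            for b in by_type[type_b]:
                if b in linked:  # same connected component: combined risk applies
                    for asset in (a, b):
                        if SEVERITY_RANK[elevated] > SEVERITY_RANK[result[asset]]:
                            result[asset] = elevated
    return result


if __name__ == "__main__":
    g = build_graph(EDGES)
    print("cleartext-ftp with linked assets:", highlight(g, FINDINGS, "cleartext-ftp"))
    for asset, sev in sorted(prioritize(g, FINDINGS, COMBINATION_RULES).items()):
        print(f"{sev:9s} {asset}")
```

Note that the credentials on `legacy.example.test` stay low: the same finding type, but no link to an exposed database, so the combination rule does not fire. That is exactly the distinction a table of findings cannot make and a graph can.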
Holistic insights to aid defense team security strategy
As discussed above, new vulnerabilities and attack paths become clear when assets are considered in conjunction. Thus, understanding how assets are linked is important for security teams when choosing how to patch potential vulnerabilities.
For instance, sites that use a third-party script will be affected by security issues regarding that script, outside of the organization. In July 2018, a Tweet counter called New Share Counts was abandoned. While the script developer did post a notice that the script was discontinued, many sites continued to use it. Eventually an attacker gained access to the S3 bucket where the discontinued script was stored and replaced it with a malicious version which redirected visitors to scam sites.
Visualization helps defense teams understand cross-asset vulnerabilities and know which areas of their external-facing assets need fortification.
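A defender's first step against the scenario above is knowing which third-party hosts a page actually pulls scripts from, so those hosts appear on the asset graph as linked nodes rather than staying hidden in HTML. The example below is added for this article, not Hadrian's tooling: it parses a constructed page fragment (placeholder hostnames, placeholder digest), lists every script source by origin, and flags external scripts that carry no `integrity` attribute. The `integrity` attribute is the browser's Subresource Integrity check, which the page does not mention; it is included here because a pinned hash is what makes a silently replaced file fail to load instead of executing.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page fragment (not a real site): one first-party script, one CDN
# script with a placeholder integrity digest, and two unpinned external scripts,
# one of them served straight from an S3 bucket.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.test/lib.js"
        integrity="sha384-PLACEHOLDER_DIGEST" crossorigin="anonymous"></script>
<script src="https://static-assets-bucket.s3.amazonaws.com/share-counter.js"></script>
<script src="//widgets.example.test/counter.js"></script>
</head><body></body></html>
"""

# Hosts the organization itself controls (assumed for the example).
FIRST_PARTY_HOSTS = {"www.example.test"}


class ScriptCollector(HTMLParser):
    """Collects the attributes of every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attr_map = dict(attrs)
            if attr_map.get("src"):
                self.scripts.append(attr_map)


def audit_scripts(html, first_party_hosts):
    """Return (src, host, classification) for each script tag.

    Relative sources (no host) and first-party hosts are 'first-party'; external
    sources are 'external-pinned' if they carry an integrity attribute and
    'external-unpinned' otherwise, the case in which a replaced file would run."""
    parser = ScriptCollector()
    parser.feed(html)
    report = []
    for attrs in parser.scripts:
        src = attrs["src"]
        host = urlparse(src).hostname  # None for "/static/app.js"; handles "//host/x"
        if host is None or host in first_party_hosts:
            report.append((src, host, "first-party"))
        elif attrs.get("integrity"):
            report.append((src, host, "external-pinned"))
        else:
            report.append((src, host, "external-unpinned"))
    return report


def external_hosts(report):
    """Distinct third-party hosts the page depends on: candidates for the graph."""
    return sorted({host for _, host, kind in report if kind != "first-party"})


if __name__ == "__main__":
    rep = audit_scripts(SAMPLE_HTML, FIRST_PARTY_HOSTS)
    for src, host, kind in rep:
        print(f"{kind:17s} {src}")
    print("external hosts:", external_hosts(rep))
```

Run against a real page, the `external-unpinned` entries are the dependencies whose compromise would surface exactly as in the New Share Counts case, and `external_hosts` gives the list of nodes to link to the site in the asset graph.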
How Hadrian emphasizes context in our attack graphs
Hadrian’s technology was built with asset contextualization in mind. In the discovery phase, assets are considered in relation to other internal assets, their external function, and across platforms. This contextualization informs the visual graphs in our dashboard.
For example, Hadrian carefully fingerprints each asset in relation to its external functions. In doing so, Hadrian considers the specifics of the software daemon, modules, libraries and authentication methods. These insights are shown in Hadrian's attack graph, where relevant assets are connected to each other. Hovering over an asset reveals more context regarding its function and location in the system.
Hadrian also does not shy away from displaying unconventional attack paths, which move across assets. Hadrian's goal is to ensure that customers' personalized attack graphs make risks easily repairable. Hadrian does this by making the steps taken to find and exploit that vulnerability clear. The assets are not only linked by connection within the infrastructure, but by the way an attacker moves between them.
In this new era, external attack surface management is becoming more complex. It is important to keep innovating and making bold choices in terms of how we visualize attack surfaces. Hadrian's hacker's perspective includes insights into asset context and cross asset links. The result is an ASM dashboard with increased utility.