TL/DR: The Hack Yourself London event gathered leading ethical hackers, industry thought leaders, and IT security experts to discuss several topics around Attack Surface expansion, Gartner’s top security and risk management trend for 2022. From the importance of shifting right and going beyond OWASP Top 10 to understanding what External Attack Surface Management is and isn’t, this post summarizes the five key takeaways from the event.
1. What is and isn’t External Attack Surface Management (EASM)
When Algolia’s security program manager Regina Bluman ran a Twitter poll to see how many people within the security industry understood the concept of EASM, she didn’t expect that the term is far from being on an IT security team’s radar. Moreover, most were not even aware of it. Defined by Gartner, EASM includes all “the processes, technology and professional services deployed to discover external-facing enterprise assets and systems that may present vulnerabilities.” Essentially, it´s a structure that should sit across all of your existing toolsets. EASM is not only about building an inventory of all of the components but also about testing the integrity of each of those “bolts.”
Marking a clear distinction between what it entails and what it doesn’t, Bluman explained that EASM is neither a product nor a standalone service and cannot be a replacement for pen-testing, vulnerability management, or threat intel. A robust EASM program needs to be continuous and automatized, as a static asset list can’t pick up the pace of a constantly-changing landscape. Once the scope is considered carefully, bug-bounty programs can also be used as a tool to help discover previously unknown attack surface dimensions. For instance, the Death Star was well defended and considered impregnable but was still destroyed by Luke Skywalker. The reason being the thermal exhaust port was not addressed only because the Empire discounted the importance of external exposures. Looking for exposures previously unknown was not prioritized and caused them to fail. This is no different from your web attack surface.
After an EASM program is in place, the following tips will help elevate the approach to the next level:
- If organizations use CASB tools (Cloud Access Security Brokers) like Appgate or Zscaler, those can be integrated to cover all bases and benefit from a holistic view.
- Dark web monitoring systems can also bring interesting insights since a vulnerability in an organization’s system is likely to be somewhere on the web.
- Start building a software bill of materials (If you are not already). Software bill of materials (or SBOM) lists all the components in a piece of software. They will soon be mandatory for any company doing business with the US federal government.
- Get rid of shadow IT by combining technology and culture. Instead of banning internal teams from using certain services, security teams can work with them, so they understand how to pivot to safer IT practices.
Watch more about what is and isn’t EASM and how it is the only hope by Regina Bluman
2. Shifting right, right?
Shifting right has been a conversation topic for many years. The idea is to move security efforts from waterfall to iterative, accelerating development pace, and understanding that security can no longer be a control function. Detectify CEO Rickard Carlsson detailed how working in increasingly complex environments without integrating security throughout the entire process can work against the benefits of an efficient DevOps implementation. The same mindset shift that broke down siloes and enabled a collaborative framework to speed up the deployment of new features applied to security led to the DevSecOps movement. By employing the core principles of DevOps within security, DevSecOps ensures that teams address security matters at every stage of the production process.
In the waterfall model, a security team runs testing towards the end of the process, usually before deploying to production. However, in this approach, detecting and fixing problems in the final stages of shorter, fast-paced production cycles inevitably result in higher costs and release delays. Fitting this outdated approach to security in the DevOps framework is contrary to the very essence of its culture of breaking down siloes and bringing accountability to all the teams involved.
The concept of shifting left means performing a task such as testing, security, or deployment earlier in the application development lifecycle. Within the DevOps frame, this idea translates into applying security testing throughout the entire production pipeline, not only “shifting” the task from later stages to the front. Integrating security every step of the way is crucial to maintaining the DevOps workflow optimal and accelerating development velocity.
3. Mulitple ways criminals are phishing for your data
Phishing, which frequently occurs through an email-based attack, is an attack vector used to trick users into making a mistake, such as clicking an incorrect link that will download malware or redirect them to a malicious website. Although phishing is still somewhat immature, there are outliers to this, like the Pegasus iOS malware sold to state actors by NSO group. Cyber Defense Manager at KPMG Aron Dobie explained that defense against phishing is usually based on Mail filters that apply higher-level processing to emails beyond RFC mandated DNS checks, like sender authentication checks, language filtering, natural language processing, reputation-based filtering, and much more. If an email goes through, user awareness is the next layer to be protected against a phishing vector attack. Are users expecting the email and content? Is the domain validated? Microsoft’s catalyst for change is based on shifting macro security default settings: an upcoming update will update the way Office handles all macro-enabled documents, blocking the execution of any macros which have a Mark of the Web (MoTW) Identifier attached to the file. When applications find the MoTW property on a file, they usually open it in a read-only mode. This is how they block malware exploitation unless users click the “enable-editing” button.
As a new era of technically advanced phishing rises, so do MotW bypassing methods. Since not all software applies MotW tagging, and it is only supported on NTFS file systems, phishing attackers still find ways to slide malware into files. Social engineering also plays a key role in MotW bypassing. Users can be encouraged and tricked into accepting security warnings or guided to remove this flag on files. Also, when files are executed from trusted locations, MotW is not evaluated.
Dobie added that companies are likely to start seeing an increase in Browser in the Browser (BitB) attacks, which simulate a browser window, utilizing iframes to load pages within the used browser, spoofing an address bar. From a user perspective, it is a challenging task to detect this attack, as the domain looks right, it has an SSL padlock and pops up expectedly. Remote Browser Scenario is another example of sophisticated phishing techniques that are likely to expand during the upcoming months. If you present a video feed, allow remote control of a browser within a container that is remote from the user, and present it with low enough latency and smooth interaction, users can view and utilize a browser on the attacker’s host, and they won’t know even notice.
4. Is OWASP Top 10 the security Bible for CISOs?
OWASP is a non-profit organization focused on making software security visible, allowing individuals and organizations to make informed decisions about their web app security. The OWASP Top 10 is an awareness document for developers and web application security practitioners that brings a broad consensus about the most critical security risks to web applications. It constitutes the very first step toward changing the application development culture within organizations into the one that produces more secure code.
During Hack Yourself London, we had the chance to learn about OWASP’s projects that allow companies to leverage the potential of OWASP beyond their Top 10 from OWASP London Chapter Leader Sam Stepanyan. Projects can be tied seamlessly into the software development lifecycle and help organizations build app security programs from requirements gathering, threat modeling, vulnerability scanning, vulnerability management, security testing, code review, best practices, maturity assessments, and developer training. The complete inventory includes more than 250 projects, categorized into Flagship, Labs and Incubator. One of the biggest project names is OWASP AMASS, for network mapping of the attack surface and external asset discovery, using open source information gathering and active reconnaissance techniques. Other flagship projects include OWASP DependencyTrack and OWASP Nettacker. While OWASP proves that organizations can kick off a robust security strategy with zero budget, only a method that combines monitoring of the complete attack surface, together with a deep web app scanner will boost your attack surface protection coverage. Plus, Detectify’s products automate the latest security research coming from elite ethical hackers, which builds up a unique repository to fuel the discovery of vulnerabilities in organizations’ attack surface.
5. How WordPress plugins are dramatically expanding your attack surface
Ethical-hacker Katie Paxton-Fear, or as we know her InsiderPhD, shared a collection of stories on some of the vulnerabilities that she has found during her time hacking. WordPress, the worldwide top Content Management System (CMS) solution that individuals and organizations use for managing and updating their websites, is a featured case that she has frequently hacked during her career. Though the magic of WordPress relies heavily on plugin usage, these make websites’ attack surfaces expand dramatically, especially considering how some of them rarely get updated properly. While it is true that there is a button for updating most of the plugins in one click, most of the time it is missed, as WordPress maintenance tends to be a forgotten subject. Different WordPress users from varied company departments hastily install plugins upon an immediate need, often forgetting about their updates and maintenance. Without even including plugins, most highlighted critical CVEs for WordPress include code executing, SQL injection, and directory traversal.
If you missed Hack Yourself London, you are still on time to register to attend Hack Yourself Stockholm on May 19, with guest speakers of the standing of David Jacoby and Stök among others. Go Hack Yourself!