
From warfare to web security, protect your attack surface from the weakest link – The New Stack

With the rapid proliferation of data, the growing number of domains and subdomains, and the increase in the number of third-party vendors, the number of entry points through which attackers can infiltrate a company’s web environment is infinite. Attacks increasingly have consequences felt beyond an organization’s perimeter, as demonstrated earlier this year with the Colonial Pipeline breach, which caused fuel prices to skyrocket along the US East Coast, and the attack on software provider Kaseya, which forced hundreds of grocery stores in the Nordic countries to close for days.

What’s true in battle is true in business

Fredrik Nordberg Almroth

Fredrik Nordberg Almroth is co-founder and security researcher at Detectify. He was voted Security Expert of the Future 2015 by Symantec and is listed, among other places, in the Google Security Hall of Fame.

Security breaches often occur through a pathway no one saw coming – a server no one knew existed, an old landing page, weak passwords, or an application that lacked a patch. It has perhaps never been clearer than today that a business is only as strong as the weakest link in its growing attack surface.

The challenges facing businesses in today’s Internet landscape are reminiscent of the concept of survivorship bias and its most famous example from World War II. One of the biggest problems the US Air Force faced during the war was how to prevent its planes from being shot down. Adding armor made the aircraft heavier and reduced their range, so one solution was to armor only the most essential areas.

After analyzing where its planes had taken the most damage, the Air Force determined that it needed to reinforce the wingtips, center body, and elevators of the planes. However, mathematician Abraham Wald pointed out that there is another way to look at the data. He argued that the armor shouldn’t be where the bullet holes are, but rather where the bullet holes aren’t – on the engines, because that is where the damage was on the planes that were destroyed and did not come back at all.

Drawing on an analogy between the Internet and World War II, it is easy to see how companies invest more resources in the visible vectors rather than the more dangerous and invisible vectors. Whether it’s a battle or a business, it’s about being proficient at what you do and removing inefficient systems and processes. Are you putting your armor in the right places? Are you looking for security issues where the attackers are? Where are the bullet holes in your business that you can’t see?

The following real-world attack methods are all examples of how survivorship bias comes into play in modern web security – and how to avoid it.

CVE-2019-7609: Kibana RCE

Sometimes protecting the attack surface can be as simple as assessing whether exposing certain systems to the web actually adds value. Kibana is a free and open application used by companies to visualize internal data. Because it is used for internal data analysis, it typically lives on the company intranet and does not need to be exposed to the Internet. Investing effort in securing it would therefore seem like an inefficient use of security resources.

However, a quick search on Shodan, a search engine for internet-connected devices, reveals that around 8,000 Kibana instances are actually exposed online, and I’m willing to bet a lot of them shouldn’t be. Add to that the fact that Kibana relies on Elasticsearch, a search and analysis engine for numeric and textual data, which in turn relies on the Java-based Log4j logging framework.


In 2018, researchers discovered an arbitrary code execution vulnerability in Kibana versions prior to 5.6.15 and 6.6.1 that allows an attacker to send a request that will attempt to execute JavaScript code. This could lead to an attacker executing arbitrary commands with the permissions of the Kibana process on the host system. The vulnerability was patched in February 2019. The Log4j bug CVE-2021-44228, which is currently setting the internet on fire, would not affect Kibana, but it illustrates just how vulnerable these exposed systems can be.

Making sure to keep tabs on what’s exposed online and removing it from the internet if it shouldn’t be there will save you resources that are better used elsewhere.
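The check described in this section, as an added example that is not from the article: it triages an asset inventory against the fixed releases cited above (5.6.15 and 6.6.1) and reports internet exposure separately from patch level. The inventory, hostnames and the `internet_facing` field are constructed assumptions standing in for your own asset discovery output.

```python
# Added example (not from the article): triage a Kibana inventory against the
# fixed releases the article cites for CVE-2019-7609 (5.6.15 and 6.6.1).

# Constructed inventory; hostnames and the internet_facing flag are assumptions
# standing in for the output of your own asset discovery.
INVENTORY = [
    {"host": "kibana-a.corp.test", "version": "5.6.9", "internet_facing": True},
    {"host": "kibana-b.corp.test", "version": "5.6.15", "internet_facing": False},
    {"host": "kibana-c.corp.test", "version": "6.6.0", "internet_facing": False},
    {"host": "kibana-d.corp.test", "version": "6.6.1", "internet_facing": True},
]

def parse_version(text):
    """'5.6.9' -> (5, 6, 9); numeric tuples sort 5.6.9 below 5.6.15,
    which a plain string comparison gets wrong."""
    core = text.strip().split("-")[0]          # drop suffixes such as -SNAPSHOT
    return tuple(int(part) for part in core.split("."))

def affected(version_text):
    """True for versions prior to 5.6.15, and for 6.x prior to 6.6.1."""
    v = parse_version(version_text)
    return v < (5, 6, 15) or (6,) <= v < (6, 6, 1)

def triage(inventory):
    """Return (host, action) pairs; exposure is reported even when patched."""
    findings = []
    for asset in inventory:
        vulnerable = affected(asset["version"])
        exposed = asset["internet_facing"]
        if vulnerable and exposed:
            action = "patch now and take off the internet"
        elif vulnerable:
            action = "patch"
        elif exposed:
            action = "review why this is internet-facing"
        else:
            action = "ok"
        findings.append((asset["host"], action))
    return findings

if __name__ == "__main__":
    for host, action in triage(INVENTORY):
        print(f"{host}: {action}")
```

A patched but internet-facing instance still gets a finding, which is the article's point: the exposure itself is the question, not only the version.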

Local File Inclusion in the ‘Mailchimp for WooCommerce’ WordPress Plugin

Just because your third-party app is up-to-date doesn’t necessarily mean it’s safe from attack – there may still be less obvious security holes underneath. WordPress is the most popular content management platform in the world, estimated to power nearly 40% of all websites. Many companies have WordPress installed somewhere in their infrastructure, and it’s easy to believe that as long as you’re running the latest version, you’re safe.

An example of this could be if you are using an older version of the Mailchimp for WooCommerce WordPress plugin. An attacker could gain access to secrets such as configuration, log files, API keys and passwords which can be used as a starting point for further attacks. This bug can also be pivoted to Remote Code Execution (RCE).

Keeping inventory of all sites you create, especially temporary ones used for a campaign, will be essential to prevent attack surface exploits like hostile subdomain takeover or an RCE. There are many open source and licensed options that can automate monitoring and enumeration of logged in and forgotten web assets, and alert you if they change in any way.

Expiration of name servers

Sometimes parts of the external attack surface fall into oblivion because they do not require regular maintenance, although they are a crucial part of the infrastructure and therefore must be constantly monitored for problems. An example is name servers, which are usually configured once and then left as is. It’s probably more common to set up, for example, CNAME records for campaign sites than full name server records. For this reason, nameserver pointers are easy to forget. However, the impact can be devastating and far-reaching if an attacker gains control. This was the case with the top level domain for the Democratic Republic of the Congo, “.cd”.

A year ago I discovered that one of the name servers for the .cd country code was about to expire. Obviously, such an important domain – used by a population of 90 million people – was not supposed to expire, but someone in the Congolese government probably forgot to pay for its renewal. Fortunately, expired domains don’t disappear immediately.

When I found out it was about to expire, I started monitoring it, assuming someone in the Congolese government would pay to get the domain back. But, to my surprise, no one did. During the Christmas holidays in December 2020, the domain was about to fall off the internet. Minutes after the domain became available, I bought it for $9 to prevent bad actors from taking it over.

Had it fallen into the wrong hands, a malicious actor could have launched a man-in-the-middle attack to intercept Internet traffic for millions of users. Being in this position, it was possible to abuse the issuance of SSL/TLS certificates to further undermine encrypted communication. This means that an attacker could not only see, but also modify the traffic flowing to and from all .cd domain names even when encryption was applied (including everything from normal web traffic to emails and other types of internet communication), all because someone had overlooked this small but significant corner of their attack surface.
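One way to monitor for the expiring name server problem described in this section, as an added example that is not from the article: for every zone you own, map each NS host to the registered domain it lives under and read that domain's expiration event from its RDAP record. The delegations, the RDAP documents (reduced to the `ldhName` and `events` members) and the 60-day threshold are constructed assumptions, and all names use the reserved `.test` TLD.

```python
import json
from datetime import datetime, timezone

# Constructed sample data. DELEGATIONS stands in for the NS records of zones
# you own; RDAP_DOCS for RDAP domain responses already fetched for each
# name server's registered domain.
DELEGATIONS = {"shop.test": ["ns1.shop.test", "ns2.dns-vendor.test",
                             "ns3.old-host.test", "ns4.forgotten.test"]}

def sample_doc(domain, expires):
    return json.dumps({"ldhName": domain, "events": [
        {"eventAction": "expiration", "eventDate": expires}]})

RDAP_DOCS = {d: sample_doc(d, e) for d, e in [
    ("shop.test", "2030-01-01T00:00:00Z"),
    ("dns-vendor.test", "2031-05-01T00:00:00Z"),
    ("old-host.test", "2020-12-25T00:00:00Z")]}
SAMPLE_NOW = datetime(2020, 12, 1, tzinfo=timezone.utc)

def expiration(rdap_json):
    """Return the RDAP 'expiration' event as an aware datetime, or None."""
    for event in json.loads(rdap_json).get("events", []):
        if event.get("eventAction") == "expiration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None

def registered_parent(ns_host, rdap_docs):
    """Longest domain we hold registration data for that contains ns_host."""
    hits = [d for d in rdap_docs if ns_host == d or ns_host.endswith("." + d)]
    return max(hits, key=len) if hits else None

def audit(delegations, rdap_docs, now, warn_days=60):
    """Flag NS hosts whose registered domain is expiring, expired or unknown."""
    findings = []
    for zone, hosts in delegations.items():
        for host in hosts:
            parent = registered_parent(host, rdap_docs)
            expires = expiration(rdap_docs[parent]) if parent else None
            if expires is None:
                findings.append((zone, host, "no expiration data, check manually"))
                continue
            days = (expires - now).days
            if days < 0:
                findings.append((zone, host, f"{parent} expired"))
            elif days <= warn_days:
                findings.append((zone, host, f"{parent} expires in {days} days"))
    return findings

if __name__ == "__main__":
    for finding in audit(DELEGATIONS, RDAP_DOCS, SAMPLE_NOW):
        print(finding)
```

A name server with no registration data is reported rather than skipped, since a delegation nobody can account for is exactly the forgotten corner the section describes.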

Hacking is the only way to protect the external attack surface

Attackers have eyes and ears all over the web, and those who succeed are always looking where others are not. When I approach a target as a bug hunter, I skip the main application and look for less obvious and sometimes simple paths. I choose the path of least resistance, and that’s how I was able to find security bugs in Google, Dropbox, Uber, and Tinder among many others. In an ever-changing security landscape, companies must constantly hack themselves to keep up with the hacker community.

This means applying the hacker mindset and constantly monitoring the assets you have, and performing pressure tests to find exploitable anomalies. You can also team up with ethical hackers in various ways to minimize the available attack surface. From my point of view, the collaboration between companies and hackers will allow us to access a safer Internet faster.

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Coast, Kaseya, Detectify.

Photo by Xulong Liu on Unsplash.