Cleaning Every Surface: Traditional Approaches Versus Attack Surface Framework

by: Mauricio Espinosa, VMware Sr. Information Security Engineer, and Prajwal Panchmahalkar, VMware Lead Security Engineer

Domains, IP addresses, and Classless Inter-Domain Routing (CIDR, also known as supernetting) are a vital part of any enterprise 'surface' infrastructure. They are also ideal targets for today's threat actors. Currently, there is no single-pane-of-glass method to automate discovery of dynamic assets (and their associated vulnerabilities) through continuous scanning or exploitation. Existing solutions are proprietary, designed exclusively for a specific technology or program, and not readily scalable. This makes defending the ever-changing dynamic ecosystem a spotty affair, with varying levels of siloed security that may or may not communicate with other components.

A Day 0 in the life

Let's take a typical scenario involving Day 0 software released on a regular basis. While market demands dictate frequent releases, there are significant security challenges when it comes to discovering affected surface artifacts at scale.

For example, a critical Day 0 advisory outlining potential remote code execution (RCE) and/or distributed denial of service (DDoS) bugs is issued. Attackers may utilize the working knowledge or wait for the Proof of Concept (PoC) / working exploit to be released. They then begin enumerating publicly exposed assets worldwide-using sources such as shodan.io or censys.io-in order to identify vulnerable instances and potentially exploit them. This often involves the creation of automated weaponized worms and bots designed for nefarious attacks such as ransomware.

If an enterprise has an offensive security team, the traditional attack response is to follow the same methodology as the attacker-leverage remediation based on service-level agreements (SLAs) and severity of the vulnerability in question. Unfortunately, this process usually involves inefficient manual labor, is poorly organized as it is generally reactive in nature, and is not as effective as with proper (defined) expertise.

If the organization does not have an offensive security team, remediation is commonly based on potential detection through vulnerability scanners, antivirus, firewalls, and intrusion detection systems (IDS) or intrusion prevention systems (IPS). The main problem with this approach is that it relies on vendors taking time to release the signature, indicator of compromises (IOC), or a plugin to identify vulnerable assets. This can take anywhere from 24 to 48 hours or longer after an advisory is released, ample time for a sophisticated threat actor to gain a foothold within the corporate ecosystem, often undetected.

On top of that, there is additional time needed to scan and patch all affected assets. This opens another uncomfortable window of exposure for attackers, as well as a potential a new threat-bug bounty hunters. Following the same process as threat actors and internal personnel, the primary intention of such bounty hunters is to uncover vulnerable Day 0 assets with publicly available technical information. While this isn't always a malicious undertaking (many companies have a bug bounty program), there is no guarantee a bug bounty hunter is working in a company's best interest. Some pride themselves on simply disclosing their findings to public assets or demanding a bounty if there isn't one-with dire consequences if their demands aren't met.

A new frame of mind

VMware Attack Surface Framework redefines what's possible in this arena. For the first time ever, companies can take advantage of a comprehensive solution employing open source surface security tools for every aspect of a full vulnerability lifecycle-all wrapped in a single pane of glass residing on top of a graphical user interface (GUI). This allows infinitely scalable modules for scanning and exploitation, in addition to scripts, that can be easily integrated or imported for use within the attack surface framework.

A snapshot of the Attack Surface Framework flow within the enterprise

Once a Day 0 advisory is released, Attack Surface Framework supports the manual and automated additions of the vulnerability detection scripts or working exploit, scans for vulnerable entities, and generates alerts or reports as needed. If vulnerable assets are found, a remediation process follows based on the severity and defined SLAs. Of course, this is dependent upon the organization's internal remediation policy.

Attack Surface Framework is designed to augment existing cybersecurity efforts with a unique protective layer for an enterprise's attack surface. That said, it is important to note there is no one-size-fits-all, 'silver bullet' remedy for modern surface attacks. Each enterprise is a complex (and unique) entity, and threat actors are equally diverse.

Check back again for more in-depth blogs on this topic.

Infographic legend: *Common Vulnerabilities and Exposures **Security Information Event Management

VMware on VMware blogs are written by IT subject matter experts sharing stories about our digital transformation using VMware products and services in a global production environment. Contact your sales rep orvmwonvmw@vmware.com to schedule a briefing on this topic. Visit the VMware on VMwaremicrosite and follow us onTwitter.