DeepSec 2024 Talk: Far Beyond the Perimeter – Exploring External Attack Surfaces – Stefan Hager / khae

Sanna / September 17, 2024 / Conference

Looking for intel in all the right places is an art that adversaries seem to have mastered; but for their own data, many companies seem to lose interest in examining anything that’s outside the “perimeter” – whatever that is supposed to be nowadays. Credential leaks, shadow IT, unofficial websites with official info – the list of assets far outside the data centers of companies is long, and those assets nevertheless pose risks. Instead of turning a blind eye, it’s important (and necessary) to get an understanding of what kind of information is out there, ready to be used or abused, and to protect accordingly.
What risks are “out there” and what is meant by “out there”? How can those risks be addressed? What tools are easily available?

Gathering information is a valuable tool not only for adversaries but also for anyone trying to address risks before they become problems. Most companies with more than just a handful of employees will eventually find out that not all of their digital assets are behind company firewalls. Any sensitive data that is not controlled by the company itself can become a problem – from leaked credentials to VPN access details being sold on the darknet and in other shady places.

Knowing something has leaked won’t solve the problem, but will give the opportunity to protect against potential attacks leveraging this intel, and also to examine the reasons it’s somewhere it shouldn’t be.

This talk won’t go into details of scanning company servers or whatever goes on in internal networks; we will focus solely on all the things adversaries can and will use to craft spear phishing emails, learn company secrets or to find a scenic back route to internal networks.

Hopefully, this talk will motivate you to dig deeper into understanding the external attack surface of the company you’re working for, or help you prepare your next red team engagement. If you’re already doing this stuff daily, there won’t be any surprises, but if you never thought about digging into this topic, you’ll hopefully learn a ton of new things.

Not looking for risks poses a risk in itself.
After all, how can something be protected if nobody knows about it?

We asked Stefan a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  1. Nearly every company has digital assets outside the company firewalls which can serve as an information source (or even worse: as a pivot point).
  2. Unknown assets are usually unprotected as well as unmonitored.
  3. Having (and using) the same information that attackers use can help with protection.
  4. “External Attack Surface Management” (that’s what Gartner calls it) can be a valuable addition to the defense layers that are already in place.
  5. Dealing with dangers that are known yet can’t be changed can be daunting; yet ignoring them is even worse.
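As an added illustration of facts 1 to 3 (this is example code written for this page, not material from the talk or the interview): a small Python script that reconciles hostnames seen in public certificate-transparency-style records against the company's own asset inventory, flags wildcard certificates and lookalike domains, and checks a credential-dump in `email:password` form for accounts on company domains. Every domain, hostname, certificate record and dump line below is constructed for the example; `registrable_domain` is a deliberate simplification that takes the last two labels and does not consult the public suffix list.

```python
"""Reconcile externally observable assets against an internal inventory.

Added example, not from the talk. It models two basic External Attack
Surface Management checks:
  1. hostnames that appear in public certificate logs but not in the
     company's inventory (shadow IT / forgotten assets), plus wildcard
     certificates and lookalike domains worth a second look;
  2. accounts on company domains that show up in a credential dump.
All data below is constructed for the example.
"""
import re

# Hypothetical company domains (assumption for the example).
COMPANY_DOMAINS = {"example.com", "example-corp.net"}

# What the company believes it owns (constructed inventory).
KNOWN_ASSETS = {
    "example.com",
    "www.example.com",
    "mail.example.com",
    "vpn.example.com",
}

# Constructed certificate-transparency-style records: subject names as they
# would appear in a public log, including wildcards and lookalike domains.
CT_ENTRIES = [
    {"issuer": "Let's Encrypt", "names": ["www.example.com", "example.com"]},
    {"issuer": "Let's Encrypt", "names": ["staging-api.example.com"]},
    {"issuer": "DigiCert", "names": ["*.example-corp.net"]},
    {"issuer": "Let's Encrypt", "names": ["jenkins.example-corp.net"]},
    {"issuer": "Sectigo", "names": ["example.co"]},  # lookalike, not ours
]

# Constructed credential-dump excerpt in the common "email:password" form.
LEAK_DUMP = """\
alice@example.com:Summer2024!
bob@gmail.com:hunter2
carol@EXAMPLE-CORP.NET:P@ssw0rd
malformed line without colon
dave@example.co:letmein
"""


def registrable_domain(hostname: str) -> str:
    """Last two labels of a hostname. Simplification: no public suffix list,
    so 'foo.co.uk' would be mis-handled. Good enough for the test domains."""
    labels = hostname.lower().lstrip("*.").split(".")
    return ".".join(labels[-2:])


def triage_ct(ct_entries, known, company_domains):
    """Sort certificate-log names into unknown assets, wildcard certs and
    lookalike domains. Returns sorted lists so results are deterministic."""
    unknown, wildcard, lookalike = set(), set(), set()
    # Second-level labels of our domains ("example", "example-corp") are
    # used to spot lookalikes such as example.co or example-corp.org.
    our_labels = {d.split(".")[0] for d in company_domains}
    for entry in ct_entries:
        for name in entry["names"]:
            host = name.lower()
            reg = registrable_domain(host)
            if reg in company_domains:
                if host.startswith("*."):
                    wildcard.add(host)      # cannot be inventoried per host
                elif host not in known:
                    unknown.add(host)       # seen publicly, not in inventory
            elif reg.split(".")[0] in our_labels:
                lookalike.add(host)         # someone else's cert, our brand
    return {
        "unknown": sorted(unknown),
        "wildcard": sorted(wildcard),
        "lookalike": sorted(lookalike),
    }


# user@domain:password ; user and domain may not contain ':', '@' or space.
DUMP_LINE_RE = re.compile(r"^([^:\s@]+)@([^:\s@]+):(.*)$")


def leaked_accounts(dump: str, company_domains):
    """Return account identifiers on company domains found in a dump.
    Passwords are deliberately discarded: the goal is to trigger a reset,
    not to store the secret again."""
    hits = []
    for line in dump.splitlines():
        match = DUMP_LINE_RE.match(line.strip())
        if not match:
            continue  # malformed or not in email:password form
        user, domain, _password = match.groups()
        if domain.lower() in company_domains:
            hits.append(f"{user}@{domain.lower()}")
    return sorted(hits)


if __name__ == "__main__":
    report = triage_ct(CT_ENTRIES, KNOWN_ASSETS, COMPANY_DOMAINS)
    for kind, hosts in report.items():
        print(f"{kind}: {hosts}")
    print("leaked accounts:", leaked_accounts(LEAK_DUMP, COMPANY_DOMAINS))
```

Running the script on the constructed data flags `staging-api.example.com` and `jenkins.example-corp.net` as assets missing from the inventory, the wildcard certificate for `*.example-corp.net` and the lookalike `example.co`, and reports two company accounts in the dump. In a real workflow the CT records would come from a log monitor and the dump from a leak-monitoring feed; the reconciliation logic stays the same.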

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

One major task of my work is basically looking for publicly available information that attackers could use; that, of course, spans a broad range from leaked credentials to shadow IT to information traded on the shady corners of the net and more. We’ve been doing this for a long time. Over the years it became obvious that a lot of companies don’t bother with exploring their external attack surface for various reasons.
Now that “External Attack Surface Management” is on the hype cycle of a famous quadrant reporter, it’s a good time to collect and distribute the info and experience I’ve been able to gather and channel everything into a hopefully entertaining and interesting talk.

Why do you think this is an important topic?

I think it’s important because companies are abandoning their own infrastructure and moving services and business-critical processes to the cloud; because credential stuffing is still a thing and because attackers can learn a lot about a company without ever hitting the company servers. Of course, just knowing about a risk doesn’t remove it; and sometimes, nothing can be done about it. And yet, not knowing about existing risks is an even worse choice.

Is there something you want everybody to know – some good advice for our readers, maybe?

There are some cheap / free services that companies can use to get some basics addressed; too many to list here, but they’ll be on a slide in my talk. As a thought experiment – if you are a defender – just think about ways an attacker could hit the company you’re working for without ever connecting to all the stuff which is thought to be “inside the perimeter”. Or maybe just think about where that ominous perimeter is nowadays. Once you give those questions some thought, try to find out about risks that are beyond your control and how you could still mitigate them.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

As always, when a “new” (as in: new to the quadrant game) topic surfaces, vendors are eager to brand their solution as fitting to the additional problem. This is not always the case. The entire field – OSINT and information gathering using publicly available data – is not new at all. I do not expect this, but a real innovation would be a system that has a nice UI, works well, can implement some kind of workflow and allows users to structure/tag data and can export/import records to and from other systems. What can I say, I’m an optimist…


Stefan works for the Internet Security Team at German company DATEV eG. He started messing with computers in the 80s and turned it into a job as a programmer in the early 90s. Since 2000 he has been securing networks and computers for various enterprises in Germany and Scotland. His main focus nowadays is security research, raising security awareness, coming up with creative solutions to security problems and discussing new ideas concerning threat mitigation. When not trying to do any of the stuff mentioned above, he is either travelling, producing hacker music and other electronic beats or gardening.
