Firewalls are considered to be a blocking control on our networks, but inherently also exists to allow users access to functionality; functionality provided by applications. Applications unfortunately regularly contain vulnerabilities, and it’s our duty to help close such vulnerabilities before attackers can take advantage of them. Active Focus and the team at the Offensive Security Operations Center does their best to continuously audit and validate any new risk encroaching on our businesses.
Configuration Changes and Mistakes
Yes, mistakes does happen. A change was rolled out, and it led to unintended risks. Who can blame the team? Knowing what risk is exposed when allowing new network services to be present on the Internet is hard, something typically best assessed by offensive engineers. A good reason why the Offensive Security Operations Center needs to pick up on such changes and help assess it.
Supporting the popular trend of rapid deployments and change, it can be hard to fully govern and control changes across the enterprise. Threat Actors are always on the lookout for mistakes and changes, and so are we. The moment we discover new and modified attack surface, we engage our offensive engineers to help assess the situation.
Scanning Continuously and Purple Teaming (AKA Cheat Codes)
Cyber Security requires us to be always on the lookout in order to be among the first to address new risk in the attack surface. Scanning and network discovery is a science in itself, and River Security loves to indulge in it, always trying to stay on top on the latest new. Network services on the Internet are typically hosted via IPv4 or IPv6 and is exposed via the TCP and UDP port. This accumulates to 65536 x 2 possible network services an IP address can host, and is typically time consuming to process through By using optimized and efficient scanning we can reduce the total amount of scanning activity drastically, for example, scanning the top 576 most common ports on the Internet makes up for 90% of all services available.
CTI provides us with great coverage of the latest developing threats. Having a thoroughly mapped overview of customers network services we can quickly help assess what is vulnerable and where actions must be taken. Our goal is to take actionable intelligence, as quickly as possible, to help assess the situation across assets, i.e. network services.
What is this thing about Purple Teaming and Cheat Codes? The fact of the matter is, we do not have to compete on the same terms as real attackers. Threat actors of different kinds are our adversary, we are not. Instead of acting as a true adversary, we can cheat! By cheating we mean blending the mix of colors between red and blue, defense and offense. Instead of having to discover all assets and systems as a red team, the offensive team, we can instead receive lists of assets and systems from the blue team, the defenders. This can be made through exposing API’s for pushing data, enumerating cloud deployments from the inside, or simply notifying our team about attack surface.
Attractiveness – Does Your Assets Make Our Team Drool?
Whenever we discover a network service, i.e. an application, we assign a internal attractiveness score. This score aids the team of Offensive Engineers to prioritize assets and guide them on targeting. Furthermore, new assets are by default flagged with the highest attractiveness score, forcing us to address them first.
This kind of prioritization can be useful in different ways. While it helps the team during continuous prioritizations, it also gives the advantage of empowering automation in e.g. to target certain assets and shy away from others.
What makes up for an attractive asset?
- Brand New – Fresh from the DevOps bakery, these kinds of assets we want to discover first, and jump on the opportunity to hack and demonstrate the risk on them.
- Old and outdated – Assets which are neglected, errored out, or otherwise just something which looks like it doesn’t belong on the internet anymore.
We use a scoring system where we rate, manually, assets from 0 to 5. Here is a summary of attractiveness:
- 5 – Very likely to be interesting to attackers and us a like. It just looks really interesting, has known CVE’s and other vulnerabilities associated to it.
- 4 and 3 – Interesting, but not that attractive. Potential risk functions like serialization, file uploads and more are present on sucha ssets. Custom code and configuration makes the targets attractive.
- 2 and 1 – Pretty uninteresting services. They’re “standard” and default. Fully patched, up to date, governed and controlled. What a hacker would call “boring”.
- 0 – These are out of scope, junk and other things.