Author: Vivo Internet Security Team – PengQiankun
This paper combines the two emerging attack surface management technology principles of CASSM and EASM to briefly describe the four key modules of asset management, comprehensive view (visualization), risk assessment and risk repair process, and provides a landable construction idea reference for enterprise attack surface security risk management.
First, the attack surface overview
The attack surface is the sum of all possible ingresses that an enterprise’s network assets can access and exploit without authorization.
With the continuous development of technology such as the Internet of Things, 5G, and cloud computing, and the continuous development of social digital transformation, the scope and type of current cyberspace assets have also undergone tremendous changes, and there will be more emerging assets and services in the future, and how to establish a more appropriate and efficient security technology system to manage the attack surface security risks faced by enterprises will be a new challenge for security operations.
In its July 14, 2021 release “2021 Security Operations Technology Maturity Curve,” Gartner explicitly mentions two emerging technologies for the attack surface: Cyber assetattack surface management and External Attack Surface Management. The goal is to enable the security team to scientifically and efficiently manage the exposed assets and attack surfaces, examine the possible attack surfaces and vulnerabilities of enterprise network assets from the perspective of attackers, and establish a full-process closed-loop security analysis and management mechanism for the enterprise network attack surfaces from detection and discovery, analysis and judgment, intelligence early warning, response disposal and continuous monitoring.
As can be seen from the security operations technology maturity curve, CAASM and EASM are still in the start-up stage, and although these two technologies are just born and are still in the conceptual stage, they have attracted widespread attention.
CAASM is an emerging technology designed to help security teams address ongoing asset exposures and vulnerabilities. It enables organizations to view all assets (both internal and external) through API integration with existing tools, query consolidated data, identify vulnerabilities and scope of vulnerabilities in security controls, and correct problems. It replaces the traditional manual collection of asset information and cumbersome processes to improve the efficiency of asset management.
In addition, CAASM enables security teams to improve basic security capabilities by ensuring that security controls, security postures, and asset exposures are understood and corrected throughout the environment. Organizations deploying CAASM reduce reliance on in-house systems and manual collection processes and bridge gaps through manual or automated workflows. In addition, these organizations can optimize record source systems that may have stale or missing data by improving the coverage of visual security tools.
Taken together, there are the following advantages for organizations:
Full visibility into all assets under your organization’s control to understand attack surface areas and any existing security control gaps.
Faster compliance audit reports through more accurate, timely and comprehensive reporting of assets and security controls.
Comprehensive view of assets, reducing manpower investment.
EASM refers to a set of processes, technologies, and management services deployed to discover externally oriented enterprise assets, systems, and related vulnerabilities, such as servers, credentials, misconfiguration of public cloud services, and software code vulnerabilities of tripartite partners. EASM provides services that include DRPS, threat intelligence, tripartite risk assessment, vulnerability assessment, and supplier competency assessment.
EASM mainly contains 5 modules:
Monitor, continuously proactively scan the Internet for domain-related environments (e.g. cloud services, externally oriented internal infrastructure) as well as distributed systems.
Asset discovery, discovery, and mapping of externally facing assets and systems
Analysis, analysis of whether there is a risk or vulnerability of the asset.
Priority assessment, prioritize and alert on risks and vulnerabilities.
Repair recommendations, providing remediation recommendations that address risks and vulnerabilities.
From the perspective of industry trends, attack surface management has gradually entered the commercialization strategy of major security vendors, which not only reflects the urgency of market demand for this technology but also reflects a certain commercial practice value.
From the technical definition of EASM and CAASM, it is not difficult to find that the core content can be summarized into 4 modules, namely asset management, integrated view (visualization), risk assessment, and risk repair process.
These four modules coincide with our current security capacity building ideas, so the follow-up mainly focuses on these four modules to summarize our practical experience in attack surface risk management.
Second, the implementation of attack surface risk management
The industry usually defines attack surface management as an asset security management method that detects and discovers, analyzes and judges, analyzes and judges, provides intelligence early warning, response disposal and continuous monitoring of the enterprise network attack surface from the perspective of an attacker, and its biggest feature is to examine the possible attack surface and vulnerability of enterprise network assets from an external perspective.
The attack surface is mainly reflected in the security weaknesses exposed to all levels of the attacker by the enterprise, and the attacker can use different means to achieve the attack behavior. Therefore, the “First of all” that effectively manages attack surface risk is asset management.
2.1 Security Asset Management Module
Before doing asset management, it is necessary to sort out the assets of the whole network and confirm the scope and type framework of assets.
2.1.1 Sorting out of security assets
The idea of asset sorting is sorted out according to the four dimensions of business, system, host and others.
It includes domain names, URLs, public IP addresses, package-dependent management assets, and application assets.
It includes API interface, public IP internal mapping relationship, public port internal mapping relationship, intranet cluster VIP-LVS, intranet application cluster VIP-Nginx, intranet port assets, and intranet IP resource status assets.
The host dimension
It includes host IP assets, container assets, k8s assets, host port assets, middleware assets, database assets, operating system assets, account information assets, process information assets, and other application service assets.
Includes asset patch status, asset owner and organization.
Due to the length problem, the above only contains second-level projects, in fact, there are more sub-items below the second level according to different enterprise scenarios, for example, from the vivo Internet, the domain name of the business dimension we have subdivided 11 items, including the management background domain name, the public network buried point domain name, the buried point SDK domain name, the DB domain name, the host domain name, the credit management domain name, the intranet interface domain name, the public network interface domain name, the online business domain name, the static resource domain name, other domain names, etc.
There is no one-size-fits-all formula for asset sorting, and the best practice is to frame the entire network of assets based on the actual infrastructure and business scenarios.
2.1.2 Build a reliable database of asset information sources
There are three main sources of data in the asset library.
CMDB: The primary asset information supply channel
HIDS: Supplements host-related asset information, such as processes, account numbers, network links, and other asset information
VCS: Active asset information collection to supplement the asset library
Usually the construction of the security asset library often faces technical difficulties, such as the adaptability of asset information collection tools, the stability of collection tools, the probability of affecting production, the reliability of asset integrity, etc., but technical problems are often not difficult to solve, with the help of open source tools, commercial products and even self-developed tools can solve most of the problems, and the real headache is a large number of complex communication and confirmation work with the asset owner (business side).
From the perspective of past best practices, from the perspective of the business side to build an asset library, the publicity of business value can more smoothly carry out asset information collection, for example, the asset management system can draw a consolidated asset view of multiple teams in the entire enterprise, which can include business teams, operation and maintenance teams, security teams, etc., everyone can query their own information from this view, and stimulate the willingness of collaborators to support through value publicity.
2.1.3 Build asset active discovery capabilities
In asset management, there are often problems such as the difficulty of actively reporting assets to supervision, the lag of asset information caused by the high frequency of asset changes, and the access of some illegal assets, so it is necessary to build asset active discovery capabilities to complete the asset information of this piece, and if possible, it can be used as the input source of the asset transformation audit system.
Traffic analysis: Identify asset information such as hidden assets, aging assets, and shadow assets through traffic analysis.
Scan tools: IAST/DAST/SAST, NMAP tools, etc. identify and supplement assets and maintain them.
Security log and alarm: comb through unstandardized assets to supplement the asset library.
In addition, it should be noted that the frequency of operation and the working time period of the scanning tool or engine need to be carefully considered in the asset proactive discovery process to avoid affecting production.
2.2 Integrated View Module
The construction of a comprehensive view is not a plot for the sake of plotting, it is a comprehensive view with good logic and readability after certain data analysis and asset association chain mapping combined with business scenarios, whether it is a direct user (security operation team) or a non-direct user (business or O&M) can obtain the asset information they need through the comprehensive view.
2.2.1 Asset Relationship Chain Mapping
The purpose of asset association capacity building is to map the asset relationship chain to correlate the security events of each module of the system, and the whole link is divided into two links, namely the relationship mapping chain from the public IP / domain name to the intranet host and the relationship mapping chain from the intranet host to the intranet IP/domain name and the public IP / domain name.
2.2.2 Global View of Assets
For the above two asset-strong related modules, if it is built over a one-year period, the following construction plan can be consulted:
2.3 Risk assessment module
2.3.1 Risk Discovery
Risk discovery sources consist of two broad blocks:
Defense in Depth System: The integrated defense-in-depth defense platform provides basic alarm source data.
Active scanning: Regularly scans the vulnerability of the entire network from the perspective of the defender, and generally builds an automated scanning system to regularly and continuously scan the vulnerability of the entire network facilities/nodes.
Artificial penetration testing: Organize human tools from the perspective of the attacker to conduct vulnerability testing of information assets from the outside.
Baseline compliance scanning: Solve internal baseline compliance problems, such as weak passwords, root permissions, outgoing control, etc.
By building an automated vulnerability scanning platform to centrally manage and scan tasks, the relevant security personnel will further confirm the various types of risk discovery generated by scanning, and if the risk of the vulnerability is confirmed, the vulnerability ticket will be automatically created by the vulnerability ticket, and the created vulnerability ticket will be synchronized to the vulnerability management system for follow-up vulnerability repair tracking, and the repair progress of subsequent vulnerabilities will also be synchronized to the automated vulnerability scanning platform for synchronous follow-up.
It is worth mentioning that the vulnerability scanning platform is not just blindly integrating scanning tools and scanning results, a system that can effectively solve risk discovery must start from the scene and land on the actual problem. The following are three examples of application scenarios:
2.3.2 Risk Assessment
Security risk assessment is from the perspective of risk management, the use of scientific methods and means, systematically analyze the threats faced by the network and information system and its vulnerability, assess the degree of harm that may be caused by security incidents, put forward targeted protection measures and rectification measures against threats, in addition, the landing form of risk assessment can be a set of scoring specifications or mathematical models, which can evaluate the overall security situation from a global perspective and present it in the form of specific scores.
There are four main elements of the standard risk assessment process:
Asset Identification and Assignment: Identifies all assets within the scope of the appraisal and investigates the size of the loss that may result from asset damage, assigning relative values to assets based on the magnitude of the hazard and loss.
Threat identification and assignment: Analyze how often each threat an asset faces, including environmental and human factors.
Vulnerability Identification and Assignment: Identify and identify vulnerabilities from both management and technical perspectives, and assign values based on damage to assets when exploited by threats.
Risk value calculation: By analyzing the above test data, the risk value is calculated, the high risk is identified and confirmed, and the rectification suggestions are made for the existing security risks.
From the perspective of landing practice, the evaluation and assignment of each information node needs to be relaxed, too fine the assignment scheme will be difficult to unfold, too coarse assignment scheme is difficult to have a good effect, the enterprise should combine its own development status, manpower, technical conditions and safety objectives to develop an assignment program.
2.4 Risk Closed Loop
For security operations, the actual work of risk management is essentially vulnerability management, and the risk closed-loop is a series of management processes from the discovery to the elimination of vulnerabilities, that is, the lifecycle management of vulnerabilities.
In fact, in the actual risk management process, many risks have not formed a closed-loop management, and most of the reasons can be summarized as follows:
The plan was unrealistic
No cause analysis was performed
Cause analysis was carried out but no countermeasures were implemented
The execution effect was not checked
Therefore, the above issues should be fully considered when developing a closed-loop strategy or process. The following examples are different closed-loop strategies based on the source of the vulnerability:
Enterprise attack surface grooming has become very important, and unclear attack surface will lead to serious consequences. On the one hand, attack surface risk management needs to continue to strengthen the supervision and guidance of enterprise attack surface security protection, strengthen the attack surface security management system and process, clarify the responsibilities and management requirements of relevant entities, regularly carry out attack surface sorting and investigation, and strengthen the supervision of enterprise attack surface security protection. Establish a more sound standard specification for attack surface protection, promote the implementation of policy guidance, standard constraints, etc., and improve the security protection capabilities of enterprises.
On the other hand, it is necessary to continuously strengthen the research and application of attack surface security protection technology. Expand attack surface analysis and research scenarios, integrate advanced technologies such as big data analysis and artificial intelligence, comprehensively carry out enterprise attack surface risk analysis, and improve attack surface detection and investigation capabilities and emergency response capabilities. Combined with continuous identity authentication, fine-grained access control, data flow security audit, data privacy protection and other security mechanisms to empower attack surface prevention and detection work, improve the ability to respond to attack surface utilization security incidents, and pay close attention to the current complex network security situation in both attack surface attack and defense technology development trends, starting from the asset management foundation, establish a platform and tools suitable for each enterprise to carry out attack surface security governance.
In general, the response practice of the attack surface should start from the attack surface combing, landing to asset sorting, synchronously building cyberspace mapping and risk scanning capabilities, assessing the risk as a whole with vulnerability assessment, building a unified risk view to control the risk globally, and finally effectively converging the attack surface in combination with risk closed-loop tools and processes.
Guess you like it
Introduction to crawler and anti-crawler technology
Dubbo generalization calls the application of the unified configuration system in vivo
HttpClient is optimized for high concurrency practices in vivo in-house browsers