Understanding the Attack Surface of the Internet
In part-two of our Threat Detection, Defense & Remediation Using ASM series – based on this recent eBook from the Censys Research Team – we’re exploring the attack surface of the Internet. How is it evolving, and what do changes in the Internet’s attack surface mean for corporate cybersecurity?
When we talk about the “attack surface” of the Internet, we’re referring to all points of entry from which an unauthorized actor could potentially access data. Think of ports, servers, websites (that old microsite two team members forgot they spun up a few years ago), etc. Understanding the attack surface of the Internet as a whole yields some interesting takeaways, as we’ll see below. The key is leveraging insights to protect the attack surface of your own organization.
First, let’s test our attack surface knowledge. (Answers can be found at the end of the article.)
1.There are around 500,000 exposed VNC servers on the Internet. How many do you think require no authentication in order to connect?
B. Around 1,000
C. Around 11,000
2. Earlier this year, several reports came out which claimed that there were over 900,000 exposed Kubernetes services on the Internet. Out of those, how many do you think were actually misconfigured and allow for unauthenticated connections?
The evolution of the attack surface: the cloud
In recent years the attack surface of the Internet has been shaped by the continued growth of cloud adoption. More organizations are migrating an increasing number of assets to the cloud, and a rise in remote work means more team members require cloud-based services to do their jobs from various locations. As companies’ cloud footprints grow, so do their attack surfaces. It’s estimated that attack surfaces are growing 1.5-2.6x year over year.
Many security professionals are focused on securing the cloud, but they acknowledge there’s still room for improvement. Over three-quarters of security professionals surveyed agreed with the statement, “Our cloud infrastructure is somewhat secure, some additional measures need to be taken to address vulnerabilities.” And 6% admitted their cloud infrastructure is not secure and would require significant measures to address vulnerabilities.
“[Right now,] We do network access control and some other things around trying to identify assets on network (vulnerability scanning), and public facing things that identify assets across the broader Internet. We are trying to get a good picture and develop inventory. However, it is very ad hoc, immature. We’re working on it.”
– CISO, HIGHER EDUCATION
Understanding the vast Internet-landscape and trends
So we know that the Internet’s attack surface is growing – but what else do we know about it? Recent research by Censys looked at which ports, services, and software are most prevalent on the Internet.
Not surprisingly, HTTP is the most commonly-used service across all 222 million hosts on the Internet (it comprises 81% of the services we discovered). We also see that HTTP services run on the widest range of ports, the most of any service on the Internet.
Many of these are often set to run on non-standard ports.
While running services on non-standard ports is not in itself a risk, it can provide a false sense of security, especially if the service owner is relying on security through obscurity to protect their assets. The most commonly observed non-standard ports running HTTP services are 7547 (2%) and 30005 (1%). These percentages may seem low, but 1% and 2% of millions of services still represent a substantial amount of HTTP.
Which risks did we observe?
Censys next examined the Internet’s attack surface in terms of risks and vulnerabilities across the Internet. Risks encompass those settings or conditions (including vulnerabilities) that increase the potential for data breaches, information leaks, or destruction of assets.
Misconfigurations and exposures represent 88% of the risks and vulnerabilities we observed across the Internet. Misconfigurations make up roughly 60% of Censys-visible risks. Exposures of services, devices, and information represent 28% of observed risks. These numbers are relevant because misconfigurations and exposures are often best addressed through good security hygiene (good hygiene that requires first knowing about everything you own). While CVEs and advanced exploits often make headlines, they represent just 12% of risks we observe on the Internet.
How can Attack Surface Management help?
You can’t protect what you don’t know. Attack Surface Management is the continuous, automated discovery and monitoring of all of the assets that make up your organization’s attack surface. Attack Surface Management gives companies a view of their attack surface from an attacker’s point of view. While understanding your attack surface and the inventory of your company’s Internet-facing assets is paramount, this is just the first step. A good Attack Surface Management solution will also help you identify where to place defensive measures, understand the criticality of all identified risks, and guide you through the remediation process.
“The value of ASM is being able to identify the assets that an attacker is likely to discover and exploit.”
– DIRECTOR, SECURITY ARCHITECTURE & ASSURANCE
Download the full eBook to learn more about the attack surface of the Internet, common risks and vulnerabilities identified, and Attack Surface Management.
- C. There are around 11,000 exposed VNC servers on the internet with absolutely no authentication requirements at all.
- C. 562