WEBVTT

1
00:00:00.000 --> 00:00:01.380
In this lesson,

2
00:00:01.380 --> 00:00:04.440
we will learn about Attack Surface Management.

3
00:00:04.440 --> 00:00:08.100
Attack Surface Management is identifying, monitoring,

4
00:00:08.100 --> 00:00:12.090
and reducing avenues of attack within the enterprise.

5
00:00:12.090 --> 00:00:14.190
Attack surface management concepts

6
00:00:14.190 --> 00:00:18.000
include attack surface monitoring and reduction.

7
00:00:18.000 --> 00:00:21.300
Attack surface monitoring is continuously observing

8
00:00:21.300 --> 00:00:26.100
and analyzing all potential network entry points, services,

9
00:00:26.100 --> 00:00:29.730
and interfaces of a system to detect vulnerabilities

10
00:00:29.730 --> 00:00:31.890
and unauthorized changes.

11
00:00:31.890 --> 00:00:35.280
Attack surface reduction minimizes these potential

12
00:00:35.280 --> 00:00:38.700
entry points by removing unnecessary services,

13
00:00:38.700 --> 00:00:40.230
closing unused ports,

14
00:00:40.230 --> 00:00:43.890
and implementing security measures to limit exposure.

15
00:00:43.890 --> 00:00:47.010
Let's learn more about Attack Surface Monitoring

16
00:00:47.010 --> 00:00:49.500
and Attack Surface Reduction.

17
00:00:49.500 --> 00:00:52.890
First, we have attack surface monitoring.

18
00:00:52.890 --> 00:00:54.780
Attack surface monitoring focuses

19
00:00:54.780 --> 00:00:58.350
on the continuous observation and analysis

20
00:00:58.350 --> 00:01:01.920
of all potential entry points into a network.

21
00:01:01.920 --> 00:01:05.670
This includes services, interfaces, devices,

22
00:01:05.670 --> 00:01:07.740
and exposed endpoints.

23
00:01:07.740 --> 00:01:10.800
The main goal of attack surface monitoring is

24
00:01:10.800 --> 00:01:14.100
to detect vulnerabilities, misconfigurations,

25
00:01:14.100 --> 00:01:16.110
and unauthorized changes

26
00:01:16.110 --> 00:01:18.900
that could be exploited by attackers.

27
00:01:18.900 --> 00:01:20.790
Think of attack surface monitoring

28
00:01:20.790 --> 00:01:24.360
like having security cameras positioned at every door,

29
00:01:24.360 --> 00:01:27.270
window, and access point of a building.

30
00:01:27.270 --> 00:01:29.940
But these cameras don't just record.

31
00:01:29.940 --> 00:01:32.670
They constantly analyze what they see,

32
00:01:32.670 --> 00:01:36.270
checking for anything unusual, like an open door,

33
00:01:36.270 --> 00:01:39.990
a broken lock, or someone tampering with a window.

34
00:01:39.990 --> 00:01:41.370
In the same way,

35
00:01:41.370 --> 00:01:45.000
attack surface monitoring constantly checks the network

36
00:01:45.000 --> 00:01:48.000
for signs of weakness, unauthorized changes,

37
00:01:48.000 --> 00:01:51.060
or anything that could provide an opportunity

38
00:01:51.060 --> 00:01:53.070
for an intruder to get in.

39
00:01:53.070 --> 00:01:57.540
This continuous vigilance helps identify security gaps

40
00:01:57.540 --> 00:02:00.900
as soon as they appear, allowing the security team

41
00:02:00.900 --> 00:02:02.730
to quickly address issues

42
00:02:02.730 --> 00:02:07.260
before attackers can take advantage of vulnerabilities.

43
00:02:07.260 --> 00:02:08.910
In network environments,

44
00:02:08.910 --> 00:02:12.810
attack surface monitoring can use tools like Nmap,

45
00:02:12.810 --> 00:02:16.710
the network mapper, to scan the network for open ports

46
00:02:16.710 --> 00:02:18.720
and active services.

47
00:02:18.720 --> 00:02:23.220
Nmap scans can provide a snapshot of what is exposed,

48
00:02:23.220 --> 00:02:26.550
helping security teams keep track of all entry points

49
00:02:26.550 --> 00:02:28.080
that need attention.

50
00:02:28.080 --> 00:02:31.490
Next, vulnerability scanners like Nessus

51
00:02:31.490 --> 00:02:35.460
and Qualys can be used to analyze identified services

52
00:02:35.460 --> 00:02:38.910
for known vulnerabilities, outdated software

53
00:02:38.910 --> 00:02:41.310
and configuration errors.

54
00:02:41.310 --> 00:02:45.390
Both mapping and scanning tools generate reports

55
00:02:45.390 --> 00:02:48.420
that help prioritize issues they discover

56
00:02:48.420 --> 00:02:52.590
based on the issue's severity, allowing security teams

57
00:02:52.590 --> 00:02:56.220
to focus on the most critical risks first.

58
00:02:56.220 --> 00:03:00.390
Monitoring also involves tracking environmental changes,

59
00:03:00.390 --> 00:03:03.570
such as new devices being added to the network

60
00:03:03.570 --> 00:03:06.540
or changes in existing configurations.

61
00:03:06.540 --> 00:03:08.250
For example, if a new

62
00:03:08.250 --> 00:03:11.610
and unauthorized server is connected to the network

63
00:03:11.610 --> 00:03:15.030
or a firewall rule is altered without permission,

64
00:03:15.030 --> 00:03:17.790
monitoring tools can detect these changes

65
00:03:17.790 --> 00:03:20.670
and provide notifications and alerts.

66
00:03:20.670 --> 00:03:23.850
Automated alerts notify security teams

67
00:03:23.850 --> 00:03:26.100
of unauthorized modifications,

68
00:03:26.100 --> 00:03:29.070
enabling immediate investigation.

69
00:03:29.070 --> 00:03:32.430
Security information and event management platforms

70
00:03:32.430 --> 00:03:36.750
or SIEM platforms, like Splunk, IBM QRadar

71
00:03:36.750 --> 00:03:40.440
and ArcSight collect logs from across the network

72
00:03:40.440 --> 00:03:44.190
to detect unusual patterns just like these.

73
00:03:44.190 --> 00:03:47.910
Meanwhile, configuration management tools like Ansible, Puppet,

74
00:03:47.910 --> 00:03:50.520
or Chef ensure that system settings

75
00:03:50.520 --> 00:03:55.200
and configurations remain compliant with security policies.

76
00:03:55.200 --> 00:03:58.320
Finally, endpoint detection and response

77
00:03:58.320 --> 00:04:01.410
or EDR tools such as CrowdStrike

78
00:04:01.410 --> 00:04:04.020
or Microsoft Defender for Endpoint,

79
00:04:04.020 --> 00:04:07.770
monitor the behavior of devices on the network,

80
00:04:07.770 --> 00:04:09.990
detecting abnormal activities

81
00:04:09.990 --> 00:04:12.450
like unexpected file access

82
00:04:12.450 --> 00:04:15.030
or suspicious network connections.

83
00:04:15.030 --> 00:04:18.780
These tools add yet another layer of protection

84
00:04:18.780 --> 00:04:22.500
by identifying compromised devices quickly.

85
00:04:22.500 --> 00:04:25.680
In the end, attack surface monitoring acts

86
00:04:25.680 --> 00:04:27.720
as an ever-present guard,

87
00:04:27.720 --> 00:04:30.600
continuously checking the network environment

88
00:04:30.600 --> 00:04:31.890
for any weaknesses

89
00:04:31.890 --> 00:04:35.550
or changes that could lead to security breaches.

90
00:04:35.550 --> 00:04:39.270
Second, we have attack surface reduction.

91
00:04:39.270 --> 00:04:42.570
Attack surface reduction takes proactive steps

92
00:04:42.570 --> 00:04:46.050
to minimize the number of entry points available

93
00:04:46.050 --> 00:04:47.670
to attackers.

94
00:04:47.670 --> 00:04:51.660
This process involves identifying unnecessary

95
00:04:51.660 --> 00:04:54.780
or risky elements within the network

96
00:04:54.780 --> 00:04:58.530
and systematically removing or securing them.

97
00:04:58.530 --> 00:05:01.680
The focus of attack surface reduction is shrinking

98
00:05:01.680 --> 00:05:03.960
an organization's attack surface,

99
00:05:03.960 --> 00:05:07.440
making it harder for attackers to find a way in.

100
00:05:07.440 --> 00:05:11.010
The attack surface reduction process often begins

101
00:05:11.010 --> 00:05:14.700
with the same tools used in attack surface monitoring,

102
00:05:14.700 --> 00:05:17.040
such as Nmap and Nessus,

103
00:05:17.040 --> 00:05:20.070
but used with a different purpose.

104
00:05:20.070 --> 00:05:22.110
In attack surface monitoring,

105
00:05:22.110 --> 00:05:24.600
these tools are used to detect, observe,

106
00:05:24.600 --> 00:05:28.380
and alert security teams about vulnerabilities, changes

107
00:05:28.380 --> 00:05:31.170
and misconfigurations within the network.

108
00:05:31.170 --> 00:05:34.770
The focus of attack surface monitoring is continuously

109
00:05:34.770 --> 00:05:37.620
watching and understanding the current state

110
00:05:37.620 --> 00:05:39.270
of the network security.

111
00:05:39.270 --> 00:05:42.210
However, in attack surface reduction,

112
00:05:42.210 --> 00:05:46.590
the focus shifts from observation to taking action.

113
00:05:46.590 --> 00:05:51.060
Nmap is not just used to identify open ports, services

114
00:05:51.060 --> 00:05:54.090
and devices, but to make informed decisions

115
00:05:54.090 --> 00:05:56.400
on which ports can be closed

116
00:05:56.400 --> 00:05:59.070
and which should be disabled

117
00:05:59.070 --> 00:06:02.310
to reduce the overall attack surface.

118
00:06:02.310 --> 00:06:06.960
For instance, once Nmap reveals all active services,

119
00:06:06.960 --> 00:06:11.460
security teams analyze this data to identify unnecessary

120
00:06:11.460 --> 00:06:16.460
or risky services and take steps to secure or remove them.

121
00:06:16.530 --> 00:06:20.550
Similarly, Nessus is used in attack surface monitoring

122
00:06:20.550 --> 00:06:24.630
to identify specific vulnerabilities, outdated software

123
00:06:24.630 --> 00:06:26.730
and configuration errors.

124
00:06:26.730 --> 00:06:29.880
However, in attack surface reduction,

125
00:06:29.880 --> 00:06:33.690
Nessus findings guide the remediation process.

126
00:06:33.690 --> 00:06:37.170
For example, after identifying vulnerabilities,

127
00:06:37.170 --> 00:06:41.790
security teams prioritize fixing issues by applying patches,

128
00:06:41.790 --> 00:06:43.290
updating software,

129
00:06:43.290 --> 00:06:46.380
or changing configurations to reduce the risk

130
00:06:46.380 --> 00:06:47.940
of exploitation.

131
00:06:47.940 --> 00:06:51.330
This reduces the attack surface.

132
00:06:51.330 --> 00:06:54.210
Beyond fixing discovered vulnerabilities,

133
00:06:54.210 --> 00:06:55.860
reducing the attack surface

134
00:06:55.860 --> 00:06:59.340
also involves closing unnecessary ports.

135
00:06:59.340 --> 00:07:03.750
Many devices have open ports that do not serve any purpose

136
00:07:03.750 --> 00:07:06.330
in the organization's operations.

137
00:07:06.330 --> 00:07:08.790
Administrators can use firewall rules

138
00:07:08.790 --> 00:07:10.500
and access control lists

139
00:07:10.500 --> 00:07:13.500
to close these ports, effectively blocking

140
00:07:13.500 --> 00:07:16.140
potential entry points for attackers.

141
00:07:16.140 --> 00:07:18.540
Tools like Palo Alto Networks,

142
00:07:18.540 --> 00:07:21.000
Cisco Adaptive Security Appliance,

143
00:07:21.000 --> 00:07:25.530
or the Uncomplicated Firewall on Linux systems are commonly

144
00:07:25.530 --> 00:07:29.790
used to manage and enforce these firewall rules.

145
00:07:29.790 --> 00:07:33.330
Another important tactic in attack surface reduction

146
00:07:33.330 --> 00:07:37.950
is disabling unnecessary services and outdated protocols.

147
00:07:37.950 --> 00:07:41.190
For example, older protocols like Telnet

148
00:07:41.190 --> 00:07:44.940
or FTP, which are insecure, should be replaced

149
00:07:44.940 --> 00:07:48.750
with more secure alternatives, such as Secure Shell

150
00:07:48.750 --> 00:07:52.710
and secure file transfer protocol or SFTP.

151
00:07:52.710 --> 00:07:55.890
Tools like PowerShell Desired State Configuration

152
00:07:55.890 --> 00:08:00.480
for Windows or Ansible for Linux, can automate the process

153
00:08:00.480 --> 00:08:04.920
of disabling risky services like these across the network.

154
00:08:04.920 --> 00:08:06.960
Next, system hardening

155
00:08:06.960 --> 00:08:10.230
is used to reduce the network attack surface.

156
00:08:10.230 --> 00:08:13.920
System hardening involves securing the configuration

157
00:08:13.920 --> 00:08:17.220
settings of operating systems, applications,

158
00:08:17.220 --> 00:08:20.520
and databases to eliminate default settings

159
00:08:20.520 --> 00:08:23.070
that could be exploited by attackers.

160
00:08:23.070 --> 00:08:24.720
In hardening systems,

161
00:08:24.720 --> 00:08:28.050
organizations often follow benchmarks like those

162
00:08:28.050 --> 00:08:32.940
provided by the Center for Internet Security or CIS.

163
00:08:32.940 --> 00:08:35.550
CIS benchmarks are comprehensive,

164
00:08:35.550 --> 00:08:37.680
detailed guidelines designed

165
00:08:37.680 --> 00:08:41.190
to help secure operating systems, applications,

166
00:08:41.190 --> 00:08:42.990
and network devices.

167
00:08:42.990 --> 00:08:46.890
However, these benchmarks are not small documents.

168
00:08:46.890 --> 00:08:51.360
They're usually extensive, often exceeding 1000 pages.

169
00:08:51.360 --> 00:08:55.260
Additionally, tools like Microsoft's Group Policy Object

170
00:08:55.260 --> 00:08:57.060
for Windows and Chef

171
00:08:57.060 --> 00:09:01.200
for cross-platform configuration management, can automate

172
00:09:01.200 --> 00:09:03.720
system hardening security settings,

173
00:09:03.720 --> 00:09:07.470
applying them consistently across network devices.

174
00:09:07.470 --> 00:09:11.430
For example, one type of system hardening setting

175
00:09:11.430 --> 00:09:15.420
that can be automated is disabling unnecessary services

176
00:09:15.420 --> 00:09:17.880
on workstations and servers.

177
00:09:17.880 --> 00:09:19.620
In Windows environments,

178
00:09:19.620 --> 00:09:22.380
Group Policy Objects can be configured

179
00:09:22.380 --> 00:09:26.460
to disable services like Remote Desktop Protocol

180
00:09:26.460 --> 00:09:30.660
if it's not needed, reducing potential attack vectors.

181
00:09:30.660 --> 00:09:34.020
Similarly, Chef can automate the disabling

182
00:09:34.020 --> 00:09:37.740
of legacy protocols like Telnet on Linux servers,

183
00:09:37.740 --> 00:09:40.890
replacing them with more secure alternatives,

184
00:09:40.890 --> 00:09:43.980
such as Secure Shell or SSH.

185
00:09:43.980 --> 00:09:47.640
This automation ensures that all devices adhere

186
00:09:47.640 --> 00:09:51.150
to security standards without requiring manual

187
00:09:51.150 --> 00:09:54.660
configuration, significantly reducing the risk

188
00:09:54.660 --> 00:09:58.770
of misconfiguration and potential vulnerabilities.

189
00:09:58.770 --> 00:10:02.460
Finally, patch management plays a critical role

190
00:10:02.460 --> 00:10:07.020
in attack surface reduction by keeping systems up to date.

191
00:10:07.020 --> 00:10:10.740
Attackers frequently exploit known vulnerabilities

192
00:10:10.740 --> 00:10:15.120
in outdated software, making timely patching critical.

193
00:10:15.120 --> 00:10:18.390
Effective patch management involves identifying,

194
00:10:18.390 --> 00:10:20.010
acquiring, testing,

195
00:10:20.010 --> 00:10:23.550
and deploying patches to software, firmware,

196
00:10:23.550 --> 00:10:27.960
and operating systems across an organization's environment.

197
00:10:27.960 --> 00:10:32.250
Patch management tools such as the Microsoft System Center

198
00:10:32.250 --> 00:10:35.490
Configuration Manager or SCCM,

199
00:10:35.490 --> 00:10:39.300
Windows Server Update Services or WSUS,

200
00:10:39.300 --> 00:10:43.110
and Spacewalk for Linux, streamline this process

201
00:10:43.110 --> 00:10:46.500
by automating the detection of missing updates,

202
00:10:46.500 --> 00:10:48.600
the scheduling of patch deployments,

203
00:10:48.600 --> 00:10:51.660
and the monitoring of update status.

204
00:10:51.660 --> 00:10:53.910
These tools can also integrate

205
00:10:53.910 --> 00:10:56.280
with compliance management frameworks

206
00:10:56.280 --> 00:11:00.090
to enforce patch policies, ensuring that systems adhere

207
00:11:00.090 --> 00:11:02.130
to security baselines.

208
00:11:02.130 --> 00:11:03.840
For Windows environments,

209
00:11:03.840 --> 00:11:07.200
Microsoft's System Center Configuration Manager

210
00:11:07.200 --> 00:11:10.950
offers granular control over patch deployment,

211
00:11:10.950 --> 00:11:13.830
including phased deployments, pre-

212
00:11:13.830 --> 00:11:18.450
and post-installation scripts, and rollback capabilities.

213
00:11:18.450 --> 00:11:22.050
Next, Windows Server Update Services provides

214
00:11:22.050 --> 00:11:25.260
centralized management of Windows updates,

215
00:11:25.260 --> 00:11:28.890
allowing administrators to approve or decline patches

216
00:11:28.890 --> 00:11:32.220
before they are installed across the network.

217
00:11:32.220 --> 00:11:34.170
And for Linux environments,

218
00:11:34.170 --> 00:11:36.810
Spacewalk supports package management

219
00:11:36.810 --> 00:11:40.140
for various distributions, automating updates

220
00:11:40.140 --> 00:11:43.290
and patch deployment across servers.

221
00:11:43.290 --> 00:11:45.150
The automation and oversight

222
00:11:45.150 --> 00:11:49.140
provided by these patch management solutions significantly

223
00:11:49.140 --> 00:11:52.350
reduce the time between patch release

224
00:11:52.350 --> 00:11:55.680
and deployment, minimizing exposure to threats

225
00:11:55.680 --> 00:11:58.410
and ensuring systems remain secure

226
00:11:58.410 --> 00:12:00.288
against the latest exploits.

227
00:12:00.288 --> 00:12:02.700
So remember,

228
00:12:02.700 --> 00:12:06.870
attack surface management is all about finding, monitoring

229
00:12:06.870 --> 00:12:10.860
and reducing the ways attackers can get into a network.

230
00:12:10.860 --> 00:12:12.660
Attack surface monitoring

231
00:12:12.660 --> 00:12:15.930
continuously watches over the network's entry points

232
00:12:15.930 --> 00:12:17.640
like services, devices,

233
00:12:17.640 --> 00:12:20.730
and interfaces to spot vulnerabilities

234
00:12:20.730 --> 00:12:23.040
or unauthorized changes.

235
00:12:23.040 --> 00:12:25.710
Attack surface reduction, on the other hand,

236
00:12:25.710 --> 00:12:27.930
focuses on shrinking entry points

237
00:12:27.930 --> 00:12:32.310
by removing unnecessary services, closing unused ports

238
00:12:32.310 --> 00:12:35.760
and hardening configurations to minimize risk.

239
00:12:35.760 --> 00:12:39.210
Together, these practices work proactively

240
00:12:39.210 --> 00:12:42.090
to keep networks secure by identifying

241
00:12:42.090 --> 00:12:44.910
and eliminating potential security gaps

242
00:12:44.910 --> 00:12:47.313
before they can be exploited.

