Hackers Can’t Attack What They Can’t See

By Staff Writer, February 12, 2025 (updated May 17, 2025)

Threat Landscape

Most IT security professionals would agree that the key ingredient for safeguarding networks is “reducing the attack surface.” Fewer avenues for breaches mean reduced risk and fewer incidents for an enterprise: Hackers can’t attack what they can’t see. Reducing attack surface is the key to securing your network, applications, and—most importantly—your data.

Calling all servers . . .

The “attack surface” comprises the sum of all exposed points through various vectors that an attacker could target to compromise a computing device or network. You can group the attack vectors into three main categories: the channel (a listening TCP/UDP port), assets (which include applications, services, webpages, files, executables, etc.), and access (user credentials). Below is a breakdown of the various attack vector options available to attackers.

The channel—typically an exposed-to-the-internet communications protocol like TCP or UDP—allows all entities on the internet to communicate with each other. It’s how you gain access to networks, applications, and your data. It’s also what exposes these same assets to attack.

For example, a TCP three-way handshake consists of a SYN request to a web server (on port 443), a SYN/ACK reply from the server, and a final ACK from the sender. This establishes a connection and allows data to be sent and received before any authentication of the source happens. Bad actors use this connection to compromise the web server using a known exploit or a zero-day vulnerability: Once in, hackers can attempt to move “east-west” within the network.

Reducing the attack surface requires making sure a web server does not communicate with unauthorized or unauthenticated entities. In traditional castle-and-moat security architectures, this single network connection grants access to much, if not all, of the network’s assets. Attackers can compromise access credentials or find open ports to exploit.

Going “dark”: Camouflage for your corporate network

“Going dark” hides the network from the internet at large in order to prevent bad actors from ever accessing the network via a web server (or other network entities).

Think about your physical house security: your doors and windows represent the attack surface. Each door or window is a channel attack vector, similar to an open TCP port on an IT system waiting for someone to connect.

By going dark, you effectively hide all your doors and windows from view. Instead, you create a secure underground tunnel for each individual valuable asset in your house, and you can only enter an asset tunnel if you pass an identity check.

The user and device identity must be authenticated before a TCP channel connection (or in our analogy, an underground tunnel) gets created. With a dark network, we use the peephole to verify identity before we open the door—every time somebody knocks, no matter who is knocking.

Why not just use a VPN?

Great question! A VPN does reduce the attack surface, but there are several major issues. The VPN concentrator itself becomes a new attack surface: VPNs are like putting a fence around your house to protect all the doors and windows. But it’s a fence with a gate, and that gate is visible and can be breached. If the burglar breaks down the gate, the attacker can see all the doors and windows (which are open because you thought the gate was secure).

Also, VPNs don’t protect against two major security risks: east-west movement and IP visibility.

When a user authenticates with VPN, the user generally gets full network IP protocol access—including the Internet Control Message Protocol (ICMP), which hackers can exploit. Attackers can use ICMP for reconnaissance in the attack phase. This allows an attacker to probe your network and data center, or—even worse—steer ransomware to additional targets.

Users can connect to a network using direct IP communication via an IP address. This exposes the network’s listening ports to attackers. An attacker can port-scan various subnets to obtain a full list of services that are open on a server. One way to prevent this is to allow connections only in response to an authorized, valid DNS request for a specific service and port number, so that applications and services become visible only after the user is authenticated. This remediates the risk, and is what the industry has named Zero Trust Network Access (ZTNA).

How do you go dark?

Reducing attack surface takes four steps:

Closing the firewall
Eliminating peer-to-peer communication
Obscuring the data center
Establishing progress measurement

Start your zero attack surface journey by closing the local Windows firewall to all incoming services and allowing only trusted incoming connections from an authenticated, trusted source.

How can you reduce the attack surface in the data center? First, ensure users cannot connect directly to the data center. They must connect via a service that renders the network dark. Then reduce peer-to-peer internal data center connections as much as possible using new Zero Trust technologies that microsegment data and applications using their cryptographic identity fingerprint.

Let’s look at the numbers: Assume in your large enterprise, you have 20K Windows 10 clients. This equates to 100K possible channel attack vectors, assuming each client has the five “standard” Windows ports open (e.g., 135, 445, etc.). Shut down these common inbound listening ports with Windows firewall block rules via a domain group policy and you’ll reduce your attack surface metric by more than 100K ports!
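As an added example that is not part of the article or of Zscaler’s own material, here is a PowerShell script for the firewall step above: it records a host’s inbound listening ports (the per-host channel count behind the metric), makes inbound traffic deny-by-default, blocks the common ports, and lets one trusted source back in. It assumes a trusted management subnet of 10.0.0.0/24 and WinRM port 5985, and treats 139 as an extra port beyond the 135 and 445 the article names.

```powershell
# Added example (not from the article or Zscaler). Run as Administrator on a test host first;
# for the fleet, put the same rules in a domain GPO under
# Computer Configuration > Windows Defender Firewall with Advanced Security.

# Ports named in the article are 135 and 445; 139 (NetBIOS session) is an assumed addition.
$BlockedPorts = 135, 139, 445
# Assumed trusted management subnet and port (WinRM over HTTP); replace with your own values.
$TrustedSource = '10.0.0.0/24'
$TrustedPort   = 5985

function Get-InboundListeningPorts {
    # Distinct TCP ports with a listener, excluding loopback-only binds.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -ne '127.0.0.1' -and $_.LocalAddress -ne '::1' } |
        Select-Object -ExpandProperty LocalPort | Sort-Object -Unique
}

$before = Get-InboundListeningPorts
Write-Host "Listening TCP ports before: $($before.Count) -> $($before -join ', ')"

# Deny-by-default on all three profiles; only explicit allow rules will pass inbound traffic.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# Explicit block rule: in Windows Firewall a block rule wins over any allow rule for the same
# traffic, so this keeps the ports closed even if an application later adds its own allow rule.
New-NetFirewallRule -DisplayName 'ZeroAttackSurface - Block common inbound ports' `
    -Direction Inbound -Protocol TCP -LocalPort $BlockedPorts -Action Block -Profile Any

# Narrow allow: one management port, only from the trusted source range, domain profile only.
New-NetFirewallRule -DisplayName 'ZeroAttackSurface - Allow management from trusted source' `
    -Direction Inbound -Protocol TCP -LocalPort $TrustedPort -RemoteAddress $TrustedSource `
    -Action Allow -Profile Domain

# A socket still shows as "Listen" after the rule is applied, so measure remaining exposure as
# listening ports NOT covered by a block rule rather than as raw listeners.
$exposed = $before | Where-Object { $BlockedPorts -notcontains $_ }
Write-Host "Ports still reachable after block rules: $($exposed.Count) -> $($exposed -join ', ')"
```

Multiply the per-host "before" and "after" counts by the number of clients to track the attack surface metric the article describes over time.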

Zero Trust principles are based on adopting a least-privilege strategy and strictly enforcing access control. Legacy network security relied on packet exchange to negotiate connections, but you can’t trust a packet since it does not contain any identity. Therefore you must first identify packets using ZTNA, establish a connection based on identity and policy, then create secure microtunnels for these packets to flow between users and IT assets.

Learn more at zscaler.com/security.

This article is a contributed piece from one of our valued partners.