The Hidden Attack Surface: What’s Missing in Your Cloud Security Strategy?

/by

It happens all the time. A company has the right security policies in place but misconfigures the environment. They think they are protected. Everything looks fine. They locked the doors and boarded up the windows to the room where the crown jewels are kept, but nobody noticed that the safe that holds the jewels is no longer in that room. Accidentally, it was moved to another location, which is left wide open.

Here’s another common scenario. When working in the cloud, someone in your company can easily turn on a policy that allows anyone to gain access to your critical resources. Or, maybe you grant temporary access to a vendor for maintenance or troubleshooting but then forget to revoke the access. There may be legitimate reasons to grant access, but if that resource is compromised, your cloud can be infected.

Cloud Environments Are Constantly Evolving and Easy to Misconfigure

The challenge in today’s cloud environment is that things are never static. Things are spinning up constantly, new endpoints are being added, and new connections are being made. Cloud users can easily misconfigure or forget to revoke access to critical resources. So you lock the front door and think you’re safe when the back door might be open or someone is opening and closing new windows all the time.

Nearly seven in 10 organizations report dealing with cyberattacks from the exploitation of an unknown or unmanaged asset connected to the internet. With today’s complex cloud, multi-cloud, and hybrid cloud environments, uncovering the hidden attack surface is crucial to uncover every potential resource that could be compromised.

What is the Hidden Attack Surface?

Uncovering the hidden attack surface involves knowing all unknown resources in your cloud and finding all attack paths to the resources – not just the most likely paths like most CNAPP/CSPM vendors. Finding all attack paths requires deep intelligence to map the full cloud network and determine every potential exposure point.

Cybercriminals are constantly looking for pathways, or hidden attack paths, to get to your crown jewels. With today’s emphasis on cybersecurity, companies rarely leave the front door open to let hackers walk right in. But there may be vulnerabilities that do allow access and then a pathway to reach the jewels. It may be a twisted and convoluted path, but it gets hackers where they want to go.

An attack path analysis details every endpoint and connection to show how threat actors could enter your house and travel the path to find what they’re looking for. By highlighting every possible path and policy detail associated with these pathways, you gain comprehensive visibility into your network.

This information details the traffic that can enter or exit a hop on the attack path and what controls are enabling them to uncover areas of unintended access to critical cloud resources.

Mapping the Entire Infrastructure

Some other solutions are also inadequate to map the entire infrastructure.

Let’s say you have someone conducting penetration testing. Pen testing focuses on the major attack points but doesn’t identify every single way, inside out, to connect to those resources. Think of it this way: You want to drive from San Jose to San Francisco. Nearly everyone making that drive will use the 101 or 280. But 880 can also connect, and there are thousands of side routes that you could use to make the ride. It may take a long time, but you’ll ultimately get to your destination.

Pen tests focus on the most typical routes. Plus, routes are constantly changing. They don’t take into account that new subdivision that didn’t exist last week that allows through traffic. You may segment your data, but new pathways evolve that suddenly allow lateral movement. Without real-time attack path analysis, you may be secure one moment and insecure the next.

Not All Attack Path Analysis Vendors Work the Same Way

When looking to analyze attack paths, it’s crucial to choose the right vendor. Not everyone approaches attack path analysis the same way, and the wrong solution may give you a false sense of security.

Just like penetration testing, most CNAPP/CSPM companies focus on the same major pathways. For example, if you’re using AWS and want to know which resources may be exposed, most vendors will check AWS security groups, AWS network access control lists (NACL), and AWS gateways. But are they also checking gateways such as AWS Transit Gateways, Third Party Firewalls, Load Balancers and all other cloud networking resources.

Effective security demands that you view everything end-to-end including every endpoint, pathway, and policy. While you may start with the obvious paths, it’s not enough. Attackers know that the most obvious spots are usually protected, so they’re constantly probing for the path that’s not so obvious and less likely to be guarded. This is uncovering the hidden attack surface that results in most cloud security breaches.

Comprehensive Attack Path Analysis with RedSeal

RedSeal uncovers the hidden attack surface by providing a comprehensive attack path analysis of every possible entry point and pathway within your infrastructure to determine what resources may be exposed. Besides end-to-end mapping, RedSeal also shows you how the exposure occurred and provides remediation guidance.

You get:

  • A list of all resources, subnets, and instances that are deemed critical, grouped by AWS accounts, Azure subscriptions, AWS VPCs, Azure VNETs, tags, and subnets
  • Specific ports, protocols, and services that are open and exposed — e.g., HTTPS (443), SSH/TCP (22), SMTP/TCP (25), RDP with exposure details
  • Full attack path analysis to critical resources,  highlighting all possible paths and the security policy details associated with each path
  • Details about what and where traffic can enter, what controls are enabling entry, and the paths attackers can take once they gain entrance

You can complement your cloud service provider’s operational tools by getting a real-time evaluation of all affected resources across multiple cloud environments. Using an agent-less, API-based approach, RedSeal Stratus uncovers all resources deployed within your environment and lets you view them in a single pane of glass.

Not only do you get a comprehensive view of your cloud infrastructure and insight into potential exposure points, but you also get a roadmap for remediation. Stratus identifies and calculates every possible path, port, and protocol — not just active traffic — to help you prioritize your remediation efforts. Security teams can then perform root cause analysis and raise a remediation ticket for resource groups that may be impacted by security policies.

This ticket would include information about the affected resources, verification, remediation steps, and the potential risk if they are not mitigated.

RedSeal mitigates exposure with:

  • Out-of-the-box (OOTB) reporting
  • Simple, agent-less deployment
  • Continuous risk assessment
  • Drill-down capabilities with remediation guidance
  • Seamless integration with ticketing and remediation systems like Jira

RedSeal’s cloud security solutions can bring all multi-cloud environments into one comprehensive, dynamic visualization and know the unknowns. This allows you to protect your cloud, conform to best practices and gain continuous monitoring for compliance.

Learn more by downloading our Solution Brief: Stop Unintended Exposure.

Tales from the Trenches: Vol 10 — You Don’t Know What You Don’t Know

/by

Since 2004, RedSeal has helped our customers See and Secure their entire complex network. And while those customers may have understood the value of understanding their environment, how it was connected and see what’s at risk, there is often an “Aha” moment when the true significance is clear. The stories of these moments are lore within the walls of RedSeal. But these tales so clearly illustrate the value of RedSeal beyond just theory that we think they’re worth sharing. In the words of our team in the field, the ones working directly with our customers, this blog series will share the moments where it all gets real.

In this edition of the series Michael Wilson, Senior Network Security Engineer, explains how RedSeal empowers customers to verify their contractors are following security best practices and have their organization’s best interest in mind.

You Don’t Know What You Don’t Know

In my customer’s environment, the network is segmented and managed by both the customer and several contracted partners. It is a difficult task to have visibility into an entire network that is distributed across several different contracted partners, let alone keep track of all of the devices and changes that can occur across a network. The adage of ‘you don’t know what you don’t know’ is very relevant in a situation like this. RedSeal has the ability to provide my customer with a single pane of glass to see all these network segments that are managed by different contracted partners.

The customer’s RedSeal deployment runs daily collection tasks, and the customer can see any changes that occur to their network from day to day. One morning, I logged into RedSeal and started my daily maintenance tasks, which includes ensuring that data collections ran correctly, and analysis was performed successfully, and I noticed that there was an increase in device count. This was a cause for investigation, as new devices being brought into RedSeal without any new data collection tasks is a possible indicator of compromise.

I notified the customer, and I started to investigate. I noticed that these changes occurred in the customer’s SDWAN environments. This SDWAN environment uses clusters to manage edge devices, and the customer has devices spread around in many different locations. The environment is managed by one of the customer’s contracted organizations and, previously, the environment used 4 clusters to serve all the customer’s edge devices in this SDWAN environment. The additional devices that RedSeal discovered were an additional 20 clusters that upped the total from 4 to 24. Once I started to arrange the new clusters on the map, I started to see that these new clusters were connected in such a way that they were serving specific geographic regions of the customer’s environment. This indicated the contracted partner was making significant changes to the SDWAN environment and the new devices were likely not an indicator of compromise.

Once I determined that this was likely a planned network change, I asked the customer if they were aware that these changes were planned and being implemented to the network. They were not aware of any plans and changes being implemented. I asked the customer to immediately verify that the changes were planned, and the customer discovered that not only were these changes planned, but they had never been notified of these planned changes. This demonstrated a significant lack of communication between the customer and their contracted partners. I was able to use RedSeal not only to discover network changes that occurred on the network, but a fundamental operational flaw of the entire customer’s workflow surrounding network changes. It gave the customer the ability ‘to know what they didn’t know’.

The risks that the customer was unknowingly accepting (and by default, unable to mitigate or remove) through this lack of communication was that the contracted partner was making changes to the customer’s network, which contains devices that have Payment Card Industry (PCI) data running through them. By making changes without consulting the customer, the contracted partner was potentially exposing the customer to a disastrous breach of customer financial information. The reason this could be the case is that the contracted partner does not control the entire customer network and changes in their network segment may unknowingly lead to security holes in other parts of the network that is managed by either the customer directly or another contracted partner. To top it off, the customer would have had no idea of this risk because they were unaware of what was happening on their network. RedSeal was able to become the stop gap and identify that risk and provide the information needed to make an informed and educated decision on what risks to accept, mitigate, or remove.

Interested in how RedSeal can help your team? Click here to set up a demo or an introductory call.