Examining the customer network landscape to identify potential vulnerabilities, misconfigurations and data exposures across the organisation’s digital footprint.
The objective of testing a company’s external attack surface is to provide assurance to internal stakeholders that the external infrastructure, and any services exposed on it, have been deployed in line with best practice. If you don’t know, you don’t know.
Not knowing your digital footprint should be concerning: issues and exposures can be costly, yet are often easily rectified. An assessment helps by providing assurance either that there are no exposed vulnerabilities, weaknesses or exploitable artefacts on the external surface, or that the exposures found are known and can be rectified.
A key goal of the exercise is to identify issues which could allow wider compromise of the internal network, a loss of service, or reputational damage to your organisation.
An assessment will focus on your external attack surface. This includes, but is not limited to, the following components:
The testing methodology is simple. An assessment will typically include the following activities:
Passive reconnaissance involves collecting information about an organisation’s external attack surface without directly interacting with the target systems. This information is critical for understanding an organisation’s exposure to potential threats. Below is an example outline of passive reconnaissance techniques for an external attack surface assessment:
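A worked example of one passive technique, added here rather than taken from the page: harvesting hostnames from Certificate Transparency logs, which tells you which names an organisation has obtained certificates for without sending a single packet to its systems. The parser expects records in the JSON shape that crt.sh returns for a query such as https://crt.sh/?q=%25.example.com&output=json; the records embedded below are constructed sample data, example.com stands in for the client’s apex domain, and SAMPLE_NOW is a fixed reference date so the output is reproducible.

```python
"""Passive reconnaissance: harvest hostnames from Certificate Transparency
records without touching the target's own systems.

Added example, not from the original page. The JSON mimics the field names
of a crt.sh response (issuer_name / common_name / name_value / not_after);
the records themselves are constructed sample data.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the shape of `https://crt.sh/?q=%25.example.com&output=json`.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "vpn.example.com",
     "name_value": "vpn.example.com",
     "not_before": "2023-02-01T00:00:00", "not_after": "2025-03-01T23:59:59"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.staging.example.com",
     "name_value": "*.staging.example.com\nstaging.example.com",
     "not_before": "2022-05-05T00:00:00", "not_after": "2022-08-03T23:59:59"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "old-jira.example.com",
     "name_value": "old-jira.example.com",
     "not_before": "2021-01-01T00:00:00", "not_after": "2021-03-31T23:59:59"},
])

# Fixed "now" (assumption) so the live/stale split below is deterministic.
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

HOST_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}$")


def extract_hosts(ct_json, apex):
    """Return {hostname: {"issuers": set, "latest_expiry": datetime}} for every
    in-scope name in the CT records. A wildcard is reduced to its base label:
    a wildcard certificate proves the label exists, not any particular host."""
    hosts = defaultdict(lambda: {"issuers": set(), "latest_expiry": None})
    suffix = "." + apex
    for rec in json.loads(ct_json):
        expiry = datetime.fromisoformat(rec["not_after"]).replace(tzinfo=timezone.utc)
        for raw in rec["name_value"].split("\n"):
            name = raw.strip().lower()
            if not HOST_RE.match(name):
                continue
            name = name[2:] if name.startswith("*.") else name
            if name != apex and not name.endswith(suffix):
                continue  # out of scope: a SAN belonging to someone else's domain
            entry = hosts[name]
            entry["issuers"].add(rec["issuer_name"])
            if entry["latest_expiry"] is None or expiry > entry["latest_expiry"]:
                entry["latest_expiry"] = expiry
    return dict(hosts)


def classify(hosts, now):
    """Split names into those with a currently valid certificate and those whose
    last known certificate has expired. The stale set is where forgotten or
    decommissioned services (and dangling DNS records) tend to hide, so it is
    fed into the active mapping phase rather than discarded."""
    live = sorted(h for h, e in hosts.items() if e["latest_expiry"] >= now)
    stale = sorted(h for h, e in hosts.items() if e["latest_expiry"] < now)
    return live, stale


if __name__ == "__main__":
    found = extract_hosts(SAMPLE_CT_JSON, "example.com")
    live, stale = classify(found, SAMPLE_NOW)
    print("live  :", ", ".join(live))
    print("stale :", ", ".join(stale))
```

The same loop works on the real crt.sh output once it is fetched; the point of keeping the parser separate from the fetch is that the retrieval is the only step that talks to a third party, and it never talks to the client at all.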
Any port or vulnerability scans are run in a bandwidth-throttled configuration; they can therefore be run against live systems with users present, and no impact should be seen from the testing. Throttling reduces load rather than removing all risk, so any fragile or legacy devices should be called out in the rules of engagement beforehand. The active network mapping phase discovers live devices across the address space and identifies any services and ports that were not found during passive reconnaissance.
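An added example of the reconciliation step in that phase (not code from the page): parsing the XML that Nmap writes with -oX and diffing it against what passive reconnaissance already knew, so that the report can state exactly which hosts and ports the active scan added. The XML is a constructed sample in Nmap’s output shape, the addresses come from the 203.0.113.0/24 documentation range, and the passive inventory and the --max-rate value in the comment are assumptions to be agreed with the client rather than recommendations from the page.

```python
"""Active network mapping: reconcile a throttled Nmap scan with the passive
inventory to surface hosts and ports that passive reconnaissance missed.

Added example, not from the original page. The XML below is a constructed
sample in the shape Nmap writes with -oX; addresses are from the
203.0.113.0/24 documentation range and the passive inventory is made up.
"""
import xml.etree.ElementTree as ET

# A low-rate scan that would produce such a file (rate value is an assumption):
#   nmap -sS -Pn -p- --max-rate 50 -T2 -oX scan.xml 203.0.113.0/24

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sS -Pn -p- --max-rate 50 -T2 -oX scan.xml 203.0.113.0/24">
  <host><status state="up" reason="user-set"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
      <port protocol="tcp" portid="8443"><state state="open" reason="syn-ack"/><service name="https-alt"/></port>
    </ports>
  </host>
  <host><status state="up" reason="user-set"/>
    <address addr="203.0.113.25" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="25"><state state="filtered" reason="no-response"/><service name="smtp"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="203.0.113.40" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# What the passive sources (DNS, CT logs, search engines) already told us:
# constructed for the example.
PASSIVE_INVENTORY = {
    "203.0.113.10": {80, 443},
}


def parse_open_ports(xml_text):
    """Return {ipv4: {open tcp ports}} for hosts Nmap reported as up.
    Filtered and closed ports are deliberately excluded: only confirmed
    open services go forward to the enumeration phase."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if (port.get("protocol") == "tcp" and state is not None
                    and state.get("state") == "open"):
                open_ports.add(int(port.get("portid")))
        result[addr.get("addr")] = open_ports
    return result


def diff_against_passive(active, passive):
    """Return (new_hosts, new_ports): hosts the passive phase never saw, and
    extra open ports on hosts it did see. Both are findings in their own right,
    since each is something the organisation did not know was exposed."""
    new_hosts = {ip: ports for ip, ports in active.items() if ip not in passive}
    new_ports = {}
    for ip, ports in active.items():
        if ip in passive:
            extra = ports - passive[ip]
            if extra:
                new_ports[ip] = extra
    return new_hosts, new_ports


if __name__ == "__main__":
    active = parse_open_ports(SAMPLE_NMAP_XML)
    hosts, ports = diff_against_passive(active, PASSIVE_INVENTORY)
    print("hosts not in passive inventory:", hosts)
    print("extra ports on known hosts    :", ports)
```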
The active enumeration phase identifies which services are running on the previously discovered live devices. We attempt to fingerprint them and extract version information from banners, for example from web, SSH, VPN, Telnet and FTP servers. Where SNMP is exposed and answers to a readable community string, we walk the SNMP tree to retrieve information from management services.
Using the open services and enumeration information gathered so far, we then identify known vulnerabilities in those services and devices. Where a device or service has been successfully fingerprinted, passive identification is used first: the fingerprinted product and version are looked up against published advisories without touching the target again. Failing that, non-disruptive active scanning may be undertaken.
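An added example covering both the enumeration and the passive-lookup steps above (this is illustrative code, not the page’s or any vendor’s tooling): a rate-limited banner grab, a set of regexes that reduce each banner to a product and version, and two helpers that split the results into fingerprints to look up passively and services that gave nothing usable and so become candidates for non-disruptive active checks. grab_banner() and enumerate_hosts() do real network I/O and are not exercised here; SAMPLE_BANNERS are constructed strings in the formats those daemons emit, not captures from any real host, and the per-service regexes only know a handful of common products, which is an assumption to extend in practice.

```python
"""Active enumeration: grab service banners with a delay between connections
and reduce them to (product, version) fingerprints for passive advisory lookup.

Added example, not from the original page. Network functions are included
for completeness; SAMPLE_BANNERS are constructed, not real captures.
"""
import re
import socket
import ssl
import time

PORT_SERVICE = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 587: "smtp",
                80: "http", 443: "http", 8080: "http", 8443: "http"}

# Per-service banner patterns (assumption: a small set of common products).
FINGERPRINTS = {
    "ssh":  re.compile(r"^SSH-2\.0-(?P<product>OpenSSH|dropbear)[_ ](?P<version>\S+)"),
    "http": re.compile(r"^Server:\s*(?P<product>[A-Za-z-]+)/(?P<version>[0-9][\w.]*)", re.M),
    "ftp":  re.compile(r"^220[ -].*?(?P<product>vsFTPd|ProFTPD|Pure-FTPd)\s*(?P<version>[0-9][\w.]*)", re.I),
    "smtp": re.compile(r"^220\s+\S+\s+ESMTP\s+(?P<product>Postfix|Exim|Sendmail)(?:\s+(?P<version>[0-9][\w.]*))?"),
}

# Constructed sample banners: (host, port, banner). Hosts are documentation addresses.
SAMPLE_BANNERS = [
    ("203.0.113.25", 22, "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n"),
    ("203.0.113.10", 80, "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n\r\n"),
    ("203.0.113.10", 8443, "HTTP/1.1 401 Unauthorized\r\nServer: Apache/2.4.41 (Ubuntu)\r\nWWW-Authenticate: Basic realm=\"admin\"\r\n\r\n"),
    ("203.0.113.31", 21, "220 (vsFTPd 3.0.3)\r\n"),
    ("203.0.113.31", 25, "220 mail.example.com ESMTP Postfix\r\n"),
    ("203.0.113.31", 22, "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n"),
    ("203.0.113.32", 23, "\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"),  # Telnet option negotiation only
]


def grab_banner(host, port, probe=b"", use_tls=False, timeout=5.0):
    """One connection, optional probe (HTTP says nothing until asked), one read.
    Real network I/O: only run against systems you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        sock = raw
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False          # we want the banner, not trust
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(raw, server_hostname=host)
        if probe:
            sock.sendall(probe)
        return sock.recv(2048).decode("utf-8", errors="replace")


def enumerate_hosts(targets, delay=1.0):
    """targets: iterable of (host, port). Sleeps between connections so the
    enumeration stays as low-rate as the throttled port scan that fed it."""
    out = []
    for host, port in targets:
        probe = b""
        if PORT_SERVICE.get(port) == "http":
            probe = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
        try:
            banner = grab_banner(host, port, probe, use_tls=port in (443, 8443))
        except OSError:
            banner = ""          # closed, reset or timed out: recorded as empty
        out.append((host, port, banner))
        time.sleep(delay)
    return out


def fingerprint(host, port, banner):
    """Reduce a banner to a structured fingerprint; product/version are None
    when no pattern matched, which is itself useful information."""
    service = PORT_SERVICE.get(port, "unknown")
    rx = FINGERPRINTS.get(service)
    m = rx.search(banner) if rx else None
    return {"host": host, "port": port, "service": service,
            "product": m.group("product") if m else None,
            "version": m.group("version") if m else None}


def fingerprint_all(banners):
    return [fingerprint(h, p, b) for h, p, b in banners]


def lookup_keys(fps):
    """Unique 'product version' strings for passive advisory lookup; each is
    checked once however many hosts share it."""
    return sorted({f"{f['product']} {f['version']}" for f in fps
                   if f["product"] and f["version"]})


def needs_active_scan(fps):
    """Services whose banner yielded no version: candidates for non-disruptive
    active checks rather than passive lookup."""
    return [(f["host"], f["port"], f["service"]) for f in fps if not f["version"]]


if __name__ == "__main__":
    fps = fingerprint_all(SAMPLE_BANNERS)
    print("look up passively :", lookup_keys(fps))
    print("no version found  :", needs_active_scan(fps))
```

Keeping the network step and the parsing step apart means the fingerprint logic can be regression-tested on captured banners, and the only code that touches the client is the short, rate-limited grab.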
Penetration testing is out of the scope of an External Attack Surface Assessment.
The final report can be used as an informative reference for a future penetration test engagement.
In some instances, where properly defined in the agreed rules of engagement, limited active testing against discovered vulnerabilities may be undertaken to confirm the validity of external scan findings, provided it is non-disruptive.
You get a nice shiny report breaking down your exposures and the associated data exposure and leakage risks.
…or you get a very small report and a congratulatory pat on the back for running a tight ship.
An external attack surface assessment is only a statement in time. We can also provide ongoing monitoring, for example of breach data and of look-alike domain registrations used for phishing. It all depends on your risk appetite. What concerns you most?