kiranmai-nadella edited this page Dec 16, 2022 · 5 revisions

What is Attack Surface Framework?

Attack Surface Framework (ASF) is a tool designed to protect organizations by acting as an attack surface watchdog. It is designed to augment existing cybersecurity efforts with a unique protective layer for an enterprise’s attack surface. Given an "Object", which can be a domain, IP address, or CIDR (internal or external), ASF will discover assets and subdomains, enumerate their ports and services, track deltas, and serve as a continuous and flexible attacking and alerting framework, providing an additional layer of support against 0-day vulnerabilities with publicly available PoCs.

Motivation

Domains, IP addresses, and CIDR (Classless Inter-Domain Routing, also known as supernetting) are a vital part of any enterprise ‘surface’ infrastructure. They are also ideal targets for today’s threat actors. Currently, there is no single-pane-of-glass method to automate the discovery of dynamic assets (and their associated vulnerabilities) through continuous scanning or exploitation. Existing solutions are proprietary, designed exclusively for a specific technology or program, and not readily scalable. This makes defending the ever-changing dynamic ecosystem a spotty affair, with varying levels of siloed security that may or may not communicate with other components.

A day 0 in the life

Let’s take a typical scenario involving Day 0 software released on a regular basis. While market demands dictate frequent releases, there are significant security challenges when it comes to discovering affected surface artifacts at scale.

For example, a critical Day 0 advisory outlining potential remote code execution (RCE) and/or distributed denial of service (DDoS) bugs is issued. Attackers may utilize the working knowledge or wait for the Proof of Concept (PoC) / working exploit to be released. They then begin enumerating publicly exposed assets worldwide—using sources such as shodan.io or censys.io—in order to identify vulnerable instances and potentially exploit them. This often involves the creation of automated weaponized worms and bots designed for nefarious attacks such as ransomware.

If an enterprise has an offensive security team, the traditional response is to follow the same methodology as the attacker and to drive remediation based on service-level agreements (SLAs) and the severity of the vulnerability in question. Unfortunately, this process usually involves inefficient manual labor, is poorly organized because it is generally reactive in nature, and is less effective than it would be with proper (defined) expertise.

If the organization does not have an offensive security team, remediation is commonly based on potential detection through vulnerability scanners, antivirus, firewalls, and intrusion detection systems (IDS) or intrusion prevention systems (IPS). The main problem with this approach is that it relies on vendors taking time to release the signature, indicators of compromise (IOCs), or a plugin to identify vulnerable assets. This can take anywhere from 24 to 48 hours or longer after an advisory is released, which is ample time for a sophisticated threat actor to gain a foothold within the corporate ecosystem, often undetected.

On top of that, there is additional time needed to scan and patch all affected assets. This opens another uncomfortable window of exposure for attackers, as well as a potential new threat—bug bounty hunters. Following the same process as threat actors and internal personnel, the primary intention of such bounty hunters is to uncover vulnerable Day 0 assets with publicly available technical information. While this isn’t always a malicious undertaking (many companies have a bug bounty program), there is no guarantee a bug bounty hunter is working in a company’s best interest. Some pride themselves on simply disclosing their findings to public assets or demanding a bounty if there isn’t one—with dire consequences if their demands aren’t met.

A new frame of mind

Attack Surface Framework redefines what’s possible in this arena. We wanted a scalable solution employing open-source surface security tools for every aspect of a full vulnerability lifecycle—all wrapped in a single pane of glass residing on top of a graphical user interface (GUI).