7 Surefire Ways to Reduce Your Attack Surface: A Hacker’s Perspective

In the realm of IT ecosystems and the digital landscape that organizations live in, the best defense is a proactive offense. The hackers at Rotas, have spent many years hacking into different systems and networks, and are uniquely qualified to discuss the practical steps organizations can take to thwart malicious actors. We’ve seen firsthand the vulnerabilities, configurations, and business logic flaws criminals exploit. This article aims to turn the tables, offering insights from a hacker’s perspective on how to reduce your attack surface and fortify your digital defenses effectively.

In the realm of IT ecosystems and the digital landscape that organizations live in, the best defense is a proactive offense.

1. Embrace Multi-Factor Authentication

The More Layers, The Better

Criminal hackers thrive on simplicity. Single-layer defenses, like basic passwords, are their playground. Implementing multi-factor authentication (MFA) significantly complicates unauthorized access. MFA requires users to provide two or more verification factors to gain access to a resource, making an adversary’s job exponentially harder. When an attacker either guesses a password via password spraying or password stuffing, or tricks a user into giving their credential away via phishing, that credential is useless without the second factor.

Ideally, you would implement an authenticator app, like Google authenticator, Duo, or one of the other many purpose-built applications meant for MFA. Less ideal would be using SMS or email as the second factor. But, when it comes to MFA, something is far better than nothing.

2. The Power of Passphrases and Long Passwords

Complexity Entropy is Key

Forget the old “eight characters, one number, one special character” password formula. In today’s digital age, length and uniqueness are the keys to a strong password. Opt for passphrases – a sequence of words or a sentence that’s easy to remember but hard to crack. The longer and more unique, the better. Ideally not leveraging common “go together” dictionary words and numbers or characters. Something like thespiceygreggfeelsfarfromhome is much less likely to fall to a password cracking campaign than $piceyGregg23. Also, as a protip: avoid password re-use, if possible. Use unique passwords based on the application in use, and leverage a password manager. I’ll let you decide on cloud-based, or local password managers on dropbox… we prefer the latter but do see value in the former.

3. Secure Your Connections with VPNs

Every Network is Hostile

In a world where remote work is the norm, securing data in transit is crucial. VPNs (Virtual Private Networks) provide an encrypted tunnel for your data, shielding your activities from prying eyes. This is especially important when using public Wi-Fi networks, which are hotspots for cyber attacks. Whether its full VPN via clients, split tunnel SSL VPN using browser plugins; protect the data and users by ensuring the applications and data they access is protected by all of the safeguards you have invested time and money in, no matter where the users are connecting from.

4. User Account Activity and Anomaly Monitoring

Vigilance is Vital

Continuous monitoring of user account activities can flag anomalies that indicate a breach. This includes unusual login times, locations, or patterns of behavior. Early detection of these anomalies can thwart potential attacks and minimize damage. When criminals breach accounts and are connecting during odd hours, or making many hundreds of network probes, or when specific user accounts are having thousands of passwords attempted against them, it would behoove IT operations personnel to be made aware of this activity. You can invest in open source or off-the-shelf solutions that can help you detect and even automatically perform activities against anomalous account activity. As a bonus, implement canaries in your network: accounts designed to be weakly protected. Put an account in active directory that has the password in the description field, or a purposefully weak password. Then, setup monitoring so if that account is used at all, it will alert you to nefarious activity!

5. OS Patching: Keep Your Guard Up

Update Regularly

Operating systems are not infallible. Vulnerabilities in OS’ are discovered constantly and attackers are eager to exploit them. Regularly updating your OS with the latest patches is a “simple” yet effective way to seal these security gaps. I realize I just said it’s simple, but the task is not really simple at all. It’s a tough job: ensuring the updates are compatible with your environment and don’t break things when applied. The job of a vulnerability management (VM) program operator or manager is an important one. Also, don’t forget updating those third-party applications as well. Those hosted on endpoints, as well as the outlier operating systems in your environment like VxWorks, ESXi/Vsphere, etc. If there is a vendor supplied update for it, your VM personnel should have it in some patching window.

6. Secure System Build Standards

Foundation Matters

Secure system build standards are the blueprint for cybersecurity. These standards ensure that systems are configured with security in mind right from the start. This includes disabling unnecessary services, securing admin accounts, and applying the principle of least privilege. The number of huge attacks that have been successful in Rotas’ history because of factory default admin credentials were not changed before systems were moved to production is pretty staggering. Also, having build standards is important: verifying those build standards are being followed appropriately is equally as important.

7. Continuous Monitoring

Always on the Lookout

Continuous monitoring of your network and systems can detect and respond to threats in real-time. This involves analyzing network traffic, checking for unauthorized changes, and keeping an eye on system logs. It’s not just about finding the threats; it’s about finding them fast. There are many industry terms for this: continuous assessment and testing, always-on testing, attack surface management, pentesting-as-a-service (well… kinda), etc. Some put more emphasis on asset inventory, others put emphasis on logging and alerting to systems vs an external perspective. At Rotas, we espouse both! The idea is to constantly be surveying your environment, monitoring for changes and anomalies. Whether you do that from the outside in, or from the inside out, just do it!

Conclusion

Reducing your attack surface is not a one-time fix but a continuous process of vigilance and adaptation. By implementing these strategies, you’re not just setting up defenses; you’re actively deterring potential attackers by making the job too tough to be worth their while. Remember, in the world of cybersecurity, knowledge is power, and the best way to defeat criminal hackers is to think like one.