Preventing and Remediating External Asset Exposures
In the recent The Defender’s Advantage Cyber Snapshot article, Detecting Common Exploitation Paths Exposed on the Internet, Mandiant identified common entry paths exposed on the internet. We recently hosted a webinar to discuss these external asset exposures, why they’re common, and the steps security teams can take to remediate and harden against the exposures. This blog provides a summary of Mandiant’s recommendations for hardening external assets.
Watch the on-demand webinar for more detailed information and to hear the answers to live questions.
External Asset Identification, Enumeration and Exposure Detection
Threat actors can use vulnerable or misconfigured external assets as an entry point, or initial compromise vector, to perform reconnaissance, gain lateral movement, maintain access, or achieve their mission. To effectively protect against initial compromise through the exploitation of an external asset, an organization must identify, enumerate, and harden internet-facing devices, applications and network services.
Consider the following for external asset identification and enumeration:
- Externally focused vulnerability assessments or penetration testing
- Verify that existing technology vendors require patches or updates to known vulnerabilities
- Add a requirement for new technology vendors to patch or update know vulnerabilities
- Leverage a third-party vulnerability scanning technology or external attack surface management solution
All of the above considerations will offer prioritized and recommended remediation actions to help mitigate a potential incident.
At Mandiant, we recommend prioritizing remediation efforts for critical and high severity issues, including CVEs with CVSS scores greater than 8 or CVEs that have been exploited in the wild. However, it is essential that security teams be aware of and monitor for lower severity vulnerabilities, misconfigurations, and exposures that can be used in conjunction with an exploit of a known CVE. Examples of lower severity issues include exposed services, 2FA that can be bypassed, application information leaks, and expired (or almost) certificates.
To get an immediate view of your organization’s external attack surface, try Mandiant Advantage Attack Surface Management Free.
Hardening Against the Exposed Entry Paths
The following guidance provides hardening recommendations for organizations to apply to internet-facing assets.
Exposed Version Control Repository
Exposed version control repositories are typically found on public-facing webservers and can contain sensitive files or source code related to an organization or applications.
- Scan externally facing IP ranges and inventory applications and necessary ports/protocols for said application/systems
- Limit amount of externally accessible information about system/application
- Restrict lateral movement ports outbound from server (e.g., SMB, WMI, RDP)
- Regularly rotate admin and service account passwords that access version control repositories
Potential Leaked Secrets in Code Repositories
Open-source code repositories can contain confidential or sensitive information. As a best practice, security teams should perform the following on a continuous basis:
- Scan code repositories for secrets using professional or open-source tools
- Enforce secrets scanning of repositories on all code that are committed (i.e., create pre-commit hooks)
- Enable logging on code repositories
- Purge commit history to ensure any previous committed code with secrets has been removed
- Enforce multi-factor authentication (MFA) for all users
- Create IP whitelisting to ensure that access to the code repositories is coming from a trusted location
- Disable the ability for users to create a public repository
- Disable the ability for users to fork existing repositories
- Perform regularly SAST & DAST scanning
Subdomains Vulnerable to Takeover (T1584.001 - Compromise Infrastructure: Domains)
Configuring subdomains to point to a third-party service is common practice; however, forgotten subdomains offer threat actors a vector to hijack and use for malicious means. The following guidance serves to help security teams maintain strong DNS hygiene:
- Audit DNS Records
- Amass / Aquatone / Sublist3r
- Remove stale CNAME records from DNS Zone file
- Inspect third-party subdomain records
- Create a unique TXT record
- Enforce entropy in instance names
- Disallow clients from reclaiming name
- Listening to wildcard DNS
- Revamp the provisioning and deprovisioning process for subdomains
- Create the instance first, then create subdomain and point it to instance
- Remove the CNAME record first, then delete the instance
Microsoft Exchange Vulnerabilities
Mandiant reported extensively on the Microsoft Exchange vulnerabilities disclosed in 2021, more information can be found here. The Cybersecurity and Infrastructure Security Agency (CISA) implemented remediation deadlines in 2021. The following guidance will help security teams adhere to the CISA guidance:
- Restrict egress comms from Exchange Server
- Restrict lateral movement ports for internal comms paths
- SMB, WMI, RDP
- Restrict Exchange privilege accounts
- Organization management, Exchange Trust Subsystem
- Configure split permissions
Sensitive information Leaks from S3 Buckets
Misconfigurations that allow for public access and bucket policies that permit unauthorized access are the two most common issues we see with S3 buckets. The following guidance can be implemented within the cyber defense strategy to ensure secure S3 buckets:
Create Bucket Policies to further restrict access to S3 Bucket
- Restrict HTTP Communication and only enforce HTTPS
- S3 Versioning with MFA Delete
- Enable Server Access & Object-Level Logging
- Consider Implementing S3 Block Public Access
- Scan public S3 Buckets for sensitive information
Additional hardening recommendations and detection opportunities are available in the white paper, Proactive Preparation and Hardening to Protect Against Destructive Attacks.
Read the latest insights from Mandiant experts – download your copy of The Defender’s Advantage Cyber Snapshot.