
Good afternoon everyone, thank you for making it to 5 o'clock. The afterparty is closing in, so hopefully you can hold on for another 20 minutes whilst we talk about external attack surface management this afternoon, or in better words: how clean is your house on the outside?

Quick bit of housekeeping first. On many of the programmes and schedules you may see that this talk is being delivered by Todd gford rmd. He's not with us today. He's not dead, he's just on holiday. He's just on holiday. I didn't realize how bad that looked. Sorry, Todd. So you're stuck with me. I'm Ben Smith, I'm head of consultancy at Optimising IT, an assured service provider. We are a Southwest-based MSP and we deal with a large number of businesses of many sizes, shapes and verticals. I think that gives us a real good finger on the pulse as to what's happening in the cyber security space for SMB in the UK today, and importantly what people are doing really well from an IT perspective, but also, as we'll talk about today, what people aren't considering and aren't doing so well.

So without further ado: how clean is your house on the outside? Bit odd. So, anyone recognize this image? Yeah, IT Crowd. The presentation is called "how clean is your house on the outside". I've changed the image today; that's normally a messy living room or something of that nature. Today it's an office; I thought that might resonate with the crowd a little bit more. But metaphorically what we're talking about here is an organization with poor internal cyber security posture, and actually what we see much more in the marketplace today is people moving further and further away from something that looks metaphorically like this to something that looks more like this. And how did organizations typically get from the first slide to this? It's your standard cyber security technology, tooling, processes. So things I'm talking about there are antivirus, EDR, MDR, firewall rules, patching policies, maybe even a clean desk policy.

But what we consistently see from IT teams: whilst they consider what they look like from the inside, and are doing really well at getting themselves to look like that, what they don't consider often is what they look like on the outside, from an attacker's perspective or even a client's perspective.

So back to houses from offices. If you were a thief, a burglar, an intruder, and you had to pick a target out of hundreds of houses, what would typically draw you to one versus another? So obviously what we're talking about there is: is there a house with an open door, an open window? Actually it might not even be open, it might be closed, but is it a crappy old door with crappy locks versus a brand new uPVC with grade A locks? No gate, no CCTV, a house without a dog. Actually, importantly, is there something worth stealing inside? And this is a similar approach attackers will take when they're looking at organizations. They might not know what is inside; they might not know there's a mixed martial artist inside waiting at the door, or the old man with the shotgun. But they're looking for targets to invest their time and effort into, something with a likely outcome, i.e. cash at the end of the day, or data. And that's exactly why managing your external attack surface as an organization is important, and treating it the same way you would treat your house.
So what exactly is external attack surface management? Now there is an official definition which I'll read up. Gartner defines this as "the processes, technology and managed services deployed to discover internet-facing enterprise assets, systems and associated exposures, including misconfigured public cloud services and servers, exposed enterprise data, and code vulnerabilities that could be exploited by adversaries". Look, we've got 20 minutes today so we can't talk about all of those things, but I think it's important. Actually what that is saying is there are many things that make up your external attack surface, and importantly, as we talk through a couple of the most important ones that I see in the market today, again we're discussing these through the lens of an outside attacker looking in. There's no visibility of what an organization's internal infrastructure looks like at this stage.

So first on the list of attack vectors is what is still the number one attack vector today: email. And as the number one attack vector today, email security is something that needs to be treated with the utmost importance. And if you don't, what are the things an attacker might be able to understand about your organization's email security posture? So, one: what email platform are you using? That's really useful to an attacker. Are you using Microsoft 365, Google, on-prem Exchange, or some random bespoke system that's from the Dark Ages? Maybe, based on your MX record, they might know you've got a secure email gateway in front of your email system, so you might look less attractive. Up for debate, that one, I think. Have you got SPF, DKIM, DMARC configured, and configured properly? If an attacker sees that your security posture is weak from an email standing, actually you look like a really nice juicy target, and again the outcome here is cash, so they're looking for those easy targets.

Now as part of my role in consultancy at Optimising IT, what I do is engage with new organizations on a regular basis, and as part of that process we do run external attack surface scans for most of those organizations. I've taken the last month's external attack surface scans and put them into a nice little chart. So of the 25 SMBs that we engaged with just last month,
only nine had all of SPF, DKIM and DMARC, the triad of email security in this day and age, configured correctly. I thought that was pretty scary.

So, next one. Whilst email may be the largest attack vector, actually one of the things that we see which probably is the most impactful attack vector: exposed services. I've given the clue away there. So the number one issue that we see, still frighteningly today, is RDP open to the internet. And this is true for all of the exposed services that we're talking about here; it kind of says it on the tin, but when we're talking about exposed services, we mean services exposed to the entire internet, obviously visible to potential attackers. How RDP is still being exposed in 2024 I have no idea, but if you are doing it, please, please stop. Some other services: FTP, SSH, Telnet, SMB, HTTPS. Now this is something that we see all the time as well, actually, not just internal HTTPS websites exposed; actually so many organizations that we engage with have their firewall admin console exposed to the internet. Why? Well, the obvious answer is easy remote admin. That's not a good answer.

There's obviously more. There are other key factors that make up the external attack surface; as I said, we can't talk about them more today, but just to mention a couple: website security, vulnerable code bases, actually data available on the dark web. Given the amount of large scale breaches that seem to happen on a daily, weekly basis now, actually I would assume that a good portion of your data unfortunately is on the dark web.

Again, same data set, 25 organizations in the last month. Bit better, but potentially more impactful: 11 of those organizations have exposed services to the internet at varying scales. Not many of them had RDP, thankfully, but still some out there.

Now we've been through a couple of factors there, but I think it would be really useful to demonstrate how we used, in the real world, external attack surface scanning and monitoring to aid a customer that was mid cyber attack, who needed some help, who gave us a call. And during that initial call we were able to complete a very quick external attack surface scan, and based on the results we were able to
really quickly make a good guess on the attack methods used, i.e. if we were the attacker, where would we start? So what did the attacker do? So the attacker, just like us, using open source intelligence tools, evaluated the organization and discovered, actually as per the first point, that they had really poor email security: so loose SPF, and no DKIM, no DMARC. And therefore the attacker utilized that knowledge to send a targeted phishing attack. It's important to note, actually, that based on this organization we do believe this was a targeted attack, so this was probably a traditional spear phishing rather than a wide-net approach. Unfortunately in this instance the user on the end of this attack failed the security awareness training and submitted credentials, and the attacker moves on to the next phase. And that was waiting, actually, evaluating that employee's activity, waiting for the most impactful time to strike. And when they found that, what they did is move on to the next attack, which was connecting to the client's VPN, the organization's client VPN, using the credentials captured in that first stage. Unfortunately in this example, just as we discovered during that initial scan, that organization had the firewall exposed to the internet, so not only did they know exactly what firewall they were using, they actually had the VPN client download page published to the internet as well.

So using all of those methods, obviously once they were in, they carried out everyone's worst fear: encryption of files, ransomware attack, organization crippled. So actually this organization was probably closer to that first office I showed you, the messy one. There were definitely some internal processes that could have been better, but the principle still stands: actually, with some external attack surface scanning we were really easily able to, in a matter of minutes, determine an actual attack chain, which was later proven by the cyber insurance vendor. So actually, hopefully, if they were doing some external attack surface management, one, they would have understood some of the risks, and hopefully would have done something about those risks, and been less
likely to suffer such an attack.

So we've been through a couple of attack vectors, we've been through an example, so hopefully some of the benefits of external attack surface management are clear, but just to cover off a couple of specifics. Actually identifying your digital assets: if you don't know what they are, what's exposed, it's really difficult to do anything about it. And actually a lot of organizations we engage with, following a scan, say "oh crap, we haven't used that system for a long period of time, that was retired a long time ago": never been decommissioned, exposed, vulnerability still there. And importantly, this isn't a point in time thing; actually this is something that needs to be managed on an ongoing basis. It's important that you know when your attack surface changes, hopefully for the good, so you can report that risk level dropping, but also, most importantly, when something changes for the worse. So when something new is exposed, who's alerted to it? Who's going to do something about it? And now you know and can identify what's exposed: actually evaluating your weaknesses, proactively managing your risk and your risk levels, and taking action. Hopefully you've taken action, actually the inside of your house is clean and now the outside of the house is clean. External attack surface management is really effective and can be extended to, now moving on to probably your next biggest risk, your supply chain. It's a really nice tool to be able to monitor your supply chain risk, hopefully start applying the same standards that you hold yourself to to your suppliers, or at least get an understanding of the risk when working with your suppliers, and actually be a less desirable target.

So there's a few ways you can manage your external attack surface. There's plenty of free open source intelligence tools out there for you to use; there's many of you that have probably got tools within your current licensing stack. But actually we've chosen at Optimising IT, as have many others, to use a purpose-built external attack surface management tool named FractalScan. Actually, they're here today, and they're across the lobby from us. We chose them for a couple of reasons: best in class enumeration. Actually, we discovered during the process of evaluating tools that it found a lot more data than anyone else, and that's really important. Really good, knowledgeable team, obviously, and a really easy and intuitive UI, and I think that's a potentially understated one. It's really important that techs and engineering can work in the platform and actually take action, but I think more importantly, if that data is not easily digestible when you need to report those risks and vulnerabilities to the board, to management teams, what's the point? And there's a few other reasons there.

So one of the things that we spoke about during this is actually making yourself a less desirable target, making your house a less desirable target. Now, not everyone will be able to install the home security system Nimbus 300 2.0 X Protect, but actually with a bit of management, a bit of scanning, you actually can reduce your impact. And on that note I think we're getting close to time, so I'll leave you with the final quote: you don't have to run faster than the bear to get away, you just have to run faster than the guy next to you. Make yourself look less appealing. Thank you very much. [Applause]
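As an added example (not part of the talk, and not code from Optimising IT or FractalScan), here is a small offline posture check in the spirit of the scans the talk describes: it grades the SPF "all" qualifier, the DMARC policy, DKIM presence and internet-exposed services, producing findings sorted worst-first so they can be reported to management. The DNS records, hostnames and open ports below are constructed sample data, and the severity labels are this example's own.

```python
"""Offline external-posture check over constructed EASM-style data (added example)."""
import re

# Severity labels, worst first, so findings sort into a board-level summary.
SEVERITY = {"high": 0, "medium": 1, "info": 2}
# Exposures the talk calls out most often; port -> service label.
RISKY_PORTS = {3389: "RDP", 23: "Telnet", 445: "SMB", 21: "FTP", 22: "SSH"}

# Constructed sample: loose SPF, no DKIM selectors, no DMARC, RDP and SSH exposed.
SAMPLE_DNS = {"spf": "v=spf1 include:spf.protection.outlook.com +all",
              "dmarc": None, "dkim_selectors": []}
SAMPLE_PORTS = [("remote.example.invalid", 3389), ("bastion.example.invalid", 22)]


def spf_finding(spf):
    """Grade an SPF TXT record by its terminating 'all' qualifier ('+' is the default)."""
    if not spf:
        return ("high", "SPF: no record published")
    match = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", spf)
    if match is None:
        return ("medium", "SPF: record has no terminating 'all' mechanism")
    qualifier = match.group(1) or "+"
    if qualifier in "+?":
        return ("high", f"SPF: loose record ('{qualifier}all' lets any host pass)")
    if qualifier == "~":
        return ("medium", "SPF: softfail (~all); move to -all once DMARC is enforcing")
    return ("info", "SPF: hardfail (-all) configured")


def dmarc_finding(dmarc):
    """Grade a DMARC record by its p= policy tag."""
    if not dmarc:
        return ("high", "DMARC: no record at _dmarc")
    policy = dict(re.findall(r"(\w+)=([^;\s]+)", dmarc)).get("p")
    if policy == "none":
        return ("medium", "DMARC: p=none only monitors; spoofed mail is still delivered")
    if policy in ("quarantine", "reject"):
        return ("info", f"DMARC: enforcing policy p={policy}")
    return ("high", f"DMARC: record present but policy tag invalid ({policy!r})")


def assess(dns, open_ports):
    """Return (severity, message) findings for one organization, sorted worst-first."""
    findings = [spf_finding(dns.get("spf")), dmarc_finding(dns.get("dmarc"))]
    if not dns.get("dkim_selectors"):
        findings.append(("high", "DKIM: no selectors found; outbound mail is unsigned"))
    for host, port in open_ports:
        if port in RISKY_PORTS:  # SSH is flagged lower than RDP/Telnet/SMB/FTP
            sev = "medium" if port == 22 else "high"
            findings.append((sev, f"{host}: {RISKY_PORTS[port]} (tcp/{port}) exposed"))
    return sorted(findings, key=lambda f: SEVERITY[f[0]])


if __name__ == "__main__":
    for severity, message in assess(SAMPLE_DNS, SAMPLE_PORTS):
        print(f"[{severity.upper():6}] {message}")
```

In practice the `SAMPLE_DNS` and `SAMPLE_PORTS` inputs would come from TXT lookups of the apex and `_dmarc` names, known DKIM selectors, and the exposed-service list from an attack surface scan, and the check would be re-run whenever the footprint changes.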