Eliminate Your Attack Surface by Becoming Invisible

Hackers can't attack what they can't see. Reducing your attack surface is the key to securing your network, applications, and data.

February 3, 2025


Most IT security professionals would agree that the key ingredient for safeguarding networks is reducing the attack surface. Fewer avenues for breaches mean reduced risk and fewer incidents for an enterprise: Hackers can't attack what they can't see. Reducing the attack surface is the key to securing your network, applications, and — most importantly — your data.

Calling All Servers

The attack surface comprises the sum of all exposed points through various vectors that an attacker could target to compromise a computing device or network. You can group the attack vectors into three main categories: the channel (a listening TCP/UDP port), assets (which include applications, services, webpages, files, and executables), and access (user credentials).

The channel — typically an exposed-to-the-Internet communications protocol like TCP or UDP — allows all entities on the Internet to communicate with each other. It's how you gain access to networks, applications, and your data. It's also what exposes these same assets to attack.

For example, the TCP three-way handshake consists of a SYN from the client to a Web server (on port 443), a SYN/ACK reply from the server, and a final ACK from the client. This establishes a connection and allows data to be sent and received before any authentication of the source happens. Bad actors use this connection to compromise the Web server using a known exploit or zero-day vulnerability: Once in, hackers can attempt to move east-west within the network.

Reducing the attack surface requires making sure a Web server does not communicate with unauthorized or unauthenticated entities. In traditional castle-and-moat security architectures, this network connection grants access to much, if not all, of the network's assets. Attackers can compromise access credentials or find open ports to exploit.

Going Dark: Camouflage for Your Corporate Network

"Going dark" hides the network from the Internet at large to prevent bad actors from ever accessing the network via a Web server (or other network entity).

Think about your physical house security: Your doors and windows represent the attack surface. Each door or window is literally a channel attack vector similar to an open TCP port on an IT system waiting for someone to connect.

By going dark, you effectively hide all your doors and windows from view. Instead, you create a secure underground tunnel for each valuable asset in your house, and you can enter an asset tunnel only if you pass an identity check.

The user and device identity must be authenticated before a TCP channel connection (or in this analogy, an underground tunnel) is created. With a dark network, you use the peephole to verify identity before you open the door — every time somebody knocks, no matter who is knocking.

Why Not Just Use a VPN?

A VPN does reduce the attack surface, but there are several major issues. One, the VPN concentrator becomes a new attack surface: VPNs are like putting a fence around your house to protect all the doors and windows. But it's a fence with a gate, and that gate is visible and can be breached. If a burglar breaks down the gate, they can see all the doors and windows (which are open because you thought the gate was secure).

Also, VPNs don't protect against two major security risks: east-west movement and IP visibility.

When a user authenticates with VPN, the user generally gets full network IP protocol access — including the Internet Control Message Protocol (ICMP), which hackers can exploit. Attackers can use ICMP for reconnaissance in the attack phase. This allows an attacker to probe your network and data center, or — even worse — steer ransomware to additional targets.

Users can connect to a network using direct IP communication via an IP address. This exposes the network's listening ports to attackers. An attacker can port-scan various subnets to obtain a full list of services that are open on a server. One method of prevention is to allow a connection only in response to an authorized and valid DNS request for a specific port number, which ensures the applications and services can't be seen until and unless the user is authenticated. This remediates the risk, and it is what the industry has named zero-trust network access (ZTNA).

How Do You Go Dark?

Reducing the attack surface takes four steps:

  1. Closing the firewall.

  2. Eliminating peer-to-peer communication.

  3. Obscuring the data center.

  4. Establishing progress measurement.

Start your zero attack surface journey by closing the local Windows firewall for all incoming services and allowing trusted incoming connections only from an authenticated, trusted source.

How can you reduce the attack surface in the data center? First, ensure users cannot directly connect to the data center. They must connect via a service that renders the network dark. Then reduce peer-to-peer internal data center connections as much as possible using zero-trust technologies that microsegment data and applications using their cryptographic identity fingerprint.

Let's look at the numbers: Assume in your large enterprise, you have 20,000 Windows 10 clients. This equates to 100,000 possible channel attack vectors, assuming each client has the five "standard" Windows ports open (e.g., 135, 445, etc.). Shut down these common inbound listening ports with Windows firewall block rules via a domain group policy, and you'll reduce your attack surface metric by more than 100,000 ports!
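The firewall step above, together with the ICMP point raised in the VPN section, as a PowerShell example added here. It is not code from the article or from Zscaler. It assumes a Windows 10/11 client with the built-in NetSecurity module and an elevated session; the port list is our reading of the article's "standard" Windows ports (135 and 445 are named in the article, 139 and 3389 are our additions), the rule names with the `ZeroSurface` prefix and the `10.0.0.0/24` management subnet are placeholders, and the metric counts a port as closed only when one of this script's own block rules covers it.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article or Zscaler: inventory a Windows client's
# inbound TCP listeners (the article's "channel" attack vectors), compute its
# attack-surface metric, and close the listeners with firewall block rules.
# Assumptions: Windows 10/11 with the NetSecurity module, elevated session.
# 135 and 445 come from the article; 139 and 3389 are our additions. On a
# domain, deploy the same rules through a Group Policy firewall policy.

$StandardPorts = 135, 139, 445, 3389   # RPC endpoint mapper, NetBIOS, SMB, RDP
$RulePrefix    = 'ZeroSurface'          # placeholder rule-name prefix

function Test-BlockedByRule {
    param([int]$Port)
    # Conservative: a port counts as closed only if this script's block rule
    # for it exists and is enabled (default-deny is not inspected).
    $rule = Get-NetFirewallRule -DisplayName "$RulePrefix-Block-TCP-$Port" -ErrorAction SilentlyContinue
    return [bool]($rule -and $rule.Enabled -eq 'True')
}

function Get-InboundChannelSurface {
    # One record per distinct listening TCP port that is not loopback-only.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
        Sort-Object -Property LocalPort -Unique |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port     = $_.LocalPort
                Address  = $_.LocalAddress
                Process  = $proc.ProcessName
                Path     = $proc.Path          # the exposed asset behind the channel
                Standard = ($_.LocalPort -in $StandardPorts)
                Exposed  = -not (Test-BlockedByRule -Port $_.LocalPort)
            }
        }
}

function Get-AttackSurfaceMetric {
    param([int]$ClientCount = 1)
    # The article's arithmetic: exposed ports per client x number of clients.
    $ports   = @(Get-InboundChannelSurface)
    $exposed = @($ports | Where-Object Exposed)
    [pscustomobject]@{
        ListeningPorts = $ports.Count
        ExposedPorts   = $exposed.Count
        StandardOpen   = @($exposed | Where-Object Standard).Count
        FleetMetric    = $exposed.Count * $ClientCount
    }
}

function Close-InboundChannelSurface {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Step 1: default-deny inbound on every profile, then explicit block rules
    # for the standard ports so existing allow rules for them stop matching.
    if ($PSCmdlet.ShouldProcess('Domain, Private and Public profiles', 'Set default inbound action to Block')) {
        Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    }
    foreach ($port in $StandardPorts) {
        $name = "$RulePrefix-Block-TCP-$port"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        if ($PSCmdlet.ShouldProcess("TCP/$port inbound", 'Create block rule')) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Action Block -Profile Any | Out-Null
        }
    }
    # The VPN section's ICMP point: drop inbound echo requests so a peer on the
    # same VPN or subnet cannot map live hosts by ping.
    $icmp = "$RulePrefix-Block-ICMPv4-Echo"
    if (-not (Get-NetFirewallRule -DisplayName $icmp -ErrorAction SilentlyContinue) -and
        $PSCmdlet.ShouldProcess('ICMPv4 echo request inbound', 'Create block rule')) {
        New-NetFirewallRule -DisplayName $icmp -Direction Inbound -Protocol ICMPv4 `
            -IcmpType 8 -Action Block -Profile Any | Out-Null
    }
}

function New-TrustedInboundAllowRule {
    # Second half of step 1: admit one service only from an authenticated,
    # trusted source. -Authentication Required matches only IPsec-authenticated
    # peers, so a matching connection security rule (New-NetIPsecRule) must
    # exist; the remote subnet is a placeholder.
    param(
        [Parameter(Mandatory)][int]$Port,
        [string[]]$TrustedRemote = @('10.0.0.0/24')   # placeholder management subnet
    )
    New-NetFirewallRule -DisplayName "$RulePrefix-Allow-TCP-$Port-Authenticated" `
        -Direction Inbound -Protocol TCP -LocalPort $Port -RemoteAddress $TrustedRemote `
        -Authentication Required -Action Allow -Profile Domain
}

# Usage: measure, preview, apply, measure again.
Get-AttackSurfaceMetric -ClientCount 20000 | Format-List
Close-InboundChannelSurface -WhatIf
# Close-InboundChannelSurface
# New-TrustedInboundAllowRule -Port 5985      # e.g. WinRM from the management subnet
# Get-AttackSurfaceMetric -ClientCount 20000 | Format-List
```

Run the metric first to get the per-client baseline, preview the changes with `-WhatIf`, then apply and re-run: with the four standard ports blocked, `FleetMetric` for 20,000 clients drops by 80,000, and the article's five-port figure gives the 100,000 it quotes. The allow rule deliberately does not use `-OverrideBlockRules`, so it only admits services you have not blocked; add ports to `$StandardPorts` only after confirming nothing on the management subnet needs them.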

Zero-trust principles are based on adopting a least-privilege strategy and strictly enforcing access control. Legacy network security relied on packet exchange to negotiate connections, but you can't trust a packet since it does not contain any identity. Therefore you must first identify packets using ZTNA, establish a connection based on identity and policy, then create secure microtunnels for these packets to flow between users and IT assets.

Learn more at Zscaler.

By Zscaler

About the Company:

Zscaler (NASDAQ: ZS) accelerates digital transformation so customers can be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange™ platform protects thousands of customers from cyberattacks and data loss by securely connecting users, devices, and applications in any location. Distributed across more than 150 data centers globally, the SSE-based Zero Trust Exchange™ is the world's largest in-line cloud security platform. Learn more at zscaler.com.

