Get Started with Attack Surface Management: Lessons from a Zombie Infestation

Whether you’re scoping out your strategic survival plan in the event of a potential zombie apocalypse or drafting up your company’s security strategy, you can help increase your chances for a healthy outcome by outlining some key rules of engagement. In either scenario, early detection and advanced preparation will ensure your best chance of survival.

Similar to preventing a zombie infestation, protecting your attack surface includes discovering, evaluating, and mitigating the risks – no chainsaws or tactical knives required.

While many theories on the origins of zombies exist, one of the most credible is that of the contagion Solanum, a virus that travels through the bloodstream to the brain and infects its host, as described in Max Brooks’ book, The Zombie Survival Guide. The virus is thought to replicate using the cells of the brain’s frontal lobe, destroying them in the process.

That said, zombies can’t exist without vulnerable hosts to prey upon, and nothing is more vulnerable than an unmanaged, untracked asset. Security teams are doing their best to secure their attack surfaces, but manual, error-prone inventory methods may mean those teams don’t even know about 35% of the assets they own. Each one of those “zombie assets” is a potential risk that can be targeted by malicious actors.

The distinguishing feature of a threat is that it needs a vulnerable host to operate

Three Anti-Zombie Steps

1. Avoidance/Prevention

As you might guess, the presence of zombies renders an area uninhabitable. Get the heck out of there if you can, and gather essential survival supplies in the event of a lengthy absence. It could be weeks or even months before an area might be cleared for re-entry.

Like any emergency preparedness kit, for the zombie apocalypse or attack surface management (ASM), have a checklist in mind for the essential items to keep you and yours safe. And, when it comes to evaluating an ASM solution, use the following checklist to ensure you’ve done your due diligence when considering options:

  • Has the solution demonstrated the ability to scale to the size of the organization’s network?
  • Does the solution use multiple sources to comprehensively discover and automatically attribute assets that belong to an organization?
  • Is the false-positive rate for the assets discovered and attributed by the ASM solution acceptable? (>99% accuracy is ideal)
  • Can the solution help identify a wide range of issues like exposed RDP, Telnet, expiring/self-signed certs, etc.?
  • Can the solution integrate with your cloud security solutions and identify advanced issues, like co-located assets?
  • Does the solution have strong out-of-the-box policies and options for building custom policies?
  • Does the solution help uncover both unknown assets in your network and unknown communications to your network?
  • Can the solution seamlessly integrate with your existing SIEM/SOAR solution?
  • Does the solution provide dashboards or executive-level reporting?
  • Does the solution provide a dedicated support team, and not just documentation or email support?

2. Termination/Remediation

The best zombie is a dead (really dead) zombie. While you might be equipped with the most technologically advanced weaponry, a simple garden hoe could suffice in neutralizing the threat. Ineffective termination methods include any trauma to the upper or lower extremities. While a blow to the chest or severing a leg or two might stop or slow a zombie down, these methods remain ineffective for your core objective: complete and utter destruction.

The only known methods for effectively killing a zombie are cranial penetration (especially to the frontal lobe), blunt force trauma to the head (go for full-on pulverization if you can, but stand clear of any eruptive fluids), or decapitation (an oldie, but a goodie).

Using attack surface management, organizations can quickly discover and assign risks for remediation, helping to identify, prioritize and route issues to the relevant stakeholders. With all that time freed up, teams can “go to the Winchester, have a nice cold pint, and wait for this to all blow over.”

3. Mitigation/Resilience

The disposal of a “dead” zombie should be handled with caution as much as any hazardous material. Use protective masks and gloves, being careful to cover any open wounds as infection can occur through any fluid exchange. If you can, remove the head just as an extra precaution, because you know…zombies.

Do not attempt to incinerate any remains as this may release airborne toxins. Your best option is to use waterproof material such as a tarp or heavy plastic to seal the remains prior to burial. If you have access to duct tape, use it liberally.

Be sure to find a safe spot for the grave, away from any water source should seepage of body fluids occur. And dig a hole at least 4 to 6 feet deep to prevent scavenging animals from digging up any remains. While animals have been shown to be immune to Solanum, no one needs to see a dug-up, half-eaten putrefied farmhand with a hatchet stuck in his sternum. Unless that’s your jam.

To Help Prevent a “Cyber Zombie” Attack, Consider an ASM Product like Cortex Xpanse

In the same way that one needs to protect the homestead from hungry ghouls circling the perimeter looking for weaknesses, an ASM solution can provide an outside-in view of a continuously updated and data-rich inventory of all internet-connected assets. This comprehensive asset inventory becomes the foundation for all security processes. If you don’t have complete visibility, it’s impossible to discover, evaluate, and mitigate risks to your organization.

By scanning the internet multiple times per day, Xpanse provides a complete inventory of all assets (including IP addresses, domains, certificates, cloud infrastructure, and physical systems) connected to an organization’s network. It also maps who is responsible for each asset in the organization. This data not only ensures complete visibility, but also becomes the foundation for security processes and managing risk–kinda like Brad Pitt in World War Z, but without the bad CGI.

Cyber-Hygiene Tips to Minimize Exposure and Further Compromise:

ASM is a first line of defense and a critical component of risk management. Remediation and incident response protocols mirror those when faced with a zombie infestation:

  • Remain calm.
  • Assess the situation.
  • Identify the threat(s).
  • Identify how the host became infected.
  • Identify how it spread.
  • Learn what changes were made to the compromised host.
  • Determine whether the vulnerability poses an immediate threat to the availability, confidentiality, or integrity of resources and data.

Regardless of how many systems are infected, disconnect from everything except your IR and forensics solutions immediately, isolating them via your EDR/EPP console. If this cannot be accomplished in a timely manner, or if more than a few systems are infected and you have not implemented strong firewall egress filtering and proxy servers, immediately block ALL outbound traffic to external networks.

Implement filters on internal routers, firewalls, and other networking equipment as appropriate to isolate infected segments, and monitor network traffic to ensure internal containment.

Learn from protected systems to detect malicious activity from unprotected systems. Prevent C2 connections from unprotected assets behind the firewall by identifying indicators of compromise (IOCs) – IP addresses, domains, etc. – from infected or affected hosts and uploading them to your network security devices and firewall blocklists.

Monitor all network traffic in order to address possible multifaceted attacks. Review the appropriate log files to identify, if possible, the first system infected and what the attack vector was. It is vital to determine whether any of the infected systems successfully connected to any site on the internet and what information, if any, was exposed.
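The containment and log-review steps above (collect IOCs from infected hosts, find the first system infected, determine which hosts successfully reached the internet and how much they sent, and derive the entries to push to the egress firewall) as an added Python example. This is illustrative code written for this page, not code from the original post or from Cortex Xpanse. The log line format, the IOC values (drawn from reserved documentation address space and the reserved .example TLD) and the sample log lines are all constructed for the example.

```python
"""Added example: triage of constructed egress-firewall logs against a short IOC list.

Assumed (constructed) log format, one event per line:
  <ISO-8601 UTC timestamp> src=<ip> dst=<ip> host=<fqdn or -> action=<ALLOW|DENY> bytes_out=<n>
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Constructed IOCs, assumed to have come from forensics on one known-infected host. They use
# reserved documentation address space and the reserved .example TLD, not real infrastructure.
IOC_IPS: Set[str] = {"203.0.113.45"}
IOC_DOMAINS: Set[str] = {"update-check.example"}

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample log. 10.1.9.14 sits in a segment that already has egress filtering,
# so its attempt was denied; the other two hosts had no such protection.
SAMPLE_LOG = """\
2022-10-31T08:02:11Z src=10.1.4.22 dst=93.184.216.34 host=www.example.com action=ALLOW bytes_out=1200
2022-10-31T08:05:40Z src=10.1.4.22 dst=203.0.113.45 host=- action=ALLOW bytes_out=48213
2022-10-31T08:07:03Z src=10.1.7.9 dst=203.0.113.45 host=- action=ALLOW bytes_out=512
2022-10-31T08:09:55Z src=10.1.9.14 dst=198.51.100.7 host=update-check.example action=DENY bytes_out=0
2022-10-31T08:12:30Z src=10.1.4.22 dst=198.51.100.7 host=update-check.example action=ALLOW bytes_out=300
"""


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    host: str
    action: str
    bytes_out: int


def parse_line(line: str) -> Event:
    """A leading timestamp followed by key=value fields; a missing field raises KeyError."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"), kv["src"], kv["dst"],
                 kv["host"], kv["action"], int(kv["bytes_out"]))


def parse_log(text: str) -> List[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def ioc_hits(events: List[Event]) -> List[Event]:
    """Internal hosts reaching for a known-bad destination, whether allowed or denied."""
    return [e for e in events
            if is_internal(e.src) and not is_internal(e.dst)
            and (e.dst in IOC_IPS or e.host in IOC_DOMAINS)]


def first_infected_host(events: List[Event]) -> Optional[str]:
    """Earliest internal source seen contacting an IOC: where the root-cause review starts."""
    hits = sorted(ioc_hits(events), key=lambda e: e.ts)
    return hits[0].src if hits else None


def successful_contacts(events: List[Event]) -> Dict[str, int]:
    """Hosts whose IOC connections were allowed, with bytes sent out: the exposure to assess."""
    totals: Dict[str, int] = {}
    for e in ioc_hits(events):
        if e.action == "ALLOW":
            totals[e.src] = totals.get(e.src, 0) + e.bytes_out
    return totals


def learned_ioc_ips(events: List[Event]) -> Set[str]:
    """Learn from every hit, including the denied one from the protected segment: the IP an
    IOC domain resolved to is itself worth blocking for hosts that bypass the proxy."""
    return IOC_IPS | {e.dst for e in ioc_hits(events) if e.host in IOC_DOMAINS}


def egress_blocklist(events: List[Event]) -> List[str]:
    """Entries to push to the egress firewall / proxy, sorted so the diff stays stable."""
    return sorted(learned_ioc_ips(events)) + sorted(IOC_DOMAINS)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("first infected host:", first_infected_host(evs))
    print("successful IOC contacts (bytes out):", successful_contacts(evs))
    print("egress blocklist:", egress_blocklist(evs))
```

The denied line from the protected segment is the point of "learn from protected systems": it never became a compromise, but it reveals the address behind the IOC domain, so the blocklist gains an entry that an unprotected host would otherwise have reached directly.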

Implement an ASM Plan to Help Reduce Your Chance of Infection

Creating an attack surface management plan can help move beyond the limitations of manual tracking and remediation of misconfigurations and exposures:

  • Generate an automated and continuously updated single source of truth for all internet-connected assets.
  • Reduce your attack surface by decommissioning or isolating assets that don’t need to be internet-facing.
  • Discover and identify account owners for all previously known and unknown assets.
  • Find all exposures – vulnerabilities, expired certificates, unsecured remote access protocols, etc.
  • Automate risk remediation and reporting with a quality security orchestration, automation, and response (SOAR) platform.
  • Continue to monitor, discover, evaluate and mitigate risks as the attack surface changes.
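The plan steps above (merge sources into a single source of truth, surface assets nobody owns, check each asset for exposures such as RDP, Telnet and expired or self-signed certificates, then prioritize and route findings to owners) as an added Python example. This is illustrative code written for this page, not Cortex Xpanse's policy engine or any other product's code. The inventory records, the port-to-issue table, the four-level severity scale and the "unassigned-queue" routing target are all assumptions constructed for the example.

```python
"""Added example: a small policy pass over a constructed internet-facing asset inventory.

Two constructed sources are merged into one inventory keyed by IP: the internal CMDB
(which knows owners) and an external scan (which knows what the internet actually sees).
"""
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Asset:
    ip: str
    hostname: str
    services: List[int]                       # TCP ports reachable from the internet
    owner: Optional[str] = None               # None: nobody has claimed this asset
    cert_expiry: Optional[date] = None        # notAfter of the served TLS certificate, if any
    cert_self_signed: bool = False
    sources: List[str] = field(default_factory=list)


@dataclass
class Finding:
    asset: str        # IP of the affected asset
    issue: str
    severity: int     # assumed scale: 1 low .. 4 critical
    route_to: str     # owner, or the unassigned queue


# Assumed mapping of exposed services to issues and severities.
RISKY_PORTS = {
    23: ("Telnet exposed", 4),
    3389: ("RDP exposed", 4),
    445: ("SMB exposed", 4),
    21: ("FTP exposed", 3),
}
UNASSIGNED = "unassigned-queue"


def merge_sources(cmdb: List[Asset], scan: List[Asset]) -> Dict[str, Asset]:
    """Single source of truth: owner comes from the CMDB, externally observable facts
    (open ports, certificate state) come from the scan. Assets only the scan knows
    about are kept with no owner; those are exactly the unknown assets to chase."""
    inventory = {a.ip: replace(a, sources=["cmdb"]) for a in cmdb}
    for s in scan:
        if s.ip in inventory:
            known = inventory[s.ip]
            inventory[s.ip] = replace(known, services=list(s.services), cert_expiry=s.cert_expiry,
                                      cert_self_signed=s.cert_self_signed,
                                      sources=known.sources + ["scan"])
        else:
            inventory[s.ip] = replace(s, owner=None, sources=["scan"])
    return inventory


def evaluate(asset: Asset, today: date, warn_days: int = 30) -> List[Finding]:
    """Apply the exposure policies to one asset; every finding is routed to its owner."""
    route_to = asset.owner or UNASSIGNED
    findings: List[Finding] = []
    if "cmdb" not in asset.sources:
        findings.append(Finding(asset.ip, "unknown asset (seen externally, not in CMDB)", 3, route_to))
    for port in asset.services:
        if port in RISKY_PORTS:
            issue, sev = RISKY_PORTS[port]
            findings.append(Finding(asset.ip, issue, sev, route_to))
    if asset.cert_expiry is not None:
        days_left = (asset.cert_expiry - today).days
        if days_left < 0:
            findings.append(Finding(asset.ip, "certificate expired", 3, route_to))
        elif days_left <= warn_days:
            findings.append(Finding(asset.ip, f"certificate expires in {days_left} days", 2, route_to))
    if asset.cert_self_signed:
        findings.append(Finding(asset.ip, "self-signed certificate", 2, route_to))
    return findings


def prioritize(inventory: Dict[str, Asset], today: date) -> List[Finding]:
    findings = [f for a in inventory.values() for f in evaluate(a, today)]
    return sorted(findings, key=lambda f: (-f.severity, f.route_to, f.asset))


def route(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Group findings per owner queue; the unassigned queue needs an owner before a fix."""
    queues: Dict[str, List[Finding]] = {}
    for f in findings:
        queues.setdefault(f.route_to, []).append(f)
    return queues


TODAY = date(2022, 10, 31)  # fixed so the sample data stays reproducible


def build_sample_inventory() -> Dict[str, Asset]:
    """Constructed CMDB and scan records using documentation address space."""
    cmdb = [
        Asset("198.51.100.10", "www.example.com", [443], owner="web-team"),
        Asset("198.51.100.11", "vpn.example.com", [443], owner="netops"),
    ]
    scan = [
        Asset("198.51.100.10", "www.example.com", [443], cert_expiry=TODAY + timedelta(days=200)),
        Asset("198.51.100.11", "vpn.example.com", [443, 3389], cert_expiry=TODAY - timedelta(days=5)),
        Asset("198.51.100.42", "legacy-hr.example.com", [23, 80]),   # nobody in the CMDB knows it
    ]
    return merge_sources(cmdb, scan)


if __name__ == "__main__":
    for f in prioritize(build_sample_inventory(), TODAY):
        print(f"sev{f.severity} {f.asset:<15} {f.issue:<45} -> {f.route_to}")
```

The ordering choice matters more than the checks themselves: the scan-only host lands in the unassigned queue with a critical Telnet finding, which is the "zombie asset" case from the top of the post, and nothing gets fixed there until someone is made to own it.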

These are the baseline ASM features an organization should expect; with Cortex Xpanse, CISOs will find all of them and more:

  • Configure according to company policies to reduce noise in alerts.
  • Operationalize via integrations and two-way APIs.
  • Better understand assets with internal or external data.
  • Automate via XSOAR.
  • Automatically and rapidly build new fingerprints and policies according to events in the news.

Don’t Lose Your Head! Happy Halloween 2022! All Treats, No Tricks!

To learn more about Cortex Xpanse and how it can help provide the source of truth your security operations needs, request a demo today.

Plus, download our 2022 Attack Surface Management Report to understand the risks, and learn how automation can help security teams stop chasing a moving goalpost and reduce risks.