May 01, 2024
Attack Surface Reduction is a powerful tool used to protect and harden environments. It’s a broad term that means many things to different people. In this case, we use the OWASP definition: “attack surface describes all of the different points where an attacker could get into a system, and where they could get data out”. Using this definition, it becomes clear that reducing this surface is imperative. Removal of unnecessary features is a big part of this process. Why? Because features mean code, which means bugs, which means vulnerabilities, which means exploits. Exploitation of vulnerable code is not the only issue: if a feature has credentials associated with it, then good credential hygiene must be applied; otherwise the risk of default, weak or stolen credentials becomes a major problem. Features also regularly end up misconfigured, which can result in security issues as well.
When discussing modern IT environments, we typically focus on networked services such as web sites, operating systems and associated applications. However, in the modern era, we also have to deal with cloud and mobile environments. In this blog, we’ll look at how each of these conspire to increase our overall attack surface, while also outlining specific tools and measures that can be used to implement an attack surface reduction program.
One of the biggest challenges with reducing the attack surface of cloud deployments is discovering that there is a cloud deployment at all! Asset inventory systems are often not fit for purpose, particularly when it comes to modern cloud features like AWS Lambda functions or Azure Functions. Development teams need to work with security teams when spinning up new cloud infrastructure. If API keys are being generated, they need to be locked down to the minimal set of permissions required to get the job done.
Corporate mobile phones need to be enrolled into a Mobile Device Management (MDM) system so that they can be centrally managed for patching, visibility and application of policies. Employee personal devices can be placed into an internet-only Wi-Fi network separated from the corporate IT network. This allows employees to still access personal resources while not compromising the security of the corporate IT network.
The first step for reducing the network attack surface is to disable all services that are unnecessary. However, in order to do even this first step, it is necessary to know which IP addresses you own, which services are necessary for the business, which are available on these IP addresses, and so on. Many networks we see are locked down to only allow ports 80 and 443 through. Nonetheless, it’s worth keeping in mind that admin panels for Content Management Systems (CMS) are often available over these standard HTTP(S) ports and, similarly, configuration panels for network equipment like firewalls, VPNs, load balancers, etc. can be inadvertently exposed in this way too.
Where only a limited number of IP addresses connect to a particular service, such as a business-to-business (B2B) service or a Remote Desktop Protocol (RDP) service, IP whitelisting can be an effective approach to reducing the attack surface. Obviously, this approach does not scale to consumer-to-business (C2B) services such as retail operations, which require open access.
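The audit described in the two paragraphs above (owned addresses, approved services, exposed admin panels, and services that should be allowlisted) can be sketched as follows. This is an added example, not code from the original post; the record layout, the `admin_ui` flag and all addresses (documentation ranges) are constructed assumptions.

```python
import ipaddress

# Constructed sample data: documentation-range addresses, not real assets.
OWNED = ["203.0.113.0/24"]
APPROVED = {("203.0.113.10", 443): "public web site",
            ("203.0.113.20", 3389): "RDP for support partner"}
# Services with few, known clients, which suit source-IP allowlisting.
ALLOWLIST_ONLY = {"rdp", "b2b-api"}
OBSERVED = [
    {"ip": "203.0.113.10", "port": 443, "service": "https",
     "sources": ["0.0.0.0/0"], "admin_ui": False},
    {"ip": "203.0.113.10", "port": 80, "service": "http",
     "sources": ["0.0.0.0/0"], "admin_ui": True},
    {"ip": "203.0.113.20", "port": 3389, "service": "rdp",
     "sources": ["0.0.0.0/0"], "admin_ui": False},
    {"ip": "198.51.100.7", "port": 22, "service": "ssh",
     "sources": ["0.0.0.0/0"], "admin_ui": False},
]


def open_to_all(sources):
    """True if any permitted source range is the whole address space."""
    return any(ipaddress.ip_network(s).prefixlen == 0 for s in sources)


def audit(observed, approved, owned, allowlist_only):
    """Compare externally observed listeners with the approved inventory."""
    owned_nets = [ipaddress.ip_network(n) for n in owned]
    findings = []
    for svc in observed:
        key = (svc["ip"], svc["port"])
        addr = ipaddress.ip_address(svc["ip"])
        if not any(addr in net for net in owned_nets):
            findings.append((key, "address missing from asset inventory"))
            continue
        if key not in approved:
            findings.append((key, "no business need recorded: disable"))
        if svc["admin_ui"] and open_to_all(svc["sources"]):
            findings.append((key, "admin panel reachable from any source"))
        if svc["service"] in allowlist_only and open_to_all(svc["sources"]):
            findings.append((key, "restrict to known partner IPs"))
    return findings


if __name__ == "__main__":
    for finding in audit(OBSERVED, APPROVED, OWNED, ALLOWLIST_ONLY):
        print(finding)
```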
It is worth considering here that although your network may be sufficiently hardened, connections into your environment from third-party suppliers or partners can be a concern. The ACSC 2017 Threat Report states that: “As it has become more difficult for adversaries to directly compromise their targets, adversaries have sought secondary or tertiary access into primary targets”. It is, therefore, worth keeping in mind that an organization may be a target for the sole reason of its connectivity into other environments.
For hosts, such as those running the Windows operating system, there are many built-in tools that can be used to reduce the attack surface. The “hardentools” application from Security Without Borders disables many of the risky features that are part of Microsoft Windows and Office.
Figure 1: HardenTools application used to disable risky Microsoft Windows features (Source: Security Without Borders)
The tool can be used as a standalone tool or simply as inspiration for internal Group Policy Object (GPO) or other policies that can be deployed. Some of the key features it disables are:
As well as the operating system and office applications, browsers are another key attack surface. Exploit kits and other drive-by download techniques are frequently used by both opportunistic and more targeted, sophisticated groups. Browser attack surface can be reduced by the following measures:
By keeping in mind that unnecessary features are providing more options for attackers to enter an environment, an attack surface reduction program helps to increase attacker costs by denying them the straightforward methods for achieving access. Digital Shadows (now ReliaQuest) customers will be informed by our infrastructure incidents product feature of services listening on potentially risky external ports.
To find out more about protecting and hardening your environments, listen to our recent ShadowTalk podcast: Episode 29: Reducing Your Attack Surface: From a Firehose to a Straw.