Attack Surface and Attack Vectors: Cyber Know Yourself Series

By Dr. Jonathan Avooske, Vice President of Information Advantage

‍

This is Article 2 in the Cyber Know Yourself Series - covering the critical components that must be understood by all cyber professionals and explained clearly to leadership. Here we are focused on attack surface and attack vectors; the full series covers critical digital infrastructure, attack surface and attack vector dependencies, supply chain, and survivability. For the purpose of this article, a network represents Information Technology (IT) and Operational Technology (OT).

‍

If you have read The Art of War by Sun Tzu, you know that two key fundamentals of military strategy are to first "know yourself," and second to "know your enemy."¹

These basic principles are especially relevant in the cyber world. Note that knowing yourself comes first: becoming too focused on the enemy creates bias in the effort to understand yourself. This means that the focus becomes adapting to what the enemy is doing today in a reactive manner versus planning and strategizing proactively for best practices customized for your individual applications. Viewing yourself through the eyes of a network owner, defender, and attacker means developing an in-depth understanding of all aspects of the network. It requires a detailed understanding of what is normal, to ensure anomalies are more evident. Knowing your network, its attack surface, dependencies, supply chain, and survivability requirements, while also applying the capabilities and traits of adversaries provides the necessary holistic perspective.

‍

This holistic perspective allows you to make the best decisions based upon the right data and the best analytics.

‍

Attack Surface and Attack Vector Defined

The attack surface is defined as the access point that an unauthorized individual or group would use to access the network.² In today’s hyper-connected society, it’s critical to understand the entire attack surface presented by the network and how an unauthorized person or group could attempt to gain access. There are two lenses through which to think about the attack surface: direct or indirect. The direct attack surface is where the adversary directly attacks the targeted network. The indirect attack surface is where the attack is on a connected network to which the target network is connected. This can also be associated to the Adjacent Network from the Common Vulnerability Scoring System (CVSS) calculator. A great example of an indirect attack is the recent article about the TP-Link small office and home office (SOHO) Wi-Fi routers in use across America, even sold to our uniformed military in base exchanges globally.³ Installing these devices on your home network for teleworking could provide an indirect path to government or company networks. The Wi-Fi devices could be used for access to the home network where the government or company device, mobile phone or laptop computer is connected.

To access the attack surface, an actor must use an attack vector. The common vulnerability scoring system (CVSS) calculator identifies and defines four commercial (NIST recognized) attack vectors.⁴ The commercial attack vectors are network, adjacent (includes wi-fi and Bluetooth), local, and physical. The four attack vectors for commercial applications from the CVSS calculator are well defined. DoD systems, due to their scale and complexity, have two additional attack vectors: Radio Frequency (RF) (not wi-fi or Bluetooth) and supply chain.

‍

Radio Frequency (RF)

RF is an attack vector for DoD as expressed in electronic warfare (EW) principles.⁵ The differentiation between EW and cyber is based on the persistence of the effect after the RF source is removed. If the effect stops when the RF is removed, then it is EW. If the RF is a delivery mechanism for a proliferating payload that persists when the RF is removed, then it is cyber. To gain access to a network via RF requires an aperture or window.

There are two categories of apertures: intentional and unintentional. Intentional apertures are those windows through which RF passes during the normal operation of the capability. A great example of this is the 2015 hack of a Jeep Cherokee via its cellular connection.⁶ Unintentional apertures are those that were NOT designed to be present but were instead inserted by other means. These unintentional apertures could be from engineering or production flaws or intentional activities to affect the hardware present in the network.⁷

‍

An Effective Kill Chain

The attack surface and attack vectors are two of three components required to build an effective Kill Chain. The Kill Chain is a necessary tool for understanding efforts an adversary could carry out to gain unauthorized access or deny functionality of critical capabilities. Once they have access, they can harm critical capabilities at any time or location they desire. This reality is why it is so important to "Know Yourself" to understand the what, how, and why of a potential attack.

To successfully defend a network, the owner/defender must first perform a thorough assessment of the network and identify all dependencies. Gaining a deep and holistic understanding of the network is critical because without it dependencies may be overlooked or not well understood. We’ll look at dependencies in more detail in a future article. The importance of understanding all dependencies is illustrated by the far-reaching impact of the recent CrowdStrike incident.⁸

There are some that will say their network is isolated or not connected and therefore has no attack surface. This insinuates they cannot be hacked, but they don’t understand how dedicated and clever adversaries can be. Consider the cyberattack on Iran’s uranium centrifuges using Stuxnet.⁹ The devices were not connected, and they were operated in an underground facility. However, someone figured out how to get to the devices, place an implant, and then exert command and control. This example is what the DoD joint staff categorizes in the Adversarial Threat Tier (ATT) matrix as “extreme” or Tier 5. This designation is reserved for the most advanced of the nation state cyber teams globally, where teams have financial backing, reasonable time, and enhanced technical skills.

‍

‍Time is on the adversary's side. All they need is a single misconfiguration or mistake by someone. The defender must win every time; the attacker only has to win once.

‍

The attack surface and attack vectors form the basis of the kill chain for how an adversary or bad actor would connect to and access the network. There are the external and internal facets of network architecture that allow access to unauthorized personnel for initial entry, subsequent lateral movement, and ultimately the escalation of privilege for follow on actions.

‍

As Sun Tzu said, all those centuries ago: “KNOW YOURSELF.”

‍

About FTI

FTI provides deep data expertise, technology, and services that enhance the ability of the DoD, Intelligence Community, and other agencies of the Federal Government to make the best decisions possible. Drawing on nearly four decades of innovation, FTI's extensive portfolio of intellectual property and operational technologies has been augmented by more than $200 million of U.S. government and FTI R&D investment, and solutions can often be mission-ready in a matter of weeks at a fraction of the cost of alternatives. Headquartered in Beavercreek, Ohio, FTI operates in 34 states, works at all classification levels, and offers seven facilities of varying clearance levels nationwide.

‍

About FTI’s Information Advantage Group

Based on FTI’s Find, Fix, Sustain (F2S) framework, our defensive/resilient cyber solutions offer a portfolio of advanced technologies and services to help maintain and optimize cyber defense, including mission cyber risk analysis, supply chain Illumination, blue and gray space analysis, penetration testing, radio frequency (RF) analysis, and cyber-enhanced threat intelligence analysis. Stay in touch to learn more about how we can assist your organization in strengthening its digital preparedness and positioning for recovery. For further discussion or more information, please e-mail us at Cyber@FTIdefense.com.

‍

More from the Know Yourself Cyber Series

Protecting Critical Digital Infrastructure: A Multi-Layered Challenge

‍