If you play an active role in your organisation’s Information and Cyber security, you are likely to be familiar with the term Attack Surface Reduction (ASR). The attack surface of an organisation is essentially the totality of points in a system and network that can be targeted for exploitation. This includes hardware and software components, applications, network configurations, open ports, user accounts and their associated privileges.
A large attack surface or a surface that is not adequately accounted for, monitored and managed offers greater opportunities for bad actors to exploit vulnerabilities and gain unauthorised access. The role of ASR is therefore to shrink this area, minimise the points of entry which offers attackers less scope to target thus lowering associated risk and contributing to a stronger security posture.
Some of the more common ASR strategies include.
An area that is often overlooked when considering the scope of an ASR strategy is your organisation’s Domain Name System (DNS). The DNS is the backbone of the internet, responsible for translating human-readable domain names into IP addresses that computers use to locate websites and a host of other digital services.
Whilst the DNS has come a long way since its humble beginnings of being a single hosts.txt file maintained and distributed to computers on ARPANET, its evolution has been steered by performance rather than security and it wasn’t until 2005 that we saw DNSSEC introduced as a security extension which allowed zones to be signed with cryptographic keys. Even today however, almost 20 years on from its inception, we have not seen ubiquitous adoption with only 4% of .com domain names have signed DNS zones.
There are many reasons why there has been such a slow take up rate in DNSSEC adoption ranging from implementation complexity, operational overhead, risks associated with mis-configured DNSSEC (e.g., service disruptions) and reliance of the chain of DNS resolution trust.
Despite these challenges, there appears to be a growing awareness and recognition of the importance and role that DNSSEC plays and despite its slow burn adoption since 2005 organisations will start to consider DNSSEC as an important cog in ASR.
Another often neglected area of DNS management which is intrinsically linked to an organisation’s attack surface is the practice of good zone file record management and specifically good practice with respect to subdomain management and having control over “dangling” subdomains.
A subdomain is a part of a larger domain and is typically used to organise and structure a website or network. For example, in my.company.com, “my” is a subdomain of company.com. A subdomain can be further divided into its own subdomains, creating a hierarchical structure.
A dangling subdomain exists in DNS records but is not associated with a specific server or IP address. This can occur when a subdomain is initially created for a specific purpose (e.g., hosting an application or service with a public cloud provider such as Azure or AWS) but not removed from the domain’s zone file when the service is deprovisioned. At this point it’s a dead-end subdomain and bad actors will often scan for their existence in order to take control of them by associating them with their own services. This allows them to host malicious content, launch phishing attacks, or exploit the reputation of the legitimate domain.
A common scenario for a subdomain takeover is outlined below.
The risks associated with dangling domains can be mitigated through a range of tactics which include regular audits and clean up of DNS records, good governance through the creation of organisational subdomain policies and active monitoring of subdomain activity and resolution.
Attack Surface Reduction is undoubtedly a critical component in any security strategy but it’s also important that organisations fully understand the scope and size of their own surface to ensure adequate and proportional coverage. Sometimes DNS gets overlooked from this coverage and that can lead to unnecessary risk which can be addressed through implementation of good practice and housekeeping so be sure not to overlook its relevance and importance.