Introduction
Not everything on the attack surface is an outright vulnerability. Each organization has its own security workflows and criteria for what is an acceptable risk in its business context. The challenge for many security teams is: how do you ensure that your attack surface adheres to these internal policies? This is doubly challenging because the attack surface is messy and constantly evolving.
Security teams in today’s organizations are enablers, not gatekeepers. New assets and technologies added to an organization’s attack surface get there without the security team ever being aware. However, they are still accountable for ensuring these assets are secured. This lack of insight creates many policy breaches that go unnoticed for months, sometimes even years. This is why our customers use Custom Policies to bring visibility back to the security team and alert them as soon as an asset does not comply with any of their policies.
Adding a policy to your attack surface
In the left side menu you will find the Custom Policies tab. From here you can create your first policy by clicking Add policy. Here you can start specifying the conditions that, if satisfied, will constitute a policy violation and thus trigger an Alert. Start by specifying the if statements that should be fulfilled for an alert to be created. Wrap up by naming your policy in a manner that makes sense to you and will allow you to understand what is meant by this policy.
What dimensions can I build my policy on?
The current version of Custom Policies allows policies to be defined with the port number as the main variable. This can be used to alert if a port other than the typical HTTP and HTTPS ports (80 and 443) is open, see image below. Another alternative is to provide a list of ports that should trigger an alert by selecting "is one of". Some ports that are known to be more risky are: 21, 22, 23, 25, 137, 139, 445, 1433, 3306, 3390, 3389, 5432, 33060. For a more complete list of risky ports, see the bottom of this article.
It is also possible to trigger an alert as soon as any port is found to be open by using the "is any" alternative.
Custom Policies is a feature that is currently under very focused development. This means that more dimensions to create policies on will be added regularly. If there is something in particular that you would like, please reach out to support or your CSM.
Finding alerts generated by a policy
As soon as a policy has been created, our policy service will start monitoring changes to your attack surface and will generate an alert for any asset where the conditions are satisfied. Alerts are not created for the current state of the attack surface: assets that already match the conditions today will only get an alert once there is a change to that state.
Alerts created by a specific policy can be found from the Custom Policies page by clicking a specific policy.
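To make the port conditions and the change-based alerting concrete, here is an added example in Python. It is not the vendor's policy service (whose internals are not described in this article); it models the three conditions described above ("is not" the standard web ports, "is one of" a list, "is any") and raises alerts only for ports that newly open relative to the last-seen state of an asset, so assets that already match at baseline stay silent until they change. The hostnames, port sets and snapshots are constructed, and the parse_port_list helper is an assumption about how a pasted comma-separated list (like the one at the bottom of this article, which contains repeated ports) could be turned into a set.

```python
"""Toy model of port-based custom policies evaluated against attack-surface snapshots.

Added example, not vendor code. Asset data below is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

# hostname -> set of open ports observed in one scan (constructed data)
Snapshot = Dict[str, FrozenSet[int]]


@dataclass(frozen=True)
class Policy:
    name: str
    violates: Callable[[int], bool]  # condition evaluated per open port


def is_not(allowed: FrozenSet[int]) -> Callable[[int], bool]:
    """'is not' condition: any port outside the allowed set violates."""
    return lambda port: port not in allowed


def is_one_of(watched: FrozenSet[int]) -> Callable[[int], bool]:
    """'is one of' condition: any port in the watched list violates."""
    return lambda port: port in watched


def is_any() -> Callable[[int], bool]:
    """'is any' condition: every open port violates."""
    return lambda port: True


def parse_port_list(text: str) -> FrozenSet[int]:
    """Assumed helper: turn a pasted '53, 5353, 445, 445' style list into a set.

    Repeated entries collapse, so duplicates in a pasted list are harmless.
    """
    return frozenset(int(p) for p in text.split(",") if p.strip())


@dataclass(frozen=True)
class Alert:
    policy: str
    asset: str
    port: int


class PolicyService:
    """Keeps the last-seen ports per asset and alerts only on newly opened ones."""

    def __init__(self, policies: List[Policy], baseline: Snapshot):
        self.policies = policies
        # The baseline is accepted as-is: ports already open do not alert.
        self.state: Dict[str, FrozenSet[int]] = dict(baseline)

    def observe(self, snapshot: Snapshot) -> List[Alert]:
        alerts: List[Alert] = []
        for asset, ports in snapshot.items():
            previous = self.state.get(asset, frozenset())  # new asset -> empty
            newly_open = ports - previous  # only the change is evaluated
            for policy in self.policies:
                for port in sorted(newly_open):
                    if policy.violates(port):
                        alerts.append(Alert(policy.name, asset, port))
            self.state[asset] = ports
        return alerts


WEB = frozenset({80, 443})
# The shorter risky-port list quoted in this article
RISKY = parse_port_list("21, 22, 23, 25, 137, 139, 445, 1433, 3306, 3390, 3389, 5432, 33060")


def demo() -> Tuple[List[Alert], List[Alert]]:
    """Run two scans: the first repeats the baseline, the second adds changes."""
    policies = [
        Policy("non-web port open", is_not(WEB)),
        Policy("risky port open", is_one_of(RISKY)),
    ]
    # Constructed baseline: port 22 already matches both policies but is pre-existing
    baseline: Snapshot = {"www.example.com": frozenset({80, 443, 22})}
    service = PolicyService(policies, baseline)
    first = service.observe(baseline)  # unchanged state -> no alerts
    second = service.observe({
        "www.example.com": frozenset({80, 443, 22, 3389}),  # RDP newly opened
        "db.example.com": frozenset({5432}),                # new asset appears
    })
    return first, second


if __name__ == "__main__":
    before, after = demo()
    print("alerts on unchanged baseline:", before)
    for alert in after:
        print(f"[{alert.policy}] {alert.asset} port {alert.port}")
```

The policy is modelled as a per-port predicate so the three UI conditions differ only in the predicate, while the change detection lives in one place (the set difference in observe). A closed-then-reopened port counts as a change again, which matches the article's rule that only state changes raise alerts.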
Notifications
We don't currently support any notifications for Custom Policies; however, that is something we are currently working on.
Some ports to consider for Custom Policies
Here is a list of ports from different categories that are worth considering for monitoring as part of Custom Policies:
Routing:
* DNS: 53, 5353
* SMTP: 25, 465, 587, 2525
* BGP: 179
NetBIOS & CIFS:
* NBNS: 137, 138
* NetBIOS Session Service: 139
* SMB: 445
* NFS: 2049
VOIP:
* SIP: 5060, 5061
* Ventrilo: 3784
* Viber: 4244, 5242, 5243, 7985
Remote management:
* FTP: 20, 21, 2121
* SSH: 22, 2022, 2122, 2222
* Telnet: 23, 107, 992
* RSH: 514
* RDP: 3388, 3389, 3390
* VNC: 5800, 5900, 5901, 10348
* SNMP: 161, 162
* Portmapper: 111
* Ident: 113
* MSRPC: 135, 445, 593
Databases:
* LDAP: 389, 636
* Aurora/MySQL/MariaDB: 3306, 33060
* PostgreSQL: 5432
* MSSQL: 1433, 1434
* MaxDB: 7210
* Oracle DB: 1830, 1521, 2483, 2484
* Pervasive SQL: 1583, 3351
* OrientDB: 2480
* SAP SQL Anywhere: 2638
* Firebase/Interbase: 3050
* Sybase: 4100, 5000
* CouchDB: 5984
* Redis: 6379
* Cassandra: 7000, 7001, 9042
* Neo4J: 7473, 7474
* Apache Solr: 8983
* Riak: 8087, 8098
* ArangoDB: 8529
* ElasticSearch: 9200, 9300
* memcache: 11211
* MongoDB: 27017, 27018, 27019, 28015, 28017, 29015
Industrial Control Systems:
* Siemens S7: 102
* modbus: 502
* Red Lion: 789
* Niagara/Tridium: 1911, 4911
* PCWorx: 1962
* IEC 60870-5-104: 2404
* CODESYS: 2455
* MELSEC-Q: 5006, 5007
* HART: 5094
* BACnet: 7808
* FINS: 9600
* GE-SRTP: 18245, 18246
* DNP3: 20000
* ProConOS: 20547
* EtherNet/IP: 44818
Sensitive (Risky) Ports:
* Java RMI: 1090, 1098, 1099, 4444, 10999, 11099, 11111, 47001, 47002
* Docker: 2375, 2376
* JBoss: 4445
* Cisco Smart Install: 4786
* Oracle GlassFish: 4848
* Atlassian Crowd: 4990
* Apache Spark: 5000, 6066
* HP Data Protector: 5555, 5556
* Redis: 6379
* WebLogic: 7000, 7001, 7002, 7003, 7004, 7070, 7071, 8000, 8001, 8002, 8003, 9000, 9001, 9002, 9003, 9503
* Apache Hadoop: 8088
* Zoho Manageengine Desktop: 8383
* LDAP: 389, 636
* Consul: 8500, 8600
* JMX: 8686, 9012
* JDWP: 45000, 45001, 50500
Alternative Web:
* HTTP: 81, 82, 591, 3000, 5000, 7547, 8000, 8008, 8080, 8089, 8090, 8081, 8082, 8088
* HTTPS: 1443, 4433, 4443, 5443, 6443, 7443, 8443, 9443, 10443
Ephemeral ports:
* RFC6056: 1024, 1025, 1026
* RFC6335: 49152, 49153, 49154
* Linux: 32768, 32769, 32770
If you want to monitor all of these you can easily copy the following list and paste into your policy creation flow:
53, 5353, 25, 465, 587, 2525, 179, 137, 138, 139, 445, 2049, 5060, 5061, 3784, 4244, 5242, 5243, 7985, 20, 21, 2121, 22, 2022, 2122, 2222, 23, 107, 992, 514, 3388, 3389, 3390, 5800, 5900, 5901, 10348, 161, 162, 111, 113, 135, 445, 593, 389, 636, 3306, 33060, 5432, 1433, 1434, 7210, 1830, 1521, 2483, 2484, 1583, 3351, 2480, 2638, 3050, 4100, 5000, 5984, 6379, 7000, 7001, 9042, 7473, 7474, 8983, 8087, 8098, 8529, 9200, 9300, 11211, 27017, 27018, 27019, 28015, 28017, 29015, 102, 502, 789, 1911, 4911, 1962, 2404, 2455, 5006, 5007, 5094, 7808, 9600, 18245, 18246, 20000, 20547, 44818, 1090, 1098, 1099, 4444, 10999, 11099, 11111, 47001, 47002, 2375, 2376, 4445, 4786, 4848, 4990, 5000, 6066, 5555, 5556, 6379, 7000, 7001, 7002, 7003, 7004, 7070, 7071, 8000, 8001, 8002, 8003, 9000, 9001, 9002, 9003, 9503, 8088, 8383, 389, 636, 8500, 8600, 8686, 9012, 45000, 45001, 50500, 81, 82, 591, 3000, 5000, 7547, 8000, 8008, 8080, 8089, 8090, 8081, 8082, 8088, 1443, 4433, 4443, 5443, 6443, 7443, 8443, 9443, 10443, 1024, 1025, 1026, 49152, 49153, 49154, 32768, 32769, 32770