Attack Surface Custom Policies

Introduction

Not everything on the attack surface is an outright vulnerability. Each organization has its own security workflows and its own criteria for what is an acceptable risk in its business context. The challenge for many security teams is: how do you ensure that your attack surface adheres to these internal policies? This is doubly challenging because the attack surface is messy and constantly evolving.


Security teams in today's organizations are enablers, not gatekeepers. New assets and technologies are added to an organization's attack surface without the security team ever being aware of them, yet the team is still accountable for ensuring those assets are secured. This lack of insight lets policy breaches go unnoticed for months, sometimes even years. This is why our customers use Custom Policies: to bring visibility back to the security team and alert them as soon as an asset does not comply with one of their policies.


To read about how to get started with your first policy, see this article.


What dimensions can I build my policies on?

The current version of Custom Policies allows policies to be defined with the port number as the main variable. This can be used to alert if any port other than the typical HTTP and HTTPS ports (80 and 443) is open, see the image below. Another alternative is to provide a list of ports that should trigger an alert by selecting "is one of". Some ports that are known to be more risky are: 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 137, 139 and 445 (NetBIOS/SMB), 1433 (MSSQL), 3306 and 33060 (MySQL), 3389 and 3390 (RDP), 5432 (PostgreSQL). For a more complete list of risky ports, see the bottom of this article.



It is also possible to trigger an alert as soon as any port at all is found to be open, by using the "is any" alternative. This is most useful for assets that are not supposed to expose any service, since on a normal web host it will fire for 80 and 443 as well.
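The three operators described above ("is not one of", "is one of" and "is any") can be modelled in a few lines. The following is an added illustration written for this article, not the product's own policy engine: the function names, the policy data structure and the sample scan results are assumptions made for the example. It also shows how a pasted port list like the one at the bottom of this article is normalized (whitespace and duplicates dropped, out-of-range values rejected) before it is used in an "is one of" policy.

```python
"""Minimal model of attack-surface custom policies on open ports.

Added illustration, not the product's own code: the operators mirror the
options described in the article, but the data structures, function names
and the sample scan results are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Iterable

# Constructed sample of what an attack-surface scan might report per host.
SAMPLE_ASSETS = {
    "www.example.com": {80, 443},
    "api.example.com": {443, 8443},
    "db-01.example.com": {22, 5432},
    "legacy.example.com": {21, 23, 80, 3389},
}


def parse_port_list(text: str) -> set[int]:
    """Parse a comma-separated port list (as pasted into a policy):
    tolerate whitespace, trailing commas and duplicates; reject anything
    that is not a valid TCP/UDP port number."""
    ports: set[int] = set()
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue
        if not token.isdigit() or not 1 <= int(token) <= 65535:
            raise ValueError(f"invalid port: {token!r}")
        ports.add(int(token))
    return ports


@dataclass(frozen=True)
class PortPolicy:
    """One custom policy with the port number as its variable."""
    name: str
    operator: str                     # "is_not_one_of" | "is_one_of" | "is_any"
    ports: frozenset[int] = frozenset()

    def violations(self, open_ports: Iterable[int]) -> set[int]:
        """Return the open ports on an asset that breach this policy."""
        open_ports = set(open_ports)
        if self.operator == "is_any":          # anything open is a breach
            return open_ports
        if self.operator == "is_one_of":       # only listed ports breach
            return open_ports & self.ports
        if self.operator == "is_not_one_of":   # anything not allow-listed breaches
            return open_ports - self.ports
        raise ValueError(f"unknown operator: {self.operator}")


def evaluate(assets: dict[str, set[int]], policies: list[PortPolicy]):
    """Evaluate every policy against every asset and return alerts as
    (hostname, policy name, sorted violating ports) tuples, hosts in order."""
    alerts = []
    for host, open_ports in sorted(assets.items()):
        for policy in policies:
            bad = policy.violations(open_ports)
            if bad:
                alerts.append((host, policy.name, sorted(bad)))
    return alerts


# "is not one of": the asset may only expose 80 and 443.
WEB_ONLY = PortPolicy("Only HTTP/HTTPS may be exposed", "is_not_one_of",
                      frozenset({80, 443}))
# "is one of": alert on a pasted list of risky remote-management ports.
RISKY = PortPolicy("Risky remote-management port exposed", "is_one_of",
                   frozenset(parse_port_list("21, 22, 23, 3389, 3389, 5900,")))

if __name__ == "__main__":
    for host, name, ports in evaluate(SAMPLE_ASSETS, [WEB_ONLY, RISKY]):
        print(f"{host}: {name}: {ports}")
```

Note that an "is not one of" policy is an allow-list, so it also catches services you never thought to list (8443 on api.example.com above), whereas "is one of" only fires on ports you named; running both side by side is a reasonable default.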


Notifications

We don't currently support any notifications for our Custom Policies, however, that is something that we are currently working on.


Some ports to consider for Custom Policies

Here's a list of ports from different categories that are good to consider monitoring as part of Custom Policies:


Routing:
* DNS: 53, 5353
* SMTP: 25, 465, 587, 2525
* BGP: 179

NetBIOS & CIFS:
* NetBIOS Name Service / Datagram Service: 137, 138
* NetBIOS Session Service: 139
* SMB: 445
* NFS: 2049

VOIP:
* SIP: 5060, 5061
* Ventrilo: 3784
* Viber: 4244, 5242, 5243, 7985

Remote management:
* FTP: 20, 21, 2121
* SSH: 22, 2022, 2122, 2222
* Telnet: 23, 107, 992
* RSH: 514
* RDP: 3388, 3389, 3390
* VNC: 5800, 5900, 5901, 10348
* SNMP: 161, 162
* Portmapper: 111
* Ident: 113
* MSRPC: 135, 445, 593

Databases:
* LDAP: 389, 636
* Aurora/MySQL/MariaDB: 3306, 33060
* PostgreSQL: 5432
* MSSQL: 1433, 1434
* MaxDB: 7210
* Oracle DB: 1830, 1521, 2483, 2484
* Pervasive SQL: 1583, 3351
* OrientDB: 2480
* SAP SQL Anywhere: 2638
* Firebird/InterBase: 3050
* Sybase: 4100, 5000
* CouchDB: 5984
* Redis: 6379
* Cassandra: 7000, 7001, 9042
* Neo4J: 7473, 7474
* Apache Solr: 8983
* Riak: 8087, 8098
* ArangoDB: 8529
* ElasticSearch: 9200, 9300
* memcache: 11211
* MongoDB: 27017, 27018, 27019, 28015, 28017, 29015

Industrial Control Systems:
* Siemens S7: 102
* modbus: 502
* Red Lion: 789
* Niagara/Tridium: 1911, 4911
* PCWorx: 1962
* IEC 60870-5-104: 2404
* CODESYS: 2455
* MELSEC-Q: 5006, 5007
* HART: 5094
* BACnet/IP: 47808
* FINS: 9600
* GE-SRTP: 18245, 18246
* DNP3: 20000
* ProConOS: 20547
* EtherNet/IP: 44818

Sensitive (Risky) Ports:
* Java RMI: 1090, 1098, 1099, 4444, 10999, 11099, 11111, 47001, 47002
* Docker: 2375, 2376
* JBoss: 4445
* Cisco Smart Install: 4786
* Oracle GlassFish: 4848
* Atlassian Crowd: 4990
* Apache Spark: 5000, 6066
* HP Data Protector: 5555, 5556
* Redis: 6379
* WebLogic: 7000, 7001, 7002, 7003, 7004, 7070, 7071, 8000, 8001, 8002, 8003, 9000, 9001, 9002, 9003, 9503
* Apache Hadoop: 8088
* Zoho Manageengine Desktop: 8383
* LDAP: 389, 636
* Consul: 8500, 8600
* JMX: 8686, 9012
* JDWP: 45000, 45001, 50500


Alternative Web:
* HTTP: 81, 82, 591, 3000, 5000, 7547, 8000, 8008, 8081, 8082, 8088, 8089, 8090
* HTTPS: 1443, 4433, 4443, 5443, 6443, 7443, 9443, 10443


Ephemeral ports (a service listening here is unusual and worth a look):
* RFC 6056 recommended range (1024-65535), first ports: 1024, 1025, 1026
* IANA/RFC 6335 dynamic range (49152-65535), first ports: 49152, 49153, 49154
* Linux default range (starts at 32768), first ports: 32768, 32769, 32770


If you want to monitor all of these you can copy the following list (duplicates across categories removed) and paste it into your policy creation flow:

53, 5353, 25, 465, 587, 2525, 179, 137, 138, 139, 445, 2049, 5060, 5061, 3784, 4244, 5242, 5243, 7985, 20, 21, 2121, 22, 2022, 2122, 2222, 23, 107, 992, 514, 3388, 3389, 3390, 5800, 5900, 5901, 10348, 161, 162, 111, 113, 135, 593, 389, 636, 3306, 33060, 5432, 1433, 1434, 7210, 1830, 1521, 2483, 2484, 1583, 3351, 2480, 2638, 3050, 4100, 5000, 5984, 6379, 7000, 7001, 9042, 7473, 7474, 8983, 8087, 8098, 8529, 9200, 9300, 11211, 27017, 27018, 27019, 28015, 28017, 29015, 102, 502, 789, 1911, 4911, 1962, 2404, 2455, 5006, 5007, 5094, 47808, 9600, 18245, 18246, 20000, 20547, 44818, 1090, 1098, 1099, 4444, 10999, 11099, 11111, 47001, 47002, 2375, 2376, 4445, 4786, 4848, 4990, 6066, 5555, 5556, 7002, 7003, 7004, 7070, 7071, 8000, 8001, 8002, 8003, 9000, 9001, 9002, 9003, 9503, 8088, 8383, 8500, 8600, 8686, 9012, 45000, 45001, 50500, 81, 82, 591, 3000, 7547, 8008, 8089, 8090, 8081, 8082, 1443, 4433, 4443, 5443, 6443, 7443, 9443, 10443, 1024, 1025, 1026, 49152, 49153, 49154, 32768, 32769, 32770