Attack Surface Custom Policies

Introduction

Not everything on the attack surface is an outright vulnerability. Each organization has their own security workflows and criteria on what is an acceptable risk in their business context. The challenge for many security teams is: how do you ensure that your attack surface is adhering to these internal policies? This is doubly challenging as the attack surface is messy and constantly evolving.


Security teams in today’s organizations are enablers, not gatekeepers. New assets and technologies added to an organization’s attack surface get there without the security team ever being aware. However, they are still accountable for ensuring these assets are secured. This lack of insight creates many policy breaches that go unnoticed for months, sometimes even years. This is why our customers use Custom Policies to bring visibility back to the security team and alert them as soon as an asset does not comply with any of their policies.


Adding a policy to your attack surface

In the left side menu you will find the Custom Policies tab. From here you can create your first policy by clicking Add policy. Here you can start specifying the conditions that, if satisfied, will constitute a policy violation and thus trigger an Alert. Start by specifying the if statements that should be fulfilled for an alert to be created. Wrap up by naming your policy in a manner that makes sense to you and will allow you to understand what is meant by this policy.


What dimensions can I build my policy on?

The current version of Custom Policies allows policies to be defined with the port number as the main variable. This can be used to alert if a port other than the typical http and https (80 and 443) are open, see image below. Another alternative is to provide a list of ports that should trigger an alert by selecting "is one of". Some ports that are known to be more risky are: 21, 22, 23, 25, 137, 139, 445, 1433, 3306, 3390, 3389, 5432, 33060.



It is also possible to trigger an alert as soon as any port is found to be open by using the "is any" alternative.


Custom policies is a feature that is currently under very focused development. This means that more dimensions to create policies on will be added regularly. If you have something in particular that you would like, please reach out to support or your CSM.


Finding alerts generated by a policy

As soon as a policy has been created our policy service will start monitoring changes to your attack surface and will generate an alert for any asset where the conditions are satisfied. Alerts will not be created for the current state of the attack surface, i.e. assets that today match these conditions will not have alerts created for them only if there is a change to the current state.


Alerts created by a specific policy can be found from the Custom Policies page by clicking a specific policy.


Notifications

We don't currently support any notifications for our Custom Policies, however, that is something that we are currently working on.


Some ports to consider for Custom Policies

Here's a list of ports from different categories that are good to consider monitoring as part of Custom Policies:


Routing:
* DNS: 53, 5353
* SMTP: 25, 465, 587, 2525
* BGP: 179

NetBIOS & CIFS:
* NBNS: 137, 138
* NetBIOS Session Service: 139
* SMB: 445
* NFS: 2049

VOIP:
* SIP: 5060, 5061
* Ventrilo: 3784
* Viber: 4244, 5242, 5243, 7985

Remote management:
* FTP: 20, 21, 2121
* SSH: 22, 2022, 2122, 2222
* Telnet: 23, 107, 992
* RSH: 514
* RDP: 3388, 3389, 3390
* VNC: 5800, 5900, 5901, 10348
* SNMP: 161, 162
* Portmapper: 111
* Ident: 113
* MSRPC: 135, 445, 593

Databases:
* LDAP: 389, 636
* Aurora/MySQL/MariaDB: 3306, 33060
* PostgreSQL: 5432
* MSSQL: 1433, 1434
* MaxDB: 7210
* Oracle DB: 1830, 1521, 2483, 2484
* Pervasive SQL: 1583, 3351
* OrientDB: 2480
* SAP SQL Anywhere: 2638
* Firebase/Interbase: 3050
* Sybase: 4100, 5000
* CouchDB: 5984
* Redis: 6379
* Cassandra: 7000, 7001, 9042
* Neo4J: 7473, 7474
* Apache Solr: 7474, 8983
* Riak: 8087, 8098
* ArangoDB: 8529
* ElasticSearch: 9200, 9300
* memcache: 11211
* MongoDB: 27017, 27018, 27019, 28015, 28017, 29015

Industrial Control Systems:
* Siemens S7: 102
* modbus: 502
* Red Lion: 789
* Niagara/Tridium: 1911, 4911
* PCWorx: 1962
* IEC 60870-5-104: 2404
* CODESYS: 2455
* MELSEC-Q: 5006, 5007
* HART: 5094
* BACnet: 7808
* FINS: 9600
* GE-SRTP: 18245, 18246
* DNP3: 20000
* ProConOS: 20547
* EtherNet/IP: 44818

Sensitive (Risky) Ports:
* Java RMI: 1090, 1098, 1099, 4444, 10999, 11099, 11111, 47001, 47002
* Docker: 2375, 2376
* JBoss: 4445
* Cisco Smart Install: 4786
* Oracle GlassFish: 4848
* Atlassian Crowd: 4990
* Apache Spark: 5000, 6066
* HP Data Protector: 5555, 5556
* Redis: 6379
* WebLogic: 7000, 7001, 7002, 7003, 7004, 7070, 7071, 8000, 8001, 8002, 8003, 9000, 9001, 9002, 9003, 9503
* Apache Hadoop: 8088
* Zoho Manageengine Desktop: 8383
* LDAP: 389, 636
* Consul: 8500, 8600
* JMX: 8686, 9012
* JDWP: 45000, 45001, 50500


Alternative Web:
* HTTP: 81, 82, 591, 3000, 5000, 7547, 8000, 8008, 8080, 8089, 8090, 8081, 8082, 8088
* HTTPS: 1443, 4433, 4443, 5443, 6443, 7443, 8443, 9443, 10443


Ephemeral ports:
* RFC6056: 1024, 1025, 1026
* RFC6335: 49152, 49153, 49154
* Linux: 32768, 32769, 32770