Microsoft unveiled a new tool this week in conjunction with the Blackhat DC conference — the Attack Surface Analyzer. It’s designed to fit into the verification phase of the Security Development Lifecycle (SDL) but it has some interesting use cases and potential beyond the SDL, and some that I believe are especially relavant to ICS. We’ll get into that more but first let’s look at the basics of this free tool.
The Attack Surface Analyzer uses a baseline snapshot of the Windows OS and then captures and analyzes the differences after a new application is installed. We’ve talked about security baselines in the context of the Security Configuration Manager (SCM) and there’s the Microsoft Baseline Security Analyzer (MBSA). Those are all both toward the user-configurable policy, settings, and patch levels, though. The Attack Surface Analyzer looks way deeper than that – providing analysis of services vulnerable to tampering, application directories with weak ACLs, and processes with impersonation tokens just to name a few. This is much more under-the-hood than those tools.
The process for running the Attack Surface Analyzer reminds me of some automated application deployment tools I’ve used in the past. You simply 1.) Run the tool to take a snapshot of the current system; 2.) Install the application you want to analyze; and 3.) Run another snapshot and generate the “diff” report. The “diff” report in this case, however, includes the security analysis of the changes made by the application. Other tools do pieces of this but I’m not sure any free tool is quite as comprehensive as the Attack Surface Analyzer. Then again, I’m not a developer so perhaps someone will correct me on that. You can see in the screenshot below the types of information the Analyzer collects in its baseline snapshot process.
We’ve been fans of the Microsoft SDL for a while here, and this is one more tool that fits into that process. But, like I said, I think it has some value even outside the SDL process. Since ICS applications have a notoriously checkered past when it comes to even basic application level security features, the Attack Surface Analyzer could be a new way to help hold vendors accountable to a higher standard. For example, you could require that the vendor provides the Attack Surface Report in your procurement language. Or you could run your own reports for any new application that gets installed on the ICS network so you know how it impacts the attack surface and then build in appropriate mitigation strategies or countermeasures.
The Attack Surface Analyzer is still in beta but is available for free download here. Stay tuned for a subsequent post that takes a deeper look at its capability.