Defensible Attack Surface Explorer Tool Launch TPS-0100
https://tacticalpermaculture.com/tools-defensible-attack-surface-explorer.html
https://tacticalpermaculture.com/show/TPS-0100-Defensible-Attack-Surface-Explorer-Tool-Launch.html
This is another web application tool that I'm launching and giving a bit of introduction to.
This idea of, you gotta make a visualization tool for your own use and for other people's use, like an explorer or a mapping tool that gives you the experience of adding and removing what in cyber security is often called attack surface.
In more traditional tactical education, you might call it just defending a perimeter, or defensible space is another word.
Whether it's firefighting or looking at defending a perimeter, depending on the context it could be a war zone, or it could be a website, or it could be just your neighborhood situation dealing with everyday life stuff, but the reality is we all have things that are secret, we all have things that are sacred, things that are vulnerable, whether they're living or non-living.
Creating security for ourselves, our communities, our valuables, our nation, etc. Knowing is half the battle: you have to know and think through what threatens you and what threatens yours.
The idea in cyberspace is very abstract. All the different points that you could be, all the different doors and windows that you could be leaving open or unlocked in cyberspace.
It's almost an infinite, ever-changing array of attack surfaces. Most of them you have no control over, but the ones that you do, it's worth enumerating them, meaning numbering them out, listing them, describing them, etc.
So that at least you have your known knowns, and you have some known unknowns.
If you were to hire a cyber security consulting firm, then this is one of the things that they would do: try to sit down with you, with whatever tools they use. I doubt they're gonna use the tool I just made, not in its current form, but I'll certainly be using it and recommending its use, because it is helpful to understand and to think about. All of this we think about as "I've got your back", or "I've got your six", orienting ourselves around 360 degrees using the clock spatial metaphor.
So having your six means behind you, in terms of the clock dial that represents a circle, you always being in the center of a circle, whether that's in combat, or driving, or whatever it may be. If you and your people are able to share that map of reality and communicate that, it's very helpful.
You're aware that your back is an attack surface, that it's difficult to defend, and a defensive strategy may be to have a friend that watches your back, watches your six, or to grow eyes in the back of your head, as they say.
Now we can have digital eyes in the back of our heads. We can have our own dash cams and backup cams and whatever wearable tech soon enough.
I joke about it, but that's a legitimate strategy, something to consider and think about.
I actually helped someone recently get some anti-stalker wear type stuff by getting multiple dash cams so that you could have multiple directions covered.
So, starting to think strategically, tactically, about what threats, what you have at risk, what you have that's vulnerable. You wanna protect what I call a threatened resource. For now, the way the tool works, the first thing you do is enter the name of the threatened resource that you're going to explore the defensible perimeter around. Give it a name, and then use the form fields.
To extend the example, you've got your sides, you've got your front, you've got your back, you've got your top, you've got beneath you. If you wanna take it to the human level, then on a construction site your attack surface is the top of your head, you're supposed to wear a helmet, and then your attack surface is the soles of your shoes if you're walking across a freshly mopped floor and you see the icon of the person slipping and flying in the air; at that point the attack surface is exactly the bottom of your shoes.
Then walking down a dark alley, arguably it would be things creeping up behind you that you couldn't see, even if you had a flashlight. Driving, it's in front of you: you don't wanna collide with anything while you're driving. That's why we use our turn signals.
But when it comes to cyber security or operational security, or something a little more abstract, the thing that you may be trying to protect is a secret.
What's the top of a secret? What's the bottom of a secret? What are the sides? So in terms of how you would secure, let's say, a password, the idea would be, well, where does it live? Meaning, is it in a notepad in the drawer? Is it on a sticky note on the computer screen? Is it in your memory, in your own mind? Is it in a password manager? Is that password manager on the Internet, or is it offline?
So, situating the threatened resource, or for now I'm using the idea of a secret piece of information, once you have a concept in your mind of where that's situated and you name it, then it doesn't really matter whether it's in physical space or not.
A lot of people do this, which I don't recommend: they use the browser's built-in password saving, with or without an extension. The idea of having all of your passwords in one place, a lot of security is needed if all your passwords are in one place. Typically, of all the options available to protect passwords, certainly password vaults have all of the passwords in one place.
If those are ostensibly secured by your browser, it's worth enumerating the browser's attack surfaces and your attack surfaces on the physical plane.
Then anybody who uses your computer, well, if you happen to be logged on still because you forgot to log off, or they use the browser that you're using within whatever parameters are set up, if they have physical access to that computer and you have recently been on it...
Let's say you have a heart attack and you leave your computer on, and then whoever comes around next, if they poke around or happen to know that you have all your passwords in your browser, then that's easy access, for convenience. There's always a trade-off, security versus convenience. It's the ultimate sort of paradoxical trade-off.
The idea of having all your passwords in a browser is that you wouldn't have to do ten different things and jump through ten hoops to get access to them. You wouldn't even click on them. They just get auto-filled for your own convenience.
Well, if somebody in the real world, or somebody on the other side of the world going through the Internet and taking advantage of vulnerabilities, even in other applications, can gain control over your machine, your device, then they can take a joyride with your passwords saved in that way.
So, the attack surfaces to the browser, and then sub-attack surfaces of the browser: is it up to date? Does it have unpatched vulnerabilities? Does it have unknown vulnerabilities, which are called zero days, that could be exploited?
Then what kind of attack surface would be within the operating system level?
Do you segregate other people's use of that computer? Do you have a strong password on your user account on your operating system?
Obviously you get into mitigation strategies, and we start to enumerate what the attack surfaces are.
This is a visualization tool: what is the shape of the attack surfaces of whatever I'm trying to secure or protect? Well, if I can enumerate four attack surfaces, then that could be visualized as a square, right? Or if it's three, it could be a triangle. So in my first foray into the use of the canvas feature of HTML5, I was able to use a tutorial on making this sort of iterative, multi-shaped polygon.
You can click a button and then it adds another side and adjusts the other sides accordingly. So it's perfect geometry, the way that it's mathematically programmed.
So you name the threatened resource, and then enumerate the attack surfaces that you can imagine, then in addition to that list, the types of attacks that might exploit or take advantage of, or target, that attack surface.
So there's an example to start off, which is, let's say you're trying to protect your home, and one attack surface is the front door, and that may be a target of attack by thieves or solicitors. Then you can extend that and go: back door, all the windows on the first floor mainly, the fact that there may or may not be some house key hidden somewhere in the vicinity; you get the idea.
What happens every time you enter a new attack surface and its potential attackers is that you see visually a shape that actually has a side added, another surface or another side added to it, in real time on the screen.
At this primitive stage of it, everything that you enter, that list that you enumerate, is displayed on the left sidebar, and the object is sort of free-floating.
Now that you've enumerated the different types of attacks, and you know what that attack surface is, now you have the responsibility to list procedures for mitigating that attack surface. If it can be eliminated, then it's removed.
Why it's also interesting, the way this can be abstracted, is that in cyber security there are a lot of attack surfaces where, when you identify them, the mitigation strategy is to just remove them, right?
So that's where it gets more fun and interesting than defending a house, because there's a relatively finite number of attack surfaces to the house, and you're not really gonna get to a point where you can remove them and change the shape of it.
You're either defending it well, or you're not. If you put bars in the window, well, then you won't be able to escape through it in a fire.
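To make the workflow described above concrete, here is an added example in JavaScript, written for this page and not the explorer tool's own source: a small model of a threatened resource with its attack surfaces, each carrying the attacks that target it and the mitigations listed for it, plus the regular-polygon geometry (one side per surface) that the tool draws on a canvas. Removing a surface drops a side, so the home example goes from a square to a triangle. The class, method and field names, the canvas element id, and the home sample data are assumptions made for the example.

```javascript
// Added example (not the explorer tool's code): a threatened resource whose
// attack surfaces become the sides of a regular polygon, as the page describes.
// Names, fields and sample data are assumptions for illustration.

class ThreatenedResource {
  constructor(name) {
    this.name = name;
    this.surfaces = []; // { name, attacks: [...], mitigations: [...] }
  }

  // Enumerate one attack surface with the attacks that target it and the
  // mitigation procedures listed so far. Returns this so calls can chain.
  addSurface(name, attacks = [], mitigations = []) {
    this.surfaces.push({ name, attacks: [...attacks], mitigations: [...mitigations] });
    return this;
  }

  // Eliminating a surface removes a polygon side. Returns false if unknown.
  removeSurface(name) {
    const i = this.surfaces.findIndex((s) => s.name === name);
    if (i === -1) return false;
    this.surfaces.splice(i, 1);
    return true;
  }

  // Surfaces with attacks listed but no mitigation yet: the "known knowns"
  // that still need a procedure.
  unmitigated() {
    return this.surfaces.filter((s) => s.mitigations.length === 0).map((s) => s.name);
  }

  // Vertices of a regular polygon centred at (cx, cy) with radius r, one
  // vertex (and so one side) per surface. The first vertex sits at 12 o'clock
  // and the rest follow clockwise, matching the clock metaphor; canvas y grows
  // downward, so increasing the angle turns clockwise on screen. Fewer than
  // three surfaces cannot form a polygon, so an empty list is returned.
  polygonVertices(cx, cy, r) {
    const n = this.surfaces.length;
    if (n < 3) return [];
    return this.surfaces.map((s, i) => {
      const angle = -Math.PI / 2 + (2 * Math.PI * i) / n;
      return { label: s.name, x: cx + r * Math.cos(angle), y: cy + r * Math.sin(angle) };
    });
  }

  // Side length of that polygon: 2 * r * sin(pi / n). Sides shrink as surfaces
  // are added, which is the "adjusts the other sides" behaviour described.
  sideLength(r) {
    const n = this.surfaces.length;
    return n < 3 ? 0 : 2 * r * Math.sin(Math.PI / n);
  }

  // Draw onto a CanvasRenderingContext2D, labelling each vertex with its surface.
  draw(ctx, cx, cy, r) {
    const v = this.polygonVertices(cx, cy, r);
    if (v.length === 0) return;
    ctx.beginPath();
    ctx.moveTo(v[0].x, v[0].y);
    for (let i = 1; i < v.length; i++) ctx.lineTo(v[i].x, v[i].y);
    ctx.closePath();
    ctx.stroke();
    for (const p of v) ctx.fillText(p.label, p.x + 4, p.y - 4);
  }
}

// The home example from the page, as constructed sample data.
function homeExample() {
  const home = new ThreatenedResource("home")
    .addSurface("front door", ["thieves", "solicitors"], ["deadbolt", "peephole"])
    .addSurface("back door", ["thieves"])
    .addSurface("first-floor windows", ["thieves"], ["window locks"])
    .addSurface("hidden spare key", ["anyone who finds it"]);
  // The hidden key can simply be eliminated: square becomes triangle.
  home.removeSurface("hidden spare key");
  return home;
}

// Browser usage (assumed canvas id); skipped when run outside a browser.
if (typeof document !== "undefined") {
  const canvas = document.getElementById("surface-canvas");
  if (canvas) homeExample().draw(canvas.getContext("2d"), 150, 150, 100);
}
```

Run in a browser with a `<canvas id="surface-canvas">` to see the shape, or in Node to inspect `homeExample().polygonVertices(150, 150, 100)` and `homeExample().unmitigated()`, which reports the back door as the surface still lacking a procedure.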
It's a useful tool to have fun with and to just build that training experience for thinking in this tactical manner, and a lot of permaculture is using these sorts of devices, whether it's just mental or real-world tools or on-paper tools.
What I'm trying to do is extend that tradition and adapt some of the permaculture tools to these web app environments, and also other tactical thinking training devices and utilities from other fields.
If you check this out and you play with it, you might use it to do an exercise on your own behalf. But forever after, if someone says, have you thought through what your attack surface is for X-Y-Z, then your answer can be yes at that point, where it would have been no otherwise.