Understanding your organization's attack surface and why it poses a risk
As business infrastructures continue to increase in breadth and complexity, it's important to keep ahead of changes within your own organization's attack surface and stay ahead of attackers.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Vincent Thiele
Deputy CISO
Share
02
Jun 2021
What is the attack surface of an organization?
Your attack surface is the sum of the exposed and internet-facing assets, and the associated risks a hacker can exploit to carry out a cyber-attack. Over the past decade or so, that attack surface has changed dramatically. Long gone are the days when the only things exposed to the outside world were your website and your mail server.
Today, increased complexity means that many organization often have huge attack surfaces – in fact, we believe that the attack surface has grown by around 1000% in the past 10 years.
Definition and components of the attack surface
The attack surface of an organization refers to the sum of all points where an unauthorized user (the attacker) can try to enter data to or extract data from an environment. Reducing the attack surface is a fundamental aspect of cybersecurity. Here are some components of the attack surface:
Exposed Assets:
Endpoints: Devices like computers, smartphones, tablets, and IoT devices that connect to the network.
Servers: Including web servers, database servers, application servers, and cloud-based servers.
Applications: Software applications, including those running on the network, desktop applications, and cloud applications.
Network Infrastructure: Routers, switches, firewalls, and other network devices.
Internet-Facing Assets:some text
Websites and Web Applications: Publicly accessible websites and web services.
APIs: Application Programming Interfaces that can be accessed over the internet.
Email Servers: Servers responsible for handling incoming and outgoing emails.
Cloud Services: Services hosted on cloud platforms like AWS, Azure, or Google Cloud.
Evolution of the attack surface
If that wasn’t enough of a challenge in itself, the modern attack surface is constantly evolving. The explosion of connected technologies means there are a host of new threat points within organizations: from third-party SaaS and IaaS providers, to VPNs, and from marketing partners who run campaigns and build infrastructures for you to the challenges of BYOD and shadow IT.
On top of this, the agile development world of DevOps is an additional challenge with apps being central to most financial institutions’ business models. The use of bi-weekly sprints and continuous deployments means infrastructures are in an almost constant state of change.
Below is just a quick snapshot of some of the areas where different departments can make changes to your attack surface under the radar and that you need to be aware of when trying to protect your data:
Cloud adoption, migrations – Exposed assets and storage buckets
Development Team – New Assets and Testing
Networks – New Netblocks and advertisements
Marketing – New subdomains for landing pages hosted at design companies
Sales – Campaigns and e-Commerce
IT operations – Configuration Changes, Patching, New Assets, and services
Security – Fixes, Agent deployments, new assets
Mergers and Acquisitions – Risk associated with newly acquired assets
Subsidiaries – Complexities of assets not controlled
Supply Chain Risk – Hosting providers, third parties
And that’s without taking into account the effects of the Covid pandemic. Changing infrastructure due to new working practices alongside the turbo-boost that digital transformation has been given resulting in a rapid shift to the cloud of everything from HR services to core business applications, have added a whole new layer of possible weak points and attack vectors for organisations. Every one of these factors increases the risk of your business’s data being compromised in some way.
Attackers are changing too
But it’s not just the proper indexing and management of new assets that you need to be concerned about. Attackers are getting more and more sophisticated in the techniques and technologies they use to locate and exploit vulnerabilities, and different areas of exploitation are appearing all the time.
Many companies already deploy a range of both defensive and offensive techniques to defend their networks from cyber attacks, including advanced, complex and expensive Threat Intelligence teams that track campaigns run by cyber criminals.
However, even if you do have the money and resources to create skilled teams like this, something as simple as a web server with an exploitable vulnerability can easily go unnoticed, leaving it open for a threat actor to exploit that asset. And in the end, manually checking and fixing every little misconfiguration is not the kind of repetitive work you employ an expert team for.
Don't be undone by simple mistakes
Malicious or just simple mistakes are almost impossible to track and control, and they can result in the most extensive exposures to a business. There are constant examples of configuration changes implemented that resulted in regulatory breaches or opening vulnerabilities that have been exploited. Security teams will focus on external and internal actors, but monitoring resulting changes requires an external view.
With your attack surface moving and changing all the time, it is crucial to be in control of this on a day-to-day basis, and to understand the risks posed to your organization. Yet, having the comprehensive overview that allows you to be in control and to protect against threat actors has seemingly never been more difficult to achieve.
Attack surface management
If your organization continues to take an inside-out approach to your security, you will not be able to see the blind spots that will ultimately introduce the brand's biggest risk. Instead, you can see how a threat actor sees your business and your brand by deploying an effective attack surface solution that gives you a comprehensive view of where your possible threats are.
Ultimately, this allows you to take back control of your attack surface by monitoring risk, confirming changes have been made, and monitoring security policy governance. Such an automated solution will not only help detect the biggest security threats, but will also provide the insights into your overall attack surface, giving you all the data needed to take your security to the next level.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
From Exploit to Escalation: Tracking and Containing a Real-World Fortinet SSL-VPN Attack
Threat actors exploiting Fortinet CVEs
Over the years, Fortinet has issued multiple alerts about a wave of sophisticated attacks targeting vulnerabilities in its SSL-VPN infrastructure. Despite the release of patches to address these vulnerabilities, threat actors have continued to exploit a trio of Common Vulnerabilities and Exposures (CVEs) disclosed between 2022 and 2024 to gain unauthorized access to FortiGate devices.
Which vulnerabilities are exploited?
The vulnerabilities—CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762—affect Fortinet’s SSL-VPN services and have been actively exploited by threat actors to establish initial access into target networks.
The vulnerabilities affect core components of FortiOS, allowing attackers to execute remote code on affected systems.
CVE-2022-42475
Type: Heap-Based Buffer Overflow in FortiOS SSL-VPN
This earlier vulnerability also targets the SSL-VPN interface and has been actively exploited in the wild. It allows attackers to execute arbitrary code remotely by overflowing a buffer in memory, often used to deploy malware or establish persistent backdoors [6].
CVE-2023-27997
Type: Heap-Based Buffer Overflow in FortiOS and FortiProxy
Impact: Remote Code Execution
This flaw exists in the SSL-VPN component of both FortiOS and FortiProxy. By exploiting a buffer overflow in the heap memory, attackers can execute malicious code remotely. This vulnerability is particularly dangerous because it can be triggered without authentication, making it ideal for an initial compromise [5].
CVE-2024-21762
Type: Out-of-Bounds Write in sslvpnd
Impact: Remote Code Execution
This vulnerability affects the SSL-VPN daemon (sslvpnd) in FortiOS. It allows unauthenticated remote attackers to send specially crafted HTTP requests that write data outside of allocated memory bounds. This can lead to arbitrary code execution, giving attackers full control over a device [4].
In short, these flaws enable remote attackers to execute arbitrary code without authentication by exploiting memory corruption issues such as buffer overflows and out-of-bounds writes. Once inside, threat actors use symbolic link (symlink) in order to maintain persistence on target devices across patches and firmware updates. This persistence then enables them to bypass security controls and manipulate firewall configurations, effectively turning patched systems into long-term footholds for deeper network compromise [1][2][3].
Darktrace’s Coverage
Darktrace detected a series of suspicious activities originating from a compromised Fortinet VPN device, including anomalous HTTP traffic, internal network scanning, and SMB reconnaissance, all indicative of post-exploitation behavior. Following initial detection by Darktrace’s real-time models, its Autonomous Response capability swiftly acted on the malicious activity, blocking suspicious connections and containing the threat before further compromise could occur.
Further investigation by Darktrace’s Threat Research team uncovered a stealthy and persistent attack that leveraged known Fortinet SSL-VPN vulnerabilities to facilitate lateral movement and privilege escalation within the network.
The attack on a Darktrace customer likely began on April 11 with the exploitation of a Fortinet VPN device running an outdated version of FortiOS. Darktrace observed a high volume of HTTP traffic originating from this device, specifically targeting internal systems. Notably, many of these requests were directed at the /cgi-bin/ directory, a common target for attackers attempting to exploit web interfaces to run unauthorized scripts or commands. This pattern strongly indicated remote code execution attempts via the SSL-VPN interface [7].
Once access was gained, the threat actor likely modified existing firewall rules, a tactic often used to disable security controls or create hidden backdoors for future access. While Darktrace does not have direct visibility into firewall configuration changes, the surrounding activity and post-exploitation behavior indicated that such modifications were made to support long-term persistence within the network.
Figure 1: HTTP activity from the compromised Fortinet device, including repeated requests to /cgi-bin/ over port 8080
Phase 2: Establishing Persistence & Lateral Movement
Shortly after the initial compromise of the Fortinet VPN device, the threat actor began to expand their foothold within the internal network. Darktrace detected initial signs of network scanning from this device, including the use of Nmap to probe the internal environment, likely in an attempt to identify accessible services and vulnerable systems.
Figure 2: Darktrace’s detection of unusual network scanning activities on the affected device.
Around the same time, Darktrace began detecting anomalous activity on a second device, specifically an internal firewall interface device. This suggested that the attacker had established a secondary foothold and was leveraging it to conduct deeper reconnaissance and move laterally through the network.
In an effort to maintain persistence within the network, the attackers likely deployed symbolic links in the SSL-VPN language file directory on the Fortinet device. While Darktrace did not directly observe symbolic link abuse, Fortinet has identified this as a known persistence technique in similar attacks [2][3]. Based on the observed post-exploitation behavior and likely firewall modifications, it is plausible that such methods were used here.
With lateral movement initiated from the internal firewall interface device, the threat actor proceeded to escalate their efforts to map the internal network and identify opportunities for privilege escalation.
Darktrace observed a successful NTLM authentication from the internal firewall interface to the domain controller over the outdated protocol SMBv1, using the account ‘anonymous’. This was immediately followed by a failed NTLM session connection using the hostname ‘nmap’, further indicating the use of Nmap for enumeration and brute-force attempts. Additional credential probes were also identified around the same time, including attempts using the credential ‘guest’.
Figure 3: Darktrace detection of a series of login attempts using various credentials, with a mix of successful and unsuccessful attempts.
The attacker then initiated DCE_RPC service enumeration, with over 300 requests to the Endpoint Mapper endpoint on the domain controller. This technique is commonly used to discover available services and their bindings, often as a precursor to privilege escalation or remote service manipulation.
Over the next few minutes, Darktrace detected more than 1,700 outbound connections from the internal firewall interface device to one of the customer’s subnets. These targeted common services such as FTP (port 21), SSH (22), Telnet (23), HTTP (80), and HTTPS (443). The threat actor also probed administrative and directory services, including ports 135, 137, 389, and 445, as well as remote access via RDP on port 3389.
Further signs of privilege escalation attempts were observed with the detection of over 300 Netlogon requests to the domain controller. Just over half of these connections were successful, indicating possible brute-force authentication attempts, credential testing, or the use of default or harvested credentials.
Figure 4: Netlogon and DCE-RPC activity from the affected device, showing repeated service bindings to epmapper and Netlogon, followed by successful and failed NetrServerAuthenticate3 attempts.
Phase 4: Privilege Escalation & Remote Access
A few minutes later, the attacker initiated an RDP session from the internal firewall interface device to an internal server. The session lasted over three hours, during which more than 1.5MB of data was uploaded and over 5MB was downloaded.
Notably, no RDP cookie was observed during this session, suggesting manual access, tool-less exploitation, or a deliberate attempt to evade detection. While RDP cookie entries were present on other occasions, none were linked to this specific session—reinforcing the likelihood of stealthy remote access.
Additionally, multiple entries during and after this session show SSL certificate validation failures on port 3389, indicating that the RDP connection may have been established using self-signed or invalid certificates, a common tactic in unauthorized or suspicious remote access scenarios.
Figure 5: Darktrace’s detection of an RDP session from the firewall interface device to the server, lasting over 3 hours.
Darktrace Autonomous Response
Throughout the course of this attack, Darktrace’s Autonomous Response capability was active on the customer’s network. This enabled Darktrace to autonomously intervene by blocking specific connections and ports associated with the suspicious activity, while also enforcing a pre-established “pattern of life” on affected devices to ensure they were able to continue their expected business activities while preventing any deviations from it. These actions were crucial in containing the threat and prevent further lateral movement from the compromised device.
Figure 6: Darktrace’s Autonomous Response targeted specific connections and restricted affected devices to their expected patterns of life.
Conclusion
This incident highlights the importance of important staying on top of patching and closely monitoring VPN infrastructure, especially for internet-facing systems like Fortinet devices. Despite available patches, attackers were still able to exploit known vulnerabilities to gain access, move laterally and maintain persistence within the customer’s network.
Attackers here demonstrated a high level of stealth and persistence. Not only did they gain access to the network and carry out network scans and lateral movement, but they also used techniques such as symbolic link abuse, credential probing, and RDP sessions without cookies to avoid detection. Darktrace’s detection of the post-exploitation activity, combined with the swift action of its Autonomous Response technology, successfully blocked malicious connections and contained the attack before it could escalate
Credit to Priya Thapa (Cyber Analyst), Vivek Rajan (Cyber Analyst), and Ryan Traill (Analyst Content Lead)
The content provided in this blog is published by Darktrace for general informational purposes only and reflects our understanding of cybersecurity topics, trends, incidents, and developments at the time of publication. While we strive to ensure accuracy and relevance, the information is provided “as is” without any representations or warranties, express or implied. Darktrace makes no guarantees regarding the completeness, accuracy, reliability, or timeliness of any information presented and expressly disclaims all warranties.
Nothing in this blog constitutes legal, technical, or professional advice, and readers should consult qualified professionals before acting on any information contained herein. Any references to third-party organizations, technologies, threat actors, or incidents are for informational purposes only and do not imply affiliation, endorsement, or recommendation.
Darktrace, its affiliates, employees, or agents shall not be held liable for any loss, damage, or harm arising from the use of or reliance on the information in this blog.
The cybersecurity landscape evolves rapidly, and blog content may become outdated or superseded. We reserve the right to update, modify, or remove any content without notice.
How Organizations are Addressing Cloud Investigation and Response
Why cloud investigation and response needs to evolve
As organizations accelerate their move to the cloud, they’re confronting two interrelated pressures: a rapidly expanding attack surface and rising regulatory scrutiny. The dual pressure is forcing security practitioners to evolve their strategies in the cloud, particularly around investigation and response, where we see analysts spending the most time. This work is especially difficult in the cloud, often requiring experienced analysts to manually stitch together evidence across fragmented systems, unfamiliar platforms, and short-lived assets.
However, adapting isn’t easy. Many teams are operating with limited budgets and face a shortage of cloud-specific security talent. That’s why more organizations are now prioritizing tools that not only deliver deep visibility and rapid response in the cloud, but also help upskill their analysts to keep pace with threats and compliance demands.
Our 2024 survey report highlights just how organizations are recognizing gaps in their cloud security, feeling the heat from regulators, and making significant investments to bolster their cloud investigation capabilities.
In this blog post, we’ll explore the current challenges, approaches, and strategies organizations are employing to enhance their cloud investigation and incident response.
Recognizing the gaps in current cloud investigation and response methods
Complex environments & static tools
Due to the dynamic nature of cloud infrastructure, ephemeral assets, autoscaling environments, and multi-cloud complexity, traditional investigation and response methods which rely on static snapshots and point-in-time data, are fundamentally mismatched. And with Cloud environment APIs needing deep provider knowledge and scripting skills to extract much needed evidence its unrealistic for one person to master all aspects of cloud incident response.
Analysts are still stitching together logs from fragmented systems, manually correlating events, and relying on post-incident forensics that often arrive too late to drive meaningful response. These approaches were built for environments that rarely changed. In the cloud, where assets may only exist for minutes and attacker movement can span regions or accounts in seconds, point-in-time visibility simply can’t keep up. As a result, critical evidence is missed, timelines are incomplete, and investigations drag on longer than they should.
Even some modern approaches still depend heavily on static configurations, delayed snapshots, or siloed visibility that can’t keep pace with real-time attacker movement.
There is even the problem of identifying what cloud data sources hold the valuable information needed to investigate in the first place. With AWS alone having over 200 products, each with its own security practices and data sources.It can be challenging to identify where you need to be looking.
To truly secure the cloud, investigation and response must be continuous, automated, and context-rich. Tools should be able to surface the signal from the noise and support analysts at every step, even without deep forensics expertise.
Increasing compliance pressure
With the rise of data privacy regulations and incident reporting mandates worldwide, organizations face heightened scrutiny. Noncompliance can lead to severe penalties, making it crucial to have robust cloud investigation and response mechanisms in place. 74% of organizations surveyed reported that data privacy regulations complicate incident response, underscoring the urgency to adapt to regulatory requirements.
In addition, a majority of organizations surveyed (89%) acknowledged that they suffer damage before they can fully contain and investigate incidents, particularly in cloud environments, highlighting the need for enhanced cloud capabilities.
Enhancing cloud investigation and response
To address these challenges, organizations are actively growing their capabilities to perform investigations in the cloud. Key steps include:
Allocating and increasing budgets:
Recognizing the importance of cloud-specific investigation tools, many organizations have started to allocate dedicated budgets for cloud forensics. 83% of organizations have budgeted for cloud forensics, with 77% expecting this budget to increase. This reflects a strong commitment to improving cloud security.
Implementing automation that understands cloud behavior
Automation isn’t just about speeding up tasks. While modern threats require speed and efficiency from defenders, automation aims to achieve this by enabling consistent decision making across unique and dynamic environments. Traditional SOAR platforms, often designed for static on-prem environments, struggle to keep pace with the dynamic and ephemeral nature of the cloud, where resources can disappear before a human analyst even has a chance to look at them. Cloud-native automation, designed to act on transient infrastructure and integrate seamlessly with cloud APIs, is rapidly emerging as the more effective approach for real-time investigation and response. Automation can cover collection, processing, and storage of incident evidence without ever needing to wait for human intervention and the evidence is ready and waiting all in once place, regardless of if the evidence is cloud-provider logs, disk images, or memory dumps. With the right automation tools you can even go further and automate the full process from end to end covering acquisition, processing, analysis, and response.
Artificial Intelligence (AI) that augments analysts’ intuition not just adds speed
While many vendors tout AI’s ability to “analyze large volumes of data,” that’s table stakes. The real differentiator is how AI understands the narrative of an incident, surfacing high-fidelity alerts, correlating attacker movement across cloud and hybrid environments, and presenting findings in a way that upskills rather than overwhelms analysts.
In this space, AI isn’t just accelerating investigations, it’s democratizing them by reducing the reliance on highly specialized forensic expertise.
Strategies for effective cloud investigation and response
Organizations are also exploring various strategies to optimize their cloud investigation and response capabilities:
Enhancing visibility and control:
Unified platforms: Implementing platforms that provide a unified view across multiple cloud environments can help organizations achieve better visibility and control. This consolidation reduces the complexity of managing disparate tools and data sources.
Improved integration: Ensuring that all security tools and platforms are seamlessly integrated is critical. This integration facilitates better data sharing and cohesive incident management.
Cloud specific expertise: Training and Recruitment: Investing in training programs to develop cloud-specific skills among existing staff and recruiting experts with cloud security knowledge can bridge the skill gap.
Continuous learning: Given the constantly evolving nature of cloud threats, continuous learning and adaptation are essential for maintaining effective security measures.
Leveraging automation and AI:
Automation solutions: Automation solutions for cloud environments can significantly speed up and simplify incident response efficiency. These solutions can handle repetitive tasks, allowing security teams to focus on more complex issues.
AI powered analysis: AI can assist in rapidly analyzing incident data, identifying anomalies, and predicting potential threats. This proactive approach can help prevent incidents before they escalate.
Cloud investigation and response with Darktrace
Darktrace’s forensic acquisition & investigation capabilities helps organizations address the complexities of cloud investigations and incident response with ease. The product seamlessly integrates with AWS, GCP, and Azure, consolidating data from multiple cloud environments into one unified platform. This integration enhances visibility and control, making it easier to manage and respond to incidents across diverse cloud infrastructures.
By leveraging machine learning and automation, Forensic Acquisition & Investigation accelerates the investigation process by quickly analyzing vast amounts of data, identifying patterns, and providing actionable insights. Automation reduces manual effort and response times, allowing your security team to focus on the most pressing issues.
Forensic Acquisition & Investigation can help you stay ahead of threats whilst also meeting regulatory requirements, helping you to maintain a robust cloud security position.
