Watch Jonathan Cran, VP of Research & Engineering, demo how Attack Surface Management discovers external assets and identifies the exposures on them, enabling security teams to uncover shadow IT, remove sprawl, reduce exposure risk, and monitor and enforce security policies.
Legacy attack surface tools designed before the cloud era support static work locations and a limited set of devices and applications running behind a network firewall. Attack Surface Management has the following advantages:
It has rapidly become a top enterprise priority because massive adoption of cloud, SaaS and mobile across a distributed workforce means an expanding, evolving and changing attack surface subject to an increasing number of sophisticated threats.
An external attack surface management solution performs assets and exposure discovery on internet-facing assets. It continuously assesses them for vulnerabilities and generates and prioritizes issues for the security team to remediate.
Eavesdropping occurs when an attacker gains access to the data path in a network and has the ability to monitor and read the traffic. Eavesdropping is also called sniffing or snooping. If the traffic is in plain text, the attacker can read the traffic when the attacker gains access to the path. An example is an attack performed by controlling a router on the data path.
These methods of communication make eavesdropping difficult or impossible to achieve within the time period of a single conversation. TLS authenticates all parties and encrypts all traffic. While TLS doesn't prevent eavesdropping, the attacker can't read the traffic unless the encryption is broken.
Spoofing occurs when the attacker identifies and then uses an IP address of a network, computer, or network component without being authorized to do so. A successful attack allows the attacker to operate as if the attacker is the entity normally identified by the IP address.
TLS authenticates all parties and encrypts all traffic. Using TLS prevents an attacker from performing IP address spoofing on a specific connection (for example, mutual TLS connections). An attacker could still spoof the address of the Domain Name System (DNS) server. However, because authentication in Teams is performed with certificates an attacker would not have a valid information required to spoof one of the parties in the communication.
A man-in-the-middle attack occurs when an attacker reroutes communication between two users through the attacker's computer without the knowledge of the two communicating users. The attacker can monitor and read the traffic before sending it on to the intended recipient. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all while thinking they are communicating only with the intended user. This scenario can happen if an attacker can modify Active Directory Domain Services to add their server as a trusted server, or modify DNS configuration or use other means to get clients to connect through the attacker on their way to the server.
Man-in-the-middle attacks on media traffic between two endpoints participating in Teams audio, video, and application sharing, is prevented by using Secure Real-Time Transport Protocol (SRTP) to encrypt the media stream. Cryptographic keys are negotiated between the two endpoints over a proprietary signaling protocol (Teams Call Signaling protocol) which uses TLS 1.2 and AES-256 (in GCM mode) encrypted UDP or TCP channel.
A replay attack occurs when a valid media transmission between two parties is intercepted and retransmitted for malicious purposes. Teams uses SRTP with a secure signaling protocol that protects transmissions from replay attacks by enabling the receiver to maintain an index of already received RTP packets and compare each new packet with packets already listed in the index.
Spim is unsolicited commercial instant messages or presence subscription requests, like spam, but in instant message form. While not by itself a compromise of the network, it's annoying in the least, can reduce resource availability and production, and can possibly lead to a compromise of the network. An example is users spimming each other by sending requests. Users can block each other to prevent spimming, but with federation, if a malicious actor establishes a coordinated spim attack, it can be difficult to overcome unless you disable federation from the partner.
Using TLS helps prevent both eavesdropping and man-in-the middle attacks. In a man-in-the-middle attack, the attacker reroutes communications between two network entities through the attacker's computer without the knowledge of either party. TLS and Teams' specification of trusted servers mitigate the risk of a man-in-the middle attack partially on the application layer by using encryption that is coordinated using the Public Key cryptography between the two endpoints. An attacker would have to have a valid and trusted certificate with the corresponding private key and issued to the name of the service to which the client is communicating to decrypt the communication.
Media traffic is encrypted by, and flows between, the caller and callee using Secure RTP (SRTP), a profile of Real-time Transport Protocol (RTP) that provides confidentiality, authentication, and replay attack protection to RTP traffic. SRTP uses a session key generated by a secure random number generator and exchanged using the signaling TLS channel. In most cases, client to client media traffic is negotiated through client to server connection signaling, and is encrypted using SRTP when going directly from client to client.
Teams provides the capability for enterprise users to create and join real-time meetings. Enterprise users can also invite external users who don't have an Azure AD, Microsoft 365, or Office 365 account to participate in these meetings. Users who are employed by external partners with a secure and authenticated identity can also join meetings and, if promoted to do so, can act as presenters. Anonymous users can't create or join a meeting as a presenter, but they can be promoted to presenter after they join.
The term anonymous users means users that are not authenticated to the organizations tenant. In this context all external users are considered anonymous. Authenticated users include tenant users and Guest users of the tenant.
For more information on Guest and External Access in Teams, see this article. It covers what features guest or external users can expect to see and use when they login to Teams. If you're recording meetings and want to see a permissions matrix around accessing the content, consult this article and its matrix.
Federated Users - Federated users have valid credentials with federated partners and are therefore treated as authenticated by Teams, but are still external to the meeting organizer tenant. Federated users can join meetings and be promoted to presenters after they have joined the meeting, but they can't create meetings in enterprises with which they are federated.
Many meetings involve external users. Those same customers also want reassurance about the identity of external users before allowing those users to join a meeting. The next section describes how Teams limits meeting access to those user types that have been explicitly allowed, and requires all user types to present appropriate credentials when entering a meeting.
In Teams, anonymous users can be transferred to a waiting area called the lobby. Presenters can then either admit these users into the meeting or reject them. When these users are transferred to the lobby, the presenter and attendees are notified, and the anonymous users must then wait until they are either accepted or rejected, or their connection times out.
You should not disable the REST API; doing so will break WordPress Admin functionality that depends on the API being active. However, you may use a filter to require that API consumers be authenticated, which effectively prevents anonymous external access. See below for more information.
In this post, we first give an informal description of security, privacy and anonymity in the context of Waku v2.For each definition, we summarize Waku's current guarantees regarding the respective property.We also provide attacker models, an attack-based threat model, and a first anonymity analysis of Waku v2 relay within the respective models.
Waku offers k-anonymity regarding content topic interest in the global adversary model.K-anonymity in the context of Waku means an attacker can link receivers to content topics with a maximum certainty of $1/k$.The larger $k$, the less certainty the attacker gains.Receivers basically hide in a pool of $k$ content topics, any subset of which could be topics they subscribed to.The attacker does not know which of those the receiver actually subscribed to,and the receiver enjoys plausible deniability regarding content topic subscription.Assuming there are $n$ Waku content topics, a receiver has $n$-anonymity with respect to association to a specific content topic.
In summary, Waku offers weak sender anonymity because of Waku's strict no sign policy,which has its origins in the Ethereum consensus specs.17/WAKU-RLN-RELAY and 18/WAKU2-SWAP mitigate replay and injection attacks.
Waku currently does not offer sender anonymity in stronger attacker models, as well as cannot protect against targeted attacks in weaker attacker models like the single or multi node attacker.We will cover this in more detail in later sections.
The Anonymity trilemma states that only two out of strong anonymity, low bandwidth, and low latency can be guaranteed in the global on-net attacker model.Waku's goal, being a modular set of protocols, is to offer any combination of two out of these three properties, as well as blends.An example for blending is an adjustable number of pubsub topics and peers in the respective pubsub topic mesh; this allows tuning the trade-off between anonymity and bandwidth. 153554b96e