Cybersecurity and Attack Surface Lessons from the Death Star

The Empire got sloppy and the Rebel Alliance got lucky. It’s a hard truth to admit, but if it hadn’t been for a single open port on the surface of the Death Star, Yavin 4 would be no more, Emperor Palpatine would rule the galaxy, and the disaster that was the Skywalker Trilogy would never have happened.

All the Empire needed to do to avoid the destruction of its ultimate weapon was to take an attacker’s view of the Death Star — perhaps by pointing those ubiquitous probe droids, which they sent out all over the galaxy after their loss, at the attack surface of the space station instead. Having noticed the exhaust port as a potentially fatal issue in the design of an otherwise invincible weapon, Grand Moff Tarkin could have engineered a solution to close the vulnerability or, at the very least, scrambled defenses to mitigate the threat from the ragtag rebel fleet.

Cybersecurity in a large organization is a bit like building a Death Star — the unflinching focus on its grand strategy will necessarily mean that “little” things get forgotten, and the more they tighten their grip on their market, the more unknown and obscure IT will slip through their SOCs’ fingers. Whether it’s through the mission-first, security-second neglect of an intrepid engineer spinning up servers with the elegance of Jar Jar Binks or the insider threat of a Galen Erso creating openings for attackers, it’s almost inevitable that even the most technically proficient companies will have vulnerable portions of their Internet attack surfaces. Being too forward-leaning and operationalizing development environments, like the second Death Star, can also introduce vulnerabilities so big that attackers could fly a Millennium Falcon through them.


Some of the most common ways we see this concept of unknown or misconfigured IT popping up in the real world include the creation of Internet-facing development servers that were intended for short-term use but were neither taken down nor patched to standards. This problem is frequently exacerbated in mergers and acquisitions, where the IT inventories from acquired companies end up incomplete or incompatible with existing asset management systems. It is also particularly acute in agile development of Internet-facing applications and datasets, where the speed of operations sometimes results in servers and services being inadvertently placed outside the VPN or being excluded from the documentation that informs patch hygiene and other regular cybersecurity practices within companies.
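The gap described above is, at bottom, a reconciliation problem: the internal asset inventory says one thing, and what is actually reachable from the Internet says another. The script below is an added illustration, not Cortex Xpanse code or anything from the original post. It joins a constructed internal inventory against constructed outside-in scan observations and flags three of the situations the paragraph names: hosts nobody has recorded, non-production hosts that are exposed to the Internet, and exposed hosts whose last patch date is older than a policy threshold. The inventory, the scan results, the "as of" date and the 90-day threshold are all made-up sample values.

```python
"""Reconcile an internal asset inventory with an outside-in view of what is
reachable from the Internet. Added example; all data below is constructed."""
from dataclasses import dataclass
from datetime import date

# Constructed "as of" date so the patch-age calculation is deterministic.
AS_OF = date(2021, 5, 4)

# Constructed internal inventory: what the CMDB believes the company owns.
INVENTORY = {
    "203.0.113.10": {"owner": "web-team", "env": "prod", "last_patched": "2021-04-20"},
    "203.0.113.11": {"owner": "web-team", "env": "prod", "last_patched": "2021-04-20"},
    "203.0.113.50": {"owner": "data-eng", "env": "dev", "last_patched": "2020-11-02"},
}

# Constructed outside-in observations: (ip, port, service label).
# 203.0.113.77 is deliberately absent from the inventory to model an
# acquired or forgotten host.
EXTERNAL_SCAN = [
    ("203.0.113.10", 443, "https"),
    ("203.0.113.50", 22, "ssh"),
    ("203.0.113.50", 8080, "http (ci server)"),
    ("203.0.113.77", 3389, "rdp"),
]


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    reason: str


def reconcile(inventory, scan, today, max_patch_age_days=90):
    """Return one Finding per (exposed service, problem) pair.

    Problems checked:
      * the host is reachable from the Internet but not in the inventory;
      * the host is inventoried as non-production yet is Internet-facing;
      * the host's last patch date is older than max_patch_age_days.
    """
    findings = []
    for ip, port, _service in scan:
        asset = inventory.get(ip)
        if asset is None:
            findings.append(Finding(ip, port, "unknown asset: not in inventory"))
            continue
        if asset["env"] != "prod":
            findings.append(
                Finding(ip, port, f"non-production ({asset['env']}) host exposed to the Internet")
            )
        age_days = (today - date.fromisoformat(asset["last_patched"])).days
        if age_days > max_patch_age_days:
            findings.append(
                Finding(ip, port, f"last patched {age_days} days ago (limit {max_patch_age_days})")
            )
    return findings


def by_host(findings):
    """Group findings per host so each owner gets one consolidated list."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.ip, []).append(f"port {f.port}: {f.reason}")
    return grouped


def run_example():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(INVENTORY, EXTERNAL_SCAN, AS_OF)


if __name__ == "__main__":
    for ip, reasons in by_host(run_example()).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

In practice the two inputs would come from the CMDB export and from whatever external discovery source the SOC trusts; the point of the join is that each side catches what the other misses, and the grouped output is what you hand to the asset owner to either close the service off or document a compensating control.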

And — as Young Skywalker taught us with the help of many rebels who died to bring some important plans to Princess Leia and the guidance of an old Jedi knight — one open port can cause catastrophic damage. Although we don’t know what ingress methods attackers may have used to compromise SolarWinds, the damage done not only to one company but also to networks around the world remains a stark lesson in the importance of keeping intruders out of networks.

By taking an outside-in view of customers’ networks and letting them know about the exposures that attackers might leverage, Cortex Xpanse makes sure that your company knows about that open exhaust port. Once you understand where these risks and exposures are in your network, you can focus your SOC resources on closing them off to the Internet altogether or creating mitigating controls to minimize the risk of exploitation. After all, you wouldn’t want some farm boy shooting womp rats in your network, would you?

May the 4th be with you!