Attack Surface Analyzer

Overview and Uses

Attack Surface Analyzer, shortened as ASA, is used to compare or track the state of a server as changes are made.  It is specifically geared towards DevOps or security engineers who want to see what changes 3rd party software makes to the system, with the goal of analyzing those changes for potential security risks.  However, ASA can be used for other purposes, such as:

  • General understanding of what changes are made by a piece of software
  • Comparing the server’s state before and after an issue occurs
  • Tracking down log files or registry settings used or managed by a piece of software

No matter how you use it, be aware that ASA can have serious performance implications.  Avoid running it on production servers if possible, and instead, use a test or non-production server.  If that isn’t an option, only run it on a production server during a maintenance window where decreased performance isn’t an issue.

Run Modes

Attack Surface Analyzer can be used in two different modes – static scan and live monitoring.  In static scan mode, a snapshot of the current configuration of the server is taken, to be compared to a second scan run later.  In live monitoring mode, changes to the file system are tracked live while the software is running.

Static scan mode is used in a three-step process.  First, you run a scan to get the base state of the system.  Next, you make whatever changes you want to analyze, such as recreating an issue or installing 3rd party software.  Finally, you run a second scan and compare the results to the first scan.

In live monitoring mode, a log of all file system changes is made while it’s running.  To use this mode, you run ASA and start a live monitoring scan, install the software, then stop the scan.  Afterwards, you can see all file system changes made while the scan was running.

Walkthrough

Attack Surface Analyzer is fairly easy to use.  Let’s take a look at the steps to use it to capture the before and after state of a system.  In this example, we will be using ASA to determine what changes are made when Google Chrome is installed on a Windows Server 2019 server.

First, download Attack Surface Analyzer from https://github.com/Microsoft/AttackSurfaceAnalyzer/releases/latest

We’ll be using the AsaGui-win10-version.zip file as this is the easiest one to get started with.

Unzip the downloaded file

Next, download the Google Chrome installer.  We do this before running the ASA scan so that the process of downloading and unzipping Google Chrome isn’t logged in our results.

For this example, I’m using the Google Chrome MSI installer available at https://cloud.google.com/chrome-enterprise/browser/download/

If the Google Chrome installer is zipped, unzip it

In the directory where you extracted ASA, right click asa.exe and choose Run as Administrator

    If prompted by UAC, press Yes to allow it to run

    Once ASA opens, switch to the Scan tab, and fill out the form

    Ensure Scan Type is set to Static Scan

    Enter a descriptive Run Id or leave it blank to use the current date/time

    For Choose Collectors, check the collectors that you want to track data for.  Note that the Files collector can take a long time to run

    Press Collect Data to start the scan

    Wait for the scan to complete

    When the scan is done, go ahead and install Chrome.  If you are using the Enterprise Installer linked above, use the GoogleChromeStandaloneEnterprise64.msi file in the Installers folder within the zip

    Wait for the installation to complete

    Note: don’t open Chrome after installation, as that will cause additional changes to be logged.

    If you closed Attack Surface Analyzer, open it again, ensuring you choose to Run as Administrator

    Fill in the scan page again

    Ensure Scan Type is set to Static Scan

    Enter a descriptive Run Id or leave it blank to use the current date/time

    For Choose Collectors, check the same collectors that were chosen the first time

    Press Collect Data to start the scan

    Wait for the scan to complete

    Switch to the Results tab

    Choose the before and after run for the Base and Product run ID, then press Run Analysis

      After the results are computed, use the radio buttons on the left to choose which category you want to view.  For example, here are some of the registry changes made by installing Google Chrome

      As expected, a number of new registry entries are getting created during the installation

      When using Attack Surface Analyzer, it’s best to run the installation and second scan as quickly as possible.  The longer you wait, the more time there is for unrelated changes to be made in between the scans.  Since the scans can’t track where the individual changes originated, this can make the results more difficult to review.  For example, if Windows Updates install in the background before the second scan is run, the changes caused by the updates would get captured and clutter up the information.
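The static scan workflow and the caveat above, shown as an added Python example (not ASA's code and not from the original article): it takes a base scan, applies a change, takes a product scan and compares the two, and an unrelated change made between the scans lands in the same result.  The temporary directory, file names and function names are constructed for illustration, and only file contents are tracked, whereas ASA's collectors cover more than files.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Static scan: map each file's relative path to a SHA-256 of its contents."""
    root = Path(root)
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = digest
    return state


def compare(base, product):
    """Diff two snapshots into created / deleted / modified path lists."""
    shared = base.keys() & product.keys()
    return {
        "created": sorted(product.keys() - base.keys()),
        "deleted": sorted(base.keys() - product.keys()),
        "modified": sorted(p for p in shared if base[p] != product[p]),
    }


def demo():
    """Base scan, pretend install plus an unrelated change, product scan, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed starting state of the "server".
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("mode=default\n")
        (root / "old.tmp").write_text("stale\n")
        base = snapshot(root)                     # step 1: base scan
        # Step 2: the change under analysis (a pretend installer).
        (root / "vendor").mkdir()
        (root / "vendor" / "agent.exe").write_bytes(b"MZ constructed")
        (root / "etc" / "app.conf").write_text("mode=vendor\n")
        (root / "old.tmp").unlink()
        # Unrelated background activity between the scans (e.g. an update job).
        (root / "update.log").write_text("patched\n")
        product = snapshot(root)                  # step 3: product scan
        return compare(base, product)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

Nothing in the output distinguishes update.log from the installer's own files, which is why the second scan should follow the installation as closely as possible.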

Conclusion

Overall, Attack Surface Analyzer is an easy-to-use tool for collecting specific types of data.  While it isn’t specifically designed for troubleshooting issues, here are some scenarios where it might be useful:

  • Finding what changes software makes to aid in troubleshooting issues that it might cause
  • Finding if software or an OS patch is making any additional changes that could be causing an issue
  • Finding all changes that a script or other tool is making.  For example, determining what changes an OS build script is making.
  • Comparing a server in its healthy state to its state while an issue is occurring

For more information on Attack Surface Analyzer, see the official GitHub project.