Your attack surface is the sum of the opportunities within your network that a cybercriminal can attack and exploit. To minimize cyber risk, you need to understand and manage your attack surface.
Your Attack Surface
An organization’s attack surface is often described as the sum of the ways the organization could be breached. That’s a self-limiting viewpoint. It assumes the collection of known attack vectors is a complete list of the vulnerabilities that cybercriminals may try to exploit.
A better definition is that your attack surface is the sum of all IT assets exposed to attackers. Whether they have known vulnerabilities or not, any exposed IT entity, from servers to APIs, should be considered part of your attack surface. A new vulnerability that compromises one of your assets might be discovered at any time.
Anything that is exposed to cyber risk—which mainly equates to the outside world—is a potential target. Your attack surface is the total target area that you present to cybercriminals. Needless to say, the smaller the total target area, the better. But without being completely off the grid, it’s impossible for an organization not to have an attack surface of one form or another.
If you’re going to be stuck with an attack surface the only sensible course of action is to understand it, try to rationalize and minimize it, and secure what remains as best as possible.
Mapping Your Attack Surface
The COVID-19 pandemic of 2020 drove a sudden migration from office-based working to home working for many employees. Calling it a “migration” is perhaps being kind. In many cases what happened was more like abandoning ship. Either way, it was an example of an unforeseen and dramatic change in the IT estate.
Under normal circumstances, non-trivial changes are—theoretically—planned well in advance and conducted in a controlled and considered fashion. Moving from one critical line-of-business application to another, or moving from on-premises to cloud computing, are examples of what is usually meant by “migration.”
Putting aside the differences in execution, in both cases you’ve changed your attack surface. Planned changes and forced changes alike will expose different IT assets to risk. But they may well remove or reduce risks in other areas.
It’s not easy to visualize all of this, nor to appreciate the impact of changes. For multi-site organizations, the problem is even harder. One way to get a handle on it is to plot your IT assets, including software, on one axis of a graph and to plot threats and vulnerabilities on the other. For each vulnerability that applies to an asset, place a marker where they intersect. The resulting plot is an approximation of your attack surface.
Software packages are available that will assist with mapping out your attack surface. Automating the process will ensure you don’t forget about semi-dormant legacy systems, software, or APIs that may easily be overlooked. These packages are particularly useful at uncovering “skunkworks” initiatives and other shadow IT that hasn’t been supplied and rolled out by your IT team. Attack Surface Management (ASM) software also provides monitoring and alerting functionality.
The Open Web Application Security Project (OWASP) has created an open-source Attack Surface Detector designed to uncover a web application’s endpoints, parameters, and parameter data types. It runs as a plug-in for the popular OWASP ZAP and PortSwigger Burp Suite security testing platforms.
Tools like these focus on the digital aspects of your attack surface. They don’t consider the physical security of your premises, nor the cybersecurity awareness of your staff. Physical security and access measures control who can get into your building, and where they can go once they’re inside. Cybersecurity awareness training equips your staff to adopt cybersecurity best practices, to recognize phishing attacks and social engineering techniques, and generally to err on the side of caution.
Whether you lump these together with your digital attack surface in one uber-attack surface or not, physical access and cybersecurity awareness training can neither be ignored nor treated as second-class citizens. They’re all part of your overall security governance. Just be aware that most ASM software only delivers benefits when considering your digital attack surface.
Rationalize and Monitor Your Attack Surface
Armed with the information from your manual attack surface audit or the reports from your ASM software, you can critically review the attributes of your attack surface. Precisely what makes it the size it is, and how vulnerable is it?
Assets need to be grouped according to their criticality and sensitivity. They’re critical if compromising them would significantly and adversely affect your organization’s operation. They’re sensitive if they handle personal data or any company-private information.
Are all assets required in their current form? Can some be combined, increasing security and cutting costs? Do shadow IT projects need to be closed down or rolled into the corporate estate? Is your network topology still the optimum layout for your organization’s needs today, in terms of functionality, productivity, and security? Do all of the administrative or other privileged accounts still have a sound business case behind them?
Once you’ve asked all the questions raised by the audit and agreed on the responses there will almost certainly be remedial work required to close vulnerabilities and secure the network. Once that is completed, re-scan or re-audit your network to establish a baseline of your attack surface, and then monitor for changes.
Attack surface management systems provide—to differing degrees—a dashboard showing the real-time status of the assets that make up your attack surface. Alerts notify you of additions or changes that affect your attack surface. The criticality and sensitivity of your IT assets will guide your prioritization of these assets. Make sure the high-priority assets are displayed prominently in the dashboard or, at least, have the most comprehensive alerting mechanisms applied to them.
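The asset-by-vulnerability plot described under “Mapping Your Attack Surface”, together with the grouping, baseline and change-monitoring steps of this section, as an added Python example (not code from the original article or from any ASM product). The asset names, the VULN-nnn identifiers and the criticality and sensitivity flags are constructed placeholders; unknown assets that show up in a scan are treated as shadow IT and ranked highest.

```python
"""Asset x vulnerability attack-surface map with baseline/diff monitoring."""

# Constructed asset inventory; 'exposed' marks assets reachable from outside.
ASSETS = {
    "web-01":     {"critical": True,  "sensitive": True,  "exposed": True},
    "api-gw":     {"critical": True,  "sensitive": False, "exposed": True},
    "legacy-ftp": {"critical": False, "sensitive": False, "exposed": True},
    "hr-db":      {"critical": False, "sensitive": True,  "exposed": False},
}

# Constructed scan findings: placeholder vulnerability id -> assets it applies to.
BASELINE_FINDINGS = {"VULN-001": ["web-01", "hr-db"], "VULN-002": ["legacy-ftp"]}
RESCAN_FINDINGS = {"VULN-001": ["web-01", "hr-db"], "VULN-003": ["api-gw", "new-laptop"]}


def surface_map(assets, findings):
    """One marker per (asset, vulnerability) intersection, i.e. the plot from the text.
    Assets missing from the inventory are kept: they are exactly the shadow IT to find."""
    markers = set()
    for vuln, targets in findings.items():
        for asset in targets:
            meta = assets.get(asset)
            if meta is None or meta["exposed"]:
                markers.add((asset, vuln))
    return markers


def size_by_asset(markers):
    """What makes the surface the size it is: marker count per asset, largest first."""
    counts = {}
    for asset, _ in markers:
        counts[asset] = counts.get(asset, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


def priority(assets, asset):
    """Rank by criticality plus sensitivity (0..2); unknown assets rank 3."""
    meta = assets.get(asset)
    if meta is None:
        return 3
    return int(meta["critical"]) + int(meta["sensitive"])


def surface_changes(assets, baseline, current):
    """Diff a re-scan against the baseline; alerts come back highest priority first."""
    events = [("added", m) for m in current - baseline]
    events += [("removed", m) for m in baseline - current]
    events.sort(key=lambda e: (-priority(assets, e[1][0]), e[1]))
    return events
```

Running `surface_changes(ASSETS, surface_map(ASSETS, BASELINE_FINDINGS), surface_map(ASSETS, RESCAN_FINDINGS))` reports the unknown laptop before the known gateway, and the retired FTP host as a removal.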
Gaining insights into your attack surface, rationalizing, securing it, and monitoring it are all important steps, but they mean nothing if you’re not going to react to the information that your ASM software delivers. This might be as simple as applying patches or investigating unexplained events.
You’ll already have a thorough patch management process and schedule in place to handle scheduled patch releases and extraordinary emergency patches. If your ASM flags that an endpoint with vulnerabilities has been connected to the network, your team can decide whether to remove it from the network or bring it up to date with patches. Having a defined way to handle exceptions to your regular patching regime makes picking off these outliers much easier.
Evolve To Survive
Attack surface management is becoming a priority for many organizations. The number and type of devices connected to networks are growing and changing. The overnight switch to homeworking is one example. The explosive growth of Internet of Things devices, and hybrid or cloud computing, are others.
The attack surface is evolving faster than ever. That’s why proactive management and monitoring are a must.