Every point in your organization that provides access to data is what’s known as your attack surface. Your attack surface includes both digital and physical endpoints. It’s vital to understand what it is and how to protect it. This guide explores the breadth of the attack surface and how organizations can effectively manage it to reduce risk.
What Is Meant by the Attack Surface?
An attack surface encompasses all assets that store or process sensitive or business-critical data. This includes the points of entry in your infrastructure that could be accessed by a malicious actor to extract data – from software to hardware to cloud assets.
From a high-level view, the attack surface has three components: on-premises assets, cloud assets, and external assets. For cloud and external assets, the underlying infrastructure is shared with the provider, which limits your organization’s ability to harden it. In these cases, it is crucial to know what assets reside in these areas so your organization can take appropriate measures to mitigate risk as much as possible.
Cybercriminals are constantly scouring the accessible attack surface of an organization, looking for ways to leverage vulnerabilities to gain access to your network. Once they are in, they seek out sensitive information that could be valuable to steal or look to set up infrastructure to launch more significant attacks down the road.
Understanding Your Assets
Many organizations are unaware of what assets they have or how much effort is needed to secure them. Business-critical assets include the data that is stored or processed, and some sensitive data types are covered by governance, regulatory, or compliance mandates.
Additional assets include systems and services that provide core functionality to the organization, such as access and authentication or email. A thorough asset inventory is essential for determining the risk of exposure to your attack surfaces.
Understanding Your Attack Surface
The attack surface constantly evolves and changes, so assessing and determining what is included should not be a one-time affair. A good security strategy should have a periodic re-assessment of the surface and steps taken to reduce the attack surface and protect against threats.
When defining the attack surface, an organization must consider the broad scope of all possible attacks when determining cybersecurity measures. Leveraging the information gathered from penetration testing, red teaming, and vulnerability management is necessary to create a thorough evaluation. Many organizations have parts of their attack surface that are unknown to them, such as SaaS products used by a single department or specialized servers used by one team for niche functionality. Various tools and services will help uncover these, creating a more complete assessment.
Best Practices for Attack Surface Management
Understanding the best practices around attack surface management comes down to understanding its core functions. Gartner defines Attack Surface Management (ASM) as the continuous monitoring, discovery, inventory, classification, and prioritization of sensitive external assets within an IT organization’s infrastructure.
These best practices distill down to understanding your attack surface and staying aware of changes to it and its underlying resources. ASM is an entire lifecycle of activities that is never complete, because the attack surface constantly evolves. Organizations following best practices in ASM build processes to create a baseline of their attack surface and continually review it for changes, adjusting their controls relative to the risk presented.
Why Attack Surface Management Is Important
Cybersecurity has long relied on having deep visibility into organizational utilization of data and resources to remain safe because you cannot stop what you don’t know is happening. Without adequate attack surface management, attackers can probe infrastructure and conduct attacks, lurking undetected until it is too late.
Without attack surface management, new endpoints or resources can be added to the IT infrastructure without being adequately defended. This is why detecting new resources is central to the ASM process. It is imperative to detect Shadow IT resources that may have been created temporarily but never adequately removed. These resources are rarely maintained and quickly become targets for attackers.
Detecting resources allows appropriate teams to harden them and test them to validate effective controls. Managing the attack surface makes an organization a more challenging target and helps stop attacks early in the kill chain rather than waiting until a breach has occurred.
Examples of Attack Surfaces
Rather than just talking in generality about what an attack surface is, it helps to see specific examples. Below is a selection of attack surfaces and an explanation of how they fit into your organization:
- Cloud resources - The cloud adds a great deal of agility and power to developers, but this comes with the risk of new resources being added without being tracked or hardened. It includes servers, workloads, SaaS apps, or cloud databases that can all be created and destroyed on the fly, circumventing change management processes.
- Internal resources - New servers and hardware may be added on-site to augment existing infrastructure or to add new functionality or features. These resources do not have to be externally facing to become an attack surface. Even if they are only available via VPN, they can become a target if credentials are lost or stolen.
- Shadow IT - Temporary systems are added either for testing or to provide a service, and they often get abandoned after use. They are not usually created maliciously, but other duties and responsibilities turn them into tech debt that workers intend to “eventually” clean up.
- Externally provided services - Services provided by external vendors that house your data are additional targets. These services could be external insurance processors, contracted IT services, or even auditors with access to sensitive information. Awareness of these surfaces, even if they are not controllable by your organization, is vital for ASM.
Vulnerability Management vs. Attack Surface Management
Vulnerability management is very similar to attack surface management: both follow the same process and pursue the same end goals of discovering new attack surfaces, assessing their risk, and conducting prioritized remediation. The difference comes down to the tools and solutions used for vulnerability management and how well the functionality they deliver aligns with ASM.
- Monitoring/testing - This is the core area where the two overlap. Known assets are tested for exposures, helping to identify where remediation must occur.
- Discovery - ASM looks for new attack surfaces internally and externally. More advanced vulnerability management solutions may have this functionality, though the extent to which it is done will vary based on the technology.
- Inventory - As new assets are discovered, a list of what attack surfaces exist is created. A complete inventory should also include surfaces from external vendors and other spaces the organization does not control. Most vulnerability management solutions and programs stop at the assets the organization maintains.
- Classification - Not every issue discovered needs to be addressed. This is another area where ASM and vulnerability management may diverge. More advanced vulnerability management solutions can classify findings, but determining the full context of the cyber risk, including ownership, exposure, data risk, and utilization, is vital to getting the entire picture.
- Prioritization - Objective criteria are used to score vulnerabilities and create a risk-based ranking of priorities. Contextual information is essential for driving the risk rankings. Some advanced vulnerability management tools can do this, while others require human intervention to do it effectively.
- Remediation - The end goal of vulnerability management is to rectify the vulnerabilities detected, which is also the implied conclusion of the prioritization step in ASM. Non-security teams (typically IT teams) often carry out this work, so good cross-team communication is crucial to effective remediation efforts.
How & Why of Reducing Your Attack Surface
Reducing the attack surface is important because it lowers organizational risk and limits the ability of cybercriminals to harm your organization. It is also part of the solution for mitigating the supply chain attacks that continue to threaten organizations.
Why?
Supply chain attacks give attackers depth of penetration because they cut to the heart of organizational trust. They bypass traditional attack surfaces by exploiting trusted systems to gain unprecedented access to internal resources. These attacks often occur at the administrator or root level, allowing attackers to pivot internally to other resources and set up future attacks, for example by planting rootkits to use later.
How?
Attackers manipulate the code of an external organization to insert malicious content such as rootkits, malware, or vulnerabilities to be exploited later. This content reaches customer environments in a couple of ways: through a software update that includes the malicious code, or through a library that is incorporated into software the customer develops.
When the package runs, the malicious code executes, launching whatever was embedded in it. The payload runs with the same permissions as the account on the endpoint running it, such as organizational administrative privileges, so in that situation it can spread well beyond its starting point, wreaking havoc throughout the IT environment.
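Both delivery paths named above (a tampered update package and a modified third-party library) share a defensive check: before anything is installed or built, the artifact's digest is compared with the one recorded when the release was reviewed, and anything unpinned or mismatched is refused rather than executed with the installing account's privileges. The following Python is an added example, not code from the original article or any package manager: the artifact bytes, names, and pin format are constructed assumptions for the demo.

```python
"""Added example, not code from the original article: gate an install step on
pinned SHA-256 digests so an artifact altered upstream is rejected instead of
run. Artifact names and contents below are constructed for the demo; the pin
format is an assumption, not any particular package manager's lock file."""

import hashlib
import hmac
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(name: str, data: bytes, pinned: Dict[str, str]) -> str:
    """Return "ok", "tampered" or "unpinned". The check fails closed: an artifact
    nobody reviewed and pinned is refused just like a modified one."""
    expected = pinned.get(name)
    if expected is None:
        return "unpinned"
    # Constant-time comparison so the check itself leaks nothing about the pin.
    if hmac.compare_digest(sha256_hex(data), expected):
        return "ok"
    return "tampered"


def verify_all(artifacts: Dict[str, bytes], pinned: Dict[str, str]) -> Dict[str, str]:
    """Status per incoming artifact, for logging and for the install gate."""
    return {name: verify_artifact(name, data, pinned) for name, data in artifacts.items()}


def safe_to_install(artifacts: Dict[str, bytes], pinned: Dict[str, str]) -> bool:
    """Install/build gate: every artifact must verify, or nothing is installed."""
    return all(status == "ok" for status in verify_all(artifacts, pinned).values())


# Constructed artifacts: the reviewed release of a library, the same library with
# a line appended upstream after review, and an update package nobody has pinned.
REVIEWED_LIB = b"def helper():\n    return 42\n"
MODIFIED_LIB = REVIEWED_LIB + b"# line not present in the reviewed release\n"
UNREVIEWED_UPDATE = b"constructed update package contents"

# Pins are recorded from the reviewed bytes and kept apart from the download
# channel; they are computed inline here only so the demo runs offline.
PINNED: Dict[str, str] = {"helper-lib-1.2.0": sha256_hex(REVIEWED_LIB)}

# What the build host received this cycle (constructed).
INCOMING: Dict[str, bytes] = {
    "helper-lib-1.2.0": MODIFIED_LIB,
    "agent-update-3.4.1": UNREVIEWED_UPDATE,
}

if __name__ == "__main__":
    for name, status in verify_all(INCOMING, PINNED).items():
        print(f"{name}: {status}")
    print("safe to install:", safe_to_install(INCOMING, PINNED))
```

The pin only helps if it is obtained independently of the artifact: a digest published on the same server that serves a tampered package would be tampered with too, which is why pins belong in the consumer's own repository or lock file, recorded at review time.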
Solutions to Harden the Attack Surface
Fortunately, there are ways to harden the attack surface and identify portions that may be overlooked.
As previously mentioned, a vulnerability management solution is vital to effectively managing your attack surface. Other helpful tactics include:
- Penetration testing - One of the best ways to start hardening the attack surface. Using penetration testing tools and services, organizations can assess their entire environment for assets and accessible systems.
- DAST (dynamic application security testing) - Allows teams to test applications for vulnerabilities, even if they don’t have access to the source code. Using techniques such as fuzzing, they can exercise APIs the way cybercriminals would, helping teams identify and mitigate previously undiscovered vulnerabilities.
- Red teaming - Helps to validate findings from penetration testing by acting as an adversary. In the case of a supply chain attack, the red team can simulate compromised systems, conducting an attack as if an internal system had been compromised. This approach helps to re-envision the whole attack surface and identify areas to harden, minimizing the risk of future attacks.
- Dark web monitoring - Monitors the dark web to help organizations identify and defend against future attacks that originate there.
Take Control of Your Cybersecurity Strategy
Connect with a member of our team and find out how to get started.