The Anatomy of an Attack Surface: What Security Leaders Should Know


Digitization has brought about greater connectivity, greater convenience, and, unfortunately, a greater attack surface. With so many assets out in the open, organizations can feel as vulnerable as fish in a barrel, waiting for some forgotten asset to fall into the wrong hands and wind up exploited. Knowing that attackers can only access our resources through the digital pathways we leave unguarded, a deep understanding of the cyber attack surface and how to manage it is crucial for security leaders today.

Defining the Attack Surface

In cybersecurity, an organization’s attack surface refers to all of its network infrastructure, cloud assets, applications, endpoints, and IoT devices. Essentially, it includes every point, visible or hidden, at which an attacker could gain entry or compromise the organization. Knowing the extent of the attack surface is crucial, because threat actors are likely to be aware of any vulnerabilities in it. Understanding the attack surface is therefore the first step in managing security effectively; protecting assets remains challenging without a comprehensive awareness of what is exposed.

External Attack Surface: A Closer Look

An organization’s external attack surface includes its internet-facing assets, domains, subdomains, and web applications. That extends to everything on social media, professional networking platforms, and the surface, deep, and dark web: the organization’s brands, domains, executive posts, key locations, intellectual property, and collected company data, which are often considered the real crown jewels.

Attack Surface Management Tools

Thankfully, there are a variety of tools and techniques to reduce the size of the attack surface before it becomes a permanent liability. It largely comes down to a three-part strategy:

  • Asset discovery: Identify the components on both private and public attack surfaces. Ensure all internal assets are accounted for and establish their locations. Maintain oversight on configurations and Shadow IT, including Shadow APIs. Additionally, understand external exposures. Map the external attack surface, pinpointing the presence of the brand and the locations of executive postings. Identify which public internet-facing assets require security measures. Defining the scope is essential in this process.
  • Vulnerability scanning: How much of the publicly exposed assets are currently vulnerable? Ideally, the answer would be ‘nothing.’ What is the count of Common Vulnerabilities and Exposures (CVEs)? How many legacy vulnerabilities remain unaddressed by the security team, perhaps overlooked in favor of newer concerns? It is important to remember that attackers often target these old vulnerabilities first for these very reasons.
  • Threat intelligence: Are there exposed credential lists from the organization being sold on the Dark Web? Consider the results of a Google search of executives’ names; do their home addresses appear? Assess whether any edge devices are vulnerable to Log4j vulnerabilities. These considerations are just a few examples of the many aspects to be mindful of.
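The first two steps come together when the output of external discovery is reconciled with what the organization believes it owns and with what the scanner reports. The script below is an added example written for this article; it is not ZeroFox, LookingGlass, or OWASP Amass code. It assumes discovery output arrives as a plain one-hostname-per-line listing, and every hostname, CVE identifier, and date in it is constructed sample data (the CVE ids are placeholders, not real advisories). It reports hosts that were found externally but are missing from the inventory, how complete the inventory is against that discovery, and which unremediated findings are oldest, so that forgotten assets and legacy vulnerabilities rise to the top of the queue.

```python
"""Reconcile an asset inventory with external discovery and scanner findings.

Added example, not ZeroFox's or OWASP Amass's own code. All data below is
constructed; real input would come from a CMDB export, a subdomain
enumeration tool, and a vulnerability scanner.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str          # identifier as reported by the scanner (placeholder here)
    published: date   # disclosure date of the vulnerability
    fixed: bool       # True once the team has remediated it


# Constructed sample inventory: the hosts the organization knows it owns.
INVENTORY = {"www.example.com", "mail.example.com", "vpn.example.com"}

# Constructed sample discovery output, one hostname per line (assumed format).
# It deliberately contains stray casing, a trailing dot and a blank line.
DISCOVERED_TEXT = """\
WWW.example.com
mail.example.com.
vpn.example.com

staging-old.example.com
dev-api.example.com
"""

# Constructed sample scanner output; CVE ids are placeholders, not real advisories.
FINDINGS = [
    Finding("vpn.example.com", "CVE-0000-0001", date(2021, 12, 10), fixed=False),
    Finding("www.example.com", "CVE-0000-0002", date(2024, 3, 2), fixed=True),
    Finding("www.example.com", "CVE-0000-0003", date(2024, 5, 20), fixed=False),
    Finding("staging-old.example.com", "CVE-0000-0004", date(2022, 6, 1), fixed=False),
]


def parse_hostlist(text: str) -> set[str]:
    """Normalise a one-host-per-line listing so it compares cleanly to inventory."""
    hosts: set[str] = set()
    for line in text.splitlines():
        host = line.strip().lower().rstrip(".")
        if host and not host.startswith("#"):
            hosts.add(host)
    return hosts


def unknown_assets(inventory: set[str], discovered: set[str]) -> list[str]:
    """Hosts seen from the outside that nobody has claimed (shadow or forgotten IT)."""
    return sorted(discovered - inventory)


def inventory_coverage(inventory: set[str], discovered: set[str]) -> float:
    """Fraction of externally discovered hosts the inventory already knew about."""
    if not discovered:
        return 1.0
    return len(discovered & inventory) / len(discovered)


def stale_findings(findings: list[Finding], today: date, max_age_days: int = 90) -> list[Finding]:
    """Unremediated findings older than the threshold, oldest first."""
    stale = [f for f in findings if not f.fixed and (today - f.published).days > max_age_days]
    return sorted(stale, key=lambda f: f.published)


def triage(inventory: set[str], discovered: set[str], findings: list[Finding]) -> list[Finding]:
    """Order open findings: hosts with no owner in the inventory first, then by age."""
    unknown = set(unknown_assets(inventory, discovered))
    open_findings = [f for f in findings if not f.fixed]
    return sorted(open_findings, key=lambda f: (0 if f.host in unknown else 1, f.published))


if __name__ == "__main__":
    today = date(2024, 6, 30)  # constructed "now" so the run is reproducible
    discovered = parse_hostlist(DISCOVERED_TEXT)
    print("Unknown assets:", unknown_assets(INVENTORY, discovered))
    print(f"Inventory coverage: {inventory_coverage(INVENTORY, discovered):.0%}")
    print("Stale findings:", [f.cve for f in stale_findings(FINDINGS, today)])
    print("Triage order:", [(f.host, f.cve) for f in triage(INVENTORY, discovered, FINDINGS)])
```

The coverage figure is the practical counterpart to the inventory-accuracy problem discussed later in the article: every host that discovery finds and the inventory lacks is an asset with no owner, no patch schedule, and usually no monitoring, which is why `triage` ranks findings on those hosts ahead of everything else.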

These tools assist security leaders in gaining visibility into their organization’s digital footprint and play a direct role in managing the external attack surface. Forrester defines external attack surface management (EASM) as ‘a tool or capability that scans for, discovers, and enumerates unknown internet-facing assets, establishes the unique fingerprints of discovered assets, and identifies various exposures.’ In other words, EASM provides a comprehensive view of the entire cyber attack surface, both public and private. This includes discontinued third-party services, shadow IT (or IoT), and stale systems that have not been decommissioned, offering a complete perspective of the entire digital footprint.

Attack surface management can also enable data loss prevention, as it lets organizations identify and evaluate the risks posed by both known and unknown assets. With the average global cost of a data breach, according to IBM, at $4.54 million, preventing data loss is a necessity.

The Dynamic Nature of the Attack Surface

It is vital to recognize that the attack surface is not static; it evolves alongside the digital presence of an organization. The expansion occurs with the adoption of more services, addition of devices, recruitment of personnel, posts by executives on LinkedIn, and inheritance of systems. With every acquisition, new product launch, and third-party integration, the attack surface experiences growth. This dynamic aspect of the attack surface necessitates ongoing care, oversight, as well as continuous monitoring and management to keep pace with changes.

The Role of Security Teams

It is the responsibility of security leaders to manage the attack surface, and that entails ongoing pruning and attack surface reduction. ZeroFox’s Jeff Foley notes, “Sadly, I’ve yet to meet a company that is confident their asset inventory is 100% accurate. When talking privately, few (if any) will even claim to have confidence their inventory is even 75% complete. This is just one of the ugly but accepted norms of cybersecurity that people have grown to accept.” The fact that so many are stuck on step one underscores the importance of collaboration between security, IT, and business units. It takes resources and buy-in to implement the proactive risk assessments and mitigation strategies that will tame the attack surface, and that requires collaboration, cooperation, and participation across teams, security and otherwise.

Incident Response and Attack Surface Reduction

The most effective method to ensure safety is to halt any immediate threats. It is widely acknowledged that reducing the attack surface minimizes the potential impact of incidents, and sometimes rapid action is necessary. An organization needs both proactive and reactive strategies. Proactive measures, such as vulnerability scans, have been outlined previously. Reactive measures, also known as incident response, include the rapid detection and removal of offending content, accounts, or posts – often referred to as ‘takedowns’.

These adversary disruption capabilities are essential to incident response, positioning attack surface management as a critical solution for data loss prevention. The ability to proactively pursue threats through the internet’s darker spaces and retrieve compromised information is a critical aspect where attack surface management proves its effectiveness.

How To Proactively Manage Your Organization’s External Attack Surface

ZeroFox is proud to be a pioneer in the attack surface management space, focusing on securing the vast expanse of public internet-facing assets that companies unknowingly have lying around. It’s a difficult job to attend to without the right technology, which is why ZeroFox acquired LookingGlass. Now, we can leverage even more unique features that allow organizations to identify and assess threats on their public attack surface, all while continuing to deliver capabilities on a single end-to-end platform. 

As part of our mission, we also support the OWASP Amass Project by providing more advanced tooling to identify publicly exposed assets and resources. Cybersecurity should be taken holistically and include all facets of a company’s digital identity. When so many of those resources reside outside of the network, we’re here to make sure the entire digital footprint is protected. 
