Attack Surface Management

What is attack surface?

Your attack surface is the sum of all the points on your enterprise network where an attacker can attempt to gain unauthorized access to your information systems. In other words, it represents the different ways and techniques an adversary can use to gain unauthorized access to your company’s data through any of your assets. It includes every vulnerability or security issue at any of your endpoints that could be exploited to carry out an attack. Your enterprise attack surface also includes your users and the many ways in which an attacker can trick them into causing a breach of your enterprise.

The amount of cyber risk varies across the attack surface, which means that different parts of your attack surface are not equally important from a business viewpoint.

The Enterprise Attack Surface

The picture below is a more detailed illustration of your attack surface. The x-axis represents all your assets – everything from servers, desktops, laptops and network infrastructure such as WiFi access points, network switches and routers, to managed and unmanaged devices, IoT devices, cloud applications and more. The y-axis represents the hundreds of attack vectors available to your adversaries, ranging from simple things like weak passwords to more complex things like phishing, unpatched software, encryption issues, misconfiguration, etc.


Attack surface: The x-axis represents your assets and the y-axis represents attack vectors. 

For a medium to large-sized enterprise, the attack surface can be gigantic: hundreds of thousands of assets times hundreds of attack vectors. This means that your attack surface is made up of tens of millions to hundreds of billions of elements that must be monitored continuously by your cybersecurity team – no easy feat!

The enterprise attack surface is also constantly expanding, and the threats that target it continuously shape-shift and adapt to the latest in network defenses. Understanding and managing an organization’s enterprise attack surface is a truly daunting task. Most security leaders, despite their best efforts, can only see a subset of the risks their organizations face and only know some fraction of the assets that exist on the network.

Attack surface management

Attack surface management refers to the continuous processes required to mitigate cyber risk. It includes risk assessment tasks such as asset discovery, vulnerability assessments, penetration testing and cyber risk quantification, as well as the deployment and management of security controls and vulnerability management processes – everything that cybersecurity teams do to map and protect the attack surface.

The goal of attack surface management is to mitigate cyber risk to acceptable levels by reducing the likelihood and impact of future cyber attacks.

When designing an attack surface management program, here are some of the key questions you need to ask:

  • What are the specifics of our attack surface (asset inventory and the scope, breadth, complexity of our attack surface)?
  • Where are our most valuable assets whose compromise will significantly impact the business?
  • How do we best protect the enterprise from cyber attacks?

Here are 5 steps to attack surface management:

1. Know what to protect

Bad actors are constantly looking for ways to hack into organizations. They hunt for vulnerabilities on websites, exposed data servers in the cloud, and systems that are connected directly to the Internet with little or no protection. They are essentially probing your attack surface.

Knowing the authorized and unauthorized devices on your network is the #1 control on the CIS Critical Controls List, yet most organizations are very lax about conducting regular asset audits. To keep the organization safe, it is essential to enumerate your attack surface, i.e., all of the ways that your enterprise assets are exposed and vulnerable to attack. Then you must prioritize activities that will reduce your attack surface and mitigate risk at each point of the remaining (residual) attack surface.

2. Gain real-time visibility into your attack surface

Because your attack surface and breach risk are dynamic and highly complex, real-time asset visibility is a crucial component of any attack surface management program. If you can’t see a risk, you’re not going to be able to manage it. And if you rely on static assessment tools, you are going to miss serious vulnerabilities as they crop up across your ever-changing risk landscape.

For this reason, it’s important that you continuously monitor your attack surface in order to discover, track, and manage the vulnerable assets that attackers target across your entire Internet, mobile, and cloud environments.

3. Understand the Business Impact of Asset or App Compromise

Not all parts of the attack surface are equally important, so it is crucial that you perform a thorough analysis of the potential impact (in money terms) if a particular asset is compromised. It is also important to see how assets are related to each other, where the compromise of one asset essentially compromises another asset or significantly impairs the performance of another asset.

4. Make your attack surface smaller and harder

In cybersecurity, just like everything else, the smaller the target, the harder it is to hit. You also want to make each point of your attack surface more difficult to compromise.

Limiting, reducing/shrinking and hardening your attack surface involves an iterative and continuous process with the following steps:

  1. Enumerate your attack surface (asset discovery, vulnerability assessments, penetration testing).
  2. Prioritize attack surface elements by risk (cyber risk quantification).
  3. Remove apps and devices you don’t need.
  4. Review configurations of all Internet-facing assets to minimize the complexity of the software exposed. Turn off features and services you don’t need.
  5. Implement rigorous vulnerability management (patching) practices for Internet-facing assets (servers, infrastructure assets and end-user devices).
  6. Implement strong access control (e.g., multi-factor authentication) and protective controls (e.g., web-application firewalls) for Internet-facing servers and infrastructure assets.
  7. Implement strong protection for all end-user computing devices (e.g., browser security and EDR).
  8. Repeat steps 1-7 continuously.
  9. Also continuously perform these steps for non-Internet-facing assets.
  10. Deploy network segmentation and/or zero trust throughout your network to limit the impact of attacks that might compromise a small number of your assets.

How to reduce the cyber attack surface?
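
The enumerate-prioritize-reduce loop above can be made concrete with a small model of the asset × attack-vector matrix described earlier on this page. The following Python is an added example written for this article, not Balbix’s code or product logic: the assets, the per-vector likelihoods, the exposure multipliers and the dollar impacts are all constructed, and the risk of each cell is computed as likelihood × exposure × impact, a deliberately simple form of cyber risk quantification.

```python
"""Toy asset x attack-vector model for enumerating and prioritizing an attack surface.

Added example for this article, not Balbix code. Every asset, likelihood, exposure
multiplier and dollar impact below is constructed for illustration.
"""
from dataclasses import dataclass, replace
from itertools import product

# Constructed annual likelihood that an observed weakness of each kind is exploited.
# A real program derives these from threat intelligence and its own telemetry.
VECTOR_LIKELIHOOD = {
    "weak_password": 0.30,
    "unpatched_software": 0.25,
    "misconfiguration": 0.15,
    "phishing": 0.20,
    "missing_mfa": 0.10,
}

# Internet-facing elements can be hit directly; internal ones need a prior foothold
# (lateral movement), so they get a lower exposure multiplier (constructed values).
EXPOSURE_MULTIPLIER = {True: 1.0, False: 0.25}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                # server, laptop, iot, ...
    internet_facing: bool
    impact_usd: float        # estimated business loss if this asset is compromised
    findings: frozenset      # attack vectors currently observed on the asset


def element_risk(asset, vector):
    """Expected annual loss (USD) for one cell of the asset x vector matrix."""
    if vector not in asset.findings:
        return 0.0
    exposure = EXPOSURE_MULTIPLIER[asset.internet_facing]
    return round(VECTOR_LIKELIHOOD[vector] * exposure * asset.impact_usd, 2)


def enumerate_surface(assets):
    """Step 1: walk every (asset, vector) pair and keep the cells that carry risk."""
    surface = {}
    for asset, vector in product(assets, VECTOR_LIKELIHOOD):
        risk = element_risk(asset, vector)
        if risk > 0:
            surface[(asset.name, vector)] = risk
    return surface


def prioritize(surface):
    """Step 2: rank attack surface elements by risk, highest first."""
    return sorted(surface.items(), key=lambda item: item[1], reverse=True)


def total_risk(surface):
    return round(sum(surface.values()), 2)


def decommission(assets, name):
    """Step 3: remove an asset you do not need; its whole row of the matrix disappears."""
    return [a for a in assets if a.name != name]


def remediate(assets, name, vector):
    """Steps 4-7: fix one finding on one asset (patch, harden a config, add MFA, ...)."""
    return [replace(a, findings=a.findings - {vector}) if a.name == name else a
            for a in assets]


# Constructed sample inventory.
INVENTORY = [
    Asset("web-portal", "server", True, 500_000,
          frozenset({"unpatched_software", "misconfiguration"})),
    Asset("legacy-ftp", "server", True, 50_000,
          frozenset({"weak_password", "unpatched_software"})),
    Asset("hr-db", "server", False, 2_000_000,
          frozenset({"unpatched_software", "missing_mfa"})),
    Asset("sales-laptop-17", "laptop", False, 20_000,
          frozenset({"phishing", "weak_password"})),
]


def run_one_cycle(assets, unused=()):
    """One pass of the loop: enumerate, prioritize, fix the top cell, drop unused
    assets, then re-enumerate. Returns (assets, risk before, residual risk after)."""
    before = enumerate_surface(assets)
    (top_asset, top_vector), _ = prioritize(before)[0]
    assets = remediate(assets, top_asset, top_vector)
    for name in unused:
        assets = decommission(assets, name)
    after = enumerate_surface(assets)
    return assets, total_risk(before), total_risk(after)


if __name__ == "__main__":
    for (name, vector), risk in prioritize(enumerate_surface(INVENTORY)):
        print(f"{name:16} {vector:20} ${risk:>12,.2f}")
    _, before, after = run_one_cycle(INVENTORY, unused=("legacy-ftp",))
    print(f"residual risk after one cycle: ${after:,.2f} (was ${before:,.2f})")
```

Running the script prints the ranked cells and the residual risk after one cycle (remediating the top cell and decommissioning the unused FTP server). The structural point is that a single finding on a high-impact internal asset can outrank several findings on a low-impact Internet-facing one, which is why step 2 needs business impact and exposure, not just vulnerability counts.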

5. Automate your attack surface management

Perhaps the most important aspect of attack surface management is the need to automate. The rate at which new vulnerabilities and threats are discovered, manifesting as cyber risk across tens or even hundreds of thousands of assets, is not something we can expect cybersecurity teams to keep up with by hand. Manual processes for discovering, evaluating, dispatching and mitigating vulnerabilities and security issues simply do not work in 2022. We need maximal automation for all of these.

Cybersecurity Posture Automation

How do you analyze your attack surface?

Cyber attacks are becoming increasingly sophisticated. Adversaries are constantly scanning networks and systems for vulnerabilities that they can exploit to gain unauthorized access to an organization’s network. As pointed out in Verizon’s Data Breach Investigations Report 2022, “the attackers have a sort of opportunistic attack sales funnel. They start with scanning for IPs and open ports. Then they move to crawling for specific services. They then move on to testing for specific Common Vulnerabilities and Exposures (CVE). Finally, they try Remote Code Execution (RCE) to gain access to the system.”

To protect against such threats, organizations must be able to identify and analyze their cyber-attack surface – the full range of assets, systems, and processes that could be targeted by an attacker. By understanding their attack surface, organizations can proactively identify and address vulnerabilities before they can be exploited by malicious actors and implement effective security measures to safeguard against cyber threats.

How does one analyze the attack surface and build a solid foundation to cybersecurity strategy?

This is where Cyber Asset Attack Surface Management (CAASM) helps. Cyber asset attack surface management (CAASM) is an emerging technology area focused on enabling security teams to overcome asset visibility and exposure challenges. It enables organizations to see all the assets (internal and external), primarily through API integrations with existing tools, query aggregated data, identify the scope of vulnerabilities and gaps in security controls, and remediate issues.

A CAASM solution provides organizations with a real-time, up-to-date view of their assets and clearly lays out the attack surface. It enables security teams to improve basic security hygiene by ensuring that security controls, security posture, and asset exposure are understood and gaps are remediated. Organizations that deploy a CAASM solution reduce their dependence on homegrown systems and manual data collection and aggregation processes, and remediate gaps either manually or via maximally automated workflows. The comprehensive, near-real-time asset inventory visibility enabled by a suitable CAASM solution is itself an important component of your cybersecurity control framework.

Example of how a CAASM solution helps analyze the attack surface.

“Balbix’s CAASM solution continuously ingests the data from your cybersecurity and IT tools, which is then aggregated, deduplicated, and correlated to provide a unified view of your environment. Security and compliance teams can easily search and manage the entire inventory of assets and create custom views to track metrics and prioritize and remediate issues.

With Balbix, you can monitor your security controls coverage, break down your inventory by asset type (example screenshot below), get visibility into your software inventory, obtain a unified inventory view across your on-premises and multi-cloud environments, and more.”

To learn more: How Balbix Ensures Your Asset Inventory is Accurate and Complete

Asset categorization based on asset type in Balbix
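
The ingest, aggregate, deduplicate and correlate flow described in this section can be illustrated with a small script. This is an added example, not Balbix’s code or a description of its internals: the three tool exports (an EDR console, a vulnerability scanner and a cloud instance list), their field names and every record are constructed. It correlates records that share a hostname or an IP address into one asset, then asks the coverage questions a unified inventory makes cheap to answer: which assets have no endpoint agent, which have never been scanned, and which are Internet-facing with open vulnerabilities.

```python
"""Toy CAASM-style aggregation: normalize asset records from several tools, deduplicate
them into one inventory by correlating shared identifiers, and report control gaps.

Added example for this article, not Balbix code. The tool exports, field names and
records are all constructed.
"""
from collections import defaultdict

# Constructed exports from three hypothetical tools. Each knows different identifiers
# and different facts about (partly) the same machines.
EDR_AGENTS = [  # endpoint agent console
    {"hostname": "WEB-PORTAL", "ip": "10.0.1.10", "agent_version": "7.2"},
    {"hostname": "sales-laptop-17", "ip": "10.0.9.41", "agent_version": "7.2"},
]
VULN_SCANNER = [  # network vulnerability scanner
    {"host": "web-portal.corp.example", "ip": "10.0.1.10", "open_cves": 3},
    {"host": "legacy-ftp.corp.example", "ip": "10.0.1.20", "open_cves": 11},
    {"host": "hr-db.corp.example", "ip": "10.0.2.5", "open_cves": 1},
]
CLOUD_INVENTORY = [  # cloud provider instance list
    {"instance_id": "i-0abc", "name": "web-portal", "private_ip": "10.0.1.10", "public": True},
    {"instance_id": "i-0def", "name": "legacy-ftp", "private_ip": "10.0.1.20", "public": True},
]


def normalize(source, record):
    """Map each tool's schema onto one shape. Hostnames are lowercased and the DNS
    suffix is dropped so 'WEB-PORTAL' and 'web-portal.corp.example' compare equal."""
    if source == "edr":
        host, ip = record["hostname"], record["ip"]
    elif source == "scanner":
        host, ip = record["host"], record["ip"]
    elif source == "cloud":
        host, ip = record["name"], record["private_ip"]
    else:
        raise ValueError(f"unknown source {source!r}")
    return {"host": host.lower().split(".")[0], "ip": ip, "source": source, "raw": record}


def correlate(records):
    """Deduplicate with union-find: records that share a hostname or an IP address
    (transitively) collapse into a single asset."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for r in records:
        parent[find(("host", r["host"]))] = find(("ip", r["ip"]))

    groups = defaultdict(list)
    for r in records:
        groups[find(("host", r["host"]))].append(r)

    assets = []
    for recs in groups.values():
        assets.append({
            "host": min(r["host"] for r in recs),  # canonical name if they differ
            "ips": sorted({r["ip"] for r in recs}),
            "seen_by": sorted({r["source"] for r in recs}),
            "open_cves": sum(r["raw"].get("open_cves", 0) for r in recs),
            "public": any(r["raw"].get("public", False) for r in recs),
        })
    return sorted(assets, key=lambda a: a["host"])


def build_inventory():
    """Ingest every tool export, normalize, then correlate into one asset list."""
    records = [normalize("edr", r) for r in EDR_AGENTS]
    records += [normalize("scanner", r) for r in VULN_SCANNER]
    records += [normalize("cloud", r) for r in CLOUD_INVENTORY]
    return correlate(records)


def coverage_gaps(assets):
    """Control-coverage questions that a unified inventory makes cheap to answer."""
    return {
        "no_edr_agent": [a["host"] for a in assets if "edr" not in a["seen_by"]],
        "never_scanned": [a["host"] for a in assets if "scanner" not in a["seen_by"]],
        "public_with_cves": [a["host"] for a in assets if a["public"] and a["open_cves"] > 0],
    }


if __name__ == "__main__":
    inventory = build_inventory()
    print(f"{len(EDR_AGENTS) + len(VULN_SCANNER) + len(CLOUD_INVENTORY)} records -> "
          f"{len(inventory)} assets")
    for asset in inventory:
        print(asset)
    for gap, hosts in coverage_gaps(inventory).items():
        print(f"{gap}: {hosts}")
```

Seven records from three tools collapse into four assets. The gaps the script reports are exactly the kind of finding that no single tool can produce on its own: the scanner knows about hr-db but the EDR console does not, the EDR console knows about the laptop but the scanner has never touched it, and the cloud inventory is what marks legacy-ftp and web-portal as Internet-facing.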

Key takeaways

Many of today’s data breaches and hacks are caused by basic security lapses rather than highly sophisticated exploits. Starting with good cyber hygiene practices and precautions, users and organizations can keep sensitive data organized, safe, and secure from theft and outside attacks.

Reducing your attack surface starts with understanding your exposure. Having a comprehensive and automated program for discovering, monitoring, and managing your attack surface helps you avoid the most common cybersecurity risks facing organizations today.

Ideally, you will have real-time visibility across your entire risk landscape, systems in place that can spot and stop attacks in their tracks, and processes that enable prioritization so that serious cyber risk issues are eliminated or sharply mitigated quickly.

Other Attack Surface Related Topics

Related topics that might be of interest to you are attack vectors vs. attack surface, vulnerability management, asset discovery/inventory and cyber risk quantification.

Frequently Asked Questions About Attack Surface

What is attack surface?

Your attack surface is the sum of all of the points on your enterprise network where an attacker can attempt to gain unauthorized access to your information systems. Basically, this represents the number of different ways/techniques that an adversary can use to gain unauthorized access to your company’s data (via any of your assets). It includes all vulnerabilities or security issues at any of your endpoints that can be exploited to carry out a security attack. Your enterprise attack surface also includes your users and the various permutations and combinations of ways in which they can be tricked by an attacker to result in a breach of your enterprise.

If you consider a graph where the x-axis lists all of the devices and apps on your network (infrastructure, apps, endpoints, IoT, etc.) and the y-axis lists the different breach methods such as weak and default passwords, reused passwords, phishing, social engineering, unpatched software, misconfigurations, etc. – the plot is your attack surface.

What are the types of attack surface?

There are many ways to classify and categorize the enterprise attack surface.

  1. By Type. The three types are Digital Attack Surface (your software), Social Engineering Attack Surface (your users) and Physical Attack Surface (your physical computers/devices). The first two types are more relevant in cybersecurity while the third takes us into the realm of physical security.
  2. By Exposure. External Attack Surface (the attack surface elements that are exposed to the Internet, e.g., public web servers) and Internal Attack Surface (the assets you have placed behind your corporate firewalls that are not externally facing, e.g., internal servers). Your External Attack Surface can be directly targeted by attackers, while your Internal Attack Surface is leveraged by attackers to move around (“lateral movement”) within your enterprise network after they have established an initial beachhead.
  3. By Attack Vector. Some people like to classify their attack surface by attack vectors. In 2022, some of the most commonly used attack vectors are:
    • Compromised or Stolen Credentials
    • Weak Credentials
    • Software vulnerabilities aka CVEs
    • Missing or Poor Encryption
    • Missing or Poor Authentication
    • Misconfigurations
    • Phishing
    • Malicious Insider
    • Trust Relationships
    • Denial-of-Service

The table below summarizes the various classifications.

How do you limit your attack surface?

Limiting, reducing or shrinking your attack surface involves an iterative and continuous process with the following steps:

  1. Enumerate your attack surface (asset discovery, vulnerability assessments, penetration testing)
  2. Prioritize attack surface elements by risk (cyber risk quantification)
  3. Implement rigorous vulnerability management (patching) practices for Internet-facing assets (servers, infrastructure assets and end-user devices)
  4. Implement strong access control (e.g., multi-factor authentication) and protective controls (e.g., web-application firewalls) for Internet facing servers and infrastructure assets.
  5. Implement strong protection for all end-user computing devices (e.g., browser security and EDR)
  6. Review configurations of all Internet-facing assets to minimize complexity of software exposed. Turn off features and services you don’t need.
  7. Repeat the preceding steps continuously.
  8. Also perform these steps for non-Internet-facing assets.
  9. Deploy network segmentation and/or zero trust throughout your network to limit the impact of attacks that might compromise a small number of your assets.

What are attack surface examples?

The elements that comprise your cybersecurity attack surface are essentially all the software (and firmware) that runs in your enterprise, including on your servers, desktops, laptops, smartphones, tablets and network infrastructure, and your applications (in a traditional data center or in the cloud). Each element can be compromised via (often hundreds of) attack vectors. Your users – employees, contractors and others – are also part of your attack surface.

How is attack vector different from attack surface?

An attack vector is how an attacker attempts to gain access, while the attack surface is where the attack is happening.
