
Two often confused terms in the infosec world are Attack Vector and Attack Surface. These two interrelated terms are important to understand if you want to maintain a strong cybersecurity posture.

What is your Attack Surface?

Your attack surface is the sum of all of the points on your enterprise network where an attacker can attempt to gain unauthorized access to your information systems. Basically, this represents the number of different ways/techniques that an adversary can use to gain unauthorized access to your company’s data (via any of your assets). It includes all vulnerabilities or security issues at any of your endpoints that can be exploited to carry out a security attack. Your enterprise attack surface also includes your users and the various permutations and combinations of ways in which they can be tricked by an attacker to result in a breach of your enterprise.

The amount of cyber risk is different at different parts of the attack surface, which means that different parts of your attack surface are not equally important from a business viewpoint.

Figure: The Enterprise Attack Surface

What is an Attack Vector?

Attack vectors are the specific methods that adversaries use to breach or infiltrate your network. Attack vectors take many different forms, ranging from malware and ransomware, to man-in-the-middle attacks, compromised credentials, and phishing. Some attack vectors target weaknesses in your security and overall infrastructure, others target weaknesses in the humans that have access to your network.

Some of the commonly used attack vectors are:

  1. Compromised or Stolen Credentials
  2. Weak Credentials
  3. Software vulnerabilities aka CVEs
  4. Missing or Poor Encryption
  5. Missing or Poor Authentication
  6. Misconfigurations
  7. Phishing
  8. Malicious Insider
  9. Trust Relationships
  10. Denial-of-Service

For a medium to large-sized enterprise, the attack surface can be gigantic: hundreds of thousands of assets times hundreds of attack vectors. This means that your attack surface is made up of tens of millions to hundreds of billions of elements that must be monitored continuously by your cybersecurity team – no easy feat!

The picture below is a more detailed illustration of your attack surface. The x-axis represents all your assets – everything from servers, desktops, laptops, network infrastructure such as WiFi access points, network switches and routers, to managed and unmanaged devices, IoT devices and cloud applications, and more. The y-axis represents the hundreds of attack vectors available to your adversaries, ranging from simple things like weak passwords, to more complex things like phishing, unpatched software, encryption issues, misconfiguration, etc.

Figure: Attack surface. The x-axis represents your assets and the y-axis represents attack vectors.

Attack Vectors in the Equifax Breach

Let’s take the Equifax breach of 2017 as an illustrative example of attack surfaces and attack vectors. It is likely that, when planning the breach, the adversaries looked at all externally exposed assets (the external facing portion of the Equifax attack surface) until they found a weakness. In this case, the weakness was an unpatched vulnerability in a public-facing web server. The initial attack vector targeted that vulnerability. From there, the attackers now had internal access to Equifax and a broader addressable attack surface.

The next vectors in the Equifax breach leveraged trust relationships and compromised credentials. Since Equifax hadn’t properly segmented and isolated assets on their network, the attackers were able to move laterally, eventually finding a server that stored usernames and passwords in cleartext, giving them access to even more assets. On it went, until critical data was eventually exfiltrated from the Equifax network.

Figure: Example of the multiple attack vectors used in the Equifax breach

Types of Attack Surface

There are many ways to classify and categorize the enterprise attack surface. Three of the common methods are by type, by exposure and by attack vector. The table below summarizes the various classifications.

Figure: Types of attack surface (the classifications are spelled out in the FAQ below)

Other Attack Surface Related Topics

Related topics that might be of interest to you are attack surface management, vulnerability management, asset discovery/inventory and cyber risk quantification.

Frequently Asked Questions

    What are attack surface examples?

    The elements that comprise your cybersecurity attack surface are essentially all the software (and firmware) that runs in your enterprise, including on your servers, desktops, laptops, smartphones, tablets and network infrastructure, and your applications (in a traditional data center or in the cloud). Each element can be compromised via (often hundreds of) attack vectors. Your users – employees and contractors – are also part of your attack surface.

    What are the types of attack surface?

    There are various ways to classify your attack surface.

    1. By Type. The three types are Digital Attack Surface (your software), Social Engineering Attack Surface (your users) and Physical Attack Surface (your physical computers/devices). The first two types are more relevant in cybersecurity while the third takes us into the realm of physical security.
    2. By Exposure. External Attack Surface (your attack surface elements that are exposed to the Internet, e.g., public web servers), and Internal Attack Surface (the assets you have placed behind your corporate firewalls, not external-facing, e.g., internal servers). Your External Attack Surface can be directly targeted by attackers, while Internal Attack Surfaces are leveraged by attackers to move around (“lateral movement”) within your enterprise network after they have established an initial beachhead.
    3. By Attack Vector. Some people like to classify their attack surface by attack vectors. In 2022, some of the most commonly used attack vectors are:
      • Compromised or Stolen Credentials
      • Weak Credentials
      • Software vulnerabilities aka CVEs
      • Missing or Poor Encryption
      • Missing or Poor Authentication
      • Misconfigurations
      • Phishing
      • Malicious Insider
      • Trust Relationships
      • Denial-of-Service
    What is Attack Surface Management?

    Attack surface management refers to the continuous processes required to mitigate cyber risk. It includes risk assessment tasks such as asset discovery, vulnerability assessments, penetration testing and cyber risk quantification, as well as the deployment and management of security controls and vulnerability management processes – everything that cybersecurity teams do to map and protect the attack surface. The goal of attack surface management is to mitigate cyber risk to acceptable levels by reducing the likelihood and impact of future cyber attacks.

    How do you limit your attack surface?

    Limiting, reducing/shrinking and hardening your attack surface involves an iterative and continuous process with the following steps:

    1. Enumerate your attack surface (asset discovery, vulnerability assessments, penetration testing)
    2. Prioritize attack surface elements by risk (cyber risk quantification)
    3. Remove apps and devices you don’t need.
    4. Review configurations of all Internet-facing assets to minimize complexity of software exposed. Turn off features and services you don’t need.
    5. Implement rigorous vulnerability management (patching) practices for Internet-facing assets (servers, infrastructure assets and end-user devices)
    6. Implement strong access control (e.g., multi-factor authentication) and protective controls (e.g., web-application firewalls) for Internet facing servers and infrastructure assets.
    7. Implement strong protection for all end-user computing devices (e.g., browser security and EDR)
    8. Repeat steps 1-7 continuously
    9. Also perform these steps for non-Internet-facing assets
    10. Deploy network segmentation and/or zero trust throughout your network to limit the impact of attacks that might compromise a small number of your assets
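As an added example (not Balbix's code), the assets × attack-vectors grid described above and the "prioritize by risk" step of this procedure, modelled in Python: the assets, findings, likelihood and impact scores and the internal-exposure discount are all constructed assumptions, while the vector names come from the page's list.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Asset:
    name: str
    external: bool  # True = Internet-facing (external attack surface), False = internal
    impact: float   # business impact if compromised, 0..1 (assumed scale)
@dataclass(frozen=True)
class AttackVector:
    name: str
    likelihood: float  # chance the vector succeeds where its weakness is present (assumed)
# Constructed sample inventory (x-axis) and vectors from the page's list (y-axis).
ASSETS = [
    Asset("web-01", external=True, impact=0.9),
    Asset("vpn-gw", external=True, impact=0.8),
    Asset("db-01", external=False, impact=1.0),
    Asset("laptop-42", external=False, impact=0.3),
]
VECTORS = [
    AttackVector("Software vulnerabilities aka CVEs", 0.8),
    AttackVector("Weak Credentials", 0.6),
    AttackVector("Missing or Poor Encryption", 0.5),
    AttackVector("Phishing", 0.7),
    AttackVector("Misconfigurations", 0.5),
]
# Constructed findings from step 1 (discovery/assessment): where a weakness is actually present.
FINDINGS = {
    ("web-01", "Software vulnerabilities aka CVEs"),
    ("vpn-gw", "Weak Credentials"),
    ("db-01", "Missing or Poor Encryption"),
    ("db-01", "Weak Credentials"),
    ("laptop-42", "Phishing"),
}
INTERNAL_DISCOUNT = 0.4  # assumed: internal elements are only reachable after a beachhead

def attack_surface(assets, vectors):
    """Every (asset, vector) element an adversary could try: the full grid."""
    return list(product(assets, vectors))

def element_risk(asset, vector, findings):
    """Risk of one element: 0 unless the weakness is present, else likelihood x exposure x impact."""
    if (asset.name, vector.name) not in findings:
        return 0.0
    exposure = 1.0 if asset.external else INTERNAL_DISCOUNT
    return vector.likelihood * exposure * asset.impact

def prioritize(assets, vectors, findings):
    """Step 2 (cyber risk quantification): rank live elements by risk, highest first."""
    scored = [(element_risk(a, v, findings), a.name, v.name) for a, v in attack_surface(assets, vectors)]
    return sorted((s for s in scored if s[0] > 0), reverse=True)
```

Remediating the top-ranked element (step 5 for `web-01`) and re-running `prioritize` is the "repeat continuously" loop; a real inventory would have far more rows and columns than this grid of 20.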