The term “attack surface” has been around for a while but has only recently become popularised, with the increase in cyber risk and proliferation of cyberattacks. What is an attack surface? How can you safeguard it? In this article, we look at Attack Surface Management and answer the key questions: What is an attack surface? What is Attack Surface Management, and why is it important? What steps can you take to ensure your organisation is protected?
“Attack Surface” is the term given to your entire digital presence that is potentially exposed to an attacker. It consists of thousands, possibly tens of thousands of IT assets and millions of connections. Your attack surface consists of assets on your premises, e.g., servers and internet-connected devices, and assets in the cloud or with subsidiaries and third parties, such as suppliers or distributors.
Your attack surface is probably much more extensive than you realise. In addition to the assets you are aware of (known assets), most organisations have unknown assets, or “shadow IT”. Shadow IT includes personal email accounts used for business, unauthorised devices, and third-party applications used beyond the control of the IT department. Along with known assets, these make up your attack surface.
Attack Surface Management (ASM) is the process of continually monitoring all of these assets to protect your organisation from cyberattacks. It entails finding, listing, classifying, prioritising and monitoring all the assets that handle sensitive data, everything an attacker might discover as they scan the threat landscape for vulnerabilities. It also involves managing assets that can only be accessed from within the organisation.
It is no longer sufficient to run periodic scans to test your cyber security defences. Attackers are scanning the landscape continuously, and there are many threat actors with a range of motivations. As a result, you need to manage your attack surface on an ongoing basis to reduce your risk of cyberattack and the resulting financial and reputational damage that can be done to your organisation. One of the reasons ASM is so important is because cybercriminals often enter a system via a weakness you didn’t even know about or one you forgot about.
Examples include software you have inherited from a merger or acquisition, legacy software that has been replaced but never decommissioned, or test websites that have been forgotten about. These are known as “abandoned assets”. There may also be rogue assets created by threat actors, such as malware, which has infiltrated your system, and/ or misconfigured assets, legitimate assets whose logins have not been configured correctly.
You are not powerless against the threats that lurk beyond your firewall. ASM consists of a set of logical steps that are undertaken continuously to keep your organisation safe. The five steps are:
Let’s look at each in turn.
To manage your attack surface, you need to know exactly what it looks like. The first step is discovery, identifying all internet-facing digital assets, whether owned and operated by your organisation or by third parties such as suppliers, partners, external contractors, or cloud providers. A modern ASM program uses the same technology that attackers use to ensure no asset is missed in the discovery process.
Your attack surface is growing and changing all the time, so discovery must be an ongoing, iterative activity driven by continuous testing for all potential attack vectors. Additionally, because new malware is being created all the time, and your system is constantly expanding through the addition of devices and users, continuous testing is necessary to ensure your network does not fall prey to a risk you failed to foresee or mitigate.
Not all assets carry the same level of importance or present the same amount of risk. You need to consider their purpose (do they hold customer or employee personal data, for instance?), their technical properties (IP address, type of device), asset owner, importance to business continuity, connections to other assets, and legislative/compliance requirements. Once you have determined the context of each asset, you can prioritise its level of risk and any remediation necessary.
Prioritisation is not only about assigning a risk rating to an asset but deciding how best to deploy your resources. It might be ideal for working through all your assets from high risk to low, fixing all vulnerabilities. But, in reality, it’s probably impossible to fix everything. Instead, you must prioritise the risks that present the most urgent danger to your organisation’s integrity. To do this, you must consider the business context combined with technical factors such as ease of discovery and exploitation, likely attackers’ priorities and difficulty of remediation. Only then will you arrive at a meaningful set of priorities.
Remediation is itself a complex process. There may be conflicting requirements; how do you choose which gap to plug first? It is likely that the team that understands the business context (probably security ops) is not the same as the team that understands the technical context (IT ops). Good communication between the two is vital. For example, IT ops may want to fix the most significant technical weaknesses first, while security ops are focused on the business vulnerabilities. If these two teams can build trust and understanding, you will arrive at a process that strikes the right balance for the overarching good of the business.
NEWORDER offers enterprise-wide Attack Surface Management to keep your systems safe. We will comprehensively view your assets and help you manage your cyber security risks. For more information on ASM and our full range of Information Security and Cyber Security services, contact us today for a no-obligation discussion.
