May 9, 2023 | Cyber security education
What is attack surface management (and why is it important)?
By Field Effect
The nitty-gritty details of cybersecurity defense are technical, but the overall goal is quite simple: keep out malicious actors and protect your valuable IT assets.
A critical way to achieve this and manage cyber risk is by considering all areas of exposure or vulnerability that threat actors are looking for, rather than focusing on only specific areas.
Enter attack surface management.
This article offers a primer on attack surface management by describing what an attack surface is, overviewing the key tenets of attack surface management, and more.
What is an attack surface?
Your attack surface is the entirety of all potential points of attack (such as endpoints or cloud applications), and an attack vector is the way an attacker exploits these (such as phishing or brute force attack).
It’s possible to expand this definition into different types of attack surfaces based on the kind of exploited entry point. The simplest breakdown is into two distinct types:
- Digital attack surface—this entails all the digital points of entry into your IT environment (applications, code, ports, websites, login credentials, etc). We'll focus primarily on this type.
- Physical attack surface—this is the entire physical environment containing all the devices that an unauthorized user might physically access, including workstations, server rooms, and offices.
Some sources also like to add social engineering to the mix as a third type of attack surface. Social engineering techniques can use digital or physical entry points.
Phishing, for example, is a digital attack vector that uses fake emails to dupe users into taking specific actions.
Tailgating, on the other hand, is a physical attack vector in which an unauthorized person gains access to a restricted location (such as an office premises) often by following the victim to the door and impersonating a delivery driver to get access.
Key tenets of attack surface management
Attack surface management (ASM) is a systematic approach to continuously monitor the assets that make up your IT infrastructure, identify anomalies, and remediate any attack vectors. This approach typically involves using tools or even dedicated ASM solutions to complement your organizational processes.
Managing the physical attack surface is fairly simple, with well-established strategies such as physical access controls (e.g. locks), and employee training. Because of this, we will focus on the key tenets of digital attack surface management.
The key tenets of attack surface management are:
- Asset discovery: ASM begins with the idea that you can’t protect what you don’t know about. Exploitable gaps in unknown assets easily slip under the radar. You want to discover all of your IT assets (e.g. cloud storage, web apps, SSL certificates, IP addresses, even shadow IT) to create an accurate inventory of your attack surface. Automating this process as much as possible saves a lot of time and effort.
- Classification: Classification enriches your inventory by adding useful information about each asset, including what it does, who owns the asset, how or if it interacts with sensitive data, and how important the asset is for company operations.
- Vulnerability analysis: Analyse all assets for exploitable vulnerabilities and attack vectors. These vulnerabilities include open network ports, misconfigurations, out-of-date software, unsecured databases, etc.
- Prioritization: Since not all attack vectors carry the same level of risk, ASM requires prioritization. Ideally, you'd use risk scoring to determine where to focus remediation efforts first.
- Continuous monitoring: Continuously monitor your digital assets for new threats and vulnerabilities. This is imperative due to how fast the modern attack surface changes. Employees can create new cloud instances with a few clicks, and previously secure access permissions for an app can become risky overnight.
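As an added illustration of the five tenets above (not code from the original article or from Field Effect), here is a small Python model of an external asset inventory: each asset carries its classification data, findings are derived from the weaknesses the page names (exposed ports, expired certificates, unpatched software), a risk score orders remediation, and a diff between two discovery runs stands in for continuous monitoring. The hostnames, severity weights and scoring formula are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

TODAY = date(2023, 5, 9)  # fixed "scan date" so results are reproducible

@dataclass
class Asset:
    """One externally reachable asset plus its classification data."""
    name: str
    owner: str                 # who is responsible ("unknown" is a shadow-IT hint)
    handles_pii: bool          # does it interact with sensitive data?
    criticality: int           # 1 (low) .. 3 (business-critical)
    open_ports: list[int] = field(default_factory=list)
    cert_expiry: date | None = None
    patched: bool = True

# Assumed list of services that should not face the internet (illustrative only).
RISKY_PORTS = {21: "FTP", 23: "Telnet", 445: "SMB", 3389: "RDP"}

def findings(a: Asset, today: date = TODAY) -> list[tuple[str, int]]:
    """Vulnerability analysis: (description, severity 1-3) for each weakness found."""
    out = [(f"{RISKY_PORTS[p]} port {p} exposed", 3) for p in a.open_ports if p in RISKY_PORTS]
    if a.cert_expiry is not None and a.cert_expiry < today:
        out.append(("TLS certificate expired", 2))
    if not a.patched:
        out.append(("software out of date", 2))
    return out

def risk_score(a: Asset, today: date = TODAY) -> int:
    """Prioritization: summed severity, weighted by criticality, doubled if PII is involved."""
    severity = sum(s for _, s in findings(a, today))
    return severity * a.criticality * (2 if a.handles_pii else 1)

def prioritize(inventory: list[Asset], today: date = TODAY) -> list[tuple[str, int]]:
    """Highest-risk assets first; assets with no findings are left out of the queue."""
    scored = [(a.name, risk_score(a, today)) for a in inventory]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: -s[1])

def drift(previous: list[Asset], current: list[Asset]) -> dict[str, set[str]]:
    """Continuous monitoring: assets that appeared or vanished between two discovery runs."""
    before, after = {a.name for a in previous}, {a.name for a in current}
    return {"new": after - before, "gone": before - after}

# Constructed sample inventory (hypothetical hostnames, not real systems).
INVENTORY = [
    Asset("www.example.com", "web team", False, 3, [443], date(2024, 1, 1)),
    Asset("legacy-ftp.example.com", "unknown", True, 2, [21, 443], date(2023, 1, 1), False),
    Asset("hr-portal.example.com", "HR", True, 3, [443], date(2024, 1, 1)),
]

if __name__ == "__main__":
    print(prioritize(INVENTORY), drift(INVENTORY[:2], INVENTORY))
```

Running the block ranks only the forgotten FTP host (exposed port, expired certificate, unpatched, handles PII) for remediation and reports the HR portal as a newly discovered asset when the first two entries are treated as the previous scan.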
Why external attack surface management is key
Attack surface management is considered a critical part of cybersecurity due to both technological evolution and a changing threat landscape. In particular, companies face huge challenges in managing an ever-expanding external-facing attack surface.
The external attack surface encompasses all your internet-connected assets and their associated attack vectors. The internal attack surface, however, is all the attack vectors for IT assets located inside your network environment; these systems aren’t directly accessible from the Internet.
With more IT assets than ever connected to, and reachable from, the internet, the number of possible paths into your environment keeps growing.
Since internet-connected assets pose the most risks, the field of attack surface management has narrowed down to focus mainly on external attack surface management (EASM).
A number of factors explain the importance of EASM, such as:
Expanded attack surface
From the relatively predictable IT environments of the past, companies have moved onto diverse, hybrid environments that greatly expand their attack surfaces. Research shows that 94% of large enterprises and 84% of midsize companies now run a multi-cloud IT architecture.
Add internet-of-things (IoT) devices, remote work, cloud-hosted apps, and increased third-party contractor/vendor access to the mix, and you have a vastly expanded attack surface that’s hard to control or manage without dedicated solutions.
The growth in supply chain attacks also demonstrates how attack vectors might not even stem from weaknesses in your own infrastructure, but rather from vulnerable third-party components or apps. Companies have more entry points for hackers to exploit than they can keep up with on their own.
Shadow IT growth
Shadow IT refers to the use of information technology systems, software, and services without explicit approval or oversight from your IT department. This includes using personal devices, unauthorized cloud services, or third-party applications to perform work-related tasks.
One survey found 80% of workers admitted to using SaaS apps without prior approval from IT.
One of the primary challenges with shadow IT is the limited visibility it provides to your IT department. Since IT is not aware of all the systems, software, and services in use, it becomes difficult to implement proper security measures or close off attack vectors.
As employees use a variety of unsanctioned tools and devices, it becomes more challenging to monitor and secure your entire IT ecosystem.
Plus, since shadow IT apps go unmonitored by IT teams, their setup often misses important configuration settings, such as automatic patching. Not applying the latest updates drastically increases the likelihood of software vulnerabilities that can be exploited by attackers.
Combatting human error
Human error remains a leading cause of many cybersecurity incidents. Phishing scams are becoming extremely realistic and convincing, and well-meaning employees can fall victim easily.
Data leaks are especially problematic here, too. Whether from data left unsecured in the cloud or source code leaked through code repositories like GitHub, there are countless ways for employees to mistakenly leave important data exposed and accessible to anyone who knows where to look for it online.
Also, your employees may not be as vigilant or careful when using personal assets in a remote work environment as they would corporate-issued ones.
The outside-in perspective and continuous monitoring that external attack surface management provides help you catch these human mistakes and mitigate leaks before a malicious actor gets hold of the data. It can also flag vulnerable, outdated software in use at your company that hasn’t been patched yet.
Evolving threat landscape
Two features of the threat landscape make it more important to get visibility into your attack surface and continuously monitor for new gaps and vulnerabilities that could allow outsiders in.
The first is that cybercrime has lower entry barriers than ever. The emergence of cybercrime as a service means pretty much anyone with an internet connection and the ability to do a little digging can carry out a cyberattack on your environment.
The second feature is that hackers are increasingly adept at finding and taking advantage of weak spots. EASM quickly notifies you about misconfigurations, vulnerable assets, and changes to your IT environment so that you can proactively remediate faster than hackers can get inside.
Attack surface management best practices
While dedicated solutions offer the most thorough method of managing a modern attack surface, here are some best practices to complement the use of any tool:
- Use a firewall to limit the number of open and accessible ports.
- Disable unnecessary functionality, settings, and services within operating systems and applications.
- Ensure you only send sensitive data to websites with valid and up-to-date TLS certificates.
- Carefully test and review third-party apps to ensure they are secure before approving them for use in your IT environment.
- Acknowledge and define the relationships between different IT assets to better understand your attack surface.
- Restrict the number of entry points to internet-connected systems, for example, by enforcing IP restrictions on subdomains or login consoles.
Complement ASM with Covalence
Covalence provides 24/7 monitoring of your network, endpoints, and cloud environments, enabling real-time detection and response to potential threats. This continuous monitoring provides visibility of the assets that need protecting.
Covalence combines advanced analytics and a team of cybersecurity analysts to flag vulnerabilities and weaknesses in your external attack surface. This allows you to proactively address these issues before they get exploited by constantly probing threat actors.
Proactive threat hunting provides you with security experts who use their insight and experience to search for hidden threats and identify potential attack vectors that may not be immediately apparent. See how Covalence can keep your business safe today.