Identify your attack surface and learn how to keep it safe from threats.
Vulnerability Intelligence ReportAn attack surface is, essentially, the overall vulnerability that is created by a business’ digital network over which it conducts certain operations. The network in this case is the “surface.” Threat actors attempt to penetrate this surface at any point they believe access can be gained.
According to the National Initiative of Cybersecurity Careers and Studies of the United States Government, the attack surface of an application represents the number of entry points exposed to a potential attacker of the software. The larger the attack surface, the larger the set of methods that can be used by an adversary to attack. The smaller the attack surface, the smaller the chance of an attacker finding a vulnerability and the lower the risk of a high impact exploit in the system.
Securing a business’ attack surface may seem like an exercise in futility or a game of whack-a-mole when a security organization has put one threat down only to have to address another threat somewhere else along the attack surface.
However, modern security providers have created suites of solutions and evolved them to address just this type of pervasive onslaught of suspicious activity so that an organization can effectively thwart threats en masse to help keep the business running and moving forward.
In starting to think about what an attack surface actually looks like, it helps to contextualize it in terms of individual organizations. Every organization has different goals, therefore each one's attack surface management methodologies will look different.
A digital attack surface comprises all of the web applications deployed on any device, APIs, cybersecurity programs, and anything else that can be categorized as “digital” – or non-physical – on a network. If a business contracts with supply chain partners, then their attack surface naturally extends beyond the perimeter of their specific organization.
A physical attack surface encompasses any non-digital hardware that is critical to maintaining a network. This can be an exhaustive list including servers, ports, wiring or network cables, physical endpoints like phones/laptops/smartwatches/smart headphones, and data centers.
Attacks on this type of surface require different behaviors on the part of would-be attackers as they would have to physically acquire or access these tangible assets in order to manipulate them.
As referenced above, humans primarily make up the attack surface tied to social engineering. This includes phishing attacks, honeypots, link spoofing, and piggybacking. This type of attack is designed to convince a human user on a network that what they are seeing is entirely valid.
It could be a fake email designed to get a user to click a link that installs malware on that endpoint; it could be someone piggybacking into an office, attempting to convince an actual employee they forgot their badge; or social engineering could come in the form of a text message sent to a user that appears to be from their manager or someone else in the company.
If there is an attack surface, then what exactly is an attack vector? We know that a “vector” is the means by which one thing accesses another thing. But, what does that mean in terms of cybersecurity and what distinguishes it from the surface as a whole?
An attack vector simply refers to a single pathway through which a threat actor attempts to access a network. An attack surface consists of all of the vectors along an entire network that threat actors can potentially exploit.
An attack vector is essentially the break-in point where the attacker enters a system. From there, the attacker would take a thought out attack path to their desired information or resource. Malware, for example, has three main vector types – trojan horse, virus, and worms – that leverage typical communications like email.
Individual attack vectors create small openings, but the combination of all of those entry points creates a larger vulnerability that can turn common networks into dynamic attack surfaces. If your network has become a dynamic attack surface, then it’s probably a good idea to start thinking about the security program as a whole, including extended detection and response (XDR), cloud security, and vulnerability risk management (VRM).
The humans that operate computers, systems, security, and networks can also be thought of as attack vectors when social engineering attacks like phishing scams come into play.
Identifying the pathways along your attack surface where a threat actor could strike is an exercise in creating the most critical part of a cybersecurity program – one that is dynamic, multifaceted, and continuous.
According to the Open Worldwide Application Security Project (OWASP), attack surface analysis can help to identify:
That last point aligns with the need to analyze and identify the attack surface continuously. It also requires security practitioners to know when company and security objectives have changed so they can then adjust risk profiles. What might have been considered a priority for remediation in order to shore up defenses along the attack path yesterday might fall lower on the list today.
If an attack surface encompasses the collection of points along a network that an attacker could exploit, think about how often that collection can change according to adjusted risk profiles.
Let's dive into a few best practices that can help security organizations to minimize the many vulnerabilities/vectors/break-in points threat actors are looking to exploit.
Leveraging tools like cloud risk management (CRM), extended detection and response (XDR), and now AI-driven cloud anomaly detection can accelerate a security team's attack surface reduction mission and help them eliminate threats with speed and precision.