What is an Attack Surface? 

An attack surface is, essentially, the total exposure created by the digital network over which a business conducts its operations. The network in this case is the “surface.” Threat actors attempt to penetrate this surface at any point where they believe access can be gained.

According to the National Initiative for Cybersecurity Careers and Studies of the United States Government, the attack surface of an application represents the number of entry points exposed to a potential attacker of the software. The larger the attack surface, the larger the set of methods an adversary can use to attack. The smaller the attack surface, the smaller the chance of an attacker finding a vulnerability and the lower the risk of a high-impact exploit in the system.

Securing a business’ attack surface may seem like an exercise in futility or a game of whack-a-mole, where a security organization has put one threat down only to have to address another somewhere else along the attack surface.

However, modern security providers have created suites of solutions and evolved them to address just this type of pervasive onslaught of suspicious activity so that an organization can effectively thwart threats en masse to help keep the business running and moving forward.

Attack Surface vs. Attack Vector

If there is an attack surface, then what exactly is an attack vector? We know that a “vector” is the means by which one thing accesses another thing. But, what does that mean in terms of cybersecurity and what distinguishes it from the surface as a whole?

An attack vector simply refers to a single pathway through which a threat actor attempts to access a network. An attack surface consists of all of the vectors along an entire network that threat actors can potentially exploit.

An attack vector is essentially the break-in point where the attacker enters a system. From there, the attacker follows a planned attack path to the information or resource they want. Malware, for example, has three main vector types (trojan horses, viruses, and worms) that leverage everyday communication channels like email.

Individual attack vectors create small openings, but the combination of all of those entry points creates a larger vulnerability that can turn common networks into dynamic attack surfaces. If your network has become a dynamic attack surface, then it’s probably a good idea to start thinking about the security program as a whole, including extended detection and response (XDR), cloud security, and vulnerability risk management (VRM).

The humans that operate computers, systems, security, and networks can also be thought of as attack vectors when social engineering attacks like phishing scams come into play.

Types of Attack Surfaces

In starting to think about what an attack surface actually looks like, it helps to contextualize it in terms of individual organizations. Every business has different goals, and so their attack surfaces will look different and should be secured according to each organization's unique composition. 

Digital Attack Surface

A digital attack surface comprises all of the web applications deployed on any device, APIs, cybersecurity programs, and anything else that can be categorized as “digital” – or non-physical – on a network. If a business contracts with supply chain partners, then their attack surface naturally extends beyond the perimeter of their specific organization.

Physical Attack Surface

A physical attack surface encompasses any non-digital hardware that is critical to maintaining a network. This can be an extensive list, including servers, ports, wiring or network cables, physical endpoints like phones, laptops, smartwatches and smart headphones, and data centers.

Attacks on this type of surface require different behaviors on the part of would-be attackers as they would have to physically acquire or access these tangible assets in order to manipulate them.

Social Engineering Attack Surface

As referenced above, humans primarily make up the attack surface tied to social engineering. This includes phishing attacks, honeypots, link spoofing, and piggybacking. This type of attack is designed to convince a human user on a network that what they are seeing is entirely valid.

It could be a fake email designed to get a user to click a link that installs malware on that endpoint; it could be someone piggybacking into an office by convincing a real employee that they forgot their badge; or it could be a text message sent to a user that appears to come from their manager or someone else in the company.

How to Identify Your Attack Surface

Identifying the pathways along your attack surface where a threat actor could strike is an exercise in creating the most critical part of a cybersecurity program – one that is dynamic, multifaceted, and continuous.

Attack Surface Management 

Attack surface management (ASM) is the process of maintaining visibility into an ever-changing network environment so that security teams can patch vulnerabilities and defend against emerging threats along the network.

External Attack Surface Management 

External Attack Surface Management (EASM) is the process of identifying internal business assets that are public-internet facing and monitoring for vulnerabilities, public-cloud misconfigurations, exposed credentials, or other external information and processes that could be exploited by attackers.

Cyber Asset Attack Surface Management

Cyber asset attack surface management (CAASM) provides a unified view of all cyber assets so security personnel can identify exposed assets and potential security gaps through data integration, conversion, and analytics. It is intended to be an authoritative source of asset information complete with ownership, network, and business context.

Digital Risk Protection

Digital risk protection (DRP) is the process of safeguarding digital assets and brand reputation from external threats. DRP solutions operate on the premise that organizations can use threat actor activity to their advantage to identify attacks before they happen. DRP leverages insights derived from cyber threat intelligence (CTI) monitoring to surface actionable areas of protection.

Attack Surface Reduction Best Practices

Let's dive into a few best practices that can help security organizations to minimize the many vulnerabilities/vectors/break-in points threat actors are looking to exploit. 

  • Leverage automation: Security organizations can use automation to enforce the removal of outdated data (old passwords, former employee data, old backups, etc.) and to apply identity and access management (IAM) policies, measures that by themselves keep out a significant share of would-be threat actors. Automated vulnerability scanning also helps to reduce weak points, and thus the attack surface.
  • Educate employees: Employees are often the weakest link in the security chain. There’s no replacement for training a team on how attackers use digital footprints to steal credentials in attempts to breach an attack surface; for example, it’s important not to reuse personally identifiable information (PII) or publicly accessible information in credentials. It also helps to identify key employees who have access to the most sensitive systems and invest the time to educate them on further protecting those critical systems.
  • Understand the digital attack surface: To know where weak points lie, security organizations should understand their complete digital footprint and look at it as an attacker would. It is, of course, critical to take an exhaustive look internally at digital assets and how they tie together and affect each other on the backend. But, with basic internet search techniques, organizations can also start to map and quickly understand their internet presence like a non-employee or attacker would.
  • Institute continuous threat exposure management (CTEM): CTEM is a framework that focuses primarily on surfacing and helping security teams remediate the ongoing and/or immediate threats that matter most to their specific businesses. This framework can include attack simulation so that the security organization can prioritize threats according to their severity.
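An added example, not part of the original article and not Rapid7's own tooling, that turns three ideas above into a small report over an asset inventory: the entry-point definition of attack surface size, the CAASM requirement that every asset carry an accountable owner, and the "leverage automation" practice of retiring outdated data. The inventory, hostnames, owners and dates are all constructed; the 180-day idle window is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# A CAASM-style asset record: ownership and network context plus the asset's
# exposed entry points (listening services). Every value below is constructed.
@dataclass(frozen=True)
class Asset:
    name: str
    owner: Optional[str]     # None = no accountable owner on record
    internet_facing: bool    # True = part of the external attack surface
    entry_points: tuple      # listening services, e.g. ("tcp/443",)
    last_used: date          # last observed login or traffic

# Constructed sample inventory (hypothetical hostnames, owners and dates).
INVENTORY = (
    Asset("web-portal", "app-team", True,  ("tcp/443",),           date(2024, 5, 1)),
    Asset("legacy-ftp", None,       True,  ("tcp/21", "tcp/22"),   date(2023, 10, 2)),
    Asset("hr-db",      "hr-it",    False, ("tcp/5432",),          date(2024, 5, 2)),
    Asset("old-backup", "ops",      False, ("tcp/445", "tcp/139"), date(2023, 8, 15)),
    Asset("dev-api",    None,       True,  ("tcp/8080", "tcp/22"), date(2024, 4, 20)),
)
TODAY = date(2024, 5, 3)  # fixed "current date" so the sample is reproducible

def entry_point_count(assets, external_only=False):
    """Attack surface size as the article defines it: the number of exposed entry points."""
    return sum(len(a.entry_points) for a in assets
               if a.internet_facing or not external_only)

def unowned_external(assets):
    """Internet-facing assets with no accountable owner: the CAASM visibility gap."""
    return sorted(a.name for a in assets if a.internet_facing and a.owner is None)

def stale_assets(assets, today, max_idle_days=180):
    """Assets idle beyond the policy window: candidates for automated retirement."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a.name for a in assets if a.last_used < cutoff)

def reduction_report(assets, today, max_idle_days=180):
    """Before/after view of how retiring stale assets shrinks the attack surface."""
    stale = set(stale_assets(assets, today, max_idle_days))
    remaining = [a for a in assets if a.name not in stale]
    return {
        "entry_points_total": entry_point_count(assets),
        "entry_points_external": entry_point_count(assets, external_only=True),
        "unowned_external": unowned_external(assets),
        "stale": sorted(stale),
        "entry_points_after_cleanup": entry_point_count(remaining),
        "external_after_cleanup": entry_point_count(remaining, external_only=True),
    }
```

Calling reduction_report(INVENTORY, TODAY) on the sample shows the external surface dropping from 5 entry points to 3 once the two idle assets are retired, and flags the two internet-facing assets that nobody owns.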

Leveraging tools like cloud risk management (CRM), extended detection and response (XDR), and now AI-driven cloud anomaly detection can accelerate a security team's attack surface reduction mission and help them eliminate threats with speed and precision.

Read More About Attack Surface Security 

Blog: Cyber Asset Attack Surface Management 101

Attack Surface Security: Latest Rapid7 Blog Posts