Does your organization understand its attack surface? Gartner, Inc., a technological research and consulting firm, recently published the top trends in Cybersecurity for 2022, with attack surface expansion coming in at number one. Changes in the way we work combined with greater use of public cloud, highly connected supply chains, and use of cyber-physical systems have uncovered new and challenging attack surfaces.
An internet presence means your organization is connected with everyone else, including those that want to inflict harm. In simple terms, an attack surface represents all the gaps in your security controls that could be exploited or avoided by an attacker.
Terminology
Before discussing the types of attack surfaces, the risks, and mitigations, it is important to understand some terminology:
| Term |
Definition |
| Attack Surface |
- As defined by the National Institute of Standards and Technology (NIST): “The set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment”
- Comprised of all the digital assets that could be compromised by remote or local threat actors
|
| Attack Path |
- The identification of one or more vulnerabilities that attackers can exploit to gain access to specific assets and move between them in a network, thus, forming an exploitable path between the assets
- Present in essentially all networks within an organization
|
| Attack Vector |
- A pathway or method used by a hacker to illegally access a network or computer in an attempt to exploit system vulnerabilities
- Hackers use numerous attack vectors to launch attacks that take advantage of system weaknesses, cause a data breach, or steal login credentials
- Common attack vectors include malware, viruses, email attachments, web pages, pop-ups, instant messages, text messages, social engineering, and third-party attacks
|
| Choke Point |
- Key intersections through which most attack paths must traverse to reach the critical assets
- Represent the most significant risk to the critical assets and the rest of the environment
- The greater the number of attack paths of an asset’s involvement, the more the asset is a choke point
|
| Critical Asset |
- People, processes, or technology in an organization that has possible value to an attacker or the organization
|
Note that the term attack surface is often confused with the term attack vector, but they are not the same. The surface is what is being attacked; the vector is the means by which an intruder gains access.
Types of Attack Surfaces
There are three main types of attack surfaces:
- Digital:
- Everything that lives outside of the firewall that is accessible through the Internet
- Comprised of laptops and PCs, IoT endpoints, mobile/web apps and websites, remote desktop protocol (RDP) endpoints, virtual private networks (VPNs), servers, cloud services, supply chain infrastructure and services, operational technology (OT), shadow IT, swipe bards and biometric access control systems to avoid tailgating and other elements which are often exposed to remote threat actors
- Attacks target these via various tools and techniques – from phishing to vulnerability exploitation. Once inside networks, criminals may move laterally to other parts of the attack surface
- Physical:
- Typically exploited by insider threats such as rogue employees, social engineering ploys, untrusted or BYOD devices on secure networks, or simply intruders posing as service workers
- Comprised of all endpoint devices that an attacker can gain physical access to, such as desktop computers, hard drives, laptops, mobile phones, and universal serial bus (USB) drives, carelessly discarded hardware that contains user data and login credentials, users writing passwords on paper, and physical break-ins
- Social Engineering:
- Exploits human psychology and susceptibility to manipulate victims into divulging confidential information and sensitive data or performing an action that breaks usual security standards
It is often easier for cybercriminals to break into your organization by exploiting poor cybersecurity than through physical means. Beyond your digital attack surface, additional risks occur when an attacker gets physical access to your office or a device. If the bad actor has physical access, it does not matter whether the device is connected to the internet or not. With that said, the most common way people gain physical access is through people.
Risks To Your Attack Surface
Attackers typically must go through a series of steps to steal assets. They often breach defenses, move laterally, escalate privileges, evade detection, then exfiltrate data. When an attacker gains physical access to a device, they may be able to:
- Map out all the networked devices, ports, and services the device has or is connected to
- Inspect source code open on or running on the device
- Check for databases containing sensitive information
- Install malicious software designed to infect the operating system. This is particularly considerable risk if other connected devices have vulnerabilities
- Use privilege escalation to gain unauthorized access to privileged areas or devices
The visibility challenges of the attack surface continue to grow as threat actors employ a range of tactics, techniques, and procedures (TTPs) to target various corporate attack surface components. To do so, hackers exploit hidden connections between misconfigurations, vulnerabilities, credentials, and user activities throughout the network. These connections produce an attack path, which attackers use to move laterally throughout the network and between on-prem and cloud assets until they reach the intended assets.
Attack Surface Reduction
There is a truism in cybersecurity that we have all heard: you cannot protect what you cannot see. Therefore, obtaining visibility into the assets of the various attack surfaces is a vital first step to mitigating the risk of serious compromise.
By understanding your network through the attacker’s view, you can see all existing attack paths to your critical assets, identify the choke points where multiple attack paths converge, and implement action to reduce the risk of cyberattacks succeeding. Visualization begins with identifying and mapping the attack surface. This involves identifying potential weaknesses, assessing vulnerabilities, and determining user roles and privilege levels. Organizations can assess potential vulnerabilities by identifying the people, processes, and technology that comprise their attack surface.
There are many best practices and/or regulations that can help guide organizations in improving their cybersecurity posture. At a minimum, however, organizations should consider the following to protect their attack surfaces:
- Implement security awareness training since it is the first line of defense in what is frequently the weakest link in otherwise secure organizations
- Map and prioritize the choke points that attackers move through when launching attacks. Prioritization of choke points is calculated by the number of paths that traverse through a single choke point, the complexity of reaching the choke point, and the extent to which it puts the critical assets at risk
- Allocate the resources needed to prioritize and fix issues at individual choke points throughout the network to help lower the number of attack paths
- Prevent, detect, and respond to threats across critical assets
- Protect the physical attack surface through access control and surveillance around their physical locations
- Implement and test disaster recovery procedures and policies
- Implement patch management – cyber criminals actively search for potential vulnerabilities in operating systems, servers, and software that have yet to be discovered or patched by organizations. This gives them an open door into organizations’ networks and resources
- Conduct regular network scans to spot potential issues quickly
- Limit access to sensitive data and resources both internally and externally
- Close unnecessary ports – although open ports are not necessarily dangerous, they can be if the service listening on the port is misconfigured, unpatched, vulnerable to exploits, or has poor network security rules
- Monitor third-party vendors because although you may not manage the assets of your vendors, they still represent part of your attack surface
- Audit your software, network, and traffic to help detect misconfiguration, outdated software, unprotected systems, and rogue employees
Closing Thoughts
By understanding how attackers can exploit security gaps like misconfigurations and vulnerabilities in your critical assets, you can disrupt the opportunity for lateral movement across the network and pinpoint the changes required to promptly eliminate the risk of compromise. The best way to mitigate cybersecurity risks is through attack surface reduction. By securing vulnerable attack vectors and removing unnecessary access points, your security team can protect your company’s sensitive data. Want to continue the conversation surrounding your organization's attack surface? Feel free to reach out to our team of highly certified consultants for an unbiased expert opinion!
.webp?width=2169&height=526&name=Compass%20white%20blue%20transparent%202%20website%20(1).webp "Compass IT Compliance")
-1.webp?width=2169&height=620&name=Compass%20regular%20transparent%20website%20smaller%20(1)-1.webp "Compass IT Compliance")
No Comments Yet
Let us know what you think