Getting to know your attack surface

In this guide:

• What is an attack surface?
• What is attack surface management?
• Is attack surface management expensive?
• What is attack surface management software?
• What is an attack vector?

What is an attack surface?

Your organisation’s attack surface is made up of all the possible entry points that a threat actor can use to get into your systems and data. It includes all the vulnerabilities and avenues of attack that exist in your organisation’s systems, applications, networks, or its core infrastructure. An attacker can use these to compromise your data, disrupt your operations, or gain financially through other malicious activities.

These vulnerabilities are often called attack vectors.

Common attack surface categories

• Application attack surface: Applications, whether web-based or standalone, have their own attack surfaces. This includes the application code, APIs, databases, user inputs, and third-party libraries or frameworks used in the applications themselves. 

• Vulnerabilities like input validation flaws, code injection, insecure authentication mechanisms, and insecure application configurations contribute to the application attack surface.

• Network attack surface: This includes network devices, such as routers, switches, firewalls, and wireless access points, along with the associated protocols, configurations, and network infrastructure. It also encompasses network services exposed to the internet, including open ports, services, and protocols that are accessible to external entities.

• Online presence attack surface: Your organisation’s online presence can be exploited by attackers. Apart from its websites, an organisation’s online footprint includes everything from social media accounts to public-facing servers, cloud storage, and domain registrations. 

• Weak website configurations, exposed application programming interfaces (APIs), information disclosures, or poor security practices during online interactions (for example payments or video calls) can increase an attack surface.

• People attack surface: People can unintentionally contribute to the size of their organisation’s attack surface by falling prey to social engineering scams like phishing attacks, having weak passwords, or inadvertently sharing sensitive information.

• Physical attack surface: An organisation’s physical infrastructure – think data centres, server rooms, workstations, mobile devices and so on – can also be part of the attack surface. Weak physical security measures, unauthorised access to premises, and physical tampering are all cybersecurity risks.

• System attack surface: This refers to an organisation’s operating systems, servers, workstations, and endpoints. The system attack service includes vulnerabilities and weaknesses in the system configurations, unpatched software, outdated operating systems, insecure default settings, and misconfigured access controls.

If your organisation is to reduce its overall level of risk, understanding and managing your attack surface must be your first priority. Regular assessments, vulnerability management, security testing, and proactive monitoring are essential to reducing the attack surface and strengthening your security posture. This is where the use of an automated risk management system comes into its own.

What is attack surface management?

In simple terms, attack surface management (ASM) is the process of identifying, assessing, and managing your attack surface. It involves understanding your digital footprint and actively monitoring and reducing your organisation’s attack surface to minimise the risk of successful cyberattacks.

The main goals of ASM are, in general:

• Visibility: Gaining a comprehensive understanding of your attack surface by identifying and recording all of your assets, resources, and potential infrastructure vulnerabilities.

• Risk assessment: Interrogating the identified assets and vulnerabilities to assess the potential risks they pose to your organisation’s security posture. This includes evaluating how likely they are to be exploited and what the likely consequences of a successful cyber attack would be.

• Vulnerability management: Prioritising and remediating vulnerabilities to reduce the attack surface. This involves identifying the most critical vulnerabilities and implementing appropriate measures such as patching, configuration changes, or security controls to mitigate the risks.

• Continuous monitoring: The attack surface has to be kept under constant surveillance for changes, new vulnerabilities, or emerging threats. Real-time information is essential if IT security teams are to be able to maintain robust defences.

• Compliance and governance: ASM practices should be aligned with industry standards, regulations, and best practices to ensure ongoing compliance.

Effective ASM requires a combination of manual and automated techniques: 

• vulnerability scanning

• penetration testing

• threat modelling 

• asset discovery

• continuous monitoring

ASM is an essential part of operational resilience. Not only that, but it allows organisations to focus resources on addressing the most critical vulnerabilities and mitigating potential risks. For these reasons, it’s best to engage a specialist that can offer a solution that’s tailored to meet your specific requirements .

Is attack surface management expensive?

The cost of implementing and managing ASM can vary. It will depend on things like the size and complexity of your organisation’s infrastructure, the scope of what you need to achieve, and the tools or solutions you choose. Aspects to consider include:

Expertise and human resources 

ASM must be carried out by skilled cybersecurity professionals with expertise in vulnerability management, penetration testing, risk assessment, and security analysis. The cost of hiring and retaining these professionals can prove prohibitive to many organisations. Additionally, you may need to allocate resources for training employees on ASM practices and technologies. If you can outsource your ASM to a trusted provider with real people to talk to (rather than a chatbot), this could be a far more realistic and efficient option (see Third-party services).

Compliance and regulatory requirements

Your organisation could be in a regulated industry, and/or have specific compliance obligations when it comes to security and risk management. Meeting these requirements may involve additional costs for conducting audits, implementing necessary controls, and ensuring ASM aligns with compliance standards. Look for a cybersecurity partner that understands these issues and is able to monitor your attack surface accordingly.

Infrastructure and resources

ASM involves scanning and monitoring various components of an organisation's IT infrastructure, including networks, systems, applications, and cloud environments. When making your decisions, factor in the cost of setting up and maintaining the necessary infrastructure to support ASM activities, e.g. servers, network equipment, and storage.

Ongoing maintenance and updates

ASM is not a one-time activity but an ongoing process. Regular vulnerability scans, continuous monitoring, and timely updates are crucial if you’re to keep pace with the evolving threat landscape. There should be an allocated budget and resources for maintenance work, including patch management, system upgrades, and monitoring tools.

Third-party services

It’s true that outsourcing to a third-party vendor (for anything!) is an additional cost. However, when compared to the cost of building an in-house ASM team, outsourcing the ASM function can be a cost-effective way to gain instant access to specialised expertise, scalability, greater security, and efficiency.

Tools and technologies

ASM may involve the use of specialised tools and technologies for vulnerability scanning, asset discovery, threat intelligence, and risk assessment. The cost of these tools will vary. Some tools may require an upfront investment or recurring subscription fees.

The bill should not be the primary focus of your ASM implementation and management plans. It is important to consider the potential return on investment (ROI) in terms of: 

• improved security posture; 

• reduced risk exposure; and 

• potential cost savings by mitigating vulnerabilities and preventing security incidents. 

Before making any decisions, it’s a good idea to run a cost-benefit analysis, assess your specific needs, and prioritise your ASM activities based on your risk tolerance and available resources.

What is attack surface management software?

ASM software describes specialised tools or solutions that identify, monitor, and manage attack surfaces. ASM software can analyse and assess your organisation’s digital footprint, including its networks, systems, applications, and online presence, and thereby identify potential vulnerabilities (or ‘attack vectors’) and security risks.

Key features and capabilities may include:

• Asset discovery: ASM software scans and identifies all of the assets in your network, including devices, servers, applications, and cloud services. It will give you a full view of your attack surface, including all the potential entry points that could be used by threat actors.

• Attack surface monitoring: Continuous monitoring of your organisation’s attack surface for changes, such as new assets, open ports, or exposed services is only possible with the help of technology, and is vital to minimising risk exposure. 

• Integration with security ecosystem: Attack surface management tools often integrate with other security solutions, such as vulnerability management systems, security information and event management (SIEM) platforms, and patch management systems. Integration enables streamlined workflows, improved collaboration among security teams, and better overall security management.

• Reporting and analytics: ASM software generates reports and provides dashboards to visualise and communicate the security posture of an organisation's attack surface. These reports may include vulnerability summaries, risk assessments, trend analysis, and compliance metrics to assist in decision-making and reporting to stakeholders.

• Risk assessment and prioritisation: ASM software evaluates the identified vulnerabilities and their potential impact on the organisation's assets. It assigns risk scores or ratings to prioritise remediation efforts, allowing organisations to focus on addressing the most critical vulnerabilities first.

• Threat intelligence integration: Many ASM tools integrate with threat intelligence feeds and databases to provide information about emerging threats, known attack patterns, and indicators of compromise. This enables organisations to prioritise their security efforts based on the latest threat landscape.

• Vulnerability scanning: ASM software conducts automated vulnerability scans on discovered assets, identifying known security vulnerabilities and weaknesses. It may use various scanning techniques, such as port scanning, service enumeration, and vulnerability database matching, to assess the security posture of the assets.

The bottom line is that, by continuously monitoring and managing their attack surfaces, organisations can reduce their risk exposure, strengthen their security posture, and protect their critical assets from potential threats.

What is an attack vector?

An attack vector refers to the specific method or pathway that an attacker uses to exploit vulnerabilities or gain unauthorised access to a target system, network, or application. It represents the entry point or technique employed by an attacker to carry out an attack.

Attack vectors come in a wide range of forms to exploit different types of vulnerabilities or weaknesses. Examples of attack vectors include:

• Insider attacks: These are perhaps the most painful form of attack, as they involve trusted individuals inside an organisation who abuse their privileges and access. Insider threats may include data theft, data leaks, unauthorised data access, or even sabotage.

• Malware: A contraction of ‘malicious software,’ attackers make use of things like viruses, worms, trojans, ransomware and spyware as attack vectors. Malware can be delivered through infected email attachments, malicious websites, compromised software, or downloadable/removable media.

• Network-based attacks: Weaknesses in your network protocols, misconfigured network devices, or insecure wireless networks all function as attack vectors. Threat actors on the hunt for these weaknesses are often described as ‘network scanning,’ ‘network eavesdropping,’ or ‘network sniffing.’ Man-in-the-middle (MITM) and denial-of-service (DoS) attacks are often the result.

• Physical attacks: In cybersecurity terms, these will typically involve actions like stealing hardware or tampering with it, gaining unauthorised physical access to premises or systems, or compromising physical security controls.

• Social engineering: This attack vector relies on manipulating human psychology and exploiting trust to deceive individuals into revealing sensitive information, providing access credentials, or performing actions that compromise security. Think of phishing, spear phishing, whaling, pretexting, or impersonation.

• Software vulnerabilities: Vulnerabilities in software applications, operating systems, or firmware can be used by threat actors to gain access or execute malicious code. 

• Web-based attacks: Web applications and their associated vulnerabilities are common attack vectors. Cross-site scripting (XSS), SQL injection , remote code execution, and session hijacking are examples of web-based attack vectors that exploit vulnerabilities in web applications.

Understanding attack vectors is crucial if your organisation is to identify potential weaknesses, implement appropriate security measures, and develop effective defences. By assessing and mitigating specific attack vectors, you can reduce your risk exposure and improve your overall security posture.