In almost all coverage of modern breaches you’ll hear mention of the “cyberattack surface” or something similar. It’s central to understanding how attacks work and where organizations are most exposed. During the pandemic the attack surface has grown arguably further and faster than at any point in the past. And this has created its own problems. Unfortunately, organizations are increasingly unable to define the true size and complexion of their attack surface today—leaving their digital and physical assets exposed to threat actors.
Fortunately, by executing a few best practices, these same defenders can also improve their visibility of the attack surface, and with it, gain enhanced understanding of what’s necessary to minimize and manage it.
What is the corporate attack surface?
At a basic level, the attack surface can be defined as the physical and digital assets an organization holds that could be compromised to facilitate a cyber-attack. The end goal of the threat actors behind it could be anything from deploying ransomware and stealing data to conscripting machines into a botnet, downloading banking trojans or installing crypto-mining malware. The bottom line is: the bigger the attack surface, the larger the target the bad guys have to aim at.
Let’s take a look at the two main attack surface categories in more detail:
The digital attack surface
This describes all of an organization’s network-connected hardware, software and related components. These include:
Applications: Vulnerabilities in apps are commonplace, and can offer attackers a useful entry point into critical IT systems and data.
Code: A major risk now that much of it is being compiled from third-party components, which may contain malware or vulnerabilities.
Ports: Attackers are increasingly scanning for open ports and whether any services are listening on a specific port (e.g., TCP port 3389 for RDP). If those services are misconfigured or contain bugs, these can be exploited.
Servers: These could be attacked via vulnerability exploits or flooded with traffic in DDoS attacks.
Websites: Another part of the digital attack surface with multiple vectors for attack, including code flaws and misconfiguration. Successful compromise can lead to web defacement, or implanting malicious code for drive-by and other attacks (e.g., formjacking).
Certificates: Organizations frequently let these expire, allowing attackers to take advantage.
This is far from an exhaustive list. To highlight the sheer scale of the digital attack surface, consider this 2020 research into firms on the FTSE 30 list. It found:
- 324 expired certificates
- 25 certificates using the obsolete SHA-1 hashing algorithm
- 743 possible test sites exposed to the internet
- 385 insecure forms of which 28 were used for authentication
- 46 web frameworks featuring known vulnerabilities
- 80 instances of now defunct PHP 5.x
- 664 web server versions with known vulnerabilities
The physical attack surface
This comprises all endpoint devices that an attacker could “physically” access, such as:
- Desktop computers
- Hard drives
- Mobile phones/devices
- Thumb drives
There’s also a case for saying that your employees are a major party of the organization’s physical attack surface, as they can be manipulated via social engineering (phishing and its variants) in the course of a cyberattack. They’re also responsible for shadow IT, the unauthorized use of applications and devices by employees to circumvent corporate security controls. By using these unapproved—and often inadequately secured—tools for work, they could be exposing the organization to additional threats.
Is the attack surface getting bigger?
Organizations have been building out their IT and digital resources for many years. But the advent of the pandemic saw investment on a massive scale, to support remote working and maintain business operations at a time of extreme market uncertainty. It expanded the attack surface in several obvious ways:
- Remote working endpoints (e.g., laptops, desktops)
- Cloud apps and infrastructure
- IoT devices and 5G
- Use of third-party code and DevOps
- Remote working infrastructure (VPNs, RDP etc)
There’s no going back. According to experts, many businesses have now been pushed over a digital tipping point that will change their operations forever. That’s potentially bad news for the attack surfaces, as it could invite:
- Phishing attacks exploiting a lack of security awareness in employees
- Malware and vulnerability exploits targeted at servers, apps and other systems
- Stolen or brute forced passwords used for unauthorized log-ins
- Exploitation of misconfigurations (e.g., in cloud accounts)
- Stolen web certificates
…and much more. In fact, there are hundreds of attack vectors in play for threat actors, some of which are hugely popular. ESET found 71 billion compromise attempts via misconfigured RDP between January 2020 and June 2021.
How to mitigate attack surface risks
The attack surface matters fundamentally to best practice cybersecurity because understanding its size and taking steps to reduce or manage it is the first step towards proactive protection. Here are some tips:
- First, understand the size of the attack surface with asset and inventory audits, pen testing, vulnerability scanning and more.
- Reduce the size of the attack surface and associated cyber-risk where you can via:
- Risk-based patching and configuration management
- Consolidating endpoints, ditching legacy hardware
- Upgrading software and operating systems
- Segmenting networks
- Following DevSecOps best practices
- Ongoing vulnerability management
- Supply chain risk mitigation
- Data security measures (i.e., strong encryption)
- Strong identity and access management
- Zero trust approaches
- Continuous logging and monitoring of systems
- User awareness training programs
The corporate IT environment is in a constant state of flux—thanks to the widespread use of VM, containers and micro services, and the continuous arrival and departure of employees and new hardware and software. That means any attempts to manage and understand the attack surface must be undertaken with agile, intelligent tools that work from real-time data. As always, “visibility and control” should be your watchwords on this journey.