In today’s fast-paced economic landscape, organizations have little choice but to implement a growing number of digital solutions to keep up with the competition. Unfortunately, this technological innovation comes at a price as it leaves them increasingly vulnerable to a larger variety of cyber threats. As an organization’s IT infrastructure expands, so does its attack surface.
More importantly, organizations increasingly rely on cloud-based technology, open-source software, and third-party and fourth-party services. Each brings its own set of vulnerabilities or attack vectors that malicious actors can exploit. Worse still, the methods employed by bad actors grow ever more subtle and sophisticated, making it harder for organizations to detect breaches and react in good time.
Consequently, it’s no longer sufficient for organizations to perform regular security assessments on their IT infrastructure. An organization’s rapidly-expanding portfolio of digital assets and their corresponding widening attack surface requires them to monitor its infrastructure for vulnerabilities and mitigate cyber threats continuously.
This article explores the causes and consequences of a growing attack surface, how organizations can better manage their expanding IT ecosystems, and how continuous monitoring can help organizations reduce their attack surface.
What is an Attack Surface?
An attack surface refers to any area of an organization, whether physical or digital, that’s vulnerable to unauthorized access or a cyberattack. The attack surface comprises all access points through which a cybercriminal could deploy an attack vector to extract or modify sensitive data or otherwise damage the organization’s IT infrastructure.
Types of Attack Surfaces
Attack surfaces typically fall into one of three categories:
- Digital Attack Surfaces: Vulnerabilities in organizational assets accessible through the internet.
- Physical Attack Surfaces: Vulnerabilities in an organization’s hardware.
- Social engineering attack surfaces: vulnerabilities in an organization’s employees.
Here are examples of attack surfaces in each category:
Digital Attack Surfaces
- Websites, i.e., DNS Domains and Subdomains
- Web Servers
- Email servers
- Operating systems
- In-house applications
- Third and fourth-party applications and services
- Cloud storage
Physical Attack Surfaces
Social Engineering Attack Surfaces
- Phishing attacks
- Identity theft, i.e., impersonating personnel to gain access to an organization’s assets
- USB drop attacks
What is an Attack Vector?
An attack vector is a cybercriminal’s method to exploit a vulnerability, penetrate an organization’s attack surface, and carry out a cyberattack.
Common attack vectors include:
- Compromised Credentials: Weak and/or stolen usernames or passwords can be used in brute force or credential stuffing attacks.
- Phishing: Whereby attackers send messages containing links to fraudulent websites to obtain sensitive data.
- Malware: Whereby a hacker gains access to a system and installs malicious code or applications. This includes ransomware, which sees cybercriminals seize control of a device or system until the victim pays them.
- Domain and Subdomain Hijacking: Hackers take over a part of an organization’s website, intercept their traffic, and point visitors to their fraudulent site.
- Poor Encryption: Resulting in the interception of traffic and sensitive data, i.e., man-in-the-middle (MITM) attacks.
- Zero-day Attacks: Exploiting previously unknown vulnerabilities in software.
- Misconfiguration: Incorrectly configured internet-facing assets or devices are susceptible to a breach.
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks: Whereby a hacker bombards an organization’s server or website with requests, causing it to significantly slow down or crash.
So, now that we have a better idea of attack surfaces and the attack vectors cybercriminals use to breach them, what does this mean for organizations?
The Dangers of a Growing Attack Surface
As if the diversity of their attack surface wasn’t enough of a challenge, organizations also have to contend with the problem of a growing attack surface. There are several reasons for this:
- Digital Transformation: Although digitizing its processes makes an organization more efficient and productive, it also increases the size of its attack surface. Similarly, digital transformation involves the increased digitization of data, including, in many cases, Personally Identifiable Information (PII).
- Increased Use of Vendor Services: As part of their digital transformation, organizations increasingly rely on services provided and managed by third and fourth parties. This includes applications, cloud storage, and open-source software. This opens the door for more supply chain attacks, in which hackers attack the vendor services used by organizations instead of attacking the organizations directly.
Additionally, the speed and ease with which organizations can add vendor services to their IT ecosystem creates a dynamic attack surface, where assets are added and removed regularly and are harder to track.
- Speed and Scale of Development: The rapid rate that organizations develop digital solutions, and the scale of this innovation, increase the likelihood that potential vulnerabilities go unnoticed.
- Growth and Acquisitions: As an organization grows, its IT infrastructure expands – and so does its attack surface. Similarly, a merger or acquisition results in an organization inheriting another company’s infrastructure, security controls, and vulnerabilities.
What does a growing attack surface mean for an organization?
An organization’s fast-changing and dynamic attack surface exposes the limitations of conventional cybersecurity tools and assessments. More specifically, performing regular security assessments, such as Static Application System Testing (SAST) and penetration testing, is no longer sufficient for protecting an organization’s digital assets. Because they collect data at a single point in time, static testing paints an inaccurate, out-of-date picture of an organization’s cybersecurity posture.
The increased use of vendor software is one of the main reasons periodic, static testing is increasingly ineffective. Each new third or fourth-party service added to an organization’s IT ecosystem makes it more vulnerable to more supply chain attacks which are especially difficult to mitigate if an organization can’t keep up with new assets.
Research has revealed, in fact, that 32% of organizations only reassess their vendor services for cyber threats every six months – or more. Worse, a 1/3 of organizations went on to further reveal that they have no way of knowing if one of their vendors suffers a security breach. Consequently, cybercriminals can exploit weaknesses in an organization’s widening attack surface between static assessments – without timely detection.
Worse still, cyber threats, such as social engineering and dark web attacks, are more sophisticated, with some being difficult to detect and others carrying out their purpose over time. Regularly scheduled security assessments can fail to catch such threats in time, by which point the attacker has achieved their malevolent purpose and significantly compromised the organization’s IT infrastructure.
So, what can organizations do about this?
What is Continuous Monitoring?
Continuous monitoring refers to utilizing automated tools and technologies to constantly detect and assess vulnerabilities in an organization’s attack surface and, ultimately, reduce the size of the attack surface. Instead of periodically assessing the status and integrity of their digital assets, continuous monitoring gives organizations the end-to-end visibility they need to identify potential attack vectors persistently.
By providing accurate, real-time insight into an organization’s cybersecurity posture and the efficacy of its information security controls, continuous monitoring not only better secures an organization’s IT infrastructure but ensures it remains compliant with data protection and privacy regulation.
Continuous monitoring gives an organization full, up-to-date visibility over its digital assets and the changing nature of its attack surface, which allows its security teams to quickly and proactively address emerging cyber threats.
Let’s further explore how continuous monitoring can help reduce an organization’s attack surface.
Reducing an Organization's Attack Surface: How To Integrate a Continuous Monitoring Strategy
A continuous monitoring strategy provides a unified, real-time view of an organization’s digital assets and detects potential vulnerabilities. To achieve this, an organization’s continuous monitoring program must collect information from standardized metrics across its entire IT ecosystem via existing security controls and automated scanning.
Here’s a four-step process for implementing a continuous monitoring strategy:
The first stage of building a continuous monitoring plan is for the organization to identify all its digital assets. This creates an accurate overview of an organization’s attack surface and highlights ways to reduce it. This requires an organization to scan its systems, applications, DNS records, and overall architecture to discover its full inventory of assets.
From there, the organization can categorize their digital assets as follows:
- Known Assets: These are digital assets that an organization is aware of, including physical devices, websites, servers, etc.
- Unknown Assets: This encompasses discovered assets that an organization previously had no visibility over. Examples include abandoned websites and landing pages, shadow IT (systems or applications deployed without the IT department’s approval), legacy systems, and other “orphaned” IT resources.
- Vendor Assets: These include apps, services (SaaS), and infrastructure provided by third-party and fourth-party vendors.
- Rogue Assets: The parts of an organization’s infrastructure set up by hackers when exploiting attack vectors. This includes malware, malicious scripts and code, fraudulent domains and subdomains, etc.
After an organization discovers and categorizes its digital assets, the next step is to implement risk analysis and assess them for potential vulnerabilities.
Now, depending on the number of assets identified during the identification stage, this assessment can be complex and time-consuming. Typical methods include scanning application and system logs for changes and anomalies, reviewing code, and various vulnerability tests. Ethical hackers and other security experts can be especially useful in providing the latest vulnerability testing and research for vendor assets.
Having assessed their digital assets for vulnerabilities, organizations need to prioritize all potential threats and determine which poses the highest risk. This establishes where an organization should focus its attention and which parts of its attack surface it needs to reduce most.
An organization will have to determine its own criteria for assessing the severity of each vulnerability based on its processes, stored data, the nature of the threat, etc. These criteria can be vulnerability assessment standards, such as the CVSS (Common Vulnerability Scoring System), Exploit Prediction Scoring System (EPSS), and Stakeholder-Specific Vulnerability Categorization (SSVC).
Having identified and prioritized the threats to its IT infrastructure, the organization can take the necessary steps to mitigate them by reducing its attack surface and implementing continuous monitoring protocols for more efficient security assessments in the future.
The first step is for the organization to reduce its attack surface by eliminating all malicious code and unnecessary entry points and systems. This includes the following:
- Deleting all malicious code, scripts, and applications (malware), i.e., rogue assets
- Removing unused applications and hardware
- Updating and patching applications
- Reconfiguring hardware, i.e., PCs, servers, printers, etc.
- Consolidating legacy and shadow IT systems
- Reducing architectural complexity
Each of the above measures reduces the amount of code for cybercriminals to exploit, which reduces the number of potential vulnerabilities. Consequently, an organization will have a more manageable attack surface which is easier for them to maintain.
At this point, an organization is in the best position to implement continuous monitoring protocols and better secure its remaining digital assets. This requires the integration of security controls, tools, and practices that continuously assess an organization’s cybersecurity posture – instead of carrying out periodic, static assessments.
RiskXchange is an information security firm helping companies of all sizes fight the threat of a cyberattack by providing instant risk ratings for any organization across the globe.
RiskXchange’s AI-assisted platform provides 360° continuous monitoring of companies’ digital attack surface, including their entire supply chain. The data is updated every 24 hours with real-time alerts, letting organizations monitor and mitigate risks to prevent cyberattacks. Find out more about RiskXchange and get a free platform demo here.