Thwarting opportunistic attackers by reducing the public attack surface
Modern organizations have a digital tail a mile long and plenty of footprints in between. Every online resource, every connected IoT device, and every app used by any user spreads the attack surface even further. Overwhelmed, a lot of companies lose track of the loose ends. And this is an attacker’s dream.
Rather than wasting cybersecurity resources attempting to defend an unruly sprawl of corporate assets, attack surface reduction aims to clean up and remove open holes and unused devices, so your security demands shrink down to a more reasonable size.
Easier said than done, and how you do it makes all the difference.
What is attack surface management?
The attack surface, put simply, is anything on the network an attacker could take advantage of. This includes endpoints, cloud-hosted solutions, publicly accessible services, software, apps, and more.
Getting a handle on the depth and breadth of the attack surface is literally step 1 in securing your organization. What does this mean? It means knowing what’s on your network by taking a comprehensive inventory, assessing each device’s vulnerabilities, and keeping all those devices up-to-date with the latest patches. It’s Security 101, repackaged with a relatively new term we call “Attack Surface Management.” (We’ve covered this one ad nauseam in our CIS Controls missives over the years.)
It’s more than that, actually. The attack surface also extends beyond network devices: Think cloud-based SaaS application logins, O365, VPN connections, etc.
One simple example from the recent past? Log4j. This vulnerability took the cyber world by storm and directly targeted publicly exposed services running this widely used Apache logging library – these could be third-party web apps or home-grown web servers. In any case, companies are still scrambling to identify which applications were affected, and working internally or with their vendors to get these servers patched up.
Which brings us to our next point:
Networks change over time
The digital attack surface is constantly growing, and each new change represents a new layer of risk. What may have been safe last year won’t be safe 16 SaaS applications and four new vendors later – not to mention all the Shadow IT (and now Shadow APIs) that can crop up in that amount of time. To maintain consistent protection, the attack surface needs to be continuously checked.
Here are some facts to illustrate the point:
- The 2023 State of Cyber Assets Report (SCAR), released by JupiterOne, reveals a nearly 600% annual growth in vulnerable cloud attack surfaces. Interestingly, organizations also witnessed the number of security vulnerabilities rocket by 589%.
- The average SaaS portfolio now contains no less than 315 apps, per data gleaned at the end of last year, and each comes with the additional burden of managing licenses, compliance requirements, overall spending, and user requests.
- Companies now rely on thousands of APIs – an average of 15,564 to be exact – and enterprises with over 10,000 employees use upwards of 25,000, according to Noname Security’s 2022 API Security Trends Report.
Companies can run themselves ragged trying to deal with it all, especially when you’re dealing with threats reactively. A study from Trend Micro reveals that 43% of overwhelmed respondents end up walking away from the computer or turning off alerts entirely just to cope. While understandable, that can’t be a safe practice.
Attack surface management can cut those risks in half by removing or relocating susceptible services before they can cause trouble to your organization. The trick is finding them first.
Continuous Monitoring
There are various levels of attack surface management, distinguished by the level of cybersecurity maturity of the organization.
An organization with a beginning-stage program will likely do a vulnerability scan and identify all assets once yearly. While this might check a compliance box, that box will give way within a month or two (if not sooner), and the organization will likely be blind to new threats until the next scan.
A company with a more mature system will probably do this inventory once per quarter, making sure all external assets are monitored and accounted for. While better, this doesn’t cover everything that can happen within those three months, and believe us, a lot can. Each time an employee downloads a new app, each new connected device and every new digital initiative bears its own measure of new risk.
Traditional vulnerability scanning companies now offer “continuous monitoring”: basically, a constant scan of the public attack surface to ensure that new devices and vulnerabilities are identified in almost real-time.
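To make the inventory-and-monitoring idea from the sections above concrete, here is an added example (not code from the article or from Nomic) that diffs two external scan snapshots against an asset register, flagging newly exposed services, hosts nobody inventoried (shadow IT), and services a policy says must never face the internet. All hosts, ports and the policy list are constructed sample data.

```python
# Added example (not from the article): diff two external scans against the
# asset register to surface what continuous monitoring is meant to catch.
# All hosts, ports and the policy list below are constructed sample data.

ASSET_REGISTER = {"203.0.113.10", "203.0.113.20"}   # hosts IT knows about

# (host, port, service) as an external scanner might report them
BASELINE_SCAN = {
    ("203.0.113.10", 443, "https"),
    ("203.0.113.10", 22, "ssh"),
    ("203.0.113.20", 443, "https"),
}
CURRENT_SCAN = {
    ("203.0.113.10", 443, "https"),
    ("203.0.113.20", 443, "https"),
    ("203.0.113.20", 3389, "rdp"),   # newly exposed since the last scan
    ("203.0.113.30", 8080, "http"),  # host missing from the asset register
}

# Services the (hypothetical) policy says must never face the internet
NEVER_PUBLIC = {"rdp", "smb", "telnet"}


def diff_exposure(baseline, current, register):
    """Compare two scans and the asset register; return categorized findings.

    new:        services that appeared since the baseline scan
    removed:    services no longer exposed (attack surface reduction)
    unknown:    services on hosts nobody inventoried (shadow IT candidates)
    violations: currently exposed services that policy forbids
    """
    return {
        "new": current - baseline,
        "removed": baseline - current,
        "unknown": {s for s in current if s[0] not in register},
        "violations": {s for s in current if s[2] in NEVER_PUBLIC},
    }


def prioritized(findings):
    """Order findings for triage: policy violations, then unknown hosts, then new."""
    seen, out = set(), []
    for key in ("violations", "unknown", "new"):
        for svc in sorted(findings[key]):
            if svc not in seen:
                seen.add(svc)
                out.append((key, svc))
    return out


if __name__ == "__main__":
    for label, (host, port, service) in prioritized(
            diff_exposure(BASELINE_SCAN, CURRENT_SCAN, ASSET_REGISTER)):
        print(f"{label:10s} {host}:{port} ({service})")
```

Running this against the two constructed snapshots reports the RDP exposure first, then the uninventoried host, while the retired SSH service shows up under "removed" as a reduction of the public surface.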
Our Outpost and The Public Attack Surface
Our Outpost sits on the “northern”-most edge – as close to the ISP connection as possible. Positioned beyond the firewall, it not only is the first line of defense, it also has a bird’s eye vantage point of all your external assets.
Through our unique Network Cloaking methodology, managed updates of threat feeds, and monitoring of inbound exploits, the Outpost effectively hides a network’s public attack surface and gives you much-needed breathing room to patch vulnerabilities and fix misconfigurations identified by your continuous monitoring services.
Building out a truly effective attack surface management program takes time, dedication, and a commitment to consistent implementation. So, while you continue to implement the basics of asset inventory, patch management, and the reduction of your attack surface, the Outpost has your back.
Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.