In today’s digital age, organizations of all sizes and industries rely on technology to operate and grow their businesses. As a result, the attack surface of an organization—the sum total of all the ways in which an attacker could potentially access or compromise its systems—has grown exponentially.
In order to better understand your organization’s risk profile and defend its attack surface, attack surface management provides a process for your security teams to know and protect the assets, infrastructure, and personnel that threat actors may target.
In this article we:
- Define attack surfaces and attack surface management (ASM)
- Describe the six components of ASM
- Outline the role of intelligence in understanding and defending your attack surface
More to attack, more at stake
It’s no secret that organizations rely extensively on SaaS platforms and other technologies to manage their infrastructure, workflows, and personnel. Recently, the remote work movement (to say nothing of the connective glue of IoT) has further deepened this reliance on software, including native and third-party technologies, as well as hardware. As a result, this has widened organizations’ attack surfaces, providing threat actors more potential to exploit these new and exciting risk apertures.
With broader attack surfaces, organizations must continue to strengthen and expand their defenses: the more ways an organization could be attacked, the more challenges security teams must overcome in order to mitigate those risks.
Cyber threat actors locate and attack technological vulnerabilities—via information systems, networks, domains, devices, and other potentially breachable windows—and then leverage stolen data to accomplish a variety of goals, most commonly for financial gain.
What is an attack surface?
An attack surface is the complete network of an organization’s assets and infrastructure that can be leveraged by a threat actor in the event of an attack. Whether these assets are secure or not, if it’s possible for them to be exploited, they are part of your attack surface.
An organization’s attack surface can change over time depending on the tools they use and the data they have. With many organizations now working virtually, this has caused the average attack surface to grow, since more applications and programs are used and there are more assets for an attacker to attempt to access.
The assets in an attack surface can include:
- Cloud or virtual assets, including cloud servers and SaaS applications
- Physical assets, including hardware and servers
- External assets, including online services obtained from external vendors that require the storage and processing of company data or integrate with your organization’s own network.
- Shared networks, including networks shared by more than one organization, as is the case when a company is acquired or merges with another.
As devices are added to your networks, new users are introduced, and new softwares and applications are added, your attack surface grows. It is critical to continually assess what your attack surface is and make changes needed to fully secure it.
What is attack surface management?
Attack surface management is the continuous discovery, monitoring, inventory, and classification of an organization’s IT infrastructure. Ultimately, its goal is to remediate the potential attack vectors a threat actor could leverage, and constantly assess the attack surface to verify that it is being fully secured.
It differentiates itself from discovery and asset management by approaching things from the attacker’s perspective, allowing teams to gain strong awareness of all possible ways into their network and better understand the risks presented by both known assets and unknown elements that may be exploitable.
Attack surface management is meant to take into account all parts of your attack surface, from secure or insecure and known and unknown assets, to those managed by external vendors. If it’s in your network, it’s part of the attack surface and must be secured.
The components of attack surface management
Attack surface management is a process that can be broken into phases for security teams to effectively execute.
Discovery
The first step of attack surface management is to understand your attack surface and the vulnerabilities and risks that come with it. It’s critical for your organization to identify and map out all of its assets and discover unknown, rogue, or external assets to have the full picture.
Attack surface management is rooted in thinking like the attacker, which means that security teams should consider how a threat actor would approach gaining access to their system. This can help them uncover unknown or unsecured exploitable assets and improve visibility across the attack surface, giving your team a solid foundation to build the rest of its attack surface management on.
Monitoring
The attack surface is constantly evolving and growing as devices are added and removed and softwares and apps are deployed or retired. Continuous monitoring of the attack surface is required to confirm that these changes are represented in the attack surface map you initially created in the Discovery phase.
Organizations should have the tools needed to monitor and analyze assets constantly in order to prevent new vulnerabilities and identify security gaps that may arise from new components of the attack surface.
Inventory
While virtually every asset is exploitable and presents a potential attack vector, different assets pose different levels of risk. Great attack surface management programs are able to take the information from the attack surface and contextualize it, helping your teams understand the risk any particular asset has. How the asset is used, who uses it, how frequently it’s used, and how it fits into your broader network all contribute to its risk level and can help you categorize its risk severity.
Prioritization
It is expected (and intended) that as you map out your attack surface, you will find existing vulnerabilities that must be addressed. To manage this, it’s important to have a way to prioritize these newly discovered weaknesses so your teams have a strategic way to approach fixing them that helps you eliminate the biggest or most imminent risks first.
Your team should take into account how visible the vulnerability is, its history of being exploited, and how complicated it is to patch, in order to rank it among all of the others and decide what should be addressed first. Attack surface management is meant to be objective and calculated, so having pre-decided criteria for prioritization is important to keep prioritization clear.
Remediation
With the previous steps done, your team is now in a good position to begin fixing existing weaknesses and continually discover new ones. Sharing new discoveries and the status of vulnerabilities and your overall attack surface is important, since attack surface management is often a cross functional initiative and requires transparency in order to stay aligned.
The importance of attack surface management
Attack surfaces are growing, and even for small organizations, it can be a large landscape to defend. Keeping it secure is critical, and as hackers and other threat actors find new ways to analyze your attack surface and target it, proactively performing attack surface management is necessary for your organization to stay ahead.
The continuous monitoring of attack surface management is critical to counter threat actors’ constant probing into your networks, and helps your security teams stop thinking as defenders and start thinking as attackers. This lends clarity to how you prioritize existing weaknesses and helps your teams innovate new ways to discover unknown vulnerabilities.
Protect your attack surface with Flashpoint threat intelligence
Attack Surface Management relies on threat intelligence to provide organizations with a deeper understanding of the types of threats they are facing and the tactics, techniques, and procedures used by attackers. Flashpoint helps teams identify and prioritize vulnerabilities in the organization’s systems and infrastructure, allowing for more effective mitigation and risk management strategies. Sign up for a free trial to inform incident response and incident management processes, helping your security teams respond more quickly and effectively to cyber attacks.