Attack Surface Management: a framework for cyber resilience

David Thomas - ITHQ
19-Oct-2022

An attacker is looking at your network right now. What do they see? If you are thinking back to that audit you did last year, you could be dangerously exposed.

Your network is an expanding universe

An attacker’s view of your network is likely to be very different from yours. Pre-cloud, most organisations could scope their attack surface quite easily. Regular audits would reveal any vulnerabilities, which could then be patched; it was a world of mapped, static knowns. Even large networks grew manageably and were almost, if not entirely, contained behind a firewall.

Organisations now operate in a world of dynamic unknowns, brought about by advances that both drive efficiencies and introduce new risks.

Cloud computing reduces overheads, offers more financial flexibility, and enables efficient remote working and team collaboration. In minutes you can scale up, creating dedicated environments for research, development, experimentation and more.

It also means your entire network is potentially accessible via the internet, and every change made to your environment means your attack surface grows.

The multi-faceted challenge of ASM

The most important thing to understand about attack surface management (ASM) is that it is something you do, not a product you can buy.

ASM requires a combination of people, process and technology. Several new products address areas of ASM, mostly by helping to visualise network sprawl. Many of these are start-ups destined to be quickly swallowed up by established firms.

In truth, managing your attack surface is a multi-faceted challenge. There is no magic bullet. You don’t necessarily have to replace any of your existing technology. It could be a case of updating, enhancing and integrating existing investments.

Attack surface management is a framework by which you can manage your ongoing cyber resilience. It presents an up-to-date way of visualising your network, of how it grows every day or week, of how it is accessed and protected.

Visualise and prioritise to minimise risk

The focus of ASM is on minimising vulnerabilities: the one area of your environment over which you have full control. Only by getting a true view of your vulnerabilities can you minimise the risk of threats exploiting them.

General external

Misconfigurations represent the most common vulnerabilities in any organisation. Manual configuration, management and updating can leave assets and data exposed to potential attacks.

Unsecured and open APIs are also common. These machine or software identities are assets easily overlooked or forgotten. There is a lack of awareness and understanding of the exposure they present.

Outdated or unpatched software is perhaps the most obvious. Overly focusing on this area can leave other common vulnerabilities neglected.

Shadow IT. Gains in employee productivity and innovation are often prioritised over the risks of using unsanctioned and unevaluated services, systems, devices, software or applications.

Third-party supply chain risk. Visibility should extend beyond your own boundaries: gain insight into partners, suppliers and vendors, because their risk profile affects yours.

The Labour party was one of 125 victims of a ransomware attack in 2020, when fundraising and donor management software created by cloud computing provider Blackbaud was attacked.

General internal

How do you know if malicious or dangerous activity is occurring on your network?

Your firewall and annual pen test don’t tell you if the enemy has already breached the gates, or if a user is unintentionally exposing you to risk.

User behaviour monitoring should be continuous, with anomalous activity flagged. Credential management and data encryption are also areas often neglected. How do you manage passwords? How do you onboard and offboard employees? How do users move from open to restricted areas of your network?

Also often overlooked is how you prepare your teams to deal with an attack. If the worst-case scenario happened, how would it affect your daily operations? How would you recover? How long would it take? Simulated attack scenarios are critical in building cyber resilience.

Dark web

Dark web activity is malicious by intent and designed to exploit vulnerabilities, sometimes very creatively. This is where deepfakes are made, covert communications take root, and misinformation is born.

How exposed is your business on the dark web? Understanding your vulnerabilities here enriches your overall security posture. Start with a search of employee credentials: prepare yourself for some surprises.

Your realistic ASM action plan

In simple terms, ASM is all about knowledge and prioritised actions.

There are two basic rules:

  1. You can’t fix what you can’t see
  2. You can’t fix everything at once

Your first goal is to see your attack surface clearly, as an attacker sees it. Tools can show you in real time when your environment changes, when new devices log in, and whether software is outdated or vulnerable.

Once you have clarity, prioritise your remediation. Some of the simplest and most affordable steps, such as staff awareness exercises, automated patching and password management, can significantly reduce your risk profile.
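The two rules above, as an added example that is not part of the original article: compare last year's audit snapshot with what external discovery sees today, surface what is new or has drifted, and rank it for remediation. The hosts, services and score weights are constructed for illustration, not taken from any real estate or product.

```python
"""Added example (not from the article): diff last year's audit against today's
discovered inventory, then rank what changed. All data and weights are constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Asset:
    host: str
    port: int
    service: str
    internet_facing: bool
    owner: Optional[str]      # None: nobody claims it, a shadow-IT signal
    days_since_patch: int

# Constructed snapshot from "that audit you did last year".
LAST_AUDIT = [
    Asset("www.example.test", 443, "https", True, "web-team", 10),
    Asset("db01.internal", 5432, "postgres", False, "data-team", 30),
]
# Constructed view of the same estate as external discovery sees it today.
CURRENT = [
    Asset("www.example.test", 443, "https", True, "web-team", 400),  # drifted: unpatched
    Asset("db01.internal", 5432, "postgres", False, "data-team", 30),
    Asset("api-dev.example.test", 8080, "http-api", True, None, 90),  # new and unowned
    Asset("files.example.test", 445, "smb", True, "finance", 15),     # new exposure
]
# Assumption: services whose internet exposure deserves extra weight.
HIGH_EXPOSURE_SERVICES = {"smb", "rdp", "telnet", "ftp", "http-api"}

def diff_inventory(previous, current):
    """Key by (host, port) so a patch-age change is 'changed', not removed+new."""
    prev = {(a.host, a.port): a for a in previous}
    cur = {(a.host, a.port): a for a in current}
    new = [cur[k] for k in cur.keys() - prev.keys()]
    removed = [prev[k] for k in prev.keys() - cur.keys()]
    changed = [cur[k] for k in cur.keys() & prev.keys() if cur[k] != prev[k]]
    return new, removed, changed

def risk_score(asset):
    """Transparent additive score: exposure, then ownership, then patch age."""
    score = 50 * asset.internet_facing + 30 * (asset.owner is None)
    score += 10 * (asset.service in HIGH_EXPOSURE_SERVICES)
    return score + min(asset.days_since_patch // 30, 10)  # +1 per unpatched month, capped

def remediation_queue(previous, current):
    """Rule 1: see what changed. Rule 2: fix the highest risk first (stable tie-break)."""
    new, _removed, changed = diff_inventory(previous, current)
    ranked = sorted(new + changed, key=lambda a: (-risk_score(a), a.host, a.port))
    return [(a.host, a.port, risk_score(a)) for a in ranked]
```

Calling `remediation_queue(LAST_AUDIT, CURRENT)` puts the unowned, internet-facing dev API at the top, ahead of the newly exposed file share and the web server that has quietly gone a year without patching.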

Dealing with unknown unknowns

We are currently certain of two things: the attack surface is an expanding universe that is only going to get bigger, and cybercrime is always ahead of cyber defence.

Preparing for the unknown cyberthreats of the future means nailing attack surface management. Incidents will happen, and they will have an impact on your organisation. Your mission is to minimise the blast radius.

Start now.