Back in the day, networks were likened to castles: strong, impenetrable walls, with entry limited to authorized users crossing a single drawbridge (the firewall).
But today in the hybrid workplace, we need to see our networks like an average suburban house. You’ve got a front door. You’ve got a back door. There’s a garage, usually with two doors – at least one remotely operated. There might be a dog door. And windows, lots of windows – not all of which exactly close and lock hermetically. Finally, in keeping with the season, there’s probably even a chimney (nice to have for Santa, less nice if we’re talking about intruders).
All these potential entry points, and then how someone could move once inside, are attack vectors. Together, these vectors comprise your house’s attack surface. In this blog, we’ll take a deep dive into attack surface management, and share some tips from our experts about how you can mitigate attack surface risk for your house…uh, network.
What are Your Attack Vectors?
Leaving our house analogy behind, let’s take a quick look at what attack vectors actually comprise your attack surface. Think of attack vectors as potential pathways into sensitive resources – possible methods by which threat actors could gain unauthorized access to a network or computer system. How hackers accomplish this can take many forms, including:
- Ransomware or malware attacks via phishing or other social engineering
- Unpatched vulnerabilities, including zero-days for which no patch yet exists
- Misconfigured infrastructure or services
- Data exposed through a third-party service to which it has been transferred, shared, or where it is stored
- Distributed Denial of Service (DDoS) attacks
- Compromised credentials – frequently resulting from weak, reused, or leaked passwords
- Malicious insiders who intentionally leak sensitive data or credentials
- Poor encryption practices – expired TLS certificates, cleartext transfer protocols, and more
Whatever the attack vectors chosen by threat actors, each is a potential soft spot that needs to be addressed when considering how to secure your overall attack surface.
What are the attack surfaces in your environment?
An organization’s attack surface comprises the assets a hacker could exploit to gain entry to its systems. Clearly, the smaller the attack surface, the easier it is to protect. Yet even for an SME, let alone a large enterprise, the attack surface is usually huge and includes physical, digital, and human elements:
- Digital – Your digital attack surface includes all the firmware and software connecting to your organizational network: applications, code, open ports, servers, websites, social media accounts, IoT devices, and more. It also includes shadow IT: applications and services that users adopt without IT approval in order to bypass IT.
- Physical – Your physical attack surface includes any endpoint device an attacker can gain physical access to – laptop or desktop computers, hard drives, mobile phones, tablets, and USB drives. It also includes discarded hardware that still has user data and login credentials, shadow IT hardware (like unauthorized personal devices), passwords written down on paper by employees, and other assets accessible via physical break-in.
- Human – Your human attack surface is what your people do: how closely they follow your digital and physical security policies, how they respond to social engineering attempts, and more.
How to defend your attack surface?
Since defending your attack surface is key to maintaining an overall effective cybersecurity posture, here are 7 tips from our in-house experts on keeping your attack surface safe:
- Get a comprehensive view of possible attack paths
Start by building attack graphs to map your attack surface and all possible attack paths on an ongoing basis. The process should identify the exploitable attack vectors that lead to your most critical assets, prioritize the most efficient ways to reduce risk, and include an operational element so that remediation is actually deployed. Agree on this process with your IT teams.
- Start with quick wins – easy remediation of high impact issues
Instead of trying to fix everything (and often ending up fixing nothing), focus your efforts on identifying quick wins and fixing them. Quick wins are issues which pose a high risk to the organization yet are easily remediated.
For example, consider mapping all the attack paths an attacker could use to infiltrate, identifying a major “choke point” (a junction where many of those paths meet) caused by a specific vulnerability, then addressing just that vulnerability. For some vulnerabilities you won’t even need to patch; virtual patching options are frequently available. PrintNightmare (CVE-2021-1675 and CVE-2021-34527), a Windows Print Spooler vulnerability, can be mitigated by disabling the Print Spooler service on machines that don’t need it, or by blocking inbound remote printing with a simple configuration change: a quick win!
- Measure your security posture risk score and its reduction
Somewhere, sometime, a wise person said, “if you can’t measure it, you can’t manage it.” To start measuring, establish your security posture risk score. Zero in on high-risk choke points and see which critical assets are most exposed. Learn which attack techniques pose the biggest risk to your business, and track over time whether your score is trending up or down because of network changes, M&A activity, new third parties connecting to your environment, and so on. Then, instead of counting fixed issues, start measuring risk reduction.
- Focus on what matters the most
Your attack surface is dynamic, and so is the threat landscape. Focus your security efforts on risk to critical assets by considering the attack surface as a whole. This includes cloud as well as traditional desktop and server environments. Many organizations are blind to the hybrid (cloud and on-prem) attack surface and can’t see how attackers move between environments.
- Create comprehensive visibility through graph-based mapping
Implement visual mapping of all attack paths across AWS, Azure, GCP, multi-cloud, on-prem, SaaS and hybrid environments to identify the most effective remediation actions. Model the relationships between vulnerabilities, misconfigurations, user privileges, security gaps and user actions the way an attacker would chain them to reach your critical assets.
- Empower security operations to mitigate real-world threats
Provide solid, clear reasoning behind remediation recommendations to align IT ops and security teams. Sift through the noise and give IT and security teams step-by-step remediation guidance, so they fix real issues instead of just responding to yet another alert.
- Make sure your teams are working correctly with a remediation methodology in place
Prepare for the next cyberattack with a tiering model that makes sense for your organization, backed by operational models that run during business as usual, not only after an attack begins. Give the IT team the business context for each risk so it can prioritize mitigation activities.
What Can be Done?
According to XM Cyber’s research, 80% of issues lead to dead ends, i.e. they can’t actually be used to compromise the business. This means that while the attack surface is enormous, the relevant attack vectors are limited. The challenge is finding the choke points – the junctions where attack paths converge – that allow attacks to proceed. Adopting a solution that directs your limited resources to fixing issues at those choke points quickly reduces your overall attack surface risk and dramatically shrinks the number of potential attack paths.
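The choke-point reasoning above (and in tips 1, 2 and 3) is easy to try on a small attack graph. The following Python is an added example, not XM Cyber’s product or code: the environment, the issue labels on each edge, the entry points and the asset weights are all constructed. It enumerates every attack path from an entry point to a critical asset, ranks the nodes most paths pass through, lists the issues that are dead ends, and then applies one “virtual patch” (dropping the PrintNightmare edges, as disabling the spooler would) to measure how much the risk score falls. The percentages it prints are properties of this toy graph, not of the research cited above.

```python
from collections import Counter

# Constructed sample environment (not real infrastructure).  A directed edge
# (src, dst, issue) means: an attacker who controls src can reach dst by
# abusing the named vulnerability, misconfiguration or credential.
EDGES = [
    ("internet",     "vpn-gw",     "unpatched VPN appliance"),
    ("internet",     "web01",      "exposed admin panel"),
    ("phished-user", "ws-finance", "interactive user session"),
    ("phished-user", "ws-hr",      "interactive user session"),
    ("vpn-gw",       "ws-finance", "flat network, no segmentation"),
    ("web01",        "print01",    "reused local admin password"),
    ("ws-finance",   "print01",    "PrintNightmare (CVE-2021-34527)"),
    ("ws-hr",        "print01",    "PrintNightmare (CVE-2021-34527)"),
    ("print01",      "dc01",       "cached domain admin credential"),
    ("print01",      "file01",     "reused local admin password"),
    ("dc01",         "crown-db",   "domain admin"),
    ("file01",       "crown-db",   "service account in backup script"),
    # Real findings that lead nowhere critical: dead ends.
    ("web01",        "legacy-app", "default credential"),
    ("legacy-app",   "test-vm",    "shared password"),
    ("ws-hr",        "kiosk",      "open share"),
    ("kiosk",        "lobby-tv",   "telnet enabled"),
]
ENTRY_POINTS = {"internet", "phished-user"}
# Critical assets with an assumed business-impact weight.
CRITICAL_ASSETS = {"crown-db": 10, "dc01": 8}


def build_graph(edges):
    """Adjacency map: src -> list of (dst, issue)."""
    graph = {}
    for src, dst, issue in edges:
        graph.setdefault(src, []).append((dst, issue))
        graph.setdefault(dst, [])
    return graph


def attack_paths(edges, entry_points=ENTRY_POINTS, critical=CRITICAL_ASSETS):
    """All simple paths from an entry point to a critical asset (as node tuples).

    A path may continue through one critical asset to another (dc01 -> crown-db);
    both the shorter and the longer path are recorded.
    """
    graph = build_graph(edges)
    paths = []

    def walk(node, trail):
        if node in critical and len(trail) > 1:
            paths.append(tuple(trail))
        for nxt, _issue in graph[node]:
            if nxt not in trail:  # simple paths only, no cycles
                walk(nxt, trail + [nxt])

    for entry in sorted(entry_points):
        walk(entry, [entry])
    return paths


def choke_points(paths, entry_points=ENTRY_POINTS, critical=CRITICAL_ASSETS):
    """Rank intermediate nodes by how many attack paths traverse them."""
    counts = Counter()
    for path in paths:
        for node in set(path):
            if node not in entry_points and node not in critical:
                counts[node] += 1
    return counts.most_common()


def dead_end_issues(edges, paths):
    """Issues (edges) that appear on no path to a critical asset."""
    used = {(p[i], p[i + 1]) for p in paths for i in range(len(p) - 1)}
    return [(s, d, issue) for s, d, issue in edges if (s, d) not in used]


def risk_score(paths, critical=CRITICAL_ASSETS):
    """Sum, over all paths, of the weight of the asset each path ends on."""
    return sum(critical[p[-1]] for p in paths)


def mitigate(edges, issue_keyword):
    """Virtual patch: drop every edge enabled by the named issue."""
    return [e for e in edges if issue_keyword not in e[2]]


def evaluate(edges=EDGES, fix="PrintNightmare"):
    """Before/after comparison for one mitigation, as a summary dict."""
    before = attack_paths(edges)
    after = attack_paths(mitigate(edges, fix))
    top_node, top_count = choke_points(before)[0]
    return {
        "paths_before": len(before),
        "paths_after": len(after),
        "top_choke_point": top_node,
        "paths_via_top_choke_point": top_count,
        "dead_end_issues": len(dead_end_issues(edges, before)),
        "total_issues": len(edges),
        "score_before": risk_score(before),
        "score_after": risk_score(after),
    }


if __name__ == "__main__":
    summary = evaluate()
    for key, value in summary.items():
        print(f"{key:>26}: {value}")
    reduction = 1 - summary["score_after"] / summary["score_before"]
    print(f"{'risk reduction':>26}: {reduction:.0%}")
```

In this toy graph every one of the 12 attack paths crosses print01, so removing the two PrintNightmare edges (one configuration change on one host) leaves only the paths that enter print01 via the reused local admin password, cutting the weighted score from 112 to 28. Ranking issues by the paths they sit on, rather than by CVSS alone, is what turns a long finding list into a short quick-win list; swap in your own edge list exported from a scanner or identity inventory to try it on real data.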