Why Understanding Your Attack Surface is Imperative
We live in a world of constant change. Digital transformation has fundamentally changed the way we work, play, learn, shop, travel, communicate, connect, collaborate, create, consume media, earn income, and even sleep. These changes have brought about new risks, challenges, and opportunities for innovation, efficiency, and growth. As the pace of change accelerates, organizations must adapt their business models, processes, and technologies to remain competitive.
Digital transformation isn’t just about moving to the cloud, adopting new technologies, or building better apps. It’s also about protecting those investments and ensuring they’re protected from the beginning. This means taking a holistic approach to cybersecurity, including addressing the entire attack chain from end to end.
To do so, organizations need to leverage technology to improve operational efficiencies while ensuring security and compliance. But doing so requires them to rethink many aspects of their current operations — including their network architecture, application development lifecycle, data center design, and cybersecurity strategy.
Increasing Concerns and Challenges
With the rapid expansion of cloud computing, mobile devices, social networking, big data analytics, and virtualized environments such as private, public, and hybrid clouds, enterprises now face significant challenges in managing the many components of their IT infrastructure. They are forced to reevaluate their existing approaches to managing networks, servers, applications, storage systems, and endpoints. And yet, despite the growing complexity, much remains unclear about which solutions are required and how to deploy them efficiently.
In addition to the traditional concerns regarding performance, availability, scalability, reliability, and security, organizations must consider the effects of digital transformation on their physical environment. For instance, as companies move toward software-defined everything (SDX), the attack surface expands dramatically. Even a company with a robust software-defined networking (SDN) solution may not be protected from an advanced persistent threat (APT) or a targeted attack. There are many ways to classify APTs, but they share one common characteristic: they are highly targeted, stealthy, and extremely effective.
Cyber Attacks and Attackers Evolving
Today’s sophisticated attackers can exploit vulnerabilities in any aspect of the organization’s IT infrastructure, whether it’s a desktop operating system, server, router, firewall, VPN gateway, endpoint device, or cloud provider. A successful attacker could compromise an employee’s computer, gain access to sensitive corporate files, steal intellectual property, destroy critical production assets, disrupt operations, or cause catastrophic damage.
As the number of connected devices continues to grow, the sophistication of cyber attacks targeting these devices is increasing. Advanced persistent threats are often referred to as “one-stop shops” because they simultaneously aim at multiple targets. Many APTs operate continuously without ever stopping to download updates or install patches.
Defining Your Attack Surface
An attack surface comprises all the technology that exists inside an organization: computers, mobile devices, applications, networks, operating systems, browsers, network infrastructure, cloud computing platforms, email servers, databases, storage, and much more.
Attack surfaces represent the potential vulnerabilities that could allow attackers to gain unauthorized access to internal resources and data. For example, a typical company might use a combination of Microsoft Windows XP, OS X 10.7 Lion, iOS 5.0, and WebKit browser versions 4.0 – 6.0. Each of these components represents a potential point of entry for malicious code and other attacks, including viruses, spyware, Trojans, worms, exploits, denial-of-service attacks, account hijacking, theft of personally identifiable information (PII), fraudulent transactions, and countless other threats.
Defining Your Digital Footprint
A digital footprint is the collection of data about an individual or organization that exists outside that person's or entity's direct control. It includes everything from what people say about you on social media sites like Facebook and Twitter to what information about you is stored in databases.
The concept of a digital footprint is nothing new. It dates back to the early days of computing when people used to talk about “footprints” left behind by computer viruses. But today, the term is being applied to much broader concepts, including how businesses are perceived by customers, employees, partners, and even competitors.
While there are many different types of digital footprints, one thing they all have in common is that they’re growing larger every day.
Why Your Digital Footprint Matters
Your digital footprint is part of your attack surface. In addition to understanding your attack surface and attacker behavior, companies must identify where their digital footprint lies. This includes identifying the digital assets, people, processes, technologies, and policies that make up their digital presence.
Once you know where your digital footprint resides, it becomes easier to defend against malicious activity by taking steps such as:
* Identifying and managing the assets that comprise your digital footprint
* Monitoring changes to those assets
* Maintaining visibility into the status of your assets
Risks of an Unknown Attack Surface
Most organizations need to prepare for what lies beyond their network perimeter. Some may also lack visibility into what is happening inside their environment: the applications running on servers, mobile phones, laptops, and desktops; the people interacting with those systems; and the data being stored, transmitted, and processed. This exposes businesses to attacks that could compromise customer information, intellectual property, and physical safety.
Traditional approaches to security that do not include external monitoring miss a large part of the picture. Organizations that focus solely on the perimeter fail to account for the massive amount of data generated daily by employees and customers. They often overlook the fact that people communicate via email, messaging apps like Slack, and social media platforms like Facebook and Twitter. Each of these channels is a potential avenue through which attackers can reach an organization's people and potentially compromise it.
Understanding Your Attack Surface
Understanding your attack surface enables you to better protect yourself against threats from attackers, cybercriminals, disgruntled employees, or competitors. It also helps to identify any gaps in your security program that could open a door for an attacker.
A common misconception is that once an application or piece of software has been deployed, it cannot be compromised again. However, new vulnerabilities continue to be discovered after initial deployment. In addition, attackers frequently develop new techniques for exploiting known weaknesses even when no new vulnerabilities are identified. Consequently, continuously monitoring your infrastructure, including software already deployed, is critical to ensuring that patches are applied promptly, before attackers can exploit the vulnerabilities they fix.
Monitoring Your Attack Surface
Monitoring an organization's digital footprint and attack surface enables security teams to proactively identify, mitigate, and prevent threats, going beyond merely monitoring endpoints and networks. With continuous visibility into cyber threats, security teams can make better decisions about where to focus resources and take proactive steps to protect against future attacks.
Without continuous monitoring and actionable threat intelligence, organizations are vulnerable to attack. Attackers can leverage known vulnerabilities to access and steal sensitive data, and they can use unknown vulnerabilities to bypass traditional defenses and security controls and move laterally through an environment. This makes detecting and responding to attacks much harder, because there is no way to anticipate which vulnerabilities might be exploited next.
Additionally, without continuous monitoring and actionable intelligence, it becomes increasingly difficult to stop ongoing attacks once they begin. Once an attacker gains initial access to a system, it becomes difficult to determine whether they are actively exploiting a vulnerability or passively observing activity. In either case, the attacker can remain undetected while continuing to exfiltrate data.
Using Attack Surface Management to Defend Your Organization
Attack Surface Management (ASM) helps organizations assess their risk exposure and develop strategies to mitigate those risks.
ASM should start with a comprehensive inventory of all the resources and technologies used within the organization. This includes identifying all the hardware, software, and third-party vendors that provide connectivity between the organization and the outside world.
Next, it identifies each component's purpose and determines its role in the organization's operations.
Finally, it analyzes each resource’s potential vulnerabilities and determines the likelihood of exploitation. With this information, organizations can ensure that their technology investment is secure and reliable.
An effective Attack Surface Management solution includes:
* Asset Identification: Taking inventory of your assets allows you to prioritize the most valuable and business-critical ones. It can also help reduce technical complexity by flagging redundant assets, products, or solutions.
* Vulnerability Discovery: Identifying vulnerabilities in your attack surface allows you to eliminate potential attack vectors and counter emerging threats.
* Risk Assessment: Performing a risk assessment is crucial in determining how and where adversaries are likeliest to strike. A risk assessment typically goes hand in hand with vulnerability discovery.
* Technology Implementation: When implementing a new product or service, you should first assess how the implementation will impact your attack surface.
* Continuous Monitoring: Implementing a solution for continuously monitoring all assets represents a core goal of attack surface mapping, building on the foundation established by the previous steps.
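To make the loop concrete (identify the assets, monitor changes to them, keep visibility into their status, as in the three steps under "Why Your Digital Footprint Matters", and then inventory, purpose, vulnerability analysis, risk ranking, and continuous monitoring, as in the ASM components above), here is a small Python example. It is added here and is not Anomali's code or part of its product. Every host name, software name, version, version floor, and scoring weight in it is a placeholder I constructed for illustration; a real deployment would feed the version floors from a vulnerability data source rather than a hard-coded table.

```python
"""Toy attack-surface inventory: diff two scans, flag outdated software,
rank live assets by risk. Added example; all data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    """One inventory entry (asset identification)."""
    host: str            # placeholder hostname
    service: str         # protocol exposed, e.g. "https"
    port: int
    software: str        # product observed on the port (constructed names)
    version: str
    business_role: str   # what the component does for the business
    internet_facing: bool


# Constructed version floors: anything below is treated as carrying a
# known weakness (vulnerability discovery). Placeholder data only.
MIN_SAFE_VERSION: Dict[str, Tuple[int, ...]] = {
    "ExampleHTTPd": (2, 4),
    "ExampleSSHd": (8, 0),
}

# Constructed weights for the risk assessment step.
ROLE_VALUE = {"customer-data": 3, "internal-tooling": 1, "unknown": 2}


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.4' -> (2, 4); tuples compare component-wise."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(asset: Asset) -> bool:
    """True if the observed version is below the constructed safe floor."""
    floor = MIN_SAFE_VERSION.get(asset.software)
    return floor is not None and parse_version(asset.version) < floor


def risk_score(asset: Asset) -> int:
    """Combine business value, exposure, and known weakness into one number."""
    score = ROLE_VALUE.get(asset.business_role, ROLE_VALUE["unknown"])
    if asset.internet_facing:
        score += 3
    if is_outdated(asset):
        score += 4
    return score


def prioritize(inventory: List[Asset]) -> List[Asset]:
    """Highest-risk assets first, so remediation effort goes there."""
    return sorted(inventory, key=risk_score, reverse=True)


def diff_inventory(previous: List[Asset], current: List[Asset]):
    """Continuous monitoring: what appeared, vanished, or changed since last scan.
    Assets are keyed by (host, port); any field change counts as 'changed'.
    Returns (new, removed, changed); changed holds (before, after) pairs."""
    prev = {(a.host, a.port): a for a in previous}
    curr = {(a.host, a.port): a for a in current}
    new = [curr[k] for k in sorted(curr.keys() - prev.keys())]
    removed = [prev[k] for k in sorted(prev.keys() - curr.keys())]
    changed = [(prev[k], curr[k]) for k in sorted(prev.keys() & curr.keys())
               if prev[k] != curr[k]]
    return new, removed, changed


# Constructed snapshots: yesterday's baseline and today's scan results.
BASELINE = [
    Asset("web-1.example", "https", 443, "ExampleHTTPd", "2.4", "customer-data", True),
    Asset("bastion.example", "ssh", 22, "ExampleSSHd", "8.2", "internal-tooling", True),
    Asset("db-1.example", "sql", 5432, "ExampleDB", "13", "customer-data", False),
]
TODAY = [
    # Same host, but the web server now reports an older version than before.
    Asset("web-1.example", "https", 443, "ExampleHTTPd", "2.2", "customer-data", True),
    Asset("bastion.example", "ssh", 22, "ExampleSSHd", "8.2", "internal-tooling", True),
    # A host nobody documented has appeared on the internet-facing edge.
    Asset("legacy.example", "http", 8080, "ExampleHTTPd", "2.0", "unknown", True),
]


def monitoring_report(previous: List[Asset], current: List[Asset]) -> Dict[str, object]:
    """One monitoring cycle: diff against the baseline, then re-rank what is live."""
    new, removed, changed = diff_inventory(previous, current)
    ranked = prioritize(current)
    return {
        "new_hosts": [a.host for a in new],
        "removed_hosts": [a.host for a in removed],
        "changed_hosts": [after.host for _, after in changed],
        "priority_order": [a.host for a in ranked],
        "outdated_hosts": [a.host for a in ranked if is_outdated(a)],
    }


if __name__ == "__main__":
    for key, value in monitoring_report(BASELINE, TODAY).items():
        print(f"{key}: {value}")
```

The useful output is not the score itself but the three lists the diff produces: an asset that silently dropped a version, an asset that left the inventory, and an undocumented host that appeared internet-facing. Those are exactly the events the "monitor changes" and "maintain visibility" steps exist to surface, and each one is a question for the asset owner before it is a ticket for the vulnerability team.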
Managing Your Attack Surface
Because the security risks posed by an attack surface are constantly evolving, it is imperative to periodically review your attack surface and update your defenses accordingly. To manage your attack surface, you should perform the following tasks:
• Review Software Updates – Ensure that all software running on your network is up to date. Updates fix bugs and add features, but they can also introduce new, unknown risks, so software updates must be applied regularly and tracked as part of your attack surface.
• Conduct Security Audits – Perform periodic security audits to verify that your enterprise has adequate protection measures to mitigate risk. For example, you might check to see if all firewalls are properly configured and that patch levels are current.
• Create a Strategy – Once you have reviewed your attack surface and determined which areas require additional attention, devise a plan to address those needs. Develop a strategy that will enable you to assess risks, prioritize efforts, deploy solutions, track progress, and measure success.
Anomali’s Attack Surface Management Solution
Anomali’s Attack Surface Management provides a contextual inside-out and outside-in view that enables organizations to see what’s exposed, understand the who, what, and how of an attack, and gather the additional context needed to fix any vulnerabilities.
Anomali’s proprietary data provides a point in time and a historical view with insights that others can’t. This includes identifying vulnerable assets and information on how long they’ve been vulnerable and if they’ve been compromised.
Organizations can uncover vulnerabilities and continuously monitor their environment to call attention to new or emerging threats and respond quickly.
Download our datasheet or reach out to learn more.