Imagine a cybersecurity team that is working hard with the usual tools and best practices. All seems on course for protecting the enterprise attack surface. But there’s an attractive path for attackers to assets the security team doesn’t manage and may not even be aware of.
In this case, which happens to be a true story, a Fortune 500 financial services company caught a hidden exposure to ransomware before it could be exploited. Its global operations entailed more than 200 subsidiaries and almost half a million IT assets. By using new techniques to probe hidden risks across the entire extended attack surface, this company found it was vulnerable to a critical Pulse Secure VPN CVE, CVE-2019-11510, in three of its 30 VPN gateways. One gateway was in a subsidiary and two came with an acquired company. Discovery was in the nick of time!
Scenarios like this are common and often undiscovered because security controls and their operators cannot see all risks to the entire external attack surface. Let’s take a closer look at how such exposure impacts most large organizations today.
Defining The Attack Surface
The concept of an “attack surface” includes any asset an attacker can see on your network, or that has a path into it. For a large enterprise, the modern externally exposed attack surface can include thousands of segmented networks, tens or hundreds of thousands of devices, thousands of applications and dozens or hundreds of connected partners.
Talk about endless exposure! Some of these elements are not systematically addressed by typical security tools and processes. We call these omissions an area of “shadow risk.”
Shadow risk is a huge lure for attackers who seek the path of least resistance to your assets and data. The main attraction is that these targets are unlikely to have any protection from security controls — especially unknown or unmanaged assets. Let’s consider why shadow risk is a major unaddressed liability.
Security practitioners use a variety of tools and processes to map and assess risk exposure. For example, vulnerability scanners, penetration testing, threat intelligence feeds, security rating services and other measures are common — so much so that security frameworks and compliance regimes, such as the Payment Card Industry Data Security Standard (PCI DSS), specify their systematic use. Despite adherence to these requirements, we frequently read about successful exploits. Why?
I believe there are two reasons why popular tools are unhelpful in seeing the extended attack surface. The first reason is that these tools only see the targets you point them at.
Consider how you configure a legacy vulnerability scan: by entering a target range of IP addresses. That’s where the tool looks. If you want it to look somewhere else, you must tell it where to execute its processes, what to look for and when to run scans. A recent ESG study commissioned by our company offers clues on why many risks are unseen by organizations surveyed:
- 47% don’t include SaaS applications.
- 45% don’t include workloads running in the public cloud.
- 45% don’t include third parties.
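As an added illustration of the point that a scanner only sees the ranges it is given (this is example code written for this page, not from the article or any vendor tool), the following reconciles a scanner’s configured target ranges against an asset inventory merged from several sources and flags the assets no configured scan will ever reach. All ranges, hostnames and inventory sources are constructed sample data.

```python
import ipaddress
from typing import Dict, List

# Constructed sample data: the IP ranges a legacy vulnerability scanner was
# configured with, and an asset inventory merged from several sources (the
# corporate CMDB, a subsidiary's own list, due-diligence data from an
# acquisition, a cloud account export). All values are hypothetical.
SCAN_SCOPE = ["203.0.113.0/24", "198.51.100.0/26"]

ASSET_INVENTORY = [
    {"host": "vpn-gw-01.corp.example", "ip": "203.0.113.10", "source": "cmdb"},
    {"host": "vpn-gw-02.corp.example", "ip": "203.0.113.11", "source": "cmdb"},
    {"host": "vpn-gw-sub.subsidiary.example", "ip": "198.51.100.200", "source": "subsidiary-list"},
    {"host": "vpn-gw-acq.acquired.example", "ip": "192.0.2.45", "source": "acquisition-dd"},
    {"host": "api-prod.cloud.example", "ip": "192.0.2.77", "source": "cloud-export"},
]


def parse_scope(cidrs: List[str]) -> list:
    """Turn the scanner's configured target ranges into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_scope(ip: str, scope: list) -> bool:
    """True if some configured scan range contains this address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in scope)


def find_scope_gaps(cidrs: List[str], inventory: List[dict]) -> Dict[str, List[str]]:
    """Group assets that no configured scan range covers, by inventory source.

    These are the shadow assets: present in some inventory, but never reached
    by the scanner because nobody pointed it at them.
    """
    scope = parse_scope(cidrs)
    gaps: Dict[str, List[str]] = {}
    for asset in inventory:
        if not in_scope(asset["ip"], scope):
            gaps.setdefault(asset["source"], []).append(asset["host"])
    return gaps


def coverage(cidrs: List[str], inventory: List[dict]) -> float:
    """Fraction of the merged inventory that the configured scans would touch."""
    scope = parse_scope(cidrs)
    covered = sum(in_scope(a["ip"], scope) for a in inventory)
    return covered / len(inventory) if inventory else 0.0


if __name__ == "__main__":
    for source, hosts in find_scope_gaps(SCAN_SCOPE, ASSET_INVENTORY).items():
        print(f"{source}: {len(hosts)} asset(s) outside scan scope: {', '.join(hosts)}")
    print(f"inventory coverage by configured scans: {coverage(SCAN_SCOPE, ASSET_INVENTORY):.0%}")
```

With the sample data, only the two CMDB-listed gateways fall inside the configured ranges; the subsidiary, acquisition and cloud assets are the ones the scanner never reaches.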
Another reason for limited visibility is that tools are often used in “a stand-alone capacity and not holistically,” according to Gartner. For instance, a vulnerability scanner can easily spot thousands of potential vulnerabilities in a mid- to large-sized organization. However, a penetration testing team usually focuses on a tiny subset, manually creeping for hours through the “to-do” list that barely scratches the surface of potential exploits. Doing the usual run of one, two or even a handful of pen tests each year might provide low single-digit coverage of risks. The other 95% of shadow risks are very attractive to attackers.
Siloed tools are another major liability. The European Union Agency for Cybersecurity advises: “New approaches will be required during the next decade to stay away from silo analysis and move closer to a matrix-type of interconnected factors, variables and conditions.”
Discovering All Risks Automatically
The manual aspects of using many security tools and processes may be the biggest challenge to the discovery of risk on the enterprise attack surface. Attackers use automation and the economy of scale it delivers to probe the attack surface for easily exploitable risks and to execute attacks. Their offensive strategy of using automation to pursue the path of least resistance is cost-effective and efficient. A viable strategy for getting ahead of continuous threats is to think and act like an attacker.
Note that attackers are not seeking just any unprotected asset. They don’t waste time on noncritical assets. An attacker’s fastest payoff is to find and penetrate critical assets, such as payment mechanisms or production databases, because breaching them yields a faster, better payoff.
So, what does this mean for you and your security team? Your mission of protecting the attack surface requires discovering the same information sought by enemies. Unfortunately, reliance on legacy discovery techniques means organizations are often unaware of 30% or more of their assets.
For enterprise security, managing risks requires the discovery of all risks on your attack surface. My next article will explore the second principle of attack surface protection: how to assess what you’ve discovered — and know if those risks are material to your business.