{"id":246,"date":"2022-02-24T23:15:00","date_gmt":"2022-02-24T23:15:00","guid":{"rendered":"https:\/\/www.cycognito.com\/blog\/?p=246"},"modified":"2024-08-02T14:28:28","modified_gmt":"2024-08-02T21:28:28","slug":"principles-of-attack-surface-protection-part-three-prioritize-risks-that-endanger-your-business","status":"publish","type":"post","link":"https:\/\/www.cycognito.com\/blog\/principles-of-attack-surface-protection-part-three-prioritize-risks-that-endanger-your-business\/","title":{"rendered":"Principles of Attack Surface Protection: Prioritize Risks that Endanger Your Business"},"content":{"rendered":"\n<p>In recent months, billions of people have become hyperaware of the importance of prioritization. With a global pandemic affecting everyone, prioritization has determined Covid-19 vaccination eligibility and in what order people receive their vaccine. The elements of who gets vaccinated and when are complex and definitions of \u201cfair\u201d can vary. But it\u2019s the only way to address remediation of an utterly massive problem.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Prioritization is Critical for Protecting the Attack Surface<\/h2>\n\n\n\n<p>Prioritization is also critical for protecting an organization\u2019s attack surface, and even if you do everything else right yet fail to prioritize, you&#8217;ll still get breached. Hence, the third principle of attack surface protection: prioritize. A report by Enterprise Strategy Group that our company commissioned shows that, for a large enterprise, the mean number of assets in their attack surface is 100,000. 
Monitoring and protecting a giant attack surface like this is an enormous task, especially in today\u2019s world where attack surfaces keep growing, changing and getting ever more complex.<\/p>\n\n\n\n<p>As&nbsp;<a href=\"\/blog\/principles-of-attack-surface-protection-part-two-assess-all-assets-to-detect-all-risks\/\">security testing options<\/a>&nbsp;increase, the volume of discovered risks does as well, but outcomes aren&#8217;t improving. Say your team has 10,000 security gaps to close but can reasonably address 100; where should it start? How should remediation proceed? Prioritizing helps answer these questions by analytically weighing risks based on material impact to the business. Let\u2019s consider three fundamental points that will help you in this quest.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Think like an Attacker<\/h2>\n\n\n\n<p>A useful strategy for prioritization is to ask, \u201cWhat\u2019s the path of least resistance into our IT ecosystem?\u201d Attackers look for the gaps that are easily exploited and most lucrative. Consider&nbsp;<a href=\"https:\/\/www.wired.com\/story\/accellion-breach-victims-extortion\/\" target=\"_blank\" rel=\"noreferrer noopener\">Accellion&#8217;s File Transfer Appliance<\/a>&nbsp;or&nbsp;<a href=\"https:\/\/www.infosecurity-magazine.com\/news\/microsoft-exchange-server-zeroday\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Exchange zero-days<\/a>&nbsp;discovered a few months ago. In these cases, attackers built automated tools to take advantage of unpatched systems. After patches were released, attackers dramatically ramped up exploit activity to leverage lag time for patch deployment. With automation, they were able to impact or threaten tens of thousands of organizations. 
Then, the race was on at those organizations to find the risks before attackers could prioritize the most lucrative targets.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Get Context \u2013 Classify Assets by Business Importance<\/h2>\n\n\n\n<p>Understanding the business context surrounding your risks will help your team play out potential attack paths, including those involving subsidiaries, suppliers and other connected business partners. Evaluating risks through the lens of business importance and attractiveness to attackers is one of the most vital yet neglected elements in security. It lets organizations know whether there&#8217;s a legitimate threat to a material business process.<\/p>\n\n\n\n<p>Determining business purpose and public exposure of assets related to an organization entails many factors. Typically, the legacy approach is a manual process that evaluates anywhere from five to 20 data sources, consuming many hours for every single IT asset. That pace is too slow, given the size of an attack surface and an attacker\u2019s head start on finding vulnerabilities, and too expensive in terms of resources. Sophisticated attackers build robust infrastructure and automation to find vulnerabilities. To effectively defend against them, your team should leverage automation as much as possible. Look for context data in places an attacker could easily find, such as:<\/p>\n\n\n\n<p><strong><em>Device-related data&nbsp;<\/em><\/strong>like IP address data, subdomains, DNS records and company and product logos and names. This helps teams understand which organization or department owns the asset.<\/p>\n\n\n\n<p><strong><em>Public information&nbsp;<\/em><\/strong>like news stories, company websites, regulatory documents and industry databases. 
These will provide clues about business connections, subsidiaries, partner companies \u2014 even which assets are exposed.<\/p>\n\n\n\n<p><strong><em>Third-party services.<\/em><\/strong>&nbsp;Vendor-provided or open-source intelligence solutions can include data feeds and sources of information for context. Be aware that many third-party services are expensive and deliver results too late.<\/p>\n\n\n\n<p><strong><em>Technical links.<\/em><\/strong>&nbsp;Technical links between machines, such as hyperlinks, gateways, usage of third-party code and resources and other tech relationships can also reveal business importance and attractiveness.<\/p>\n\n\n\n<p>Finally, don&#8217;t ignore scalability. Efforts at classifying business context for prioritizing risks must scale to rapidly address an attack surface with hundreds of thousands of assets.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Rate Priority with a Scoring System<\/h2>\n\n\n\n<p>The practical goal of prioritization is coming up with a numeric score for analyzing, sorting and ranking risks. For example, a low score of \u201c0\u201d might be for a certificate about to expire on an abandoned, \u201cempty\u201d Apache server. A high score of \u201c10\u201d could stem from sensitive business documents stored on an unpatched file server where exploitation complexity is low and asset discoverability is high. The priority score rationalizes marching orders for remediation, starting with the highest-priority risks. When prioritization works well, high-risk attack vectors can be clearly communicated between teams and to executive management. When this doesn&#8217;t work, even the vulnerability management team can&#8217;t explain why one risk is more prevalent and urgent than another, and the conversation is purely technical rather than business-risk oriented.<\/p>\n\n\n\n<p>Five criteria can help with scoring. These include potential impact of an exploited asset \u2014 both technical and to the business. 
Business context identifies assets of greater interest to attackers. Exploitation complexity helps you know which vulnerabilities are easiest to exploit \u2014 and are ideal for enabling an attacker\u2019s path of least resistance. Discoverability shows how easy it is to discover the vulnerable asset and the likelihood that a sophisticated attacker will figure out that the asset belongs to your organization. Finally, remediation effort reflects the estimated level of effort required to fix the risk. Weighting these criteria with a scoring system will help accelerate prioritization of risks to your enterprise.<\/p>\n\n\n\n<p>I can&#8217;t overemphasize the importance of prioritizing risks&nbsp;<a href=\"\/blog\/principles-of-attack-surface-protection-part-one-discover-everything\/\">discovered<\/a>&nbsp;across your enterprise attack surface. Most organizations are swamped by thousands, even tens of thousands of so-called \u201curgent\u201d risks. No one has the resources to quickly remediate everything, so a rational, programmatic and automated approach to prioritizing risks will help isolate those that truly need quick attention. 
My next article will turn to the&nbsp;<a href=\"\/blog\/principles-of-attack-surface-protection-part-four-winning-the-remediation-race\/\">principle of remediation \u2014 that vital process required for eliminating material risks to your business.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>With a global pandemic affecting everyone, prioritization has determined Covid-19 vaccination eligibility and in what order people receive their vaccine.<\/p>\n","protected":false},"author":18,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[77,47],"class_list":["post-246","post","type-post","status-publish","format-standard","hentry","category-perspectives","tag-risk-prioritization","tag-vulnerability-prioritization"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Principles of Attack Surface Protection: Prioritize Risks that Endanger Your Business | CyCognito Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cycognito.com\/blog\/principles-of-attack-surface-protection-part-three-prioritize-risks-that-endanger-your-business\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Principles of Attack Surface Protection: Prioritize Risks that Endanger Your Business | CyCognito Blog\" \/>\n<meta property=\"og:description\" content=\"With a global pandemic affecting everyone, prioritization has determined Covid-19 vaccination eligibility and in what order people receive their vaccine.\" \/>\n<meta property=\"og:url\" 
content=\"https:\/\/www.cycognito.com\/blog\/principles-of-attack-surface-protection-part-three-prioritize-risks-that-endanger-your-business\/\" \/>\n<meta property=\"og:site_name\" content=\"CyCognito Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-02-24T23:15:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-08-02T21:28:28+00:00\" \/>\n<meta name=\"author\" content=\"Rob Gurzeev\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Rob Gurzeev\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/principles-of-attack-surface-protection-part-three-prioritize-risks-that-endanger-your-business\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/principles-of-attack-surface-protection-part-three-prioritize-risks-that-endanger-your-business\/\"},\"author\":{\"name\":\"Rob Gurzeev\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/d5cdeba13fde783ae5ebf80d0765b679\"},\"headline\":\"Principles of Attack Surface Protection: Prioritize Risks that Endanger Your Business\",\"datePublished\":\"2022-02-24T23:15:00+00:00\",\"dateModified\":\"2024-08-02T21:28:28+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/principles-of-attack-surface-protection-part-three-prioritize-risks-that-endanger-your-business\/\"},\"wordCount\":1004,\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"keywords\":[\"Risk Prioritization\",\"Vulnerability 
Prioritization\"],\"articleSection\":[\"Perspectives\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/principles-of-attack-surface-protection-part-three-prioritize-risks-that-endanger-your-business\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/principles-of-attack-surface-protection-part-three-prioritize-risks-that-endanger-your-business\/\",\"name\":\"Principles of Attack Surface Protection: Prioritize Risks that Endanger Your Business | CyCognito Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\"},\"datePublished\":\"2022-02-24T23:15:00+00:00\",\"dateModified\":\"2024-08-02T21:28:28+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/principles-of-attack-surface-protection-part-three-prioritize-risks-that-endanger-your-business\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cycognito.com\/blog\/principles-of-attack-surface-protection-part-three-prioritize-risks-that-endanger-your-business\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/principles-of-attack-surface-protection-part-three-prioritize-risks-that-endanger-your-business\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.cycognito.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Principles of Attack Surface Protection: Prioritize Risks that Endanger Your Business\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"name\":\"Cycognito Blog\",\"description\":\"Research, Product News and Latest 
Updates\",\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.cycognito.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\",\"name\":\"Cycognito\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"contentUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"width\":1720,\"height\":550,\"caption\":\"Cycognito\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/d5cdeba13fde783ae5ebf80d0765b679\",\"name\":\"Rob Gurzeev\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/188f9b5d63c82a731809f453b8cc26f8?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/188f9b5d63c82a731809f453b8cc26f8?s=96&d=mm&r=g\",\"caption\":\"Rob Gurzeev\"},\"description\":\"CEO &amp; Co-Founder\",\"url\":\"https:\/\/www.cycognito.com\/blog\/author\/rob-gurzeev\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Principles of Attack Surface Protection: Prioritize Risks that Endanger Your Business | CyCognito Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.cycognito.com\/blog\/principles-of-attack-surface-protection-part-three-prioritize-risks-that-endanger-your-business\/","og_locale":"en_US","og_type":"article","og_title":"Principles of Attack Surface Protection: Prioritize Risks that Endanger Your Business | CyCognito Blog","og_description":"With a global pandemic affecting everyone, prioritization has determined Covid-19 vaccination eligibility and in what order people receive their vaccine.","og_url":"https:\/\/www.cycognito.com\/blog\/principles-of-attack-surface-protection-part-three-prioritize-risks-that-endanger-your-business\/","og_site_name":"CyCognito Blog","article_published_time":"2022-02-24T23:15:00+00:00","article_modified_time":"2024-08-02T21:28:28+00:00","author":"Rob Gurzeev","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Rob Gurzeev","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.cycognito.com\/blog\/principles-of-attack-surface-protection-part-three-prioritize-risks-that-endanger-your-business\/#article","isPartOf":{"@id":"https:\/\/www.cycognito.com\/blog\/principles-of-attack-surface-protection-part-three-prioritize-risks-that-endanger-your-business\/"},"author":{"name":"Rob Gurzeev","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/d5cdeba13fde783ae5ebf80d0765b679"},"headline":"Principles of Attack Surface Protection: Prioritize Risks that Endanger Your Business","datePublished":"2022-02-24T23:15:00+00:00","dateModified":"2024-08-02T21:28:28+00:00","mainEntityOfPage":{"@id":"https:\/\/www.cycognito.com\/blog\/principles-of-attack-surface-protection-part-three-prioritize-risks-that-endanger-your-business\/"},"wordCount":1004,"publisher":{"@id":"https:\/\/www.cycognito.com\/blog\/#organization"},"keywords":["Risk Prioritization","Vulnerability Prioritization"],"articleSection":["Perspectives"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.cycognito.com\/blog\/principles-of-attack-surface-protection-part-three-prioritize-risks-that-endanger-your-business\/","url":"https:\/\/www.cycognito.com\/blog\/principles-of-attack-surface-protection-part-three-prioritize-risks-that-endanger-your-business\/","name":"Principles of Attack Surface Protection: Prioritize Risks that Endanger Your Business | CyCognito 
Blog","isPartOf":{"@id":"https:\/\/www.cycognito.com\/blog\/#website"},"datePublished":"2022-02-24T23:15:00+00:00","dateModified":"2024-08-02T21:28:28+00:00","breadcrumb":{"@id":"https:\/\/www.cycognito.com\/blog\/principles-of-attack-surface-protection-part-three-prioritize-risks-that-endanger-your-business\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.cycognito.com\/blog\/principles-of-attack-surface-protection-part-three-prioritize-risks-that-endanger-your-business\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.cycognito.com\/blog\/principles-of-attack-surface-protection-part-three-prioritize-risks-that-endanger-your-business\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.cycognito.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Principles of Attack Surface Protection: Prioritize Risks that Endanger Your Business"}]},{"@type":"WebSite","@id":"https:\/\/www.cycognito.com\/blog\/#website","url":"https:\/\/www.cycognito.com\/blog\/","name":"Cycognito Blog","description":"Research, Product News and Latest 
Updates","publisher":{"@id":"https:\/\/www.cycognito.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.cycognito.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.cycognito.com\/blog\/#organization","name":"Cycognito","url":"https:\/\/www.cycognito.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png","contentUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png","width":1720,"height":550,"caption":"Cycognito"},"image":{"@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/d5cdeba13fde783ae5ebf80d0765b679","name":"Rob Gurzeev","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/188f9b5d63c82a731809f453b8cc26f8?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/188f9b5d63c82a731809f453b8cc26f8?s=96&d=mm&r=g","caption":"Rob Gurzeev"},"description":"CEO &amp; 
Co-Founder","url":"https:\/\/www.cycognito.com\/blog\/author\/rob-gurzeev\/"}]}},"_links":{"self":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/246","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/users\/18"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/comments?post=246"}],"version-history":[{"count":5,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/246\/revisions"}],"predecessor-version":[{"id":1005,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/246\/revisions\/1005"}],"wp:attachment":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/media?parent=246"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/categories?post=246"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/tags?post=246"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}