{"id":252,"date":"2022-02-24T23:18:00","date_gmt":"2022-02-24T23:18:00","guid":{"rendered":"https:\/\/www.cycognito.com\/blog\/?p=252"},"modified":"2024-01-22T08:47:42","modified_gmt":"2024-01-22T16:47:42","slug":"principles-of-attack-surface-protection-part-one-discover-everything","status":"publish","type":"post","link":"https:\/\/www.cycognito.com\/blog\/principles-of-attack-surface-protection-part-one-discover-everything\/","title":{"rendered":"Principles of Attack Surface Protection: Discover Everything"},"content":{"rendered":"\n

Imagine a cybersecurity team that is working hard with the usual tools and best practices. All seems on course for protecting the enterprise attack surface. But there\u2019s an attractive path for attackers to assets the security team doesn\u2019t manage and may not even be aware of.<\/p>\n\n\n\n

In this case, which happens to be a true story, a Fortune 500 financial services company prevented exploitation of hidden danger from ransomware. Global operations entailed more than 200 subsidiaries and almost half a million IT assets. By using new techniques to probe hidden risks across the entire extended attack surface, this company found it was vulnerable to a critical Pulse Secure VPN CVE, CVE-2019-11510<\/a>, in three of its 30 VPN gateways. One gateway was in a subsidiary and two came with an acquired company. Discovery was in the nick of time!<\/p>\n\n\n\n

Scenarios like this are common and often undiscovered because security controls and their operators cannot see all risks to the entire external attack surface. Let\u2019s take a closer look at how such exposure impacts most large organizations today.<\/p>\n\n\n\n

Defining the Attack Surface<\/h2>\n\n\n\n

The concept of an \u201cattack surface\u201d includes any asset that an attacker may see on or with a path to your network. For a large enterprise, the modern externally exposed attack surface can include thousands of segmented networks, tens or hundreds of thousands of devices, thousands of applications and dozens or hundreds of connected partners. <\/p>\n\n\n\n

Talk about endless exposure! Some of these elements are not systematically addressed by typical security tools and processes. We call these omissions an area of \u201cshadow risk.\u201d <\/p>\n\n\n\n

Shadow risk is a huge lure for attackers who seek the path of least resistance to your assets and data. The main attraction is these targets are unlikely to have any protection from security controls \u2014 especially unknown or unmanaged assets. Let\u2019s consider why shadow risk is a major unaddressed liability.<\/p>\n\n\n\n

Why Legacy Approaches Don\u2019t See the Extended Attack Surface<\/h2>\n\n\n\n

Security practitioners use a variety of tools and processes to map and assess risk exposure. For example, deployment of vulnerability scanners, penetration testing, threat intelligence feeds, security rating services and others are common \u2014 so much so that security frameworks and compliance regimes, such as the Payment Card Industry Data Security Standard (PCI DSS), specify their systematic use. Despite adherence to these requirements, we frequently read about successful exploits. Why?<\/p>\n\n\n\n

I believe there are two reasons why popular tools are unhelpful in seeing the extended attack surface. The first reason is these tools are only good at seeing the targets you focus them on. <\/p>\n\n\n\n

Consider how you configure a legacy vulnerability scan: by entering a target range of IP addresses. That\u2019s where the tool looks. If you want it to look somewhere else, you must tell it where to execute its processes, what to look for and when to run scans. A recent ESG study commissioned by our company offers clues on why many risks are unseen by organizations surveyed:<\/p>\n\n\n\n