The term “attack surface” is sometimes defined as the collection of ways an organization can be breached. But that is really just the sum of your organization’s attack vectors.
A better definition is: Your attack surface is all of your attacker-exposed IT assets, whether secure or vulnerable, known or unknown, wherever they are: on-premises, in the cloud, in third-party or partner environments, or in the networks of your subsidiaries. That is a better definition of “attack surface” because organizations benefit from understanding of, and visibility into, their entire IT ecosystem, including all of its network interconnectivity.
Attackers are looking for the path of least resistance in your attack surface so that they can break into your high-value digital assets. To stay ahead, you have to think like an attacker too. That requires ongoing visibility of your attack surface, and there is only one proven way to establish it: do what attackers do and perform reconnaissance across your entire IT ecosystem, using an outside-in approach.
With the full view of your attacker-exposed assets, you have a good foundation for evaluating your organizational risk and establishing an effective security program that allows you and your team to focus your resources on eliminating the highest priority risks for your business.
We define attack surface management as the ongoing, continuous process of identifying and understanding your organization’s attacker-exposed assets, the business relevance of those assets, potential attacker entry points, and a prioritization of which attack vectors to remediate first. The concept of “attack vectors” covers a range of security issues, including data exposure, misconfigured applications, network architecture flaws, outdated ciphers, and vulnerabilities.
Therefore, vulnerability management, the ongoing process for managing an organization's vulnerabilities, is included within our definition of attack surface management.
Many authors providing advice on attack surface management use the term “attack surface reduction” and offer tips for reducing the size of an organization’s attack surface. What’s implied in that approach is that the attack surface is being defined as the sum of vulnerabilities, whereas a better approach is to define the attack surface expansively as the collection of all the assets associated with an organization, whether currently deemed vulnerable or not.
Thus, your goal is not to reduce your attack surface but to increase visibility of your attack surface so that you can reduce the attack vectors in your attack surface, beginning with those that pose the greatest risk to your organization.
Attackers often find your security blind spots – your shadow risk – by targeting the IT assets connected to your organization that you don’t know about or manage: assets in partner, cloud and subsidiary environments. Your shadow risk goes undiscovered by the legacy security risk assessment solutions you use (e.g. vulnerability scanners) because they were designed for the IT environments of twenty years ago, not the IT ecosystem at the heart of your business today. The same is true of attack surface discovery tools like those from RiskIQ and Expanse, which are simply port scanners working within defined or easily discovered IP ranges.
Elimination of shadow risk by illuminating critical blind spots in your attack surface is a goal and an outcome of using the CyCognito platform.
The CyCognito platform helps your team discover and understand more about your attack surface, not just discover open ports. The CyCognito platform also filters out the noise produced by vulnerability scanners, which surface an endless stream of potential vulnerabilities that may be rated “high” or “critical” under the Common Vulnerability Scoring System (CVSS) but do not rise to a priority level for your organization. Attack vectors identified by the CyCognito platform go beyond known vulnerabilities and isolated CVSS scores and are specific to your organization’s attacker-exposed assets and their business relevance.
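The prioritization argument above (rank attack vectors by exposure and business relevance rather than by CVSS alone, and filter out the scanner noise) can be made concrete with a small worked example. This is an added illustration, not CyCognito's scoring model or any product code; the `Asset`/`Finding` types, the weighting factors and the sample assets are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    exposed: bool   # reachable from the internet, i.e. visible to outside-in reconnaissance
    known: bool     # in the official inventory (False = shadow asset: partner/cloud/subsidiary)
    relevance: int  # business relevance, 1 (low) .. 5 (crown jewel)

@dataclass(frozen=True)
class Finding:
    asset: Asset
    vector: str     # the attack vector: misconfiguration, outdated cipher, data exposure, CVE ...
    cvss: float

def cvss_band(score: float) -> str:
    """Standard CVSS v3 qualitative bands; this is what a scanner alone would report."""
    if score >= 9.0: return "Critical"
    if score >= 7.0: return "High"
    if score >= 4.0: return "Medium"
    return "Low"

def contextual_priority(f: Finding) -> float:
    """Constructed weighting: CVSS scaled by exposure, business relevance and shadow-asset status."""
    exposure = 1.0 if f.asset.exposed else 0.3          # unexposed assets are far less urgent
    relevance = f.asset.relevance / 5                   # crown jewels keep the full score
    shadow = 1.2 if not f.asset.known else 1.0          # unmanaged assets get a nudge upward
    return round(f.cvss * exposure * relevance * shadow, 2)

def prioritize(findings, floor: float = 3.0):
    """Rank by contextual priority and drop anything below the floor (the 'noise')."""
    ranked = sorted(findings, key=contextual_priority, reverse=True)
    return [f for f in ranked if contextual_priority(f) >= floor]

# Constructed sample inventory: one known crown jewel, one isolated lab box, two shadow assets.
SAMPLE = [
    Finding(Asset("payments-api", True, True, 5), "outdated TLS cipher suite", 7.5),
    Finding(Asset("qa-lab-vm", False, True, 1), "critical CVE on internal-only host", 9.8),
    Finding(Asset("subsidiary-admin", True, False, 3), "admin panel exposed without MFA", 8.1),
    Finding(Asset("partner-file-share", True, False, 4), "customer data exposure", 6.5),
]

def by_cvss_only(findings):
    return [f.asset.name for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def by_context(findings):
    return [f.asset.name for f in prioritize(findings)]

if __name__ == "__main__":
    print("CVSS alone:", by_cvss_only(SAMPLE))   # the isolated lab box comes first
    print("In context:", by_context(SAMPLE))     # the exposed crown jewel comes first; lab box dropped
```

The CVSS-only ordering puts the internal-only "Critical" at the top; the contextual ordering puts the exposed, business-critical asset first and drops the unexposed finding below the floor entirely.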
In order to protect your most-valued assets, you must have visibility across your entire attack surface, right down to the last connected device. Is your visibility up to the task? To help, we created this white paper; inside, you’ll read about: