With the shift to the cloud, the rise in software-as-a-service (SaaS) applications and a sudden increase in remote work capabilities, most organizations’ attack surface has become larger and more complex, making it exponentially more difficult to define and defend. Since virtually any asset is capable of being an entry point to a cyberattack, it is more important than ever for organizations to improve attack surface visibility across assets — known or unknown, on-premises or in the cloud, internal or external.
What is Attack Surface Management?
Attack surface management is the continuous discovery, monitoring, evaluation, prioritization and remediation of attack vectors within an organization's IT infrastructure.
While similar in nature to asset discovery or asset management, often found in IT hygiene solutions, the critical difference in attack surface management is that it approaches threat detection and vulnerability management from the perspective of the attacker. In so doing, the organization is driven to identify and evaluate risk posed not just by known assets, but unknown and rogue components as well.
What is an attack surface?
The attack surface is the term used to describe the interconnected network of IT assets that can be leveraged by an attacker during a cyberattack. Generally speaking, an organization’s attack surface is composed of four main components:
- On-premises assets: Assets located on-site, such as servers and hardware.
- Cloud assets: Any asset that leverages the cloud for operation or delivery, such as cloud servers and workloads, SaaS applications or cloud-hosted databases.
- External assets: Online services purchased from an external vendor or partner that store and process company data or are integrated with the corporate network.
- Subsidiary networks: Networks that are shared by more than one organization, such as those owned by a holding company in the event of a merger or acquisition.
It’s important to note that the organization’s attack surface will evolve over time as devices are constantly added, new users are introduced and business needs change. For this reason, organizations must continuously monitor and evaluate all assets and identify vulnerabilities before they are exploited by cybercriminals.
The Value of Attack Surface Management
By assuming the mindset of the attacker and mimicking their toolset, organizations can improve visibility across all potential attack vectors, thereby enabling them to take targeted steps to improve their security posture by mitigating risk associated with certain assets or reducing the attack surface itself. An effective attack surface management tool can enable organizations to:
- Automate asset discovery, review and remediation
- Map all assets on a continuous basis
- Quickly identify and disable shadow IT assets and other previously unknown assets
- Eliminate known vulnerabilities such as weak passwords, misconfigurations and outdated or unpatched software
What are the core functions of attack surface management?
There are five core functions of an effective attack surface management strategy:
Phase 1: Discovery
In this initial phase, organizations identify and map all digital assets across both the internal and external attack surface. While legacy solutions may not be capable of discovering unknown, rogue or external assets, a modern attack surface management solution mimics the toolset used by threat actors to find vulnerabilities and weaknesses within the IT environment. This enhances visibility across the entire attack surface and ensures the organization has mapped any asset that can be used as a potential attack vector.
Phase 2: Testing
The attack surface changes constantly as new devices are connected, users are added and the business evolves. As such, it is important that the tool is able to conduct continuous attack surface monitoring and testing. A modern attack surface management solution will review and analyze assets 24/7 to prevent the introduction of new security vulnerabilities, identify security gaps, and eliminate misconfigurations and other risks.
Phase 3: Context
While any asset can serve as an attack vector, not all IT components carry the same risk. An advanced attack surface management solution conducts attack surface analysis and supplies relevant information about the exposed asset and its context within the IT environment. Factors such as when, where and how the asset is used, who owns the asset, its IP address, and network connection points can help determine the severity of the cyber risk posed to the business.
Phase 4: Prioritization
Because the attack surface management solution is intended to discover and map all IT assets, the organization must have a way of prioritizing remediation efforts for existing vulnerabilities and weaknesses. Attack surface management provides actionable risk scoring and security ratings based on a number of factors, such as how visible the vulnerability is, how exploitable it is, how complicated the risk is to fix, and its history of exploitation. Unlike penetration testing, red teaming and other traditional risk assessment and vulnerability management methods, which can be somewhat subjective, attack surface management scoring is based on objective criteria, which are calculated using preset system parameters and data.
Phase 5: Remediation
Based on the automated steps in the preceding phases of the attack surface management program, the IT staff are now well equipped to identify the most severe risks and prioritize remediation. Since these efforts are often led by IT teams, and not cybersecurity professionals, it’s important to ensure that information is shared across each function and that all team members are aligned on security operations.
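As an added illustration (not code from the page or from any vendor's product), the following Python shows how the five phases fit together: discovered assets carry the Phase 3 context (location, owner, exposure, whether the asset was previously known), each Phase 2 finding is scored with the Phase 4 factors the article lists (visibility, exploitability, fix complexity, exploitation history), and Phase 5 routes the ordered findings to asset owners. The weights, asset names and findings are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Asset:                      # Phases 1 and 3: a discovered asset plus its context
    name: str
    location: str                 # on-premises, cloud, external or subsidiary
    owner: Optional[str]          # None = nobody claims it
    internet_exposed: bool        # reachable from outside the firewall
    known: bool = True            # False = shadow IT found only by discovery

@dataclass(frozen=True)
class Finding:                    # Phase 2: a weakness observed on an asset
    asset: Asset
    issue: str
    visibility: int               # 0-3: how easily an attacker can spot it
    exploitability: int           # 0-3: how easily it can be exploited
    fix_complexity: int           # 0-3: effort to fix (higher = harder)
    exploited_in_wild: bool       # history of exploitation

def risk_score(f: Finding) -> int:
    """Phase 4: objective score from preset weights (the weights are assumed)."""
    score = 3 * f.visibility + 4 * f.exploitability - f.fix_complexity
    score += 6 * f.exploited_in_wild        # known exploitation history
    score += 4 * f.asset.internet_exposed   # exposed assets are reachable first
    score += 3 * (not f.asset.known)        # rogue assets are unpatched and unmonitored
    score += 2 * (f.asset.owner is None)    # nobody to route the fix to
    return max(score, 0)

def prioritize(findings: List[Finding]) -> List[Finding]:
    return sorted(findings, key=risk_score, reverse=True)

def remediation_queue(findings: List[Finding]) -> Dict[str, List[str]]:
    """Phase 5: hand findings, in priority order, to the team that owns each asset."""
    queue: Dict[str, List[str]] = {}
    for f in prioritize(findings):
        queue.setdefault(f.asset.owner or "unassigned", []).append(f"{f.asset.name}: {f.issue}")
    return queue

# Constructed sample inventory; none of these are real assets or findings.
WEB = Asset("www-portal", "cloud", "web-team", internet_exposed=True)
HRDB = Asset("hr-db", "on-premises", "dba-team", internet_exposed=False)
FTP = Asset("legacy-ftp", "external", None, internet_exposed=True, known=False)
VPN = Asset("acq-vpn", "subsidiary", "acq-it", internet_exposed=True)
FINDINGS = [
    Finding(WEB, "outdated TLS library", 3, 2, 1, True),
    Finding(HRDB, "weak admin password", 1, 3, 0, False),
    Finding(FTP, "anonymous login enabled", 3, 3, 1, True),
    Finding(VPN, "missing security patches", 2, 2, 2, False),
]
```

With this inventory the unowned, previously unknown FTP host ranks first even though the internal database has the most exploitable weakness, which is the point of scoring with asset context rather than severity alone.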
How can your organization mitigate attack surface risks?
To identify and stop an evolving array of adversary tactics, security teams require a 360-degree view of their digital attack surface to better detect threats and defend their enterprise. This requires continuous visibility across all assets, including the organization’s internal networks and its presence outside the firewall, together with an awareness of the external systems and entities that its users and systems interact with.
As organizations embrace a digital transformation agenda, it can become more difficult to maintain visibility of a sprawling attack surface. Cloud workloads, SaaS applications, microservices and other digital solutions have all added complexity within the IT environment, making it more challenging to detect, investigate and respond to threats.
CrowdStrike’s RiskIQ Illuminate has integrated with the CrowdStrike Falcon® platform to seamlessly combine internal endpoint telemetry with petabytes of external internet data collected over more than a decade. Layering internet intelligence on top of endpoint data in one location provides crucial context to internal incidents, helping security teams understand how internal assets interact with external infrastructure so they can block or prevent attacks and know if they’ve been breached.
Key capabilities and benefits of RiskIQ Illuminate include:
- Accelerate detection and response: Empower security teams with 360-degree context and enhanced visibility inside and outside the firewall to better defend the enterprise from the latest threats, such as data breaches and ransomware attacks.
- Empower collaboration: RiskIQ Illuminate enables enterprise security teams to seamlessly collaborate on threat investigations or incident response engagements by overlaying internal knowledge and threat intelligence on analyst results.
- Proactively manage the digital attack surface: Gain complete visibility into all externally facing assets and ensure that they are managed and protected.