How to start managing your attack surface

Reading time: 15 min

Published: 05/2022
Katie Inns & Jake Knott

Security Consultants

Speed is a critical factor in many cyber defense scenarios, including emergency patching and responding to incidents. A few hours can make the difference between a vulnerability that is patched and one that has been exploited, or an attacker who has been contained before they have done any real damage and one that is uncontained and could be wreaking havoc in your environment.

Think back to the exploit that affected the popular Apache Log4j utility—made public in December 2021. Because Log4j was and is so widely used, huge numbers of organizations suddenly faced the enormous job of identifying and patching all their vulnerable assets before they could be abused.

Mapping assets fully can often take several months, or upwards of a year for larger organizations. This is why ongoing attack surface management is so valuable.

“It was a Friday evening, and Log4j news started blowing up. We didn't know how serious it was going to be at the time, but we decided to do some research and find a way to test for it. Then our clients started emailing, asking us to look for the vulnerability in their environments.

We came up with a good proof-of-concept exploit and gave our clients all the information they needed. Because they were proactively managing their attack surface through our service, they were able to secure their environments within a few days.”

~ Katie Inns, Security Consultant

What is attack surface management?

An 'attack surface' refers to the externally facing assets that could be targeted by an attacker aiming to gain unauthorized access to resources or to exfiltrate sensitive data.

Attack surface management is the practice of establishing comprehensive knowledge of an organization’s attack surface, monitoring that attack surface over time, and understanding its vulnerability to new threats as they emerge.

This includes understanding which of the assets in the attack surface should be prioritized when it comes to vulnerability patching and other forms of ongoing protection.

"Having a well-managed attack surface means that you can do a lot of the work of responding to an attack before it even occurs. When vulnerabilities emerge or an attack is detected, you don’t want to have to scramble to gather information. You should have an asset list ready to go.”

~ Jake Knott, Security Consultant

“The time saved by having a good understanding of your attack surface and asset inventory in general before you experience an incident can make a huge difference to the response. It can be the difference between containing an attacker quickly and having to pull the internet connection and shut down operations for weeks just to buy time and prevent the attacker moving around in the network.”

~ John Rogers, Principal Incident Response Consultant

“Organizations often have an unknown issue on their network where a few devices are compromised and they don't know how it happened. The attacker had to get there somehow, which is often via a vulnerability on the attack surface.

You need to know what's on your perimeter and which of those assets could have a vulnerability if you want to track the attack path. Sometimes organizations have a good idea, but often they don’t and that can really delay the investigation.”

~ John Rogers, Principal Incident Response Consultant

“When we look back at Log4j, a huge number of the assets that were vulnerable were actually not exposed at all. So we had clients with long lists of vulnerable assets, but no understanding of how those assets should be prioritized in terms of patching urgency.

Our clients who managed the assets on their attack surface were able to immediately identify high-priority exposed assets when the Log4j exploit was made public and patch them before they could be exploited.”

~ WithSecure™

What does managing the attack surface involve?

Managing an attack surface involves:

  • mapping assets
  • understanding assets
  • making improvements to reduce risk
  • continually reassessing the asset list.

Mapping assets

Mapping the attack surface is about building a list of all the externally facing assets in your environment. Common elements include externally facing websites and services, cloud hosting providers, third parties, and content delivery networks, as well as information assets such as source code, configurations, and databases stored in buckets or code repositories.

“A few weeks ago we found that a client’s employee had uploaded a file with loads of sensitive information on it and saved it online. Once we found a presentation that was meant to be strictly internal stored in an online presentation creator.

This stuff isn’t necessarily hugely vulnerable, but it can help attackers improve their knowledge of the organization. We are calling assets like these ‘unconventional attack surfaces’.”

~ Katie Inns, Security Consultant

It is difficult to predict how long an initial mapping will take. Factors including the size and age of the organization can affect the timeline dramatically. Usually, though, the full initial mapping will take several months.

Challenges

External asset mapping is a difficult job. It requires input from many different stakeholders, and in larger organizations this can be hard to organize across teams and departments. Tools exist that can help to streamline this process, which may be worth investigating depending on your organization’s context.

One significant challenge is that no matter how much effort you have put into mapping, there is no way to guarantee that you have found every asset. When any developer in an organization can spin up a new test environment, or when an organization has shadow IT, it is incredibly easy to miss assets and leave them out of approval pipelines and ongoing security processes.

Understanding assets

Having a list of assets is helpful, but as we have established, the real value comes from understanding each asset, including what it’s for, what vulnerabilities it has, and how it could be exploited in the future.

What should you know about each asset?

Questions that should be answered in the process of asset mapping include:

  • Who owns the asset?
  • How old is the asset?
  • Is the asset frequently patched?
  • Who is meant to use the asset?
  • Is the asset supposed to be public?
  • Is the asset running web applications?
  • What kind of data are being stored?
  • What relationships does the asset have with other assets?

Which assets are high-risk to your organization?

It’s important that you understand how the assets in your attack surface connect to other assets in your inventory. Some assets may be high risk, such as a website with an admin log-in capability, because they provide a foothold into a key area of the environment.

If these assets can’t be removed or altered so that they are not part of the attack surface, make sure that they are highly prioritized in the asset list so that they are among the first assets to receive defensive updates, such as vulnerability patching.
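As an added example (not code from the article or from WithSecure's service), the following Python sketch stores the per-asset questions above as fields of an inventory record and uses them to rank a scanner's list of vulnerable hosts by patching urgency, so that exposed, admin-capable, unowned or unpatched assets surface first and a vulnerable host that the inventory does not know about is ranked above everything else. All hostnames, dates, weights and the scanner output are constructed for illustration.

```python
"""Added example, not WithSecure's own tooling: a minimal attack-surface
inventory that stores the per-asset questions from the article as fields and
ranks a scanner's list of vulnerable hosts by patching urgency.
All hosts, dates and weights below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class Asset:
    hostname: str
    owner: Optional[str]          # who owns the asset? (None = unknown)
    deployed: date                # how old is the asset?
    patched_regularly: bool       # is the asset frequently patched?
    intended_public: bool         # is the asset supposed to be public?
    internet_exposed: bool        # what external discovery actually found
    runs_web_app: bool            # is the asset running web applications?
    data_classification: str      # what kind of data is stored? (public/internal/confidential)
    depends_on: List[str] = field(default_factory=list)  # relationships to other assets
    admin_login: bool = False     # foothold into a key area (e.g. admin log-in)?


# Hypothetical weights: how much stored-data sensitivity raises urgency.
DATA_WEIGHT = {"public": 0, "internal": 1, "confidential": 3}


def exposure_flags(asset: Asset) -> List[str]:
    """Hygiene findings independent of any specific vulnerability."""
    flags = []
    if asset.internet_exposed and not asset.intended_public:
        flags.append("exposed-but-not-intended")  # reduction candidate
    if asset.owner is None:
        flags.append("no-owner")                  # nobody will patch it
    if not asset.patched_regularly:
        flags.append("unpatched")
    return flags


def priority_score(asset: Asset, today: date) -> int:
    """Higher means patch sooner. Exposed assets get a large base score so the
    attack surface is handled before internal assets; the remaining terms
    order assets within each group."""
    score = 0
    if asset.internet_exposed:
        score += 10
        if asset.runs_web_app:
            score += 2
        if asset.admin_login:
            score += 4
    score += DATA_WEIGHT.get(asset.data_classification, 1)
    if not asset.patched_regularly:
        score += 2
    if asset.owner is None:
        score += 1
    if (today - asset.deployed).days > 5 * 365:  # old assets drift from baselines
        score += 1
    return score


def rank_for_patching(inventory, vulnerable_hostnames, today):
    """Return (hostname, score, flags) tuples ordered by urgency for the hosts a
    scanner reported as vulnerable. A vulnerable host missing from the
    inventory is ranked first: it is the unknown asset the article warns about."""
    by_name = {a.hostname: a for a in inventory}
    dependants = {}  # hostname -> assets that rely on it (blast radius)
    for a in inventory:
        for dep in a.depends_on:
            dependants.setdefault(dep, []).append(a.hostname)
    ranked = []
    for name in vulnerable_hostnames:
        asset = by_name.get(name)
        if asset is None:
            ranked.append((name, 99, ["not-in-inventory"]))
            continue
        score = priority_score(asset, today) + 2 * len(dependants.get(name, []))
        ranked.append((name, score, exposure_flags(asset)))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


# Constructed sample inventory and scanner output.
TODAY = date(2022, 5, 1)
SAMPLE_INVENTORY = [
    Asset("shop.example.com", "web-team", date(2019, 3, 1), True, True, True, True,
          "confidential", depends_on=["db01.internal"], admin_login=True),
    Asset("db01.internal", "dba-team", date(2016, 1, 1), True, False, False, False,
          "confidential"),
    Asset("test-env-42.example.com", None, date(2022, 4, 20), False, False, True, True,
          "internal"),
    Asset("wiki.internal", "it-ops", date(2015, 6, 1), False, False, False, True,
          "internal"),
]
SCANNER_VULNERABLE = ["db01.internal", "wiki.internal", "shop.example.com",
                      "test-env-42.example.com", "unknown-host.example.com"]

if __name__ == "__main__":
    for host, score, flags in rank_for_patching(SAMPLE_INVENTORY, SCANNER_VULNERABLE, TODAY):
        print(f"{score:3d}  {host:28s} {' '.join(flags)}")
```

The weights are deliberately simple; the point is that the ranking is driven by the answers to the questions in the list above, not by CVE severity alone, which is what let the clients in the Log4j story separate exposed assets from the long list of merely vulnerable ones.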

Reducing risk

There are a lot of ways to reduce risk when it comes to an attack surface. Some of the most common risks and related recommendations given by our consultants are outlined below.

Reduction

The overarching recommendation we give is reduction. If you can reduce the number of assets that are exposed, you reduce the opportunities for an attacker to get a foothold.

After mapping your attack surface, disable needless or unused software and devices. Aim to simplify the network by reducing endpoints. Review every asset to check whether it needs to be exposed to the internet to perform its function.

Remediate vulnerabilities

You should regularly patch vulnerabilities as you become aware of them, prioritizing assets in the attack surface followed by those that are not externally facing.

You can use a vulnerability management tool to assess which vulnerabilities exist in your environment. Remember to test patches on a sample group of your assets first to ensure that they don’t negatively impact your operations.

Understand threats

Certain types of organizations are often targeted more frequently by particular types of attackers. For example, Magecart-style attacks are particularly associated with retail organizations.

Consider what types of threats are common to organizations like yours, as well as what attacks, if any, your organization has experienced in the past. You can use this context to prioritize defensive actions relevant to your attack surface.

Continuous reassessment

“Asset management needs to be continuous. Sometimes we will look for assets one day, and then look again a week later and find an entirely different set of assets. We often call these ‘ephemeral assets.’”

~ Jake Knott, Security Consultant

Ideally, you should automate asset discovery and keep it running continuously in the background of your day-to-day operations.

If that is unfeasible, the next-best method is to re-map assets regularly, at a frequency that makes sense for your organization. So long as your asset list is revisited and updated at predefined intervals, you will be at lower risk of having unmanaged, unknown assets in your environment.

When new assets go live

Consider establishing processes to regulate the creation of new assets. If you can standardize actions around documenting new assets at the time of their creation, you can really reduce the number of invisible exposed assets that are not being tracked or supported by security teams. This is a useful practice for all assets, but especially those that are on the attack surface.
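To make the reassessment and go-live checks concrete, here is an added Python example (not WithSecure tooling) that diffs two external discovery snapshots against each other and against the asset register: it reports services that appeared or vanished between scans (the ephemeral assets described above) and any exposed host that was never registered, which is the gap a go-live process is meant to close. The snapshot export format, hostnames and register contents are constructed sample data, not real scanner output.

```python
"""Added example, not WithSecure's own tooling: compare two external discovery
snapshots with each other and with the asset register, so that ephemeral
assets and untracked go-lives are surfaced on every re-map.
Snapshot lines, hostnames and the register are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Observed:
    """One externally reachable service seen by discovery."""
    host: str
    port: int
    service: str


def parse_snapshot(text: str) -> Set[Observed]:
    """Parse 'host,port,service' lines (hypothetical scanner export format)."""
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, service = (part.strip() for part in line.split(",", 2))
        seen.add(Observed(host, int(port), service))
    return seen


def _order(o: Observed):
    return (o.host, o.port)


def reassess(previous: Set[Observed], current: Set[Observed],
             register: Set[str]) -> Dict[str, List[Observed]]:
    """What changed since the last map, and what is exposed but never registered."""
    return {
        "appeared": sorted(current - previous, key=_order),
        "vanished": sorted(previous - current, key=_order),
        "unregistered": sorted((o for o in current if o.host not in register), key=_order),
    }


def ephemeral_hosts(snapshots: List[Set[Observed]]) -> List[str]:
    """Hosts seen in an earlier snapshot but absent from the latest one."""
    earlier = set()
    for snap in snapshots[:-1]:
        earlier |= {o.host for o in snap}
    latest = {o.host for o in snapshots[-1]}
    return sorted(earlier - latest)


# Constructed sample snapshots (one week apart) and register.
WEEK1 = """
# host,port,service
shop.example.com,443,https
vpn.example.com,443,https
test-env-42.example.com,8080,http
"""
WEEK2 = """
# host,port,service
shop.example.com,443,https
vpn.example.com,443,https
dr-backup.example.com,1194,openvpn
"""
REGISTER = {"shop.example.com", "vpn.example.com"}

if __name__ == "__main__":
    prev, cur = parse_snapshot(WEEK1), parse_snapshot(WEEK2)
    for label, items in reassess(prev, cur, REGISTER).items():
        print(label, [f"{o.host}:{o.port}/{o.service}" for o in items])
    print("ephemeral:", ephemeral_hosts([prev, cur]))
```

Run on a schedule, the "unregistered" list is the one to route to the go-live process: every entry is an exposed asset that nobody documented, so it has no owner and is unlikely to be in anyone's patching rotation.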

“I once tracked a compromise to a backup network that an admin had set up for disaster recovery purposes. It had never been put on an official asset register, so it didn't receive any patches. After a few years an attacker just logged into the VPN through that network using a common exploit.”

~ John Rogers, Principal Incident Response Consultant

Conclusion

Understanding and managing your attack surface can make a huge difference in how you are able to prevent and respond to cyber attacks.

The key benefits of attack surface management are:

  • decreased opportunities for threat actors
  • decreased time taken to patch vulnerabilities, especially in prioritized assets
  • increased ability to track attack paths.

Effective attack surface management relies on a sustained strategic commitment from organizational leaders, but we believe that the rewards are well worth the effort.

To find out how WithSecure™ can help you manage your attack surface, visit our site here.