What is an Attack Surface?

Imagine you live in a house with two doors and five windows. Each night, you check each door and window to make sure it is locked. But what if there was a hidden sixth window, hiding behind a curtain, forgotten about? That window may not be locked, and it is therefore a prime opportunity for intruders to break in.

Attack surface works in a similar way. The attack surface is defined as “the set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment.” Attack Surface Management, also known as Cyber Attack Surface Management, is the process of defining, prioritizing, and acting on the attack surface, faster than your attackers. 

The term “attack surface management” isn’t new, but it’s often mixed up with the terms “asset management” or “asset discovery.” Unlike these terms, attack surface management isn’t just about monitoring known asset inventory, nor about finding shadow and legacy IT, though those are both important and benefit from being well understood by organizations. Attack surface management covers aspects of both, but most importantly, it’s deployed within the context of real risk.

Another key thing to understand about the attack surface is the fact that it’s not static – it’s constantly evolving and increasing. There was 50x more online data in 2020 than in 2016. On its own, this increase is not necessarily bad. As organizations mature, they naturally undertake normal growth activities like business transformation, attrition, hyper-growth, and mergers and acquisitions (M&A). These initiatives expand their web of internet-facing assets, but with limited resources and dispersed accountability, the ability to maintain oversight wanes. Unfortunately, there is a long line of malicious attackers waiting and watching, looking for a way in. 


Reducing Your Attack Surface

The simplest way to reduce your attack surface is to eliminate assets no longer relevant to your enterprise operations. Eliminating non-relevant assets requires a close and detailed understanding of the components within your technology stack and your asset inventory. You may discover assets previously assumed to have been eliminated. Many asset inventories still live on spreadsheets, which introduce errors and inaccuracy over time. 

Basic data security mechanisms and the best practices that support them need to be in place. Encryption is an easy way to reduce vulnerability and your attack surface. Security controls such as data encryption should be in use across the organization. 

Risk is a key metric to prioritize reduction in your attack surface. Addressing the assets which contain high indicators of risk can provide a good return on investment almost immediately. Risk indicators can include common vulnerabilities and exposures (CVE), a list of publicly disclosed computer security flaws. Other risk indicators can consist of invalid certificates, SSL scores, and more. 

CVEs generally require immediate attention. It is best practice to track CVEs against the organization’s asset inventory and then apply updates or other mitigation strategies at lightspeed. CVEs identify exposures that an attacker can use to facilitate network penetration and data breaches. Defenders must promptly update and patch the identified software, or determine adjustments to security controls that protect against the identified CVEs.

In context, attackers are in a race with defenders to exploit newly discovered vulnerabilities. Remember that at some point these are publicly announced, and at that moment many organizations still have not implemented known mitigations. Exploitation happens both before CVEs are announced and within days of announcement.
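The tracking described above, matching advisories against an asset inventory and ranking by risk indicators, as an added example that is not from the post or any Bugcrowd product. The asset records, product names, version numbers, CVE identifiers and indicator weights are all constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    hostname: str
    product: str
    version: tuple          # (major, minor, patch)
    in_inventory: bool      # False = found externally, missing from the registry
    cert_valid: bool        # invalid certificate is one of the post's risk indicators

@dataclass
class Advisory:
    cve_id: str             # constructed placeholder ids, not real CVEs
    product: str
    fixed_in: tuple         # first version that carries the fix
    cvss: float             # 0.0 to 10.0 severity

def is_affected(asset: Asset, adv: Advisory) -> bool:
    """An asset is exposed if it runs the advisory's product below the fixed version."""
    return asset.product == adv.product and asset.version < adv.fixed_in

def matching_cves(asset: Asset, advisories: list) -> list:
    return [adv.cve_id for adv in advisories if is_affected(asset, adv)]

def risk_score(asset: Asset, advisories: list) -> float:
    """Sum CVSS of matching CVEs, then apply assumed weights for the other indicators."""
    score = sum(adv.cvss for adv in advisories if is_affected(asset, adv))
    if not asset.cert_valid:
        score += 2.0        # weight is an assumption, not from the post
    if not asset.in_inventory:
        score *= 1.5        # unknown assets get no routine patching, so rank them higher
    return round(score, 2)

def prioritize(assets: list, advisories: list) -> list:
    """Return (hostname, score, cve_ids, in_inventory) rows, highest risk first."""
    rows = [(a.hostname, risk_score(a, advisories), matching_cves(a, advisories), a.in_inventory)
            for a in assets]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample data: three hosts and two placeholder advisories.
ASSETS = [
    Asset("www.example.test", "example-cms", (2, 5, 10), True, True),
    Asset("legacy-portal.example.test", "example-cms", (2, 3, 30), False, False),
    Asset("api.example.test", "example-gateway", (1, 24, 0), True, True),
]
ADVISORIES = [
    Advisory("CVE-0000-00001", "example-cms", (2, 3, 32), 9.8),
    Advisory("CVE-0000-00002", "example-gateway", (1, 25, 0), 5.3),
]

if __name__ == "__main__":
    for hostname, score, cves, known in prioritize(ASSETS, ADVISORIES):
        print(f"{score:5.2f}  {hostname:28s}  {cves}  {'' if known else '(not in inventory)'}")
```

The forgotten host that is absent from the registry rises to the top of the list, which is the gap the post describes.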

Diversification helps reduce risk. Even if you have automated attack surface management tools, you can consider adding an active testing program such as Bugcrowd’s Managed Bug Bounty or Next Gen Pen Test solutions.


Don’t Skip the Security – Why Your Company Needs Attack Surface Management

As security teams strive to stay ahead of attackers, visibility into the attack surface is crucial. How can you secure what you don’t know exists?  

Unknown or unprioritized assets are ticking time-bombs when they fail to receive routine maintenance and vulnerability patching. Gartner predicts that 1/3 of successful attacks are against unknown or unprioritized assets. 

Don’t take our word for it – let’s take a look into one of the highest-profile data breaches of the century. In the 2017 Equifax breach involving the Apache Struts vulnerability, 147 million Americans had their personal details exposed. Equifax actually did know about the Apache Struts vulnerability before the now-infamous breach. Equifax relied heavily on automated vulnerability scanners, but failed to maintain a registry of the public-facing technology they owned. This means Equifax failed to find and patch the vulnerability in an unseen asset before the malicious exploit. The problem wasn’t just awareness of external risk, it was awareness of at-risk assets. 

This situation illustrates one of the obvious reasons for attack surface management – protecting your organization’s reputation. A breach creates bad press and impacts customer retention.  

What to Look for in Attack Surface Management Platforms

Traditionally, many organizations rely on attack surface scanners for attack surface management. However, there are some major limitations of these solutions, including:

  1. Lag-time

Let’s start with something that might sound a bit counterintuitive. The fundamental value proposition for most scanners is the ability to provide continual insight into your attack surface, saving time and resources in the process. It’s certain you will save hourly effort, but less certain that you’ll achieve rapid time-to-value. Unless the scanner in question utilizes continually updated, pre-indexed data, you may be forced to wait up to a month for an initial scan to complete. This renders most scanners useless for many critical use cases, including M&A.


  2. Known-knowns

Scanners are designed to apply encoded logic or learning frameworks at scale–to cover more ground, with less overhead. For most solutions (other than some relying on Machine Learning), any activity identified as malicious or questionable is derived from what we call “known-knowns,” or patterns that have already been identified as warranting further analysis. And while some of the better tools in-market were originally developed by very skilled members of the hacking community, the ability to stay abreast of the most recent attack methods is still a challenge. In fact, it often takes years before the latest techniques are validated, tested, and incorporated. “Getting a jump on attackers” is almost assuredly not in the cards for organizations relying on such solutions.


  3. Lack of business context and inability to make logical pivots

The technology landscape for large organizations is often structured in exceedingly complex ways, and no two organizations look the same. Automated scanners are highly susceptible to getting lost in a maze of interconnectivity, unable to make sense of logical business structure and priorities. While training is an important requirement for any such technology, it’s also time-consuming, and never a one-off. In addition, organizations are always evolving, abandoning behavioral trends as quickly as they are established. This often limits scope and attention to particular areas, or conversely, makes it difficult for scanners to develop a trusted baseline.


  4. Inability to safely verify and prioritize

While many scanners are tuned to identify assets that may be vulnerable, it is next to impossible for them to verify the accuracy of those initial assessments without serious risk. Scanners often have no concept of scope, nor the implications of various tests across multiple scenarios, where proof of exploitation could cause significant business or security risk to production environments. As a result, scanners are also highly limited in their ability to truly prioritize discovered assets. A rollup of 3,000 newly discovered assets, pulled from the shadows, is only as useful as your ability to action them. Scanners can provide preliminary estimates of risk, but the false positive rate is typically high.


  5. Most attackers have built the same, or better

The good news about automated scanners is that they’re designed to rapidly uncover potentially connected assets faster than humans alone can achieve. The bad news–you’re not the only one using them. Attackers use (and frequently develop themselves), tools that rival and often surpass the power of any commercially-available scanner in-market today. In fact, while you might have the resources to deploy one or two, hackers mapping your attack surface (by the thousands), often use 5-10 or more different scanning technologies, creating a serious disadvantage for defenders everywhere.

With these limitations in mind, organizations need to find attack surface management solutions that combine the power of human ingenuity with technology. Leveraging human ingenuity and creativity in your attack surface management strategy is all well and good, but most organizations don’t have the resources to hire entire teams to cover this aspect of security. This is where crowdsourced attack surface management comes in.

Bugcrowd revolutionized attack surface management by leveraging the power and scalability of crowdsourced security for asset discovery, prioritization, and management. By approaching attack surface management with a crowdsourced solution, organizations match the effort and scale of attackers with the ingenuity and impact of trusted attack-minded defenders for the most organic assessment of real risk possible. It gives organizations the defender’s advantage.

Bugcrowd’s Attack Surface Management portfolio contains two elements: Asset Risk and Asset Inventory. Asset Risk is best described as ingenuity-driven asset discovery and prioritization. This on-demand offering leverages the power of our global Crowd of vetted security experts to find and prioritize a previously unknown internet-facing attack surface. With access to the latest reconnaissance strategies and tooling from those actively developing them, Asset Risk helps organizations out-hack digital adversaries before they strike.

If Asset Risk can be summarized by, “human-powered, software-assisted,” Asset Inventory can be thought of as the reverse. Bugcrowd Asset Inventory, which is powered by Bit Discovery, is a software-based continuous scanning solution fueled by an ever-growing pre-indexation of (almost) the entire internet. Organizations can configure alerts, filter inventory, and collaborate with other business units to more effectively manage their internet-facing assets. Additionally, extensive APIs help programmatically ensure compliance and security for the business at large.

While the two solutions can be deployed separately, combining Asset Risk and Asset Inventory enables insights from one to fuel and sharpen the activities of the other. This can improve inventory accuracy, better inform priority rankings, and more rapidly reduce risk across the business.


ROI of Attack Surface Management

The SANS Institute created a comprehensive equation for assessing security investments that personalizes the math to reflect your unique environment, as well as the average impact of the solution in question. As such, this has become a popular method for demonstrating the risk reduction potential for your target investment.

The Return On Security Investment, or ROSI, formula requires a business to estimate its annualized loss expectancy (ALE): the monetary loss from a single incident multiplied by the number of times such an incident might occur. ALE is multiplied by the mitigation ratio, the expected impact of risk-reduction activities; the cost of the solution is subtracted, and the result is divided by the cost of the solution.

ROSI = (ALE x Mitigation Ratio – Cost of Solution) / Cost of Solution

Applying this to attack surface management, let’s use the Gartner estimate from earlier, assuming that one-third of successful attacks would be against unknown or unprioritized assets. If that has been, or could be true in your organization, then your ALE might be a little higher. It might also be higher if your attack surface has suddenly expanded due to digital transformation, M&A, or a host of other events that often lead to an explosion of unknown and potentially vulnerable assets. 
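The ROSI formula carried through in Python, as an added example that is not from the post or SANS. The loss, frequency and cost figures are constructed; the only input taken from the post is the one-third share of attacks against unknown or unprioritized assets, used here as the mitigation ratio.

```python
def annualized_loss_expectancy(single_loss: float, incidents_per_year: float) -> float:
    """ALE as the post defines it: loss from one incident times expected yearly frequency."""
    return single_loss * incidents_per_year

def rosi(ale: float, mitigation_ratio: float, cost: float) -> float:
    """ROSI = (ALE x Mitigation Ratio - Cost of Solution) / Cost of Solution."""
    if cost <= 0:
        raise ValueError("cost of solution must be positive")
    if not 0.0 <= mitigation_ratio <= 1.0:
        # Assumed bound: the ratio is the fraction of ALE the solution is expected to avoid.
        raise ValueError("mitigation ratio must be between 0 and 1")
    return (ale * mitigation_ratio - cost) / cost

def breakeven_mitigation_ratio(ale: float, cost: float) -> float:
    """Smallest mitigation ratio at which ROSI is zero, i.e. the solution pays for itself."""
    if ale <= 0:
        raise ValueError("ALE must be positive")
    return cost / ale

# Constructed figures (assumptions, not from the post or any vendor):
# one breach costs 2,000,000, expected once every four years; ASM costs 150,000 per year.
ALE = annualized_loss_expectancy(2_000_000, 0.25)   # 500,000
# The post's framing: one-third of successful attacks hit unknown or unprioritized assets,
# so an ASM program that surfaces them is credited with mitigating that share of ALE.
MITIGATION = 1 / 3
COST = 150_000

if __name__ == "__main__":
    print(f"ALE: {ALE:,.0f}")
    print(f"ROSI: {rosi(ALE, MITIGATION, COST):.2%}")
    print(f"Break-even mitigation ratio: {breakeven_mitigation_ratio(ALE, COST):.2%}")
```

With these inputs the program returns about 11% and breaks even once it avoids 30% of ALE, so if the one-third estimate is too optimistic for your environment the case collapses quickly.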

By using the ROSI formula, you can quickly show security ROI in a way that will speak to your CFO.

Another key piece to consider is the lower headcount needed internally. 


Next Steps for Keeping Your Company Safe

As we said earlier in this blog, you can’t secure what you don’t know exists, which is why visibility into the attack surface is so crucial. Check out The Ultimate Guide to Attack Surface Management, which dives into the subject more in-depth, covering the outside-in approach, why automated discovery tools fall short, common attack surface management mistakes, the state of the attack surface, how to action on results, how to build the business case for attack surface management, and more.