Cyber threats and attacks are inevitable and unpredictable. It does not matter how big or small an organization is: anyone can become a victim. When cybercriminals strike, they usually do so indiscriminately and with the element of surprise. As one Harvard Business Review piece put it, “Cyberattacks always happen when you least expect them. And when they happen, they happen quickly.”
Addressing cyber threats is not as easy as it sounds. Attack surfaces will always exist, even in organizations with the most stringent security policies and controls. Securing these potential attack points brings many challenges, and each must be addressed effectively to achieve a formidable security posture.
Attack surface management challenges fall into two main categories: technical and human. Both must be addressed if organizations are to avoid the worst consequences of an attack.
Technical challenges are those associated with processes and technologies. They are mostly attributable to mistakes or errors, including misconfigurations, unpatched software, the use of applications from unknown sources, shadow IT, and other weaknesses that bad actors may discover. With the multitude of digital assets in modern organizations, keeping track of everything can be very difficult. Even with leading security controls in place, securing everything remains a tall order.
The good thing is that there are convenient solutions to address all of these technical challenges. An automated attack surface management platform, in particular, makes it easy to keep track of all possible cyber attack points and make sure that they are properly secured and free from vulnerabilities or exploitable weaknesses.
Attack surfaces can be any of the following:
- Known attack surfaces – These include websites, servers, apps, and a host of other digital assets. Most of the web-enabled or network-connected devices in an organization are also classified as known attack surfaces.
- Unknown attack surfaces – These are usually referred to as shadow or orphaned IT. They are digital assets that evade monitoring because they are no longer used regularly, are fragments of previous or legacy technology that survived a reorganization, or are hardware that remains connected to the organization’s network.
- Rogue attack surfaces – As the name implies, these are digital devices, software, or IT infrastructure that have been set up discreetly inside an organization for adversarial purposes. Examples include ransomware and malware used to siphon data or record user activity on devices. There are also cases where third-party vendor-managed assets become rogue assets through the provider’s negligence.
Monitoring all of these attack surfaces is challenging because of a lack of transparency, a lack of cooperation among departments or between the previous and new management of an organization, poor cybersecurity hygiene, and a weak security culture, including policies that do not call for meticulous and continuous examination of IT assets.
It also becomes difficult to manage attack surfaces effectively when organizations try to avoid the costs, time, and effort involved. They make do with basic security testing and ignore the likelihood of missing many vulnerabilities, especially as new systems and devices, including numerous IoT appliances, are added. Some organizations also rely too heavily on the security afforded by third-party digital assets and service providers.
To make sure that these challenges are resolved, it is advisable to adopt attack surface management best practices, particularly the use of a reputable ASM platform. Attack surface management entails the discovery and analysis of assets and threats, monitoring, and the implementation of mitigation and remediation measures. This is particularly useful when organizations go through major changes with the replacement of existing systems and the addition of new hardware and software.
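As an added example (not code from the original article or from any ASM vendor), here is the reconciliation step that asset discovery feeds: it compares constructed discovery output against a constructed inventory and sorts each host into the known, shadow, orphaned and vendor-managed categories described above. The 90-day staleness threshold and every hostname, owner and date are assumptions. Rogue assets are deliberately not classified here, since identifying them needs signals (malicious behaviour, unauthorized installation) that this data does not carry.

```python
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)  # assumption: unseen this long => orphaned

# Constructed inventory: what the organization believes it owns.
INVENTORY = {
    "www.example.test":     {"owner": "web-team", "managed_by": "internal"},
    "crm.example.test":     {"owner": "sales-it", "managed_by": "vendor-x"},
    "old-erp.example.test": {"owner": None,       "managed_by": "internal"},
    "retired.example.test": {"owner": "finance",  "managed_by": "internal"},
}

# Constructed discovery output (e.g. from DNS, certificate and scan data).
DISCOVERED = [
    {"host": "www.example.test",     "last_seen": date(2024, 5, 1)},
    {"host": "crm.example.test",     "last_seen": date(2024, 5, 1)},
    {"host": "old-erp.example.test", "last_seen": date(2024, 1, 3)},
    {"host": "dev-api.example.test", "last_seen": date(2024, 4, 30)},
]

def classify(discovered, inventory, today):
    """Map each host to one category:
    known         - inventoried, owned, seen recently
    shadow        - discovered but absent from inventory (shadow IT)
    orphaned      - inventoried but ownerless or unseen for STALE_AFTER
    vendor-review - inventoried but vendor-managed: the provider's
                    diligence is outside our control, so flag, don't trust
    not-observed  - inventoried but never discovered (stale inventory)
    """
    result, seen = {}, set()
    for asset in discovered:
        host = asset["host"]
        seen.add(host)
        record = inventory.get(host)
        if record is None:
            result[host] = "shadow"
        elif record["owner"] is None or today - asset["last_seen"] > STALE_AFTER:
            result[host] = "orphaned"
        elif record["managed_by"] != "internal":
            result[host] = "vendor-review"
        else:
            result[host] = "known"
    result.update({h: "not-observed" for h in inventory if h not in seen})
    return result

def classify_sample():
    """Run the constructed sample as of a fixed, constructed date."""
    return classify(DISCOVERED, INVENTORY, date(2024, 5, 2))
```

Every category except "known" is a work item: shadow and orphaned hosts need an owner assigned or a decommission, vendor-managed hosts need the provider's controls verified, and "not-observed" entries mean the inventory itself is out of date.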
SANS (a cybersecurity learning institute) senior instructor Lance Spitzner’s observation that humans are the weakest link in cybersecurity holds true in attack surface management. Advanced and automated security platforms can only do so much. If the people in an organization fall for deceptive cyber-attack schemes, all of the technical controls can easily be invalidated.
How? It is people, after all, who have the final say on how to respond to security alerts and reminders. They can ignore or even deactivate security controls if they are convinced they need to do something more important. Many still download and execute email attachments from dubious sources simply out of curiosity about what the attachments really are. Others unwittingly fall victim to phishing and smishing attacks and hand over sensitive information about their organizations or themselves.
ASM platforms can significantly reduce the chances of a successful cyber attack, but they cannot overrule human decision-making. The solution is adequate cybersecurity training or orientation for everyone in an organization, especially for those who have access to digital resources and who manage security controls.
Some ASM providers offer assistance with the human weakness factor, but as noted, the key is still to make sure everybody understands the importance of good cybersecurity hygiene and is familiar with the methods cybercriminals use. Social engineering remains a serious threat because many people fail to learn from it and develop better cybersecurity instincts.
Some may think that attack surface management is unnecessary because the overall idea is similar to continuous red teaming and purple teaming. Many organizations skip it because it appears redundant, given that they already run security validation measures. What makes ASM different, however, is that it focuses on what a prospective attacker can discover during the reconnaissance phase of an attack, and on periods when an organization is undergoing significant change, such as M&As, major organizational overhauls, and shifts to new business operations.
There’s a reason why MITRE developed its PRE-ATT&CK framework. It aims to concentrate on the preparatory stages of cyberattacks, which may not be given enough attention when doing the usual security validation processes, which are covered by the standard MITRE ATT&CK framework.
The ATT&CK framework covers the steps taken from the moment an attack is launched, while PRE-ATT&CK concentrates on the adversary’s preparatory actions, and the defender’s responses to them, in the phases that precede it. “The further right you move in the PRE-ATT&CK matrix, the greater the potential for the network defense community to detect and potentially mitigate adversary techniques,” wrote Kristin Esbeck and Blake Strom, cybersecurity engineers at MITRE.
ASM is not some new concept developed by security firms for vanity or simply to create a new revenue stream. Attack surface management is becoming an important part of modern cybersecurity in view of the growing aggressiveness, sophistication, volume, and frequency of cyberattacks. Catching attacks during their preparatory phase, before the actual launch, makes perfect sense, especially for organizations facing new known attack surfaces, more unknown attack surfaces, and the rise of rogue attack surfaces.