Attack Surface Analysis Guide

As networks keep growing, companies are adding an increasing number of endpoints to their systems. Each of these endpoints is a potential target for malicious actors.

An attack surface is a map of all potential access points within your software inventory that a malicious actor could use to extract or insert data. Today, we’ll be going over what attack surfaces are, what an attack surface analysis is, and how to conduct one.

Attack surfaces are quite similar to system vulnerabilities. Because of this, doing an attack surface analysis is quite similar to performing a vulnerability scan.

The biggest difference between the two is that a vulnerability scan focuses on the settings present on your on-prem equipment, while an attack surface analysis focuses on the software side of things. Hackers are always on the lookout for data they can steal. Losing data or suffering a data leak can cause massive issues for a business, regardless of how it occurred. Reports reveal that the average data leak sets a business back $3.86 million. Although there’s a variety of attack vectors malicious actors can use, the most common one these days is through software. Because of this, you must closely guard access to any software that can lead to important data.

What Is An Attack Surface?

An attack surface is simply the sum of all possible attack vectors through which a malicious actor can gain unauthorized access to your system and extract or insert data. This may seem simple, but attack surfaces these days include quite a few elements.

Attack surfaces are separated into two categories:

  1. The Digital Attack Surface: The digital attack surface is all of the software and hardware connected to your network. This includes your applications, all of the code on your network, ports, websites, domains, servers, and third-party software you’re using.
  2. The Physical Attack Surface: The physical attack surface is seldom talked about; however, it can be just as important as the digital attack surface. It consists of all of the hardware that a malicious agent could get access to. This includes phones, USB drives, desktops, hard drives, and similar.

Although that’s fairly simple, it can be quite difficult for businesses to determine their exact attack surface. Defining your attack surface is a crucial first step to conducting proper attack surface analysis.

Defining & Mapping Your Attack Surface

To define and map your attack surface, you’ll need to identify any potential weaknesses and vulnerabilities on your system, as well as decide upon user roles and privileges. The first step of this is quite simple: identifying all of the physical and digital devices that constitute your attack surface. Most organizations will use an attack surface monitor to do this quickly.

Next, you’ll need to take inventory of all of your storage options and split them into three parts: cloud storage, devices, and on-prem systems. Once this is done, you can decide what users need to access what data, which will determine their privilege level. This will help you grasp how your users and departments interact with each other, making it a lot easier to classify different attack vectors.

With packages, large access right regimes, and single sign-on becoming more and more common, attack surfaces are stretching wider than ever. The first part of your attack surface you need to identify is all of the software that directly accesses data. This means databases, file stores, as well as any software you use to manage files. After that, look at the software that links to those such as ERPs, log management tools, and others.

The software that can directly access data stores sits at the heart of your attack surface. CRM systems and the like belong in this category.

Now, web and mobile apps make defining your attack surface a little more difficult. Since most software these days is built using at least one externally hosted API, a portion of your application runs outside your own servers.

Since you can’t control how these external servers are protected, you’ll need to secure your data itself. Some of your data is always exchanged with the API, and that very API could become an attack vector if a malicious agent can find a weakness in it.

Similarly, plugins and integrations are often neglected as parts of the attack surface. Once again, plugins and integrations have data being sent from your systems to a secondary location without exact knowledge of what data is exchanged, where the data is processed, or if there are any protection systems in place.

The next issue that makes your attack surface wider is the presence of mobile apps and user-owned hardware. Your business can’t control what other applications your users download to their devices, or what kind of access those applications can get to the user’s OS. That application could very well be a virus that’s looking to siphon your corporate data from the user’s OS.

Next, we’ve got your operating systems themselves. This is where the attack surface stops as we get into vulnerability management. Since firmware and OSs are within the scope of vulnerability management and scanners, this is where we usually draw the line for your attack surface.

Your attack surface also doesn’t include misuse of browsers for malware infection or the manipulation of services like PowerShell. These are in the domain of antimalware solutions.

This means that the attack surface and attack surface analysis are only pieces of the broader threat detection puzzle.

Strategies For Conducting Attack Surface Analysis

Much like vulnerability scanning looks at both internal and external portions of your network, attack surface analysis looks at both the internal and external attack surfaces. Because of this, we need to look at attack surfaces from two different perspectives.

When conducting attack surface analysis, first we need to think about a malicious actor or hacker trying to access our data via software means: this is the external component. Next, we need to look at how someone present on-prem, be they a malicious actor or a legitimate user, can gain access to data.

When conducting internal attack surface analysis, we look to stop insider threats and stolen accounts from doing damage. Insider threats can come from a variety of places; an angry employee and one tricked by phishing are two of the most common. Similarly, a successful phishing attack gives a hacker your legitimate user’s login credentials.

When conducting external attack surface analysis, we try to minimize factors that could cause a data leak. This means looking at APIs and external services that manage your data, and at software that has been given more permissions than it needs. Because of this, internal attack surface analysis is mainly about managing access rights correctly.

What We Look To Accomplish With Attack Surface Analysis

The core idea of attack surface analysis is simply to find the best methods to control system vulnerabilities, therefore minimizing the chances that an attack occurs. One of the best ways to do this is simply to ensure that your attack surface is as small as possible.

The first step to internal attack surface analysis focuses on correct user account management. This means looking at all of your user groups and working out how to correctly define them. Look at each user account and see what kind of privileges they need to have access to, then group them based on that.

Having backend accounts for automated processes can be quite an issue. The more you have, the wider your attack surface, and there are few things you can do about it. Because of this, instead of disallowing these packages from accessing your data (rendering them useless in the process), you should look to minimize the number of them you run on your systems.

Next, you need to make sure that you’ve implemented tight access controls that apply to those packages too. For example, these packages are often not accessed directly by users, but instead send data to a different place automatically. This further extends your attack surface, so tight controls should be put into place.

When it comes to external attack surface analysis, we need to look at all of the attack vectors available to malicious actors outside of our network. This means every cloud service and API you use. We need to isolate all of these external functions and look at what kind of data they deal with.

Here, we want to look at the security processes that each service provider implements. For example, data encryption for storage and transfers, as well as remote-user access controls are great security measures to see and implement.

This is where third-party risk assessment solutions come in. At the end of the day, you’ll need to use some external applications within your systems, so you’ll have to trust a third-party provider at their word. These systems look at data leaks within service providers and make it easier to find which of these cloud services could be a vulnerability.

How Has Attack Surface Analysis Evolved Through The Pandemic?

With the recent shift towards work-from-home operations due to COVID, attack surface analysis has become more important than ever. Since a lot of workers are working from home, software that was previously only accessible within your network now has to be available at your employees’ homes. This further increases the attack surface’s area.

Online sales platforms have also become much more popular, with them slowly replacing in-person stores and service points. Many businesses have decided to make their customer system interface public and available online. This leads to a further increase in external attack surface.

Furthermore, businesses are using more and more pre-built solutions within their operations, making tracking software hosting even more difficult.

Due to these factors, attack surface monitoring and analysis are no longer something to be done exclusively manually. Most companies elect to have an attack surface monitor handle the simpler parts of attack surface analysis, leaving their technicians to deal with tasks that require human effort.

Conducting Attack Surface Analysis

Attack surface analysis requires technicians with fairly specialized skillsets. Usually, it is performed by penetration testers. These penetration testers pretend to be malicious actors and try to break into your systems using any avenue they can. Usually, firms are reluctant to do this internally as they are often afraid of compromising their security or breaking their system.

First, you need to conduct an eDiscovery process to find all of your data stores and group them by how sensitive the data within them is. Next, isolate your most sensitive data and find all of the access points to it. Repeat this process until you’ve found all of the software that can interact with this data. This part of the process can be automated using ASM (attack surface monitoring) tools.

Next, we do this again for each group of data, marking the boundary between your internal and external systems. This is your data access map.

Once you’ve assembled your data access map, you should look for methods to minimize your attack surface. In this step, you should implement access rights management and conduct a third-party risk assessment.
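As an added example (not from the article or any ASM product), here is a small Python script that builds the data access map the steps above describe from a constructed inventory: it records each store's sensitivity tier and storage group, follows access edges transitively to find every account, package and service that can reach each store, marks each origin as inside or outside the network boundary, and flags the most sensitive stores reachable from outside as the first candidates for shrinking the surface. All store names, nodes, edges and sensitivity tiers are constructed assumptions.

```python
# Added example: build a data access map from a constructed inventory.

# Constructed inventory. sensitivity 1 = most sensitive; location is one of
# the article's three storage groups: cloud, devices, on-prem.
STORES = {
    "customer_db": {"sensitivity": 1, "location": "on-prem"},
    "file_share": {"sensitivity": 2, "location": "on-prem"},
    "crm_cloud": {"sensitivity": 1, "location": "cloud"},
}

# Directed access edges: who can read from or send data to what.
# Keys are accounts, in-house software and third-party services.
ACCESS = {
    "crm_app": ["customer_db", "crm_cloud"],
    "erp": ["crm_app", "file_share"],
    "log_collector": ["file_share"],
    "payment_api": ["crm_app"],              # external SaaS integration
    "alice": ["erp"],                        # human user
    "svc_report": ["erp", "log_collector"],  # backend automation account
}

# Nodes that sit outside the network boundary.
EXTERNAL = {"payment_api", "crm_cloud"}


def reachable_stores(node, access=ACCESS, stores=STORES):
    """Stores that `node` can reach by following access edges transitively."""
    seen, stack, found = {node}, [node], set()
    while stack:
        for nxt in access.get(stack.pop(), []):
            if nxt in stores:
                found.add(nxt)
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return found


def data_access_map(access=ACCESS, stores=STORES, external=EXTERNAL):
    """Per store: nodes that can reach it by origin, plus a review_first flag."""
    amap = {s: {"sensitivity": m["sensitivity"], "internal": set(),
                "external": set()} for s, m in stores.items()}
    for node in access:
        side = "external" if node in external else "internal"
        for store in reachable_stores(node, access, stores):
            amap[store][side].add(node)
    for entry in amap.values():
        # Tier-1 data reachable from outside the boundary is reviewed first.
        entry["review_first"] = entry["sensitivity"] == 1 and bool(entry["external"])
    return amap
```

Every node that turns up under a store it has no business touching is a candidate for tighter access rights, and every external entry under a tier-1 store is a candidate for the third-party risk assessment mentioned above.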

Since hackers can’t look through your system like this, they’ll have to use trial and error to find vulnerabilities, helping you stay one step ahead of them. With that being said, some vulnerabilities are nigh-impossible to fully close. For example, shutting down EDI transmissions can lead to your whole payment system becoming dysfunctional.

Next, you’ll want to educate your users about how dangerous it is to disclose their login details. Monitor all USB and email communication to prevent this kind of data from leaking out of your system.

Closing Words

Attack surface analysis is an extremely complicated process. Because of the increasing reliance on external software and the growth of in-house networks, attack surfaces are bigger than ever.

Because of this, it’s essentially impossible to conduct attack surface analysis manually. By the time you’re done doing it, your business will have introduced a couple of new elements into your network, and you have to do it all over again. Because of this, using attack surface monitoring tools is crucial in defining your attack surface and monitoring it for activity.

How do you think the growth of attack surfaces will impact future businesses?

What is your attack surface monitoring tool of choice?

Let us know in the comments below!