Who is this blog for? 

This blog is for security leaders who want to learn how to reduce attack surface complexity. Attack surface complexity is a major challenge for organizations of all sizes, as it can make it difficult to identify and defend against all potential attack vectors. 

An organisation’s attack surface is constantly expanding, growing more complex, and often going unseen. So how can you secure what you don’t know about?

In this blog, our technology partner Recorded Future suggests how you can better understand and protect your attack surface. 

Read time: 5 minutes 20 seconds 

IT Teams across the globe are under increased pressure to manage their growing attack surface and ensure due diligence is being done to secure their business against cyber threats. To meet these demands, businesses must have a comprehensive understanding of all entry points into their organization’s network, including web applications, remote access points, network infrastructure, and cloud services.

However, only 9% of organizations think they monitor 100% of their attack surface, and considering organizations typically discover somewhere in the range of 40% more assets when using an automated scanner (CSO), it’s fair to have reservations about whether that 9% is truthful.

Since many organizations lack visibility into their entry points, even if they think otherwise, this raises the question: how can you defend and build security processes around what you can’t see?

To help organizations navigate this complex digital environment, we sat down with Geoff Brown, VP of Global Intelligence Platforms at Recorded Future and Former CISO of New York City, to learn how Recorded Future Attack Surface Intelligence is helping IT teams secure their business. Below are five pieces of advice we learned to help you reduce attack surface complexity.

#1: There is Always an Adversary

Geoff describes looking at your attack surface the same way you would look at a chess board: “The technology is all the pieces and the environment that you’re playing the game in, but you always have an adversary sitting across the table from you who’s trying to thwart your every move.” The latter part of the quote is the critical piece to pick up on: there’s always an adversary.

Digital transformation initiatives have led to an explosion of assets on the public internet, making it increasingly difficult for organizations to maintain a persistent view of their internet-facing assets. To compound this problem, assets move, change, and appear constantly, and this dynamic nature means traditional manual asset inventory processes simply cannot keep up. Meanwhile, attackers are using large-scale automation to enumerate everything that’s vulnerable on the internet in minutes to hours. According to Recorded Future Threat Researcher Lindsay Kaye, many threat actors will use openly available tools to identify open ports or specific software installed on the system.

Understanding your attack surface matters: 69% of organizations have experienced some type of cyberattack that started through the exploit of an unknown, unmanaged, or poorly managed internet-facing asset (CSO). An outside-in view of what an adversary sees shows defenders which assets could be at risk and where to prioritize remediation efforts before exploits happen, which is a significant advantage.

#2: You Need a Comprehensive Approach

Think of all the different applications that create digital doorways into your organization: web applications, email systems, remote access systems, websites, cloud services, login pages and more. Many organisations have hundreds, if not thousands, of internet-facing assets, with more and more being added each day.

Geoff notes, “It’s pretty essential you’re taking a comprehensive approach… otherwise you’re in the dark”. We’ve already mentioned the perils of being in the dark when it comes to asset visibility, but a comprehensive approach isn’t just about cataloguing your assets; it’s also about knowing if an asset is vulnerable, if it’s being hosted in a location that’s out-of-policy, or if an adversary has shown an intent to exploit a specific vulnerability.

#3: Enforcing Security Policies Requires Regular Checks

Security leaders put in a significant amount of effort, time, and resources creating security policies that reduce risk and secure the business. However, these days 41% of employees can acquire, modify, or create technology outside IT’s visibility, a number that is likely to grow to 75% by 2027 (Gartner).

Employees may be innocently going outside of security policies for convenience, out of habit, or to avoid detection. Either way, the effect is the same. They’re setting you up for policy violations and security lapses.

To combat this, Geoff remarks that using Recorded Future Attack Surface Intelligence provides a “check across your total asset base to see whether or not the compute infrastructure is up to policy and then is configured to the standards that your organization has adopted.”

We don’t want all the effort that has gone into creating and enforcing security policy to go to waste. A continual check to make sure new assets are being spun up with proper hygiene is a critical aspect of making your organization truly defensible.

#4: Context is Key

Not all risks are the same, and not all risks deserve the same attention. An unpatched vulnerability on a critical server that is accessible from the internet poses a far greater risk to your organization than an end-of-life software application you have running. Context on what needs to be prioritized for remediation is crucial. Additionally, context is key when understanding the total attack surface that needs to be defended.

Geoff explains, “any IT Team needs to really pursue two things in relation to security. One, are all of their assets in a defensible environment? Two, are those assets up to the standards and configurations necessary for protecting your environment?”

Many organizations are surprised to find out how many hosting providers they have, how many assets aren’t behind a WAF, or that they have publicly exposed dev sites. In order to pursue these two components, context is required as to what assets truly belong to your organization, and if something needs to be done to ensure they’re protected.

#5: Access to Intelligence Leads to Informed Decisions

IT Teams spend considerable time in continual pursuit of information around what’s been identified as vulnerable and what to do about it. Geoff points out, “You need intelligence if you’re going to make an informed decision and if you’re going to advise to make a change to your technology or business environment”.

Intelligence provides an advantage to identify and get ahead of risks that matter, make the right decisions for your organization, and build resilience, at the speed and scale of today’s threat environment. IT Teams can leverage intelligence to gain an outside-in view of their infrastructure and an inside-out view of which adversaries could be targeting them, their peers, or critical vendors in their supply chain.

Operating in a digitally connected global environment requires constant protection of your attack surface, as you never know when a new piece of malicious software can spread and impact your operations.

Your organization is likely undertaking some type of digital transformation project, layering more systems into your IT networks to support remote work, and increasing channels and digital interactions with employees and customers, all of which creates new attack vectors that must be secured. Staying ahead of this complexity requires real-time intelligence to craft a defensive strategy that makes it possible to identify infrastructure, prioritize remediation efforts, and ultimately automate the identification of exploitable internet-accessible assets.

“Geoff raises some important points that you need to consider to ensure the security of your attack surface,” agrees Keith Archer, Commercial Director ‑ Babble Defence.

“As bad actor attacks increase in sophistication and as organisations’ attack surfaces grow in size and complexity, it’s vital for IT Teams to use intelligence to shine a light on potential blind spots and protect their business against cyber threats.”

This blog was written and shared by Recorded Future and originally published on their website on 9 May 2023.