The attack surface is growing faster than security teams can keep up. To stay ahead, you need to know what is exposed and where attackers are most likely to strike. With cloud migrations dramatically increasing the number of internal and external targets, prioritizing threats and managing your attack surface from an attacker’s perspective has never been more important. Let’s see why it is growing, and how to properly monitor and manage it with a tool like Intruder.
What is your attack surface?
First, it is important to understand that your attack surface is the sum of your digital assets that are ‘exposed’ – whether they are safe or vulnerable, known or unknown, actively used or not. This attack surface changes constantly over time, and includes digital assets that are on-premises, in the cloud, in subsidiary networks, and in third-party environments. In short, anything that can be attacked by hackers.
What is attack surface management?
Attack surface management is the process of discovering these assets and services and then reducing or minimizing their exposure to prevent hackers from exploiting them. Exposure can mean two things: current vulnerabilities, such as missing patches or misconfigurations that reduce the security of services or assets, but also exposure to vulnerabilities that are discovered in the future.
Take for example an admin interface like cPanel or a firewall administration page – these may be secure against all known attacks today, but a vulnerability may be found in the software tomorrow, at which point it immediately becomes a significant risk. Assets need not be vulnerable today to be vulnerable tomorrow. If you reduce your attack surface, regardless of whether you are vulnerable today, you become more difficult to attack tomorrow.
So an important part of attack surface management is reducing the likelihood of future vulnerabilities by removing unnecessary services and assets from the internet. This is what caused the Deloitte breach, and it is what differentiates attack surface management from traditional vulnerability management. But to do this, you first need to know what’s there.
Asset management vs vulnerability management
Often treated as the weak link in vulnerability management, asset management has traditionally been a labor-intensive and time-consuming task for IT teams. Even when they have control over the hardware assets within their organization and network perimeter, it is still fraught with problems. If even one asset is missing from the asset inventory, it can bypass the entire vulnerability management process and, depending on the sensitivity of the asset, can have far-reaching implications for the business.
Today, it is much more complicated. Businesses are migrating to SaaS and moving their systems and services to the cloud, internal teams are downloading their own workflow, project management, and collaboration tools, and individual users expect to customize their own environment. As companies grow through mergers and acquisitions, they often take over systems they weren’t even aware of – a classic example is the telco TalkTalk, breached in 2015, with up to 4 million unencrypted records stolen from systems they didn’t even know existed.
Shifting security from IT to DevOps
Today’s cloud platforms allow development teams to move and scale quickly when needed. But it puts a lot of responsibility for security in the hands of the development team – moving away from a traditional, centralized IT team with a strong, trusted change control process.
This means cyber security teams struggle to see what is going on or find where their assets are. Similarly, it’s becoming increasingly difficult for large corporations or businesses with dispersed teams – often located around the world – to keep track of where all of their systems are.
As a result, organizations increasingly understand that their vulnerability management process should feed into a more holistic ‘attack surface management’ process: you must first know what you have exposed to the internet before thinking about what vulnerabilities you have, and which fixes to prioritize.
Important features of an attack surface management tool
The various tools on the market are great for asset discovery, finding new domains similar to yours, and finding websites with content similar to yours. Your team can then check whether or not this is a company asset, choose whether it should be included in your vulnerability management process, and how to secure it. But this requires internal resources as the tool cannot do this for you.
Similarly, some tools only focus on the external attack surface. But because a common attack vector is through employee workstations, attack surface management must also include internal systems. Here are three important features every attack surface monitoring tool must provide:
1. Asset discovery
You can’t manage assets if you don’t know they exist. As we’ve seen, most organizations have various “unknown unknowns”, such as assets stored on partner or third-party sites, workloads running in public cloud environments, IoT devices, abandoned IP addresses and credentials, and more. Intruder’s CloudBot runs hourly checks for new IP addresses or hostnames in connected AWS, Google Cloud, or Azure accounts.
Intruder’s CloudBot automatically adds any new external IP address or hostname in a connected cloud account as a target for vulnerability monitoring and scanning.
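As an added example (not Intruder’s or CloudBot’s code, which the page does not show), here is a Python sketch of the check described above: a fresh cloud inventory snapshot is diffed against the targets already under monitoring, and only addresses reachable from the internet are queued for scanning. The snapshot, its field names and the known-target list are constructed for the example.

```python
"""Asset discovery by inventory diff (added example; not Intruder's CloudBot code).

Diff a fresh cloud inventory snapshot against the targets already under
monitoring and return the newly internet-exposed ones to queue for scanning.
All data below is constructed for the example.
"""
import ipaddress
from typing import Optional

# Address ranges that cannot be reached from the internet. ip.is_global would be
# the stricter production choice, but it also rejects the RFC 5737 documentation
# addresses used as sample data here.
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),  # IPv6 unique local
]

# Constructed snapshot, shaped like what a cloud-account connector might return
# (hypothetical field names; real provider APIs differ).
CLOUD_SNAPSHOT = [
    {"provider": "aws",   "resource": "i-0example1", "address": "203.0.113.10"},
    {"provider": "aws",   "resource": "i-0example2", "address": "10.0.4.7"},             # private only
    {"provider": "azure", "resource": "vm-billing",  "address": "Billing.Example.NET."},  # hostname
    {"provider": "gcp",   "resource": "lb-frontend", "address": "198.51.100.25"},
    {"provider": "gcp",   "resource": "lb-frontend", "address": "198.51.100.25"},        # duplicate row
]

# Targets already under vulnerability monitoring (constructed).
KNOWN_TARGETS = {"203.0.113.10", "www.example.net"}


def normalize(address: str) -> Optional[str]:
    """Return a canonical target string, or None when the address is not
    reachable from the internet (private, loopback, link-local, ...)."""
    addr = address.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Not an IP literal: treat it as a hostname, rejecting empty or malformed names.
        return addr if addr and " " not in addr else None
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return None
    if any(ip in net for net in NON_ROUTABLE):
        return None
    return str(ip)


def discover(snapshot, known):
    """Return (new_targets, retired_targets) as sorted lists.

    new_targets:     exposed addresses in the snapshot that are not monitored yet.
    retired_targets: monitored targets that no longer appear in the snapshot.
    """
    current = {t for t in (normalize(item["address"]) for item in snapshot) if t}
    known = set(known)
    return sorted(current - known), sorted(known - current)


if __name__ == "__main__":
    new, retired = discover(CLOUD_SNAPSHOT, KNOWN_TARGETS)
    print("queue for scanning:", new)
    print("gone from cloud inventory (confirm before retiring):", retired)
```

Two details matter in practice: a cloud VM that only has a private address is not part of the external attack surface, so it is filtered out rather than scanned as if it were exposed; and a target that disappears from the inventory is reported rather than silently dropped, because it may simply have moved to an account that is not connected yet.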
2. Business context
Not all attack vectors are created equal and ‘context’ – what is exposed to the internet – is an important part of attack surface management. Older tools don’t provide this context; they treat all attack surfaces (external, internal office, internal data center) the same, making it difficult to prioritize vulnerabilities. Attack surface management tools identify gaps in your internal and external security controls to reveal weaknesses in your security that need to be addressed and fixed first.
Intruder takes it a step further and provides insight into any given asset and the business unit the application belongs to. For example, knowing whether the compromised workload is part of a critical application that manages SWIFT transactions between banks will help you formulate a remediation plan.
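To make the ‘context’ point concrete, here is an added example (not Intruder’s own scoring, which the page does not describe) of prioritizing findings by exposure zone, business criticality and whether the service has any business reason to be reachable from the internet. The weights, field names and sample findings are constructed for the example.

```python
"""Context-aware prioritization of findings (added example; not Intruder's scoring).

Rank findings by where the asset is exposed, whether it belongs to a critical
application, and whether the service has any business reason to be reachable
from the internet. All weights and sample findings are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Exposure weight by network zone (hypothetical values chosen for the example).
ZONE_WEIGHT = {"external": 1.0, "internal-office": 0.6, "internal-datacenter": 0.4}
CRITICAL_MULTIPLIER = 1.5
UNNEEDED_EXPOSURE_BONUS = 5.0


@dataclass(frozen=True)
class Finding:
    asset: str
    service: str            # e.g. "cpanel", "ssh", "https"
    zone: str               # one of ZONE_WEIGHT's keys
    business_unit: str
    critical_app: bool      # part of a business-critical application?
    needs_internet: bool    # is there a business reason for this service to be exposed?
    severity: float         # 0-10, e.g. CVSS base score of the worst known issue


def score(f: Finding) -> float:
    """Higher means fix first."""
    s = f.severity * ZONE_WEIGHT[f.zone]
    if f.critical_app:
        s *= CRITICAL_MULTIPLIER
    # An externally reachable service with no reason to be there is exposure to
    # tomorrow's vulnerabilities, so it outranks a same-severity issue that must stay online.
    if f.zone == "external" and not f.needs_internet:
        s += UNNEEDED_EXPOSURE_BONUS
    return round(s, 2)


def action(f: Finding) -> str:
    """Reducing the attack surface beats patching when the service is not needed."""
    if f.zone == "external" and not f.needs_internet:
        return "remove from internet"
    return "patch/harden"


def prioritize(findings: List[Finding]) -> List[Tuple[str, str, str, float]]:
    """Return (asset, service, action, score) tuples, highest priority first."""
    ranked = sorted(findings, key=score, reverse=True)
    return [(f.asset, f.service, action(f), score(f)) for f in ranked]


# Constructed sample findings.
SAMPLE_FINDINGS = [
    Finding("billing.example.net", "cpanel", "external", "Finance", True, False, 4.0),
    Finding("www.example.net", "https", "external", "Marketing", False, True, 7.5),
    Finding("fileserver01", "smb", "internal-office", "HR", False, True, 9.8),
    Finding("swift-gw-01", "ssh", "internal-datacenter", "Treasury", True, True, 6.5),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        print(row)
```

Note the outcome for the constructed data: the exposed cPanel on the finance host ranks first even though its worst known issue is only moderate, because it has no reason to be on the internet, while the internal file server with a higher raw severity lands lower. That is the difference between ranking by vulnerability alone and ranking by attack surface.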
3. Proactive and reactive scanning
You can’t just test your attack surface once. It keeps growing every day as you add new devices, workloads, and services. As it grows, the security risks grow with it: not only the risk of new vulnerabilities, but also misconfigurations, data exposure or other security holes. It’s important to test all possible attack vectors, and it’s important to do this constantly so your understanding doesn’t become obsolete.
Even better than continuous scanning is a platform that can scan proactively or reactively depending on the circumstances. For example, reacting to a new cloud service brought online by launching a scan, or proactively scanning all assets as soon as a new vulnerability check is available.
Reduce your attack surface with Intruder
Attack surface monitoring tools such as Intruder do all this and more. Intruder ensures that everything you expose to the internet is what it should be, by making it easy to search and browse. Its Network View feature shows you exactly what ports and services are available, including screenshots of websites or apps running on them.
Most automated tools are very good at getting the data out for the analyst to look at, but don’t cut down on the ‘noise’. Intruder prioritizes problems and vulnerabilities based on context, including whether they need to be on the internet or not. Combined with Intruder’s constant monitoring and scanning for emerging threats, this makes it easier and faster to find and fix new vulnerabilities before they can be exploited.
Try Intruder yourself!
With its attack surface monitoring capabilities, Intruder solves one of the most fundamental problems in cybersecurity: the need to understand how attackers see your organization, where they are likely to come in, and how you can identify, prioritize, and eliminate risk. Ready to start?