What's the best way to monitor and protect your attack surface? Ask a dozen security professionals and you'll get answers like run port scanning on (known) IP ranges, use a cyber-risk scorecard service, or hire penetration testers to focus on the organization's "crown jewels." Many might even say you need to do all of those.
Regardless of how they do it, most organizations start (and end) by focusing on the tip of the iceberg: the IT assets, networks, and environments they already know about. They do this by looking at known IP ranges and open ports and services, which any vulnerability scanner, security ratings service, or penetration test can easily see. The danger of this approach is that it leaves substantial areas unmonitored and unprotected. This definition of the attack surface, one that includes only the assets and elements known by the IT or security team, is too narrow. There is still so much lurking under the surface.
Attackers aren't constrained by such narrow viewpoints. They simply take the easiest path into an organization, the path of least resistance. Every asset an organization has exposed to the Internet can offer that path, and one gap is all attackers need. The vast majority of these security gaps are tied to unknown, and therefore unmonitored and unprotected, assets.
So why does this matter? Because there simply is no intrinsic value in security testing for the sake of security testing. If you invest all your limited security assurance resources in securing 70% of your attack surface, that leaves the other 30% wide open to attackers who are looking for an opportunity. And the impact of those gaps can make your security testing investment largely meaningless.
Visibility and scope are foundational in every industry but often overlooked in security. This is a huge mistake. If you navigate securing your digitally transformed IT ecosystem by steering around just the perils you can see, you're setting yourself up for a Titanic-level catastrophe. The implications of failing to eliminate the risk from previously unknown portions of the attack surface are clear. According to a survey by The Enterprise Strategy Group (ESG), 68% of organizations have experienced a cyberattack that began from an unknown, unmanaged, or poorly managed company asset. Over a third say this has happened several times. Perhaps even more alarmingly, 75% expect it will happen again.
The ESG survey also says nearly half of organizations don't think to include third parties, workloads running in the public cloud, or software-as-a-service (SaaS) applications in their attack surface. That includes commonly used apps that handle sensitive or personal data like Box, Dropbox, Microsoft 365, and ServiceNow. One of the key reasons organizations don't think to include subsidiaries, third parties, or SaaS applications when defining their attack surface is that many simply don't know everything that makes up their attack surface. Complexity and dynamic growth make this particularly difficult.
Think Like an Attacker to Discover Unknown Risks
To avoid overlooking critical security gaps, organizations must approach their attack surface the same way an attacker does and employ as few assumptions as possible. That means it is crucial to go beyond what your IT and security teams already know so that you do not inherently limit your possible discoveries from the outset. To update the definition and think more like attackers, organizations must do the following.
First and foremost, they must take a wider and deeper view of the attack surface. It's important to make sure that view does not omit major attack paths like subsidiaries, cloud-based workloads, SaaS applications, and third-party connections — especially those your team is unaware of. The need for this is evidenced by the prominence of supply chain attacks like SolarWinds and Accellion and the fact that 92% of US businesses have experienced a breach because of a supply chain fault.
Knowing your complete attack surface is a crucial first step toward securing it. Attackers can see everything you own that is directly exposed on the Internet as well as everything connected to your organization that is exposed on the Internet. You also need to see everything. This means performing full-scale, black-box attack surface mapping that receives no input from the security and IT teams. That kind of comprehensive reconnaissance process is the only way to find new departments, assets, networks, and environments that you didn't know about before.
Second, consolidate the processes and tools to test and manage the attack surface. Currently, most organizations use a variety of siloed, disconnected security tools in the hopes that a picture will emerge to help eliminate gaps. Instead, this method presents a variety of opportunities for human error, redundancies, increased operational load, and blind spots. Instead of simply layering on additional tools, security leaders should think critically about how their tools are uncovering both known and unknown attack vectors.
And third, turn monitoring and protecting the attack surface into a continuous rather than a discrete process. After all, threat actors are constantly evaluating your attack surface for security gaps, so you should too. Continuous monitoring requires automated security testing for all assets that present a path to business-critical data.
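As an added illustration of the three steps above (not code from the article or any product it alludes to): a reconciliation pass that takes what external, black-box discovery found, buckets each asset against what IT already knows, measures how much of the surface that known view actually covers, and diffs the result against the previous run so monitoring is continuous rather than one-off. The inventory, domains, and addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory for a hypothetical organization (not from the article): what
# IT believes it owns, plus the categories the article says are usually left out.
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_DOMAINS = ("example.com",)
SUBSIDIARY_DOMAINS = ("example-sub.net",)
SAAS_SUFFIXES = ("sharepoint.com", "servicenow.com", "box.com")

@dataclass(frozen=True)
class Asset:
    host: str
    ip: str
    ports: tuple

def _under(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(asset: Asset) -> str:
    """Bucket a discovered asset by how the organization relates to it."""
    ip = ipaddress.ip_address(asset.ip)
    if any(ip in net for net in KNOWN_RANGES) or _under(asset.host, KNOWN_DOMAINS):
        return "known"
    if _under(asset.host, SUBSIDIARY_DOMAINS):
        return "subsidiary"
    if _under(asset.host, SAAS_SUFFIXES):
        return "saas"
    return "unknown"

def reconcile(current: set, previous: set) -> dict:
    """Per-bucket hosts, the share of the surface the known view covers,
    and hosts that appeared since the previous discovery run."""
    buckets = {"known": [], "subsidiary": [], "saas": [], "unknown": []}
    for asset in sorted(current, key=lambda a: a.host):
        buckets[classify(asset)].append(asset.host)
    coverage = len(buckets["known"]) / len(current) if current else 1.0
    new = sorted(a.host for a in current - previous)
    return {"buckets": buckets, "coverage": coverage, "new_since_last": new}

# Constructed snapshots: what black-box discovery saw on two consecutive runs.
YESTERDAY = {
    Asset("www.example.com", "203.0.113.10", (443,)),
    Asset("vpn.example.com", "203.0.113.20", (443,)),
    Asset("portal.example-sub.net", "198.51.100.5", (443,)),
    Asset("example.sharepoint.com", "198.51.100.40", (443,)),
    Asset("staging-api.example.net", "198.51.100.77", (8080,)),
}
TODAY = YESTERDAY | {Asset("legacy-cms.example.net", "198.51.100.78", (80,))}
```

Everything in the "unknown" and "new_since_last" lists is exactly what a scanner fed only the known IP ranges would never have touched.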
Only by integrating these best practices into the concept of external attack surface management and protection can organizations adequately secure their assets against attacks. It's time to rethink how you manage the external attack surface so that you see your weaknesses the way attackers do, by discovering them with a fresh, unbounded perspective, rather than assuming you know the full scope of the iceberg when all you really see is the tip.