The attack surface is expanding as organizations embrace cloud computing and decentralized workloads encompassing multiple clouds, complex digital supply chains, and massive third-party ecosystems. Cybercriminals can penetrate an organization's network perimeter and gain access to local network resources in 93% of cases, according to a recent penetration testing report from Positive Technologies. Organizations must shift their perception of comprehensive security to safeguard their people, products, and profits. After all, the first step to protecting your attack surface is understanding it.
To help evaluate the security of their entire digital enterprise, we identified five key considerations for security teams when assessing the organization’s attack surface.
1. The Global Attack Surface Grows With the Internet
Research shows that 117,298 hosts and 613 domains are created every minute. Each of these Web properties includes underlying operating systems, frameworks, third-party applications, plugins, tracking codes, and more. The ever-changing environment means the scope of the threat landscape is increasing exponentially over time. Security teams must treat the Internet as part of their network.
2. Remote Work Leads to a Rise in Vulnerabilities
The COVID-19 pandemic led to a wave of digital growth as companies expanded their digital footprint to accommodate a remote workforce and new business models. However, the changes also provided attackers with more access points to target.
The use of remote access technologies, like Remote Desktop Protocol (RDP) and Virtual Private Network (VPN), rose 41% and 33%, respectively, in 2020 — directly related to the sharp spike in the number of remote workers during the pandemic. By 2027, the global remote desktop software market size is expected to reach $4.69 billion — a 207% increase from 2019.
Overall, 18,378 vulnerabilities were reported in 2021. Security teams not only have to mitigate vulnerabilities for themselves but also third parties, partners, controlled and uncontrolled apps, and services within and among relationships in the digital supply chain.
3. Shadow IT, M&A, and Digital Supply Chains Create Hidden Attack Surfaces
Web applications are the most commonly exploited entry point into enterprise networks. Organizations should have a complete view of their internet assets and how those assets connect to the global attack surface. Think of an attack surface as the number of entry points that an unauthorized user can exploit to gain access to a system, enact changes, and extract data.
However, that is difficult because organizations rarely have a complete picture of what they own. New RiskIQ customers typically find 30% more assets than they thought they had due to shadow IT. On the network level, RiskIQ detects 15 expired services (making them susceptible to subdomain takeovers) and 143 open ports every minute. Critical business initiatives like mergers and acquisitions (M&A) can also expand external attack surfaces as systems belonging to the acquired company get integrated into the organization — fewer than 10% of deals globally include cybersecurity due diligence.
Additionally, because enterprise business is so dependent on digital alliances in the modern supply chain, we’ve been left with a complicated web of third-party relationships outside the purview of security teams. Fifty-three percent of organizations have experienced at least one data breach caused by a third party.
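As an added illustration (not code from the article or from RiskIQ), the check below reviews a constructed external-asset inventory for the conditions this section counts: expired services behind a dangling CNAME, open ports outside an approved baseline, and assets with no known owner (a shadow-IT signal). All hostnames, ports and the resolver stub are hypothetical sample data.

```python
"""Review a constructed external-asset inventory for attack-surface findings."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class Asset:
    host: str
    cname: Optional[str]                    # CNAME target, None for a direct A record
    open_ports: Set[int] = field(default_factory=set)
    owner: str = "unknown"                  # "unknown" marks a shadow-IT candidate

# Constructed inventory of Internet-facing assets (hypothetical names)
INVENTORY = [
    Asset("www.example.com", None, {443}, "web team"),
    Asset("shop.example.com", "shop-prod.cdn-example.net", {443}, "ecommerce"),
    Asset("legacy.example.com", "old-app.pages-example.io", {80, 443}, "unknown"),
    Asset("files.example.com", None, {22, 443, 3389}, "it ops"),
]

# Constructed stand-in for DNS: CNAME targets that still resolve today.
# Anything not listed is treated as an expired service (dangling record).
STILL_RESOLVES = {"shop-prod.cdn-example.net"}

# Hypothetical baseline of ports approved for Internet exposure
APPROVED_PORTS = {80, 443}

def target_resolves(name: str) -> bool:
    """Offline stub; a real deployment would query DNS here."""
    return name in STILL_RESOLVES

def review_inventory(assets: List[Asset], approved: Set[int] = APPROVED_PORTS) -> List[Tuple]:
    """Return findings as (host, category, detail) tuples, one per issue."""
    findings = []
    for a in assets:
        # Expired service: the CNAME points at a name nobody answers for
        if a.cname and not target_resolves(a.cname):
            findings.append((a.host, "dangling_cname", a.cname))
        # Exposure beyond the approved baseline
        extra = sorted(a.open_ports - approved)
        if extra:
            findings.append((a.host, "unapproved_ports", extra))
        # Nobody claims the asset: typical of shadow IT or M&A leftovers
        if a.owner == "unknown":
            findings.append((a.host, "no_owner", "shadow IT candidate"))
    return findings

if __name__ == "__main__":
    for host, category, detail in review_inventory(INVENTORY):
        print(f"{host:22} {category:17} {detail}")
```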
4. App Stores Across the World Contain Apps Targeting Organizations and Their Customers
Each year, businesses are investing more in mobile to support the proliferation of mobile apps. RiskIQ noted a 33% overall growth of available mobile apps in 2020, with 23 appearing every minute.
This growing app landscape represents a significant portion of an enterprise’s overall attack surface that exists beyond the firewall. Threat actors often exploit security teams’ lack of visibility by creating “rogue apps” that mimic well-known brands and can be used to phish for sensitive information or upload malware. RiskIQ blocklists a malicious mobile app every five minutes.
5. The Global Attack Surface Is a Part of an Organization’s Attack Surface, Too
If you have an Internet presence, you are interconnected with everyone else — including those that want to do you harm. This makes tracking threat infrastructure just as important as tracking your own infrastructure.
Threat groups often recycle and share infrastructure — IPs, domains, and certificates — and use open source commodity tools like malware, phish kits, and C2 components to avoid easy attribution. More than 560,000 new pieces of malware are detected every day. RiskIQ now detects a Cobalt Strike C2 server every 49 minutes.
While today’s security teams have a larger attack surface to protect, they also have more resources. Zero trust allows organizations to secure their workforce — protecting people, devices, applications, and data regardless of where they’re located or the threats they’re facing. Security teams can assess the maturity of the organization's zero trust program in order to better understand their current cybersecurity gaps and develop a practical deployment plan moving forward.
Read more Partner Perspectives from Microsoft.