Attackers strike where defenders least expect it — in cybersecurity, certainly, but in the world of physical warfare as well. As a former military officer, I think it's particularly instructive to look at military battles from the cybersecurity defender's perspective. Military battles bring direct lessons and, I find, often serve as a reminder that attack surface blind spots have been an Achilles' heel for defenders for a long time. They remind us that we have to rethink our assumptions, habits, and biases to operate at our best.
One notable example occurred in 1204 at Château Gaillard. The château provided the English a seemingly impenetrable stronghold from which to defend their claim in the Normandy countryside. The base of the keep was built out of natural rock, and all possible approaches were guarded by impressive towers and walls. Undaunted, the French laid siege, and for eight months, continued their constant frontal attack, despite the heavy toll to their forces.
Everything they tried failed to topple the English — until finally they decided to attack the castle's weakest point, one that was completely unmonitored and protected: the latrines. By climbing through the sewer, the French were able to sneak into the chapel in the inner castle. A medieval special-ops team snuck through this opening and set fire to the inner castle.
Cybersecurity attackers follow this same principle today. While most are not diving through sewers, they do show up in unexpected places, seeking out portions of an organization's attack surface that are largely unmonitored and undefended. Companies typically have a sizable number of IT assets within their external attack surface they neither monitor nor defend and probably do not know about in the first place. These are externally accessible assets, resources or infrastructure components that may process or use a company's data or be connected in some way such as exposed production databases, sensitive Git servers, accidentally exposed Internet of Things and industrial control systems, third-party payment mechanisms, etc.
Chateau Gaillard. Credit: Telly via Adobe Stock
Many of these are set up without the knowledge or involvement of security, sometimes even without the knowledge of IT. Some are things once known but later forgotten. Even test or temporary resources intended for short-term use often remain an active conduit into a company's ecosystem without ever getting decommissioned. Assets and applications are constantly created or changed, and the pace of change is fast and dynamic. It is a monumental task for any security organization to stay apprised of all of them.
Unknown and Undefended
Attackers understand this tendency and often use it to their advantage. They seek out the parts of an organization's attack surface that may be largely unknown and undefended. Attackers have access to numerous tools, techniques, and even services that can help find the unknown portion of an organization's attack surface. Most attackers are pragmatic and mission oriented, and they have a goal to find a path of least resistance that will provide the greatest payoff. Often this means focusing on the least monitored and least protected part of an organization's attack surface.
Targeting an organization's unknown attack surface generally means faster and easier penetration and the ability to mount a "low and slow" attack that will keep them reliably undiscovered until after they accomplish their mission. Similar to the 13th century French attackers of Château Gaillard, but with the appeal of lower casualties and lower cost with a greater likelihood of success, pragmatic attackers seek out an organization's externally accessible attack surface.
Of course, fully protecting an organization's cyberattack surface has historically been exceedingly difficult, if not impossible. Part of the problem is that the attack surface is dynamic, and that fast pace of change introduces elements unknown to security or IT teams. Conventional tools are plagued by something I mentioned at the start: assumptions, habits, and biases. These tools all focus only where they are pointed, leaving organizations with unaddressed blind spots that lead to breaches. Periodic penetration tests and vulnerability management tools, for instance, stick to what is known rather than unknown, and do not systematically set out to discover the previously unknown attack surface.
Assessing and protecting only the known portions of the attack surface virtually guarantees that attackers will find unguarded network infrastructure, applications, or data that can provide unimpeded access to valuable resources. Instead, organizations need to devote more resources to discovering and addressing the unknowns in their external attack surface.
It's time to consider your approach to defense and whether your organization has a significant "shadow" conduit that would be attractive to attackers for mounting an attack. Perhaps the walls and flanks of your organization are carefully protected while a largely open, unmonitored passage exists right under your feet.