Understanding an organisation’s attack surface is more challenging than it has ever been. Historically, attack surfaces were made up of on-premises systems and in-house-built applications hosted in a data centre located in the middle of nowhere. However, over the last 10 years many organisations have gone through technology transformation processes to migrate systems to the cloud, creating a hybrid environment scattered with ‘shadow IT’. This has made it difficult for organisations to maintain visibility over the systems that are considered targets in the eyes of an attacker.
What is ‘shadow IT’?
Shadow IT refers to systems and applications in use by an organisation that may not have gone through the proper approval processes before being used. For example, this could be a productivity application purchased by the Finance team that hasn’t been deployed by central IT. Or an internally developed application that has bypassed assurance processes in order to hit ‘go live’ targets.
Attackers are also seeking out targets with a higher payoff by exploiting Software-as-a-Service (SaaS) platforms in supply chain-style attacks. These platforms store data belonging to multiple companies, introducing a new type of attack surface that was previously never considered. This is evidence that asset management is more important than it has ever been.
You can’t defend what you don’t know exists. Therefore, without a good understanding of an attack surface, acting upon the latest vulnerability releases has limited value. According to research, the average time to exploit a vulnerability in 2023 was just five days. Therefore, organisations cannot afford to leave systems unpatched for long periods of time, and fast patching is only practical with good attack surface visibility.
So long, endless vulnerability lists
When it comes to addressing these vulnerabilities, organisations have shifted away from traditional vulnerability management in favour of more pragmatic approaches. Endless lists of vulnerabilities left security teams feeling overwhelmed, with priorities focused on patching the highest severity vulnerabilities first. However, without organisational context, a high-severity vulnerability may turn out to be irrelevant to the organisation, meaning its real risk is lower than its rating suggests. It’s common for organisations to have one individual responsible for the entirety of their IT and Cyber Security, meaning it’s just not possible for one person to effectively deal with the output from traditional vulnerability scanning tools. This also makes it challenging to respond quickly to emerging threats with five-day exploit times when resources are limited.
Newer approaches such as Attack Surface Management (ASM) aim to tackle this by applying context to the list of vulnerabilities to answer the questions: “What is most important to my organisation?” and “What are the top five issues that I need to fix today, as a priority?”. This is achieved through the consumption of threat intelligence, to understand which vulnerabilities are actively being exploited by threat actors and which are not.
How Attack Surface Management brings clarity and context
Asset discovery
Firstly, ASM helps organisations understand what they have, where their data is stored and how it could be targeted by an attacker. This involves carrying out continuous asset discovery through automated and manual scanning techniques. These scans aim to identify assets such as domains, subdomains and IP addresses that can be linked back to an organisation. It’s important that these scans are run on a continuous basis, to observe the changes in an organisation’s attack surface, as and when they occur. This is especially important when understanding susceptibility to a zero-day. Having the most accurate representation of your organisation’s attack surface will ensure that nothing is missed and that no systems are left unpatched and exposed to the internet. To further understand how an organisation could be targeted, it is important to consider data points outside of the ‘traditional’ asset types. For example, which SaaS applications and third-party libraries are in use, and where data is stored in cloud storage buckets. Not only will this assist with third-party risk assessments, but it will also help organisations understand the type of data they have and where it is stored.
What is a zero-day?
A zero-day is a vulnerability in software, hardware or firmware for which a patch has not yet been developed by the vendor.
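The continuous discovery described above comes down to comparing each run’s inventory with the previous one. The following added example (not the article’s or any product’s code) diffs two constructed inventories, using documentation-reserved names and addresses, and flags newly appeared assets that nobody has claimed as shadow IT candidates, plus known assets whose exposed services changed between runs:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    kind: str                 # e.g. "subdomain", "ip", "bucket", "saas"
    value: str
    owner: str = "unknown"    # team that claimed the asset; "unknown" if nobody has
    services: tuple = ()      # exposed services observed by the scan


# Constructed inventories from two discovery runs (example.com and 203.0.113.0/24
# are reserved for documentation; none of this is real infrastructure).
PREVIOUS_SCAN = [
    Asset("subdomain", "www.example.com", "web", ("https",)),
    Asset("subdomain", "vpn.example.com", "infra", ("https",)),
    Asset("ip", "203.0.113.10", "infra", ("ssh",)),
    Asset("saas", "ticketing-vendor", "it"),
]
CURRENT_SCAN = [
    Asset("subdomain", "www.example.com", "web", ("https",)),
    Asset("subdomain", "vpn.example.com", "infra", ("https", "rdp")),   # new service exposed
    Asset("subdomain", "finance-app.example.com", services=("https",)),  # new, unclaimed
    Asset("ip", "203.0.113.10", "infra", ("ssh",)),
    Asset("ip", "203.0.113.22", "infra", ("https",)),                    # new, but claimed
    Asset("bucket", "example-finance-exports"),                          # new, unclaimed
]


def _key(asset):
    # Identity of an asset across runs; owner and services may change around it.
    return (asset.kind, asset.value)


def diff_attack_surface(previous, current):
    """Compare two discovery runs and report what changed in the attack surface."""
    prev = {_key(a): a for a in previous}
    cur = {_key(a): a for a in current}
    added = sorted(cur.keys() - prev.keys())
    removed = sorted(prev.keys() - cur.keys())
    # Known assets whose exposed services differ from last time.
    changed = [k for k in sorted(prev.keys() & cur.keys())
               if prev[k].services != cur[k].services]
    # New assets with no owner are the shadow IT candidates to triage first.
    shadow_it = [k for k in added if cur[k].owner == "unknown"]
    return {"added": added, "removed": removed,
            "changed": changed, "shadow_it_candidates": shadow_it}


if __name__ == "__main__":
    for section, keys in diff_attack_surface(PREVIOUS_SCAN, CURRENT_SCAN).items():
        print(f"{section}: {keys}")
```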
Vulnerability identification
Secondly, ASM helps organisations understand the risk associated with the systems that comprise their attack surface. This can be achieved through various activities, such as automated scanning and manual intelligence-driven testing. By applying an ‘attacker mindset’, security experts can piece together attack paths that may lead to the compromise of ‘crown jewel’ systems or access into an organisation’s internal network. This approach favours breadth over depth with regard to coverage and looks to identify the highest severity issues across the entire attack surface.
Risk prioritisation
Lastly, ASM focuses on simplifying the process of addressing these vulnerabilities by highlighting the most important weaknesses. This is based on factors such as: whether the affected system is considered a ‘crown jewel’, or whether the vulnerability is actively being exploited in the wild. Traditional approaches typically focus on severity ratings, but may not consider factors specific to an organisation. In addition, severity-based approaches may not reflect changes in the risk landscape. For example, the likelihood of exploitation for a particular vulnerability may change over time, meaning the overall risk level may fluctuate. Adopting a dynamic risk-based approach will help under-resourced teams focus on the highest priority remediations that will significantly improve their security posture.
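To make the contrast between severity-only ranking and the context-driven prioritisation described here (and in the “top five issues” question earlier) concrete, the following added example (not the article’s or any product’s code) ranks a constructed set of findings both ways. The identifiers, assets, weights and the “known exploited” feed are all illustrative placeholders, not real CVEs or real intelligence:

```python
from dataclasses import dataclass


@dataclass
class Finding:
    finding_id: str            # constructed placeholder, not a real CVE id
    asset: str
    cvss: float                # base severity rating, 0-10
    crown_jewel: bool = False  # organisational context: does this system matter most?
    internet_exposed: bool = True


# Constructed findings across the attack surface (illustrative only).
FINDINGS = [
    Finding("VULN-0001", "dev-build-01", 9.8, internet_exposed=False),
    Finding("VULN-0002", "customer-portal", 7.5, crown_jewel=True),
    Finding("VULN-0003", "marketing-site", 5.3),
    Finding("VULN-0004", "vpn.example.com", 8.1, crown_jewel=True),
    Finding("VULN-0005", "staging-api", 6.5),
    Finding("VULN-0006", "hr-saas-connector", 7.2, crown_jewel=True),
]
# Constructed threat-intelligence feed: ids seen exploited in the wild this week.
KNOWN_EXPLOITED = {"VULN-0002"}


def by_severity(findings):
    """Traditional ordering: highest base severity first, no context."""
    return [f.finding_id for f in sorted(findings, key=lambda f: -f.cvss)]


def risk_score(finding, exploited):
    """Severity adjusted by context. Weights are illustrative assumptions."""
    score = finding.cvss
    if finding.finding_id in exploited:
        score *= 2.0     # actively exploited: likelihood is no longer theoretical
    if finding.crown_jewel:
        score *= 1.5     # impact is far higher on a crown-jewel system
    if not finding.internet_exposed:
        score *= 0.25    # not reachable from outside: much lower likelihood
    return score


def by_risk(findings, exploited, top=5):
    """ASM-style ordering: the handful of issues to fix today."""
    ranked = sorted(findings, key=lambda f: -risk_score(f, exploited))
    return [f.finding_id for f in ranked[:top]]


if __name__ == "__main__":
    print("severity only:", by_severity(FINDINGS))
    print("risk based:   ", by_risk(FINDINGS, KNOWN_EXPLOITED))
    # The feed changes, so the ranking changes with it: VULN-0005 jumps to second.
    print("after update: ", by_risk(FINDINGS, KNOWN_EXPLOITED | {"VULN-0005"}))
```

Re-running the ranking whenever the intelligence feed or the asset inventory changes is what makes the approach dynamic rather than a one-off severity sort.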
Conclusion
Overall, Attack Surface Management is a pragmatic approach to dealing with the threats faced by an organisation. By providing a real-time attack surface view, organisations will discover areas of shadow IT and assets that may not have been observed within the traditional ‘perimeter’. Having an up-to-date list of systems will allow organisations to act quickly upon new vulnerability releases, ensuring they have the best chance at protecting their systems from attack. Remediation activities will become much more manageable by using threat intelligence data and organisational context, reducing the burden on small IT teams.