This blog was written by Ross Worden
Attack Surface Risk, Challenges and Changes (2023)
While digitization has simplified many organizational tasks, it has simultaneously made other facets of business more complex, including an ever-growing attack surface. As the number of connected devices and online services continues to grow, identifying all of these assets and potential vulnerabilities is a challenge. Implementing effective security measures becomes more difficult, especially if you are relying on manual inventory processes.
Depending on the company size, systems on the attack surface are responsible for creating millions or even billions of dollars in revenue. What's more, a failure in these systems could result in serious operational issues or even a complete shutdown. There’s also the legal, regulatory and brand impacts. As such, it's vital that the availability of IT infrastructure components is fiercely protected.
What Attack Surface Challenges Do Organizations Face?
Transformation comes with many benefits, but these changes bring inherent challenges. For example, in a cloud environment, multiple employees or third-party contractors might have the ability to intentionally or accidentally make a previously isolated end-of-life system publicly available online. Or, they could simply spin up a new cloud instance outside of security controls. These situations were rare with traditional IT infrastructures, but they're becoming increasingly common.
Shadow IT / Rogue IT
Shadow IT (also called rogue IT) refers to situations where employees take IT infrastructure into their own hands to circumvent inconvenient policies, or to avoid the approval process. While they're typically well-meaning, they might inadvertently create attack vectors. For example, an employee may forget to take down a temporary website, provide an overly permissive IAM role for the sake of expediency, or even stand up a new cloud environment without informing IT and security teams.
If the IT department and security team don't know that people are adding cloud workloads outside of governance, they can't manage or monitor those attack vectors. These cases aren't entirely new, but cloud computing and adjacent innovations have certainly increased their frequency. According to the Unit 42 Cloud Threat Report, Volume 7, more than 60% of organizations take longer than four days to resolve security issues, while threat actors typically exploit a misconfiguration or vulnerability within hours.
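The "overly permissive IAM role for the sake of expediency" case above is easy to catch mechanically. The following Python linter is an added example, not code from the original post or from Unit 42: it walks an AWS-style IAM policy document and flags Allow statements that grant wildcard actions, use NotAction, or apply to every resource without a Condition, with a permissive policy shown beside its least-privilege rewrite. Both policy documents, the bucket name, the account region and the action names used in them are constructed sample data.

```python
# Added example (not from the original post): a linter for the "overly
# permissive IAM role" case. It walks an AWS-style IAM policy document and
# flags Allow statements that grant wildcard actions, use NotAction, or apply
# to every resource without a Condition. Both policies are constructed samples.
import json

# What gets granted "for the sake of expediency": full S3 and IAM on everything.
PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "iam:*"], "Resource": "*"},
    ],
})

# The least-privilege rewrite: named actions, named resources, and Resource "*"
# tolerated only where a Condition narrows it. Bucket name is made up.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-reports-bucket/*"},
        {"Effect": "Allow",
         "Action": "ec2:RunInstances",
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _as_list(value):
    # IAM accepts either a single string or a list in Statement/Action/Resource.
    return value if isinstance(value, list) else [value]


def audit_policy(document: str) -> list[str]:
    """Return one human-readable issue per overly broad grant; empty if none."""
    issues = []
    for i, st in enumerate(_as_list(json.loads(document).get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        if "NotAction" in st:
            issues.append(f"statement {i}: NotAction allows everything except {_as_list(st['NotAction'])}")
        wild = [a for a in _as_list(st.get("Action", [])) if a == "*" or a.endswith(":*")]
        if wild:
            issues.append(f"statement {i}: wildcard action(s) {wild}")
        if "*" in _as_list(st.get("Resource", [])) and "Condition" not in st:
            issues.append(f"statement {i}: Resource '*' with no Condition")
    return issues


if __name__ == "__main__":
    for name, doc in (("permissive", PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(doc) or "no issues")
```

A check like this belongs in the pipeline that creates roles, not in a quarterly review: the whole point of the shadow-IT problem is that the role exists and is in use long before anyone looks at it.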
While many employees are returning to the office, there's no doubt that the remote work landscape has permanently expanded during the pandemic. Having employees work outside of the company network introduces a number of cybersecurity risks, including weaker security controls, increased susceptibility to threats, and sensitive data passing through unsecured networks. We have seen a number of cases where threat actors gained access to corporate devices via an employee’s insecure laptop.
How Is the Attack Surface Changing?
All of these challenges have an impact on the attack surface and on attack surface management as a whole. They show up in three key ways:
- The Attack Surface Is Growing: This is driven by the increasing number of connected devices, systems and cloud instances, all of which provide cybercriminals with an ever-expanding range of potential vulnerabilities to exploit.
- Systems Are Becoming More Fragmented: Various departments use different versions of the same software. Some stay current on updates and patches while others don't, which leads to an environment that lacks stability and standardization.
- Expanding Use of Networking Equipment: VPNs are deployed as a protective control, but they are themselves internet-facing and are often vulnerable to compromise. Meanwhile, data storage and analysis systems need to be reachable, which exposes them to malicious actors and to the possibility that an employee inadvertently publishes sensitive information to a public dashboard. That can create massive regulatory and legal headaches even when no threat actor is involved.
How to Better Understand Your Attack Surface
The first step in understanding your digital attack surface is identifying all internet-facing assets that could potentially become a target for cybercriminals. This includes a comprehensive and continuously updated inventory of all assets, including their location, what software is installed, who has access (including third-party entities), who is responsible for that asset, and what security controls are in place.
Once you have identified all internet-facing assets, the next step is a comprehensive risk assessment: identify the potential vulnerabilities and threats to each asset and assess the impact of a successful attack. Organizations can use a variety of tools and techniques here, including vulnerability scanners, penetration testing tools and threat modeling. However, all of these tools and techniques are only as good as the asset inventory they run against.
Not all vulnerabilities are created equal, and organizations need to prioritize which to address first based on the potential impact of a successful cyberattack. Aside from impact, you also need to weigh the resources required to remediate each one.
Attack Surface Reduction Strategies
Adequate protection requires a multi-faceted approach that involves reducing both the internal and external attack surface, as well as implementing effective security measures and attack surface reduction rules to address potential vulnerabilities. From malware to misconfigurations and ransomware attacks, understanding the threat landscape is a critical first step.
One key issue here is Remote Desktop Protocol (RDP), which accounts for almost one in four of the security problems identified in our Attack Surface Threat Report. RDP is widely used in organizations, but it's often weakly authenticated and exposed directly to the internet, offering a host of opportunities to a potential attacker, and it is a key attack vector for ransomware.
Once security teams have identified and prioritized vulnerabilities, the next step is to roll out effective remediation measures to reduce your attack surface. These attack surface reduction rules might include limiting the exposure of certain assets, implementing access controls, applying security patches, deploying firewalls and intrusion detection systems, and conducting employee training on cybersecurity best practices.
Finally, it is critical to monitor your attack surface on an ongoing basis and update your security measures as needed. A successful attack surface reduction strategy involves regularly reviewing your security policies and procedures, maintaining up-to-date inventories of all assets, and monitoring for new vulnerabilities and threats. Ongoing monitoring is especially important when underlying systems and processes may simply recreate previously patched vulnerabilities after they have been remediated.
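The steps above (inventory internet-facing assets, assess and prioritize exposures by impact, remediate, then keep monitoring for exposures that reappear) can be made concrete. The following Python script is an added example, not code from the original post or from Cortex Xpanse: it runs a few exposure rules over a constructed inventory (RDP open to the internet, an expired certificate, an asset with no owner), weights findings by business impact, keys everything on a stable asset ID rather than the IP so that a redeployed instance with a new address is not mistaken for a new asset, and diffs successive scan snapshots to separate brand-new exposures from regressions of exposures that had already been remediated. All asset IDs, hostnames, IPs, team names and dates are made up.

```python
# Added example (not from the original post): exposure rules over an asset
# inventory, impact-weighted prioritization, and snapshot diffing that flags
# remediated exposures which reappear. All data below is constructed.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

TODAY = date(2023, 6, 1)  # fixed so the example is reproducible offline


@dataclass(frozen=True)
class Asset:
    asset_id: str            # stable cloud resource ID; the IP may change between scans
    hostname: str
    ip: str
    open_ports: frozenset
    owner: str | None        # accountable team, None if nobody has claimed it
    cert_not_after: date | None
    revenue_critical: bool


# Base severity per finding; RDP open to the internet is the headline issue above.
SEVERITY = {"rdp_exposed": 9, "cert_expired": 5, "no_owner": 4}


def find_exposures(asset: Asset, today: date = TODAY) -> set[str]:
    """Apply the exposure rules to one internet-facing asset."""
    found = set()
    if 3389 in asset.open_ports:
        found.add("rdp_exposed")
    if asset.cert_not_after is not None and asset.cert_not_after < today:
        found.add("cert_expired")
    if asset.owner is None:
        found.add("no_owner")
    return found


def prioritize(inventory: list[Asset], today: date = TODAY) -> list[tuple[int, str, str]]:
    """(score, asset_id, finding), highest first. Revenue-critical assets double the severity."""
    rows = []
    for a in inventory:
        weight = 2 if a.revenue_critical else 1
        rows.extend((SEVERITY[f] * weight, a.asset_id, f) for f in find_exposures(a, today))
    return sorted(rows, reverse=True)


def snapshot(inventory: list[Asset], today: date = TODAY) -> dict[str, set[str]]:
    """Findings per asset, keyed on the stable asset ID rather than the IP."""
    return {a.asset_id: find_exposures(a, today) for a in inventory}


def new_asset_ids(prev: list[Asset], curr: list[Asset]) -> set[str]:
    return {a.asset_id for a in curr} - {a.asset_id for a in prev}


def new_ips(prev: list[Asset], curr: list[Asset]) -> set[str]:
    """What an IP-keyed scanner would call 'new': redeployed hosts become false positives."""
    return {a.ip for a in curr} - {a.ip for a in prev}


def diff_snapshots(history: list[dict[str, set[str]]]) -> dict[str, set[tuple[str, str]]]:
    """Compare the latest snapshot with the previous one. A finding that is new
    relative to the previous snapshot but had been seen and resolved earlier is
    a regression, e.g. a rebuild from an old image that re-opens RDP."""
    def pairs(snap):
        return {(aid, f) for aid, fs in snap.items() for f in fs}
    current, previous = pairs(history[-1]), pairs(history[-2])
    ever_resolved = set()
    for older, newer in zip(history[:-2], history[1:-1]):
        ever_resolved |= pairs(older) - pairs(newer)
    new = current - previous
    return {"new": new - ever_resolved, "regressed": new & ever_resolved, "resolved": previous - current}


def _asset(asset_id, hostname, ip, ports, owner, cert_not_after, critical):
    return Asset(asset_id, hostname, ip, frozenset(ports), owner, cert_not_after, critical)


# Scan 1: jump host exposes RDP; dashboard has an expired cert and no owner.
INVENTORY_V1 = [
    _asset("i-0a1", "web.example.test", "203.0.113.10", {443}, "web-team", date(2024, 1, 15), True),
    _asset("i-0b2", "jump.example.test", "203.0.113.20", {3389}, "ops", None, False),
    _asset("i-0c3", "dash.example.test", "203.0.113.30", {443}, None, date(2023, 5, 1), True),
]
# Scan 2: RDP closed, cert renewed (still unowned), web server redeployed on a new IP.
INVENTORY_V2 = [
    _asset("i-0a1", "web.example.test", "203.0.113.11", {443}, "web-team", date(2024, 1, 15), True),
    _asset("i-0b2", "jump.example.test", "203.0.113.20", {22}, "ops", None, False),
    _asset("i-0c3", "dash.example.test", "203.0.113.30", {443}, None, date(2024, 5, 1), True),
]
# Scan 3: a rebuild re-opened RDP, the dashboard got an owner, an unregistered promo site appeared.
INVENTORY_V3 = [
    _asset("i-0a1", "web.example.test", "203.0.113.11", {443}, "web-team", date(2024, 1, 15), True),
    _asset("i-0b2", "jump.example.test", "203.0.113.20", {22, 3389}, "ops", None, False),
    _asset("i-0c3", "dash.example.test", "203.0.113.30", {443}, "bi-team", date(2024, 5, 1), True),
    _asset("i-0d4", "promo.example.test", "203.0.113.40", {80, 443}, None, date(2024, 5, 1), False),
]
HISTORY = [snapshot(INVENTORY_V1), snapshot(INVENTORY_V2), snapshot(INVENTORY_V3)]

if __name__ == "__main__":
    for row in prioritize(INVENTORY_V1):
        print("scan 1 priority:", row)
    print("new by ID (scan 1 -> 2):", new_asset_ids(INVENTORY_V1, INVENTORY_V2))
    print("new by IP (scan 1 -> 2):", new_ips(INVENTORY_V1, INVENTORY_V2))
    for kind, items in diff_snapshots(HISTORY).items():
        print(f"scan 3 {kind}:", sorted(items))
```

Two design choices carry the point of the section. Prioritization multiplies a per-finding severity by business impact, so the expired certificate on the revenue-critical dashboard outranks the exposed RDP port on a non-critical jump host, which is the judgement the text asks for. And the diff is computed against the whole scan history, not just the previous scan, so the re-opened RDP port is reported as a regression rather than as a fresh finding, which is exactly the "recreated after remediation" case that makes ongoing monitoring necessary.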
Why Is Attack Surface Management Important?
Attack surface management (ASM) is the process of identifying and managing all exposures and potential entry points to an organization's internet-facing IT systems. It involves taking a comprehensive approach to analyzing and mitigating potential vulnerabilities across an organization's entire attack surface: its networks, applications, data, employees, and all exposures, including improper access controls on cloud instances and expired digital certificates.
Gone are the days when you could assume everything lived in your on-premises environment, so it is essential to discover, evaluate and mitigate the exposure of your internet-connected assets. As recently as 2022, we saw a significant jump in the share of cloud issues versus on-premises issues compared to the prior year. Traditional vulnerability management solutions often struggle with out-of-date or incomplete asset inventories, and they are especially prone to failure in the cloud because most vulnerability scanners are IP-based while cloud IPs change constantly.
As such, attack surface management is more important than ever for identifying potential vulnerabilities before cybercriminals exploit them. By conducting regular risk assessments and vulnerability scans, organizations can identify weak points in their security posture. These activities rely on having a comprehensive and up-to-date asset inventory.
These efforts reduce the overall attack surface and lower the risk of cyberattacks and data breaches. This proactive approach helps protect brand reputation and avoid the costs of incident response and downtime. It also helps organizations meet industry or government compliance requirements and avoid the penalties or legal action that result from non-compliance.
Unit 42 Attack Surface Assessment
The Unit 42 Attack Surface Assessment can help you gain full visibility of your on-premises and cloud environments, giving you a comprehensive view of your IT infrastructure's strengths and vulnerabilities.
Powered by our Cortex Xpanse solution, plus Unit 42 security expertise and threat intelligence, we help you discover public-facing assets that are vulnerable to known CVEs and remediate them before they can be exploited. Our attack surface management experts provide actionable, prioritized recommendations so you can focus remediation where it matters most.
The Unit 42 Attack Surface Assessment is an indispensable tool in your ASM program, helping you identify and manage exposure, mitigate risk and bolster your security posture now and in the future. If your organization needs help starting or advancing your attack surface management program, the Unit 42 Attack Surface Assessment can help.